simplify openvpn setup
reefactor committed Oct 3, 2020
1 parent b5f6fa0 commit a15222f
Showing 13 changed files with 74 additions and 49 deletions.
5 changes: 3 additions & 2 deletions .gitignore
@@ -1,6 +1,7 @@
/.vagrant
/.vagrant/
/.idea/
/vpnkeys/
/.vpnkeys/
/.facts/

# vagrant logs
/ubuntu-xenial-16.04-cloudimg-console.log
22 changes: 15 additions & 7 deletions README.md
Expand Up @@ -54,19 +54,27 @@ ansible-playbook playbooks/openvpn-server.yml
```

##### Add user to VPN network
1. Add new entry into list of **openvpn_clients_active** in [environments/test/group_vars/openvpn](environments/test/group_vars/openvpn).

See example test [test_deploy_openvpn.sh](tests/test_deploy_openvpn.sh)

1. Add `username` entry into list of **openvpn_clients_active** in [environments/test/group_vars/openvpn](environments/test/group_vars/openvpn).
Client may reserve static VPN IP or dynamic otherwise.
2. Add `newhost` credentials to the **openvpn_clients_group** in [environments/test/inventory](environments/test/inventory)
with corresponding `openvpn_client_name`

3. Generate OpenVPN server keys for client:
2. Generate OpenVPN server keys for client:
```bash
ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml
```
4. Download keys and deploy to openvpn client on `newhost`:

VPN keys are downloaded to local dir `./.vpnkeys/test`.

Send keys file to the user or deploy to a host VM with `playbooks/openvpn-client.yml`:

3. (Optional) deploy VPN client keys to a particular host VM

Add target host VM to **openvpn_clients_group** and mark with `openvpn_client_name=username` variable and run playbook:
```bash
ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml --limit openvpn-server,newhost
ls -l ./vpnkeys/newhost.zip
ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml --limit openvpn-server,vpnhost
ls -l ./.vpnkeys/test/newhost.zip
```

##### Revoke VPN access
7 changes: 7 additions & 0 deletions ansible.cfg
@@ -1,6 +1,13 @@
[defaults]
# inventory = ./environments/test
retry_files_enabled = False
roles_path = ./roles
gathering = smart
fact_caching = jsonfile
fact_caching_connection = ./.facts
fact_caching_timeout = 1209600
# deprecation_warnings = False


# SSH timeout
timeout = 60
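Review bot: `fact_caching_timeout = 1209600` gives no hint of its unit or intent; a trailing comment such as `fact_caching_timeout = 1209600  # 14 days, in seconds` spares the next reader the arithmetic. Combined with `gathering = smart` and the jsonfile backend, a host whose facts are already in `./.facts` is not re-gathered until that timeout expires, so a rebuilt Vagrant box may be provisioned with stale facts; if that trade-off is intended for speed, a one-line comment saying so (and that removing `./.facts` is the reset) belongs next to it. Which of these lines the commit introduced is not recoverable from the rendered page, so this applies to whichever of them are new.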
File renamed without changes.
File renamed without changes.
@@ -1,15 +1,17 @@

openvpn_server: 10.3.0.0 255.255.255.0

---
# public VPN entry point for client.conf
openvpn_host: 192.168.10.101
# internal VPN IP
openvpn_server: 10.3.0.0 255.255.255.0

# all vpn user keys
openvpn_clients_active:
- name: testvpnuser
- name: vpnhost_static
content: "ifconfig-push 10.3.0.2 255.255.255.0"
- name: dynamic_ip_user
- name: vpnuser_laptop
content: ''

openvpn_clients_revoke: []

openvpn_use_pam: false
openvpn_download_dir: "../.vpnkeys/test/"
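Review bot: `openvpn_download_dir: "../.vpnkeys/test/"` is a relative path whose base differs between its two consumers: `playbooks/openvpn-client.yml` hands it straight to `fetch`, which resolves it against the playbook directory, while `roles/openvpn-client/tasks/main.yml` prefixes another `../` and passes `../../.vpnkeys/test/...` to `unarchive`, which is resolved through the role/playbook file search path — the same value only points at one directory if the two lookups happen to start from directories at different depths. An absolute base such as `"{{ playbook_dir }}/../.vpnkeys/test/"` would make the variable mean the same thing everywhere and let the role drop its extra `../`. The trailing `/` is also load-bearing (`fetch` with `flat: true` treats a `dest` without it as a file name), so document it: `# relative to playbooks/; keep the trailing "/" — fetch flat: true needs it`. The rendered page does not mark which lines of this hunk are additions, and the file's own name is missing from it.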
25 changes: 12 additions & 13 deletions environments/test/inventory
@@ -1,22 +1,21 @@
# see Vagrantfile
[all:vars]
ansible_ssh_user=vagrant

[gitlab]
gitlab-server ansible_host=192.168.10.101 ansible_user=vagrant
gitlab-runner1 ansible_host=192.168.10.102 ansible_user=vagrant
gitlab-server ansible_host=192.168.10.101
gitlab-runner1 ansible_host=192.168.10.102

[openvpn]
openvpn-server ansible_host=192.168.10.101 ansible_user=vagrant
openvpn-server ansible_host=192.168.10.101 ansible_ssh_user=vagrant

[openvpn_clients_group]
user1 ansible_host=192.168.10.102 ansible_user=vagrant openvpn_client_name=testvpnuser
vpnhost ansible_host=192.168.10.102 openvpn_client_name=vpnhost_static

[monitored]
eye ansible_host=192.168.10.101 ansible_user=vagrant
beacon1 ansible_host=192.168.10.102 ansible_user=vagrant
eye ansible_host=192.168.10.101
beacon1 ansible_host=192.168.10.102

[distribution-hub]
pubhub ansible_host=192.168.10.101 ansible_user=vagrant

[dns-server]
dns ansible_host=192.168.10.101 ansible_user=vagrant

nextcloud_host ansible_host=192.168.10.101 ansible_user=vagrant
pubhub ansible_host=192.168.10.101
dns ansible_host=192.168.10.101
nextcloud_host ansible_host=192.168.10.101
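Review bot: `[all:vars]` introduces `ansible_ssh_user=vagrant`, the older spelling of the `ansible_user` variable that the removed per-host entries used; stick to one name, preferably `ansible_user=vagrant`, and the extra `ansible_ssh_user=vagrant` on the `openvpn-server` line is then redundant with the group default and can go. If the `[distribution-hub]` and `[dns-server]` headers are among the removed lines, `pubhub`, `dns` and `nextcloud_host` now sit under `[monitored]`, which widens whatever plays target that group; if that is intended, a `# all 192.168.10.101 aliases are monitored` comment makes it deliberate rather than accidental. The rendered page does not mark sides, so the second point is inferred from the addition and deletion counts.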
2 changes: 1 addition & 1 deletion playbooks/distribution-hub.yml
@@ -1,6 +1,6 @@
- import_playbook: base.yml
- name : distribution hub
hosts: distribution-hub
hosts: pubhub
become: yes
roles:
- users
11 changes: 6 additions & 5 deletions playbooks/openvpn-client.yml
@@ -1,12 +1,13 @@
- hosts: openvpn-server
become: yes
tasks:
- name: 'Fetch zip archive with client credentials from openvpn-server host'
- name: Download client credentials from VPN server to local {{openvpn_download_dir}}
fetch:
src: "/etc/openvpn/ovpns/{{item.name}}.zip"
dest: ../vpnkeys/
flat: yes
with_items: "{{ openvpn_clients_active }}"
src: "/etc/openvpn/ovpns/{{ item.name }}.zip"
dest: "{{ openvpn_download_dir }}"
flat: true
validate_checksum: true
loop: "{{ openvpn_clients_active }}"

- hosts: openvpn_clients_group
become: yes
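Review bot: `dest: "{{ openvpn_download_dir }}"` with `flat: true` only lands each archive inside a directory because the variable happens to end in `/`; with `flat: true`, a `dest` without a trailing slash is taken as the file name itself and every iteration of the `loop` would overwrite the same file. A comment on the task, `# flat: true — dest must end with "/" to be treated as a directory`, records that dependency. The archives hold the client credentials (per the task name) and `fetch` sets no mode on the local copy, so their permissions follow the operator's umask; if that is acceptable for this test environment, say so next to `validate_checksum: true`. The second play starting at `- hosts: openvpn_clients_group` continues outside the hunk.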
4 changes: 1 addition & 3 deletions playbooks/openvpn-server.yml
Expand Up @@ -25,9 +25,8 @@
#!/usr/bin/env
echo 'Up!' >> "/var/up.log"
# optional
openvpn_download_clients: true
openvpn_download_extract: false
openvpn_download_clients: false
openvpn_open_firewall: false
openvpn_route_traffic: false
openvpn_management_enable: false
Expand All @@ -36,7 +35,6 @@
openvpn_clients: "{{ openvpn_clients_active | map(attribute='name') | list }}"
openvpn_ccd_configs: "{{ openvpn_clients_active }}"
openvpn_client_options: ["float", "log /etc/openvpn/client.log"]

roles:
- role: nkakouros.easyrsa
- role: Stouts.openvpn
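Review bot: `openvpn_download_clients: false` under `# optional` reads as an arbitrary toggle without context; a trailing comment, `openvpn_download_clients: false  # client keys are fetched by playbooks/openvpn-client.yml instead`, ties it to where the download now happens in this commit. The vars block this sits in appears to begin before line 25 of the file, so its start is outside the hunk.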
2 changes: 1 addition & 1 deletion roles/openvpn-client/tasks/main.yml
Expand Up @@ -4,7 +4,7 @@

- name: Extract ovpn client zip into /etc/openvpn
unarchive:
src: ../vpnkeys/{{openvpn_client_name}}.zip
src: ../{{ openvpn_download_dir }}/{{openvpn_client_name}}.zip
dest: /etc/openvpn/

- name: Rename /etc/openvpn/client.ovpn to client.conf
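Review bot: Spacing inside the Jinja delimiters is mixed on one line, `{{ openvpn_download_dir }}` next to `{{openvpn_client_name}}`; pick one form, e.g. `src: ../{{ openvpn_download_dir }}/{{ openvpn_client_name }}.zip`. The doubled `/` when the variable already ends in a slash is harmless but surprising, so a short comment, `# openvpn_download_dir ends in "/"; the extra "/" is ignored`, saves a double take.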
2 changes: 1 addition & 1 deletion tests/test_deploy_distribution_hub.sh
Expand Up @@ -5,4 +5,4 @@ source $DIR/base.sh
# create
vagrant up

ansible-playbook -i environments/test/inventory playbooks/distribution-hub.yml -l distribution-hub
ansible-playbook -i environments/test/inventory playbooks/distribution-hub.yml
31 changes: 20 additions & 11 deletions tests/test_deploy_openvpn.sh
Expand Up @@ -5,34 +5,43 @@ source $DIR/base.sh
# create sandbox
vagrant up

cleanup
if [[ -e $DIR/.vpnkeys/test ]]; then
rm -rf $DIR/.vpnkeys/test
fi

# run playbook in vagrant sandbox
ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml -l openvpn-server
ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml
# TODO FIXME openvpn service not starting until reboot
ssh -o StrictHostKeyChecking=no vagrant@$vmbox1 "bash -c 'sleep 2; sudo reboot' &"
sleep 20

ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml -l openvpn-server,user1

# expect vpn keys downloaded
# see openvpn_clients_active in environments/test/group_vars/openvpn.yaml
for vpnusername in vpnhost_static vpnuser_laptop
do
vpn_key_zip=$DIR/../.vpnkeys/test/${vpnusername}.zip
if [[ ! -f $vpn_key_zip ]]; then
echo "FAILED: not found $vpn_key_zip"
exit 1
fi
done

# expect playbooks/openvpn-client.yml to download key files
if [[ ! -f ./vpnkeys/testvpnuser.zip ]]; then
echo 'FAILED: testvpnuser.zip key files not found'
exit 1
fi
rm -r ./vpnkeys/*.zip
# deploy vpn keys to hostname
ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml -l openvpn-server,vpnhost


# check
# wait network bootstrap
sleep 3
ssh -o StrictHostKeyChecking=no vagrant@$vmbox2 "ping -c 3 -w 3 10.3.0.1"
if [ $? -ne 0 ]; then
echo 'FAILED ping testvpnuser -> vpnserver'
echo 'FAILED ping vpnhost_static -> vpnserver'
exit 1
fi

ssh -o StrictHostKeyChecking=no vagrant@$vmbox1 "ping -c 3 -w 3 10.3.0.2"
if [ $? -ne 0 ]; then
echo 'FAILED ping vpnserver -> testvpnuser'
echo 'FAILED ping vpnserver -> vpnhost_static'
exit 1
fi
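Review bot: The cleanup at the top removes `$DIR/.vpnkeys/test`, but the keys the run checks for live in `$DIR/../.vpnkeys/test` (see `vpn_key_zip=` in the loop below), so the pre-run wipe never touches the real download directory and a stale zip from an earlier run can satisfy the `-f` checks. Replace the three-line `if [[ -e … ]]; then rm -rf … fi` with `rm -rf -- "${DIR:?}/../.vpnkeys/test"`, which also quotes `$DIR` and refuses to run when it is unset. The two `ssh … ping` checks test `$?` on the following line; `if ! ssh -o StrictHostKeyChecking=no vagrant@"$vmbox2" "ping -c 3 -w 3 10.3.0.1"; then` says the same thing without the intermediate status. `$DIR` is assigned above the hunk.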

0 comments on commit a15222f
