--- /dev/null
+#!/usr/bin/env python
+
+import os, sys
+from boto.dynamodb2.table import Table
+from passlib.hash import sha512_crypt
+
+try:
+ if sha512_crypt.verify(os.environ['password'], Table('userManager').get_item(userName=os.environ['username'])['passwordHash']):
+ sys.exit(0)
+except:
+ pass
+sys.exit(1)
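Review bot: The bare `except:` also catches the `SystemExit` raised by `sys.exit(0)` inside the `try`, so a successful `sha512_crypt.verify` is swallowed, execution falls through to `sys.exit(1)`, and every login is rejected. Narrowing it to `except Exception:` lets the success exit propagate; alternatively assign the verify result to a variable inside the `try` and exit after it. The same handler also hides DynamoDB lookup errors (missing table, credentials, throttling) behind the same exit code as a wrong password, so an operator cannot tell a backend outage from a credential failure; writing the exception before exiting, e.g. `sys.stderr.write('auth.py: %r\n' % (exc,))`, would surface that in the OpenVPN log.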
--- /dev/null
+[VPNConnect]
+file = /var/log/openvpn/connect.log
+datetime_format = %Y-%m-%dT%H:%M:%S%z
+buffer_duration = 5000
+log_stream_name = {instance_id}
+initial_position = start_of_file
+log_group_name = VPNConnect
+
+[VPNDisconnect]
+file = /var/log/openvpn/disconnect.log
+datetime_format = %Y-%m-%dT%H:%M:%S%z
+buffer_duration = 5000
+log_stream_name = {instance_id}
+initial_position = start_of_file
+log_group_name = VPNDisconnect
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+
+LOGPATH=/var/log/openvpn
+NOW=$(date --iso-8601=sec)
+#NOW=$(date '+%Y-%m-%dT%T%z')
+
+case "${script_type}" in
+ client-connect)
+ extra=""
+ dst="connect.log"
+ ;;
+ client-disconnect)
+ extra=" bytes sent/recv: ${bytes_sent}/${bytes_received} seconds: ${time_duration}"
+ dst="disconnect.log"
+ ;;
+ up|down|ipchange|route-up|tls-verify|auth-user-pass-verify|learn-address|*)
+ exit 1
+ ;;
+esac
+
+echo "${NOW} [${script_type}] ${common_name} from ${trusted_ip} assigned ${ifconfig_pool_remote_ip}${extra}" > "${LOGPATH}/${dst}"
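Review bot: The redirect on the last line uses `>`, so every connect or disconnect event truncates `${LOGPATH}/${dst}` and only the most recent entry survives; `>> "${LOGPATH}/${dst}"` appends. The awslogs config added in this commit uses `initial_position = start_of_file` and expects these files to grow, so with the truncating redirect entries written between agent polls can be lost. Separately, `date --iso-8601=sec` emits a colon in the UTC offset (`+00:00`), and the agent's `datetime_format = %Y-%m-%dT%H:%M:%S%z` may not parse that form with an older Python `strptime`; the commented-out `date '+%Y-%m-%dT%T%z'` variant produces `+0000`, so it is worth confirming which format the agent actually accepts before relying on event timestamps in CloudWatch.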
--- /dev/null
+---
+- name: restart openvpn
+ service:
+ name: openvpn
+ state: restarted
--- /dev/null
+---
+dependencies:
+ - { role: aws-vpc }
+ - { role: awslogs }
--- /dev/null
+---
+- assert:
+ that:
+ - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
+ - vpn_subnet != ''
+ - ca_name != ''
+ tags: ['check_vars']
+
+- assert:
+ that:
+ - vpn_server_ip|default() != ''
+ when: vpn_mode|default() == 'vpc-client'
+ tags: ['check_vars']
+
+- name: Install packages
+ with_items:
+ - openssl
+ - openvpn
+ yum:
+ name: "{{ item }}"
+ state: latest
+
+- name: Install pip things
+ with_items:
+ - passlib
+ pip:
+ name: "{{ item }}"
+ state: present
+
+- name: openvpn config directories
+ with_items:
+ - conf
+ - scripts
+ file:
+ state: directory
+ path: /etc/openvpn/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: openvpn cert directory
+ file:
+ state: directory
+ path: /etc/openvpn/keys
+ owner: openvpn
+ group: openvpn
+ mode: "0700"
+
+- name: openvpn log directory
+ file:
+ state: directory
+ path: /var/log/openvpn
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: openvpn log files
+ with_items:
+ - status.log
+ - openvpn.log
+ - connect.log
+ - disconnect.log
+ file:
+ state: touch
+ path: /var/log/openvpn/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0644"
+
+- name: install scripts
+ when: vpn_mode == 'user-server'
+ with_items:
+ - auth.py
+ - event-log.sh
+ copy:
+ src: "{{ item }}"
+ dest: /etc/openvpn/scripts/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: generate dh parameters
+ command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
+ args:
+ creates: /etc/openvpn/keys/dh.pem
+
+- name: configure openvpn
+ template:
+ src: "{{ vpn_mode }}.conf.j2"
+ dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
+ owner: openvpn
+ group: openvpn
+ mode: "0644"
+ notify:
+ - restart openvpn
+
+- name: enable openvpn
+ service:
+ name: openvpn
+ enabled: yes
+ notify:
+ - restart openvpn
+
+- name: configure log shipping
+ copy:
+ src: awslogs.openvpn.conf
+ dest: /etc/awslogs/config/openvpn.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify:
+ - restart awslogs
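Review bot: `install scripts` runs only `when: vpn_mode == 'user-server'`, but the vpc-server template added in this commit also sets `client-connect /etc/openvpn/scripts/event-log.sh`, so a vpc-server host gets a config pointing at a script that was never copied and client connections will fail on the missing hook. Either drop the condition or widen it to `when: vpn_mode in ('user-server', 'vpc-server')`. The scripts are also installed as `owner: openvpn` with `mode: "0755"`, which appears to be the same account the daemon drops to (`user openvpn` in the templates), so a compromised daemon process could rewrite its own authentication hook; installing them `owner: root` keeps them read-only to the service account. `state: latest` on the yum task upgrades openvpn and openssl on every run, which makes the play non-idempotent and can restart the service unexpectedly; `state: present` is the usual choice.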
--- /dev/null
+{{ ansible_managed|comment }}
+# Mode: {{ vpn_mode }}
+# Subnet: {{ vpn_subnet }}
+# L3
+daemon
+port 1195
+dev tun
+proto tcp-server
+user openvpn
+group openvpn
+tcp-nodelay
+persist-tun
+persist-key
+cipher AES-256-CBC
+keepalive 30 90
+management 127.0.0.1 31339
+
+server {{ vpn_subnet }} 255.255.255.0
+topology subnet
+
+max-clients 64
+
+verb 3
+log /var/log/openvpn/openvpn.log
+status-version 3
+status /var/log/openvpn/status.log
+client-connect /etc/openvpn/scripts/event-log.sh
+
+tmp-dir /dev/shm
+{% if phase|default() == 'prod' %}
+auth-user-pass-verify /etc/openvpn/scripts/auth.py via-env
+{% endif %}
+
+tls-server
+tls-version-min 1.2
+key-direction 0
+dh /etc/openvpn/keys/dh.pem
+ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
+crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
+cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
+key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
+<tls-auth>
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+07b7f906a252a8b304d2b9e055b05299
+f199db480ce9da121fdbed99b2b18747
+f24fd2b4b95f1dbbe2a480b9eb761413
+03bc6848ec6181bb78078043306e2fcd
+ad992ee1a5c02ded40c289209eb77587
+36ac2a15fba4eb0cfc721c2c70a3fb83
+7af9e5423e8cf81c5904a989d114fae8
+b0c9ffd27bac60718d7231ab7cf4871f
+79d0cc9e37935afea8b67f1a2c396707
+8a586e78a1ba340e9c5bcce41de9ade7
+5ca23c436c65c30bcb7e2854ed576b93
+a955fe3b4d408444d5afaa8cc23dc9a5
+f613242847be6cd33cb939b94658dd89
+e02c3629fa9d8ff99d415b7041bd9df6
+15d3744bd648f2ab1ba2db0c64737308
+aca2fbab7c9b7114e4d8b646ca430c19
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+script-security 2
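Review bot: The `<tls-auth>` block embeds a literal OpenVPN static key in the template, so the same HMAC key is committed to the repository and shared by every deployment rendered from it (the vpc-server template in this commit carries the identical block); once it is in version control the tls-auth layer no longer adds protection against anyone with read access to the repo. Generate the key per environment with `openvpn --genkey --secret` and deliver it as a vault-protected file referenced by `tls-auth /etc/openvpn/keys/ta.key 0`, and treat the committed key as compromised and rotate it. Separately, `client-connect /etc/openvpn/scripts/event-log.sh` is set but there is no matching `client-disconnect /etc/openvpn/scripts/event-log.sh`, so the script's `client-disconnect` branch never runs and `disconnect.log` stays empty even though awslogs ships it; the same applies to the vpc-server template.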
--- /dev/null
+{{ ansible_managed|comment }}
+# Mode: {{ vpn_mode }}
+# Subnet: {{ vpn_subnet }}
+client
+dev tap
+<connection>
+ remote {{ vpn_server_ip }} 1194 udp
+</connection>
+resolv-retry infinite
+persist-key
+persist-tun
+nobind
+float
+mssfix
+keepalive 30 90
+daemon
+
+ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
+cert /etc/openvpn/keys/{{ vpc_region }}-client.{{ ca_name|lower }}.crt
+key /etc/openvpn/keys/{{ vpc_region }}-client.{{ ca_name|lower }}.key
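Review bot: The client profile carries no `tls-auth` directive, while the vpc-server template in this commit requires one (`<tls-auth>` with `key-direction 0`), so the handshake will be rejected unless the client is given the same key with `key-direction 1` and a matching `tls-auth` entry. It also lacks `remote-cert-tls server`, which means any certificate issued by the same CA, including another client's, would be accepted as the server's; adding `remote-cert-tls server` (and, for symmetry with the server, `tls-version-min 1.2`) closes that. Note that `remote-cert-tls server` requires the server certificate to carry the TLS server EKU, so check how the CA issues the `{{ vpc_region }}.{{ ca_name|lower }}.crt` certificate before enabling it.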
--- /dev/null
+{{ ansible_managed|comment }}
+# Mode: {{ vpn_mode }}
+# Subnet: {{ vpn_subnet }}
+# L3
+daemon
+port 1194
+dev tap
+proto udp
+user openvpn
+group openvpn
+tcp-nodelay
+persist-tun
+persist-key
+cipher AES-256-CBC
+keepalive 30 90
+management 127.0.0.1 31337
+
+server {{ vpn_subnet }} 255.255.255.0
+topology subnet
+
+max-clients 64
+
+verb 3
+log /var/log/openvpn/openvpn.log
+status-version 3
+status /var/log/openvpn/status.log
+client-connect /etc/openvpn/scripts/event-log.sh
+
+tmp-dir /dev/shm
+
+tls-server
+tls-version-min 1.2
+key-direction 0
+dh /etc/openvpn/keys/dh.pem
+ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
+crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
+cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
+key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
+<tls-auth>
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+07b7f906a252a8b304d2b9e055b05299
+f199db480ce9da121fdbed99b2b18747
+f24fd2b4b95f1dbbe2a480b9eb761413
+03bc6848ec6181bb78078043306e2fcd
+ad992ee1a5c02ded40c289209eb77587
+36ac2a15fba4eb0cfc721c2c70a3fb83
+7af9e5423e8cf81c5904a989d114fae8
+b0c9ffd27bac60718d7231ab7cf4871f
+79d0cc9e37935afea8b67f1a2c396707
+8a586e78a1ba340e9c5bcce41de9ade7
+5ca23c436c65c30bcb7e2854ed576b93
+a955fe3b4d408444d5afaa8cc23dc9a5
+f613242847be6cd33cb939b94658dd89
+e02c3629fa9d8ff99d415b7041bd9df6
+15d3744bd648f2ab1ba2db0c64737308
+aca2fbab7c9b7114e4d8b646ca430c19
+-----END OpenVPN Static key V1-----
+</tls-auth>
+
+script-security 2