From 588872ef49cb75a5ffa775e738ae3c61f9d7bad0 Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Tue, 18 Apr 2017 13:40:50 -0700
Subject: [PATCH] fix openvpn things
---
 roles/msca-openvpn/tasks/main.yml | 29 +++++++++++++++++++
 .../templates/user-server.conf.j2 | 22 +-------------
 .../msca-openvpn/templates/vpc-client.conf.j2 | 6 ++++
 .../msca-openvpn/templates/vpc-server.conf.j2 | 26 ++---------------
 4 files changed, 39 insertions(+), 44 deletions(-)
diff --git a/roles/msca-openvpn/tasks/main.yml b/roles/msca-openvpn/tasks/main.yml
index e0420fd..92dec57 100644
--- a/roles/msca-openvpn/tasks/main.yml
+++ b/roles/msca-openvpn/tasks/main.yml
@@ -4,6 +4,12 @@
 - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
 - vpn_subnet != ''
 - ca_name != ''
+ - ca_cert != ''
+ - crl_pem != ''
+ - cert != ''
+ - key != ''
+ - ta_secret != ''
+
 tags: ['check_vars']
 - assert:
@@ -84,6 +90,29 @@
 args:
 creates: /etc/openvpn/keys/dh.pem
+- name: install keys
+ with_items:
+ - file: ca.{{ ca_name|lower }}.crt
+ content: "{{ ca_cert }}"
+ mode: "0400"
+ - file: crl.{{ ca_name|lower }}.pem
+ content: "{{ crl_pem }}"
+ mode: "0400"
+ - file: "{{ vpc_region }}.{{ ca_name|lower }}.crt"
+ content: "{{ cert }}"
+ mode: "0400"
+ - file: "{{ vpc_region }}.{{ ca_name|lower }}.key"
+ content: "{{ key }}"
+ mode: "0400"
+ copy:
+ dest: /etc/openvpn/keys/{{ item.file }}
+ content: "{{ item.content }}"
+ mode: "{{ item.mode }}"
+ owner: openvpn
+ group: openvpn
+ notify:
+ - restart openvpn
+
 - name: configure openvpn
 template:
 src: "{{ vpn_mode }}.conf.j2"
diff --git a/roles/msca-openvpn/templates/user-server.conf.j2 b/roles/msca-openvpn/templates/user-server.conf.j2
index 35d5861..4a59f57 100644
--- a/roles/msca-openvpn/templates/user-server.conf.j2
+++ b/roles/msca-openvpn/templates/user-server.conf.j2
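Review bot: The `install keys` loop carries the private key in its item data (`content: "{{ key }}"`), so Ansible's per-item task output (and the `--diff` output of `copy` with `content:`) will print the key material on every run; add `no_log: true` to the task alongside `notify:`. Separately, the task installs `{{ vpc_region }}.{{ ca_name|lower }}.crt`/`.key` for every `vpn_mode`, while the context lines of `vpc-client.conf.j2` in this patch reference `{{ vpc_region }}-client.{{ ca_name|lower }}.crt`/`.key`, so on a vpc-client host the files written here are not the ones the config reads unless they are provisioned elsewhere; making the `file:` names depend on `vpn_mode` (or aligning the template) would close that gap. Also worth noting that `crl_pem` is a static variable: a CRL carries a next-update time, and once that passes `crl-verify` will presumably start rejecting connections, so the refresh path for that value should be documented in the role.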
@@ -40,27 +40,7 @@ crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
 cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
 key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-07b7f906a252a8b304d2b9e055b05299
-f199db480ce9da121fdbed99b2b18747
-f24fd2b4b95f1dbbe2a480b9eb761413
-03bc6848ec6181bb78078043306e2fcd
-ad992ee1a5c02ded40c289209eb77587
-36ac2a15fba4eb0cfc721c2c70a3fb83
-7af9e5423e8cf81c5904a989d114fae8
-b0c9ffd27bac60718d7231ab7cf4871f
-79d0cc9e37935afea8b67f1a2c396707
-8a586e78a1ba340e9c5bcce41de9ade7
-5ca23c436c65c30bcb7e2854ed576b93
-a955fe3b4d408444d5afaa8cc23dc9a5
-f613242847be6cd33cb939b94658dd89
-e02c3629fa9d8ff99d415b7041bd9df6
-15d3744bd648f2ab1ba2db0c64737308
-aca2fbab7c9b7114e4d8b646ca430c19
------END OpenVPN Static key V1-----
+{{ ta_secret }}
 script-security 2
diff --git a/roles/msca-openvpn/templates/vpc-client.conf.j2 b/roles/msca-openvpn/templates/vpc-client.conf.j2
index e881e96..45df321 100644
--- a/roles/msca-openvpn/templates/vpc-client.conf.j2
+++ b/roles/msca-openvpn/templates/vpc-client.conf.j2
@@ -18,3 +18,9 @@ daemon
 ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
 cert /etc/openvpn/keys/{{ vpc_region }}-client.{{ ca_name|lower }}.crt
 key /etc/openvpn/keys/{{ vpc_region }}-client.{{ ca_name|lower }}.key
+tls-server
+tls-version-min 1.2
+key-direction 0
+
+{{ ta_secret }}
+
diff --git a/roles/msca-openvpn/templates/vpc-server.conf.j2 b/roles/msca-openvpn/templates/vpc-server.conf.j2
index e07289f..a8864ba 100644
--- a/roles/msca-openvpn/templates/vpc-server.conf.j2
+++ b/roles/msca-openvpn/templates/vpc-server.conf.j2
@@ -21,9 +21,9 @@ topology subnet
 max-clients 64
 verb 3
-log /var/log/openvpn/openvpn.log
+log /var/log/openvpn/openvpn-vpc.log
 status-version 3
-status /var/log/openvpn/status.log
+status /var/log/openvpn/status-vpc.log
 client-connect /etc/openvpn/scripts/event-log.sh
 tmp-dir /dev/shm
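Review bot: `{{ ta_secret }}` lands bare between `key …` and `script-security 2`, exactly where the removed static key sat, with no `<tls-auth>`…`</tls-auth>` tags and no `tls-auth` directive adjoining it in either the old or the new lines of the hunk; unless the `ta_secret` value itself carries the wrapper tags, OpenVPN has no directive telling it what this key material is. The hunks for `vpc-client.conf.j2` and `vpc-server.conf.j2` below insert the variable the same way. The static key removed here was committed verbatim in two templates, and deleting it from the working tree does not remove it from the repository history, so it should be treated as exposed and `ta_secret` should hold a freshly generated key rather than the same material. If one `ta_secret` value is shared between the user-facing and VPC roles as the old key was, consider a separate variable per role so that exposure of one link does not affect the other.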
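Review bot: `tls-server` and `key-direction 0` are added to the client-side template: with `tls-auth`, the two peers must use opposite key directions (server 0, client 1, or both unset), and `tls-server` makes this end the TLS server, so if this peer connects to the `vpc-server.conf.j2` config — a server-mode config, going by its `max-clients` and `client-connect` lines in this patch — both sides would claim the server role and the handshake would not complete. Unless this template is deliberately the TLS-server end of a point-to-point link, the two lines should read `tls-client` and `key-direction 1`, with the server side kept on direction 0. The `client`/`remote` lines that would settle the role are outside the hunk, so confirm against the full template.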
@@ -37,27 +37,7 @@ crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
 cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
 key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-07b7f906a252a8b304d2b9e055b05299
-f199db480ce9da121fdbed99b2b18747
-f24fd2b4b95f1dbbe2a480b9eb761413
-03bc6848ec6181bb78078043306e2fcd
-ad992ee1a5c02ded40c289209eb77587
-36ac2a15fba4eb0cfc721c2c70a3fb83
-7af9e5423e8cf81c5904a989d114fae8
-b0c9ffd27bac60718d7231ab7cf4871f
-79d0cc9e37935afea8b67f1a2c396707
-8a586e78a1ba340e9c5bcce41de9ade7
-5ca23c436c65c30bcb7e2854ed576b93
-a955fe3b4d408444d5afaa8cc23dc9a5
-f613242847be6cd33cb939b94658dd89
-e02c3629fa9d8ff99d415b7041bd9df6
-15d3744bd648f2ab1ba2db0c64737308
-aca2fbab7c9b7114e4d8b646ca430c19
------END OpenVPN Static key V1-----
+{{ ta_secret }}
 script-security 2
--
2.43.2