openvpn

This role installs OpenVPN, configures it as a server, sets up networking (either iptables or firewalld), and can optionally create client certificates.

Tested OSes (TravisCI):

- Fedora 28+
- CentOS 7

Requirements

OpenVPN must be available as a package in yum/apt! For CentOS users, this role will run

```
yum install epel-release
```

to ensure openvpn is available.

Ubuntu precise has a weird bug that might make the iptables-persistent install fail. There is a workaround.

Role Variables

| Variable | Type | Choices | Default | Comment |
|----------|------|---------|---------|---------|
| openvpn_base_dir | string | | /etc/openvpn | Path where your OpenVPN config will be stored |
| openvpn_ovpn_dir | string | | /etc/openvpn | Path where your client configurations will be stored |
| openvpn_key_dir | string | | /etc/openvpn/keys | Path where your server private keys and CA will be stored |
| openvpn_local | string | | | Local host name or IP address to bind to. If specified, OpenVPN binds to this address only; if unspecified, OpenVPN binds to all interfaces. |
| openvpn_port | int | | 1194 | The port you want OpenVPN to run on. If you have different ports on different servers, I suggest you set the port in your inventory file. |
| openvpn_server_hostname | string | | `{{ inventory_hostname }}` | The server name to place in the client configuration file (if different from the `inventory_hostname`) |
| openvpn_proto | string | udp, tcp | udp | The protocol you want OpenVPN to use |
| openvpn_dualstack | boolean | | true | Whether or not to use a dual-stack (IPv4 + IPv6) socket |
| openvpn_config_file | string | | `openvpn_{{ openvpn_proto }}_{{ openvpn_port }}` | The config file name you want to use |
| openvpn_rsa_bits | int | | 2048 | Number of bits used to protect generated certificates |
| openvpn_service_name | string | | openvpn | Name of the service. Used by systemctl to start the service |
| openvpn_uninstall | boolean | true, false | false | Set to true to uninstall the OpenVPN service |
| openvpn_use_pregenerated_dh_params | boolean | true, false | false | DH params are generated during the install by default |
| openvpn_use_hardened_tls | boolean | true, false | true | Require a minimum version of TLS 1.2 |
| openvpn_use_modern_tls | boolean | true, false | true | Use modern ciphers for TLS encryption (not recommended with OpenVPN 2.4) |
| openvpn_verify_cn | boolean | true, false | false | Check that the CN of the certificate matches the FQDN |
| openvpn_redirect_gateway | boolean | true, false | true | OpenVPN gateway push (route client traffic through the VPN) |
| openvpn_set_dns | boolean | true, false | true | Push DNS servers (Cloudflare and Google) to the client |
| openvpn_enable_management | boolean | true, false | true | Enable the OpenVPN management interface |
| openvpn_management_bind | string | | `/var/run/openvpn/management unix` | The interface to bind the management interface to. Can be a Unix or TCP socket. |
| openvpn_management_client_user | string | | root | User to use when the management interface is a Unix socket. |
| openvpn_server_network | string | | 10.9.0.0 | Private network used by the OpenVPN service |
| openvpn_server_netmask | string | | 255.255.255.0 | Netmask of the private network |
| tls_auth_required | boolean | true, false | true | Require the client to present the server-generated ta.key (tls-auth) during the connection |
| firewalld_default_interface_zone | string | | public | Firewalld zone into which `ansible_default_ipv4.interface` will be placed |
| openvpn_server_ipv6_network | boolean | true, false | false | If set, the network address and prefix of an IPv6 network to assign to clients. If true, IPv4 is still used too. |
| openvpn_ca_key | dict | | | Contains "crt" and "key". If not set, the CA cert and key will be generated automatically on the target system. |
| openvpn_tls_auth_key | string | | | Single item with a pre-generated TLS authentication key. |
| openvpn_topology | boolean | true, false | false | If set, the "topology" keyword will be set in the server config with the specified value. |
| openvpn_push | list | | empty | List of strings, each placed in the server config as `push "..."`. E.g. `- route 10.20.30.0 255.255.255.0` will generate `push "route 10.20.30.0 255.255.255.0"` |
| openvpn_use_ldap | boolean | true, false | false | Activate the LDAP backend for authentication. Client certificates are no longer needed |
| ldap | dict | | | Dictionary that contains the LDAP configuration |
| manage_firewall_rules | boolean | true, false | true | Allow the playbook to manage iptables |
| openvpn_crl_path | string | | | Define a path to the CRL file for revocations. |
| openvpn_use_crl | boolean | true, false | | Configure the OpenVPN server to honor the certificate revocation list. |
| clients | list | | [] | List of clients to add to OpenVPN |
| openvpn_sync_certs | boolean | true, false | false | Revoke certificates not explicitly defined in `clients` |
| openvpn_revoke_these_certs | list | | [] | List of client certificates to revoke. |
| openvpn_client_register_dns | boolean | true, false | true | Add the `register-dns` option to the client config (Windows only). |
| openvpn_duplicate_cn | boolean | true, false | false | Add the `duplicate-cn` option to the server config; this allows clients to connect multiple times with the one key. NOTE: client IP addresses won't be static anymore! |
| openvpn_addl_server_options | list | | empty | List of user-defined server options that are not already present in the server template (e.g. `- ping-timer-rem`) |
| openvpn_addl_client_options | list | | empty | List of user-defined client options that are not already present in the client template (e.g. `- mssfix 1400`) |
| openvpn_status_version | int | 1, 2, 3 | 1 | Define the formatting of the openvpn-status.log file, which lists the current client connections |
| openvpn_resolv_retry | int/string | any int, infinite | 5 | Hostname resolve failure retry seconds. Set "infinite" to retry indefinitely, e.g. for poor connections or laptop sleep-mode recovery. |
| openvpn_client_to_client | boolean | true, false | false | Set to true if you want clients to access each other. |
| openvpn_masquerade_not_snat | boolean | true, false | false | Set to true to set up MASQUERADE instead of the default SNAT in iptables. |
| openvpn_compression | string | | lzo | Set the `compress` compression option. Empty for no compression. |
| openvpn_cipher | string | | AES-256-CBC | Set the `cipher` option for server and client. |
| openvpn_auth_alg | string | | SHA256 | Set the `auth` authentication algorithm. |
| openvpn_tun_mtu | int | | | Set the `tun-mtu` value. Empty for default. |
| openvpn_log_dir | string | | /var/log | Location of the openvpn log files. This parameter is part of the `log-append` configuration value. |
| openvpn_log_file | string | | openvpn.log | Log filename. This parameter is part of the `log-append` configuration value. |
| openvpn_logrotate_config | string | | See defaults/main.yml | Configure the logrotate script. |
| openvpn_keepalive_ping | int | | 5 | Set the `keepalive` ping interval in seconds. |
| openvpn_keepalive_timeout | int | | 30 | Set the `keepalive` timeout in seconds. |
| openvpn_service_user | string | | nobody | Set the openvpn service user. |
| openvpn_service_group | string | | nogroup | Set the openvpn service group. |

LDAP object

| Variable | Type | Choices | Default | Comment |
|----------|------|---------|---------|---------|
| url | string | | ldap://host.example.com | Address of your LDAP backend with syntax ldap[s]://host[:port] |
| anonymous_bind | string | False, True | False | This is not an Ansible boolean but a string that will be pushed into the configuration file |
| bind_dn | string | | uid=Manager,ou=People,dc=example,dc=com | Bind DN used if `anonymous_bind` is set to "False" |
| bind_password | string | | mysecretpassword | Password of the bind_dn user |
| tls_enable | string | yes, no | no | Force TLS encryption. Not necessary with ldaps addresses |
| tls_ca_cert_file | string | | /etc/openvpn/auth/ca.pem | Path to the CA of the LDAP backend. It must have been pushed beforehand |
| tls_cert_file | string | | | Path to the client authentication certificate |
| tls_key_file | string | | | Path to the client authentication key |
| base_dn | string | | ou=People,dc=example,dc=com | Base DN where the backend will look for valid users |
| search_filter | string | | (&(uid=%u)(accountStatus=active)) | Filter for the LDAP search |
| require_group | string | False, True | | This is not an Ansible boolean but a string that will be pushed into the configuration file |
| group_base_dn | string | | ou=Groups,dc=example,dc=com | Specifies the group base to look in. Required if require_group is set to "True" |
| group_search_filter | string | | (\|(cn=developers)(cn=artists)) | Specifies the valid groups |
| verify_client_cert | string | none, optional, require | client-cert-not-required | In OpenVPN 2.4+ `client-cert-not-required` is deprecated. Use `verify-client-cert` instead. |

Dependencies

Does not depend on any other roles

Example Playbook

```yaml
- hosts: vpn
  gather_facts: true
  roles:
    - {role: kyl191.openvpn, clients: [client1, client2], openvpn_port: 4300}
```

Note: As the role needs to know the remote platform (32 or 64 bits), you must set `gather_facts` to `true` in your play.
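A fuller play than the one above, added here as an example and not taken from the role's own README, showing how the role variables combine for a split-tunnel server with an explicit certificate lifecycle and a local-only management socket. The hostname, client names, the 10.20.30.0/24 route and the DNS address are constructed values.

```yaml
# Added example (not the role's README example). All host, client and
# address values are constructed placeholders.
- hosts: vpn
  gather_facts: true              # the role needs the remote platform facts
  roles:
    - role: kyl191.openvpn
      openvpn_port: 4300
      openvpn_proto: udp
      # Constructed name; it is what clients get in their .ovpn and must
      # match the server certificate CN if openvpn_verify_cn is enabled.
      openvpn_server_hostname: vpn.example.com

      # Transport hardening: TLS 1.2 minimum, tls-auth HMAC required,
      # AEAD data-channel cipher.
      openvpn_use_hardened_tls: true
      tls_auth_required: true
      openvpn_cipher: AES-256-GCM
      openvpn_auth_alg: SHA256

      # Certificate lifecycle: only the listed clients keep valid certs;
      # any other cert issued by this CA is revoked and the CRL is enforced.
      clients:
        - alice-laptop
        - bob-laptop
      openvpn_revoke_these_certs:
        - carol-old-phone
      openvpn_sync_certs: true
      openvpn_use_crl: true
      openvpn_duplicate_cn: false    # one active session per certificate

      # Split tunnel: only the internal range is routed over the VPN, and
      # the public resolvers the role would push by default are replaced
      # with an internal one via openvpn_push.
      openvpn_redirect_gateway: false
      openvpn_set_dns: false
      openvpn_server_network: 10.9.0.0
      openvpn_server_netmask: 255.255.255.0
      openvpn_push:
        - route 10.20.30.0 255.255.255.0
        - dhcp-option DNS 10.20.30.53
      openvpn_client_to_client: false

      # Management interface stays on the local unix socket (the default)
      # rather than a TCP socket reachable from the network.
      openvpn_enable_management: true
      openvpn_management_bind: /var/run/openvpn/management unix
      openvpn_status_version: 2

      manage_firewall_rules: true
      openvpn_addl_server_options:
        - ping-timer-rem
```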

License

GPLv2

Author Information

Written by Kyle Lexmond
