OpenVPN client and server roles

README.md

@@ -537,7 +537,7 @@ gfx.canvas.accelerated = false
 ssh_dispatch_run_fatal: Connection to 40.74.28.12 port 22: error in libcrypto
 ```
 
-It needs to fixed by executing `update-crypto-policies --set LEGACY` and rebooting the machine.
+It needs to be fixed by executing `update-crypto-policies --set LEGACY` (or creating your own custom crypto policy) and rebooting the machine.
 
 21. ssh-config for Azure DevOps and GitHub:
 

inventory/hosts.yml

@@ -69,6 +69,10 @@ vpngateway:
 openvpn:
   hosts:
     vpn1:
+    vagrant:
+      ansible_user: vagrant
+      ansible_password: vagrant
+      ansible_host: 10.0.0.43
 
 openwrt:
   vars:

inventory/vagrant.yml

@@ -1,13 +1,13 @@
 # This file is used by Vagrantfile
 ---
 hosts:
-  - name: "fedora35"
+  - name: "fedora"
     # os: "generic/fedora35"
-    os: "alvistack/fedora-35"
-    hostname: "fedora35.srv"
+    os: "fedora/40-cloud-base"
+    hostname: "fedora.srv"
     ip:
       - "10.0.0.10"
     cpu: "2"
-    mem: "4096"
+    mem: "2048"
     port_forward: []
     hostname_alias: []

playbooks/vms.yml

@@ -26,6 +26,13 @@
         - reboot_required_file.stat.exists == true
         - inventory_hostname != "mikeeClevo"
 
+- name: Provision Clevo
+  hosts:
+    - clevo
+  become: true
+  roles:
+    - servers/bootstrap
+
 - name: Set variables on an imported playbook
   ansible.builtin.import_playbook: generic-core.yml
   vars:
@@ -50,6 +57,24 @@
     - apps/docker
     - servers/apps/adguard-home
 
+- name: Provision GW1
+  hosts:
+    - gw1
+  become: true
+  roles:
+    - servers/network-static-dns
+    - apps/openvpn-client
+    - servers/apps/vpn-gw
+
+- name: Provision VPN1
+  hosts:
+    - vpn1
+  become: true
+  roles:
+    - servers/network-static-dns
+    - servers/apps/openvpn
+    - servers/apps/vpn-gw
+
 - name: Provision mikeeClevo
   hosts:
     - mikeeClevo

playbooks/vpn.yml

@@ -0,0 +1,9 @@
+---
+- name: Provision VPN1
+  hosts:
+    - vpn1
+  become: true
+  roles:
+    - servers/network-static-dns
+    - servers/apps/openvpn
+    - servers/apps/vpn-gw

roles/apps/openvpn-client/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+ovpn_client_templates_path: files

roles/apps/openvpn-client/files/client.ovpn

@@ -0,0 +1,35 @@
+client
+dev tun
+proto tcp
+remote pl-waw.prod.surfshark.com 1443
+remote-random
+nobind
+tun-mtu 1500
+mssfix 1450
+ping 15
+ping-restart 0
+reneg-sec 0
+
+remote-cert-tls server
+
+auth-user-pass pass.txt
+
+#comp-lzo
+verb 3
+fast-io
+cipher AES-256-CBC
+
+auth SHA512
+
+<ca>
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
+</ca>
+key-direction 1
+<tls-auth>
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+-----END OpenVPN Static key V1-----
+</tls-auth>

roles/apps/openvpn-client/files/pass.txt

@@ -0,0 +1,2 @@
+username
+password

roles/apps/openvpn-client/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Install openvpn
+  dnf:
+    name: "openvpn"
+    state: present
+
+- name: Configure ovpn client files
+  template:
+    src: "{{ ovpn_client_templates_path }}/{{ item.src }}"
+    dest: "/etc/openvpn/client/{{ item.dest }}"
+    mode: 0664
+    backup: true
+  loop:
+    - src: client.ovpn
+      dest: client.conf
+    - src: pass.txt
+      dest: pass.txt
+
+- name: Enable service [email protected]
+  systemd:
+    name: [email protected]
+    enabled: true
+    state: started

roles/apps/vagrant/tasks/install_x86_64.yml

@@ -25,10 +25,13 @@
 - include_tasks: get_latest_version.yml
   when: vagrant_version is not defined
 
+- debug:
+    var: vagrant_version
+
 # name: "https://releases.hashicorp.com/vagrant/{{ vagrant_version }}/vagrant_{{ vagrant_version}}_x86_64.rpm"
 - name: Install vagrant from hashicorp repo
   dnf:
-    name: "https://releases.hashicorp.com/vagrant/{{ vagrant_version}}/vagrant-{{ vagrant_version }}-1.x86_64.rpm"
+    name: "https://releases.hashicorp.com/vagrant/{{ vagrant_version }}/vagrant-{{ vagrant_version }}-1.x86_64.rpm"
     state: latest
     disable_gpg_check: true
   when: installed_vagrant_version.stdout != vagrant_version

roles/pkg_mgmt/dnf/tasks/dnf5.yml

@@ -9,7 +9,7 @@
 
 - name: Bootstrap a host without python3-libdnf5 installed
   ansible.builtin.raw: if dnf list --installed | grep -q -i python3-libdnf5; then echo -n "exists"; else dnf install -y python3-libdnf5; fi
-  changed_when: python3_libdnf5_installed.stdout != "exists"
+  changed_when: '"exists" not in python3_libdnf5_installed.stdout'
   register: python3_libdnf5_installed
 
 - name: Install dnf5

roles/servers/apps/home-assistant/tasks/main.yml

@@ -1,27 +1,27 @@
 ---
-# - name: Check docker-compose executable is present
-#   shell: "which docker-compose"
-#   register: docker_compose_result
-#   ignore_errors: true
-#   changed_when: false
+- name: Check docker-compose executable is present
+  shell: "which docker-compose"
+  register: docker_compose_result
+  ignore_errors: true
+  changed_when: false
 
-# - fail:
-#     msg: "docker-compose is not found! You need to install it first."
-#   when: docker_compose_result.rc != 0
+- fail:
+    msg: "docker-compose is not found! You need to install it first."
+  when: docker_compose_result.rc != 0
 
-# - name: Ensure passlib is installed
-#   delegate_to: localhost
-#   pip:
-#     name:
-#       - passlib
-#     state: present
+- name: Ensure passlib is installed
+  delegate_to: localhost
+  pip:
+    name:
+      - passlib
+    state: present
 
-# # TODO: add stat to check if docker-compose file exists before running cleanup
+# TODO: add stat to check if docker-compose file exists before running cleanup
 
 # - include_tasks: cleanup.yml
 #   when: home_assistant_clean
 
-# - import_tasks: custom.yml
+- import_tasks: custom.yml
 - import_tasks: config.yml
-# - import_tasks: config_mosquitto.yml
-# - import_tasks: install.yml
+- import_tasks: config_mosquitto.yml
+- import_tasks: install.yml

roles/servers/apps/openvpn/defaults/main.yml

@@ -1,17 +1,38 @@
 ---
-ssl_path: "/etc/openvpn/ssl"
-easyrsa_path: "/usr/share/easy-rsa/3"
-pki_path: "/etc/openvpn/pki"
-certs_path: "{{ pki_path }}/issued"
-keys_path: "{{ pki_path }}/private"
+openvpn_configs_path: "/etc/openvpn"
 
-common_name: "vpn.example.com"
+openvpn_server_config_path: "{{ openvpn_configs_path }}/server"
+# 995 - ssl pop3
+openvpn_server_port: 995
 
-ca_path: "{{ pki_path }}/ca.crt"
-dh_path: "{{ pki_path }}/dh.pem"
+openvpn_ssl_path: "{{ openvpn_configs_path }}/ssl"
+openvpn_ca_cert_path: "{{ openvpn_ssl_path }}/ca"
+openvpn_client_cert_path: "{{ openvpn_ssl_path }}/client"
+openvpn_server_cert_path: "{{ openvpn_ssl_path }}/server"
+openvpn_certs_common_name: "vpn.example.com"
 
-server_crt_name: server
-server_crt_path: "{{ certs_path }}/{{ server_crt_name }}.crt"
+openvpn_clients:
+  - vagrant
+  - test
 
-client_crts:
-  - client
+openvpn_pull_client_name: "vagrant"
+openvpn_pull_client_config_path: "/tmp/certs_vpn"
+
+### Old
+# easyrsa_path: "/usr/share/easy-rsa/3"
+# pki_path: "/etc/openvpn/pki"
+# certs_path: "{{ pki_path }}/issued"
+# keys_path: "{{ pki_path }}/private"
+
+# common_name: "vpn.example.com"
+
+# ca_path: "{{ pki_path }}/ca.crt"
+# dh_path: "{{ pki_path }}/dh.pem"
+
+# server_crt_name: server
+# server_crt_path: "{{ certs_path }}/{{ server_crt_name }}.crt"
+
+# # client_crts:
+# #   - client
+
+# server_port: 443

roles/servers/apps/openvpn/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart_openvpn_server
+  service:
+    name: openvpn-server@server
+    state: restarted

roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml

@@ -1,96 +1,25 @@
 ---
-- package:
+- name: Install python3-pip
+  package:
     name: python3-pip
     state: present
 
-- pip:
-    name: pyOpenSSL
+- name: Install ansible pip dependencies
+  pip:
+    name: "{{ pkgs }}"
     state: present
-
-- file:
-    path: "{{ ssl_path }}"
+  vars:
+    pkgs:
+      - pyOpenSSL
+      - packaging
+
+- name: Create directory for certs
+  file:
+    path: "{{ openvpn_ssl_path }}"
     state: directory
 
-- openssl_privatekey:
-    path: "{{ ssl_path }}/ca.pem"
-
-- openssl_csr:
-    path: "{{ ssl_path }}/ca.csr"
-    privatekey_path: "{{ ssl_path }}/ca.pem"
-    basic_constraints_critical: true
-    basic_constraints: CA:TRUE
-    key_usage_critical: true
-    key_usage:
-      - cRLSign
-      - digitalSignature
-      - keyCertSign
-    common_name: "{{ certs_path }}"
-
-- name: Generate CA a Self Signed OpenSSL certificate
-  openssl_certificate:
-    path: "{{ ssl_path }}/ca.crt"
-    privatekey_path: "{{ ssl_path }}/ca.pem"
-    csr_path: "{{ ssl_path }}/ca.csr"
-    provider: selfsigned
-
-- openssl_privatekey:
-    path: "{{ ssl_path }}/server.pem"
-
-- openssl_csr:
-    path: "{{ ssl_path }}/server.csr"
-    privatekey_path: "{{ ssl_path }}/server.pem"
-    basic_constraints_critical: true
-    basic_constraints: CA:FALSE
-    key_usage_critical: true
-    key_usage:
-      - nonRepudiation
-      - digitalSignature
-      - keyEncipherment
-      - keyAgreement
-    extended_key_usage_critical: true
-    extended_key_usage: serverAuth
-    common_name: "{{ certs_path }}"
-
-- name: Generate Server Self Signed OpenSSL certificate
-  openssl_certificate:
-    path: "{{ ssl_path }}/server.crt"
-    privatekey_path: "{{ ssl_path }}/server.pem"
-    csr_path: "{{ ssl_path }}/server.csr"
-    provider: ownca
-    ownca_path: "{{ ssl_path }}/ca.crt"
-    ownca_privatekey_path: "{{ ssl_path }}/ca.pem"
-
-
-- openssl_privatekey:
-    path: "{{ ssl_path }}/client.pem"
-
-- openssl_csr:
-    path: "{{ ssl_path }}/client.csr"
-    privatekey_path: "{{ ssl_path }}/client.pem"
-    basic_constraints_critical: true
-    basic_constraints: CA:FALSE
-    key_usage_critical: true
-    key_usage:
-      - nonRepudiation
-      - digitalSignature
-      - keyEncipherment
-    extended_key_usage_critical: true
-    extended_key_usage: clientAuth
-    common_name: "{{ certs_path }}"
-
-- name: Generate a Self Signed OpenSSL certificate
-  community.crypto.x509_certificate:
-    path: "{{ ssl_path }}/client.crt"
-    privatekey_path: "{{ ssl_path }}/client.pem"
-    csr_path: "{{ ssl_path }}/client.csr"
-    provider: ownca
-    ownca_path: "{{ ssl_path }}/ca.crt"
-    ownca_privatekey_path: "{{ ssl_path }}/ca.pem"
-
-- openssl_dhparam:
-    path: "{{ ssl_path }}/dhparams.pem"
-
-- name: Openssl TLS key_usage
-  shell: openvpn --genkey --secret {{ ssl_path }}/tls.key
-  args:
-    creates: "{{ ssl_path }}/tls.key"
+- import_tasks: "openssl/ca.yml"
+- import_tasks: "openssl/server.yml"
+- import_tasks: "openssl/server_extras.yml"
+- include_tasks: "openssl/client.yml"
+  loop: "{{ openvpn_clients }}"