WARNING: This role is still in development. DO NOT TRY TO USE IN PRODUCTION!
Role to deploy OpenVPN Client-to-Site VPN setups.
This role uses the OpenSource OpenVPN Community edition.
Why use the community edition?
-
Pros:
- No license fees - one server can scale up to thousands of clients without any major costs
- All major functionalities are covered by the opensource edition
- Manageable using Ansible
-
Cons
-
This edition has no graphical (web-) user-interface!
If you are searching for a pretty web-ui to click at => check out the OpenVPN Access Server
-
Tested:
- Debian 11
- Debian 12
# latest
ansible-galaxy role install git+https://github.com/ansibleguy/infra_openvpn
# from galaxy
ansible-galaxy install ansibleguy.infra_openvpn
# or to custom role-path
ansible-galaxy install ansibleguy.infra_openvpn --roles-path ./roles
# install dependencies
ansible-galaxy install -r requirements.yml-
Need professional support using Ansible or OpenVPN? Contact us:
E-Mail: contact@oxl.at
Tel: +43 3115 40 900 0
Language: German or English
-
You want a simple Ansible GUI?
Check-out this Ansible WebUI
Define the config as needed:
openvpn:
You might want to use 'ansible-vault' to encrypt your passwords:
ansible-vault encrypt_stringRun the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.ymlThere are also some useful tags available: * *
To debug errors - you can set the 'debug' variable at runtime:
# WARNING: Will log passwords!
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yesTo let OpenVPN services be automatically restarted (without interactive prompts):
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e auto_restart=yes-
Package installation
- Ansible dependencies (minimal)
-
Configuration *
-
Default config: *
-
Default opt-ins: *
-
Default opt-outs: *
-
-
Info: If you want to know more about configuring OpenVPN-community - check out their comprehensive documentation
Interesting pages:
-
Info: ChromeOS uses the Open-Network-Configuration (ONC) format.
It is formatted in JSON and pretty hard to debug as you do not get any useful error messages.
The profile-template provided by this role might not work for every edge-case.
If you need to troubleshoot it - look into the ONC documentation. But be aware: not every option might work practically as documented..
-
Warning: If a OpenVPN instance should support connections to ChromeOS clients - you will need to set the 'openvpn.instances.[name].security.tls_crypt' option to 'false' as this is not (currently) supported by the ChromeOS implementation.
-
Note: this role currently only supports debian-based systems
-
Note: Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in the main defaults-file!
-
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
-
Info: If you want to user
openvpn.unprivileged: truefor gained system-security the installed OpenVPN binary needs to supportiproute2!The role will check if the binary is compatible and fail is that is not the case!
Options how to gain support for iproute2:
- You will have to use a binary that was compiled with that option enabled
- Re-Compile OpenVPN yourself as seen in this example script (without the 'uninstall')
- Or configure the role to download a re-compiled binary from my ansibleguy/openvpn-recompiled repository!
- Uninstall existing OpenVPN packages/binaries
- Copy/link the
openvpnbinary to/usr/local/bin
- You will have to use a binary that was compiled with that option enabled
-
Info: If you are using multi-factor-authentication you might run into issues when some clients (like ChromeOS) do not support a second input field for the second secret!
You might need to set
openvpn.server.auth.mfa_separatorto any unusual characters you like. (per example: <<<)This enables you to input both secret1 (password) and secret2 (totp pin) in the same input field! Like so:
p4ssW0rd<<<001122The default separator
:will always be supported - even if you set a custom one. This allows both ways to be supported.
