diff --git a/roles/servers/apps/openvpn/defaults/main.yml b/roles/servers/apps/openvpn/defaults/main.yml
deleted file mode 100644
index 5f229a69..00000000
--- a/roles/servers/apps/openvpn/defaults/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-ssl_path: "/etc/openvpn/ssl"
-easyrsa_path: "/usr/share/easy-rsa/3"
-pki_path: "/etc/openvpn/pki"
-certs_path: "{{ pki_path }}/issued"
-keys_path: "{{ pki_path }}/private"
-
-common_name: "vpn.example.com"
-
-ca_path: "{{ pki_path }}/ca.crt"
-dh_path: "{{ pki_path }}/dh.pem"
-
-server_crt_name: server
-server_crt_path: "{{ certs_path }}/{{ server_crt_name }}.crt"
-
-client_crts:
- - client
-
-server_port: 443
diff --git a/roles/servers/apps/openvpn/files/client.conf b/roles/servers/apps/openvpn/files/client.conf
deleted file mode 100644
index 19a53396..00000000
--- a/roles/servers/apps/openvpn/files/client.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-client
-tls-client
-ca /etc/openvpn/ssl/ca.crt
-cert /etc/openvpn/ssl/client.crt
-key /etc/openvpn/ssl/client.pem
-tls-crypt /path/to/myvpn.tlsauth
-remote-cert-eku "TLS Web Client Authentication"
-proto udp
-remote 192.168.110.10 1337 udp
-dev tun
-#topology subnet
-pull
-user nobody
-group nobody
diff --git a/roles/servers/apps/openvpn/files/client2.conf b/roles/servers/apps/openvpn/files/client2.conf
deleted file mode 100644
index c2b1dad7..00000000
--- a/roles/servers/apps/openvpn/files/client2.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-client
-tls-client
-ca ca.crt
-cert client.crt
-key client.pem
-tls-auth tls.key 1
-proto tcp
-remote vpn.example.com 443 tcp
-dev tun
-#topology subnet
-pull
-user nobody
-group nobody
diff --git a/roles/servers/apps/openvpn/files/openssl.cnf b/roles/servers/apps/openvpn/files/openssl.cnf
deleted file mode 100644
index fb3d0f21..00000000
--- a/roles/servers/apps/openvpn/files/openssl.cnf
+++ /dev/null
@@ -1,47 +0,0 @@
-
-Prebuilt openssl.cnf
-Info, with commands required beginning on Line 430
-Certificate Authorities & Intermediate CAs
-Self-signed CA
-keyUsage: cRLSign, digitalSignature, keyCertSign
-Should not contain any other KUs or EKUs
-V3 Profile:
-[ v3_ca ]
-basicConstraints = critical, CA:TRUE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-keyUsage = critical, cRLSign, digitalSignature, keyCertSign
-subjectAltName = @alt_ca
-Intermediate CA
-keyUsage: cRLSign, digitalSignature, keyCertSign
-Should not contain any other KUs or EKUs
-V3 Profile:
-[ v3_ica ]
-basicConstraints = critical, CA:TRUE, pathlen:1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-keyUsage = critical, cRLSign, digitalSignature, keyCertSign
-subjectAltName = @alt_ica
-Where pathlen: is equal to the number of CAs/ICAs it can sign
-Cannot sign other CAs/ICAs if pathlen: is set to 0
-Non-CA Certificates
-VPN Server
-keyUsage: nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
-V3 Profile:
-[ v3_vpn_server ]
-basicConstraints = critical, CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
-extendedKeyUsage = critical, serverAuth
-subjectAltName = @alt_vpn_server
-VPN Client
-keyUsage: nonRepudiation, digitalSignature, keyEncipherment
-V3 Profile:
-[ v3_vpn_client ]
-basicConstraints = critical, CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always, issuer:always
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = critical, clientAuth
-subjectAltName = @alt_vpn_client
diff --git a/roles/servers/apps/openvpn/files/server.conf b/roles/servers/apps/openvpn/files/server.conf
deleted file mode 100644
index 1dd477bd..00000000
--- a/roles/servers/apps/openvpn/files/server.conf
+++ /dev/null
@@ -1,315 +0,0 @@
-#################################################
-# Sample OpenVPN 2.0 config file for #
-# multi-client server. #
-# #
-# This file is for the server side #
-# of a many-clients <-> one-server #
-# OpenVPN configuration. #
-# #
-# OpenVPN also supports #
-# single-machine <-> single-machine #
-# configurations (See the Examples page #
-# on the web site for more info). #
-# #
-# This config should work on Windows #
-# or Linux/BSD systems. Remember on #
-# Windows to quote pathnames and use #
-# double backslashes, e.g.: #
-# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
-# #
-# Comments are preceded with '#' or ';' #
-#################################################
-
-# Which local IP address should OpenVPN
-# listen on? (optional)
-;local a.b.c.d
-
-# Which TCP/UDP port should OpenVPN listen on?
-# If you want to run multiple OpenVPN instances
-# on the same machine, use a different port
-# number for each one. You will need to
-# open up this port on your firewall.
-port 1194
-
-# TCP or UDP server?
-;proto tcp
-proto udp
-
-# "dev tun" will create a routed IP tunnel,
-# "dev tap" will create an ethernet tunnel.
-# Use "dev tap0" if you are ethernet bridging
-# and have precreated a tap0 virtual interface
-# and bridged it with your ethernet interface.
-# If you want to control access policies
-# over the VPN, you must create firewall
-# rules for the the TUN/TAP interface.
-# On non-Windows systems, you can give
-# an explicit unit number, such as tun0.
-# On Windows, use "dev-node" for this.
-# On most systems, the VPN will not function
-# unless you partially or fully disable
-# the firewall for the TUN/TAP interface.
-;dev tap
-dev tun
-
-# Windows needs the TAP-Win32 adapter name
-# from the Network Connections panel if you
-# have more than one. On XP SP2 or higher,
-# you may need to selectively disable the
-# Windows firewall for the TAP adapter.
-# Non-Windows systems usually don't need this.
-;dev-node MyTap
-
-# SSL/TLS root certificate (ca), certificate
-# (cert), and private key (key). Each client
-# and the server must have their own cert and
-# key file. The server and all clients will
-# use the same ca file.
-#
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
-# and private keys. Remember to use
-# a unique Common Name for the server
-# and each of the client certificates.
-#
-# Any X509 key management system can be used.
-# OpenVPN can also use a PKCS #12 formatted key file
-# (see "pkcs12" directive in man page).
-ca ca.crt
-cert server.crt
-key server.key # This file should be kept secret
-
-# Diffie hellman parameters.
-# Generate your own with:
-# openssl dhparam -out dh2048.pem 2048
-dh dh2048.pem
-
-# Network topology
-# Should be subnet (addressing via IP)
-# unless Windows clients v2.0.9 and lower have to
-# be supported (then net30, i.e. a /30 per client)
-# Defaults to net30 (not recommended)
-;topology subnet
-
-# Configure server mode and supply a VPN subnet
-# for OpenVPN to draw client addresses from.
-# The server will take 10.8.0.1 for itself,
-# the rest will be made available to clients.
-# Each client will be able to reach the server
-# on 10.8.0.1. Comment this line out if you are
-# ethernet bridging. See the man page for more info.
-server 10.8.0.0 255.255.255.0
-
-# Maintain a record of client <-> virtual IP address
-# associations in this file. If OpenVPN goes down or
-# is restarted, reconnecting clients can be assigned
-# the same virtual IP address from the pool that was
-# previously assigned.
-ifconfig-pool-persist ipp.txt
-
-# Configure server mode for ethernet bridging.
-# You must first use your OS's bridging capability
-# to bridge the TAP interface with the ethernet
-# NIC interface. Then you must manually set the
-# IP/netmask on the bridge interface, here we
-# assume 10.8.0.4/255.255.255.0. Finally we
-# must set aside an IP range in this subnet
-# (start=10.8.0.50 end=10.8.0.100) to allocate
-# to connecting clients. Leave this line commented
-# out unless you are ethernet bridging.
-;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
-
-# Configure server mode for ethernet bridging
-# using a DHCP-proxy, where clients talk
-# to the OpenVPN server-side DHCP server
-# to receive their IP address allocation
-# and DNS server addresses. You must first use
-# your OS's bridging capability to bridge the TAP
-# interface with the ethernet NIC interface.
-# Note: this mode only works on clients (such as
-# Windows), where the client-side TAP adapter is
-# bound to a DHCP client.
-;server-bridge
-
-# Push routes to the client to allow it
-# to reach other private subnets behind
-# the server. Remember that these
-# private subnets will also need
-# to know to route the OpenVPN client
-# address pool (10.8.0.0/255.255.255.0)
-# back to the OpenVPN server.
-;push "route 192.168.10.0 255.255.255.0"
-;push "route 192.168.20.0 255.255.255.0"
-
-# To assign specific IP addresses to specific
-# clients or if a connecting client has a private
-# subnet behind it that should also have VPN access,
-# use the subdirectory "ccd" for client-specific
-# configuration files (see man page for more info).
-
-# EXAMPLE: Suppose the client
-# having the certificate common name "Thelonious"
-# also has a small subnet behind his connecting
-# machine, such as 192.168.40.128/255.255.255.248.
-# First, uncomment out these lines:
-;client-config-dir ccd
-;route 192.168.40.128 255.255.255.248
-# Then create a file ccd/Thelonious with this line:
-# iroute 192.168.40.128 255.255.255.248
-# This will allow Thelonious' private subnet to
-# access the VPN. This example will only work
-# if you are routing, not bridging, i.e. you are
-# using "dev tun" and "server" directives.
-
-# EXAMPLE: Suppose you want to give
-# Thelonious a fixed VPN IP address of 10.9.0.1.
-# First uncomment out these lines:
-;client-config-dir ccd
-;route 10.9.0.0 255.255.255.252
-# Then add this line to ccd/Thelonious:
-# ifconfig-push 10.9.0.1 10.9.0.2
-
-# Suppose that you want to enable different
-# firewall access policies for different groups
-# of clients. There are two methods:
-# (1) Run multiple OpenVPN daemons, one for each
-# group, and firewall the TUN/TAP interface
-# for each group/daemon appropriately.
-# (2) (Advanced) Create a script to dynamically
-# modify the firewall in response to access
-# from different clients. See man
-# page for more info on learn-address script.
-;learn-address ./script
-
-# If enabled, this directive will configure
-# all clients to redirect their default
-# network gateway through the VPN, causing
-# all IP traffic such as web browsing and
-# and DNS lookups to go through the VPN
-# (The OpenVPN server machine may need to NAT
-# or bridge the TUN/TAP interface to the internet
-# in order for this to work properly).
-;push "redirect-gateway def1 bypass-dhcp"
-
-# Certain Windows-specific network settings
-# can be pushed to clients, such as DNS
-# or WINS server addresses. CAVEAT:
-# http://openvpn.net/faq.html#dhcpcaveats
-# The addresses below refer to the public
-# DNS servers provided by opendns.com.
-;push "dhcp-option DNS 208.67.222.222"
-;push "dhcp-option DNS 208.67.220.220"
-
-# Uncomment this directive to allow different
-# clients to be able to "see" each other.
-# By default, clients will only see the server.
-# To force clients to only see the server, you
-# will also need to appropriately firewall the
-# server's TUN/TAP interface.
-;client-to-client
-
-# Uncomment this directive if multiple clients
-# might connect with the same certificate/key
-# files or common names. This is recommended
-# only for testing purposes. For production use,
-# each client should have its own certificate/key
-# pair.
-#
-# IF YOU HAVE NOT GENERATED INDIVIDUAL
-# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
-# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
-# UNCOMMENT THIS LINE OUT.
-;duplicate-cn
-
-# The keepalive directive causes ping-like
-# messages to be sent back and forth over
-# the link so that each side knows when
-# the other side has gone down.
-# Ping every 10 seconds, assume that remote
-# peer is down if no ping received during
-# a 120 second time period.
-keepalive 10 120
-
-# For extra security beyond that provided
-# by SSL/TLS, create an "HMAC firewall"
-# to help block DoS attacks and UDP port flooding.
-#
-# Generate with:
-# openvpn --genkey --secret ta.key
-#
-# The server and each client must have
-# a copy of this key.
-# The second parameter should be '0'
-# on the server and '1' on the clients.
-tls-auth ta.key 0 # This file is secret
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link and push the
-# option to the client (v2.4+ only, for earlier
-# versions see below)
-;compress lz4-v2
-;push "compress lz4-v2"
-
-# For compression compatible with older clients use comp-lzo
-# If you enable it here, you must also
-# enable it in the client config file.
-;comp-lzo
-
-# The maximum number of concurrently connected
-# clients we want to allow.
-;max-clients 100
-
-# It's a good idea to reduce the OpenVPN
-# daemon's privileges after initialization.
-#
-# You can uncomment this out on
-# non-Windows systems.
-;user nobody
-;group nobody
-
-# The persist options will try to avoid
-# accessing certain resources on restart
-# that may no longer be accessible because
-# of the privilege downgrade.
-persist-key
-persist-tun
-
-# Output a short status file showing
-# current connections, truncated
-# and rewritten every minute.
-status openvpn-status.log
-
-# By default, log messages will go to the syslog (or
-# on Windows, if running as a service, they will go to
-# the "\Program Files\OpenVPN\log" directory).
-# Use log or log-append to override this default.
-# "log" will truncate the log file on OpenVPN startup,
-# while "log-append" will append to it. Use one
-# or the other (but not both).
-;log openvpn.log
-;log-append openvpn.log
-
-# Set the appropriate level of log
-# file verbosity.
-#
-# 0 is silent, except for fatal errors
-# 4 is reasonable for general usage
-# 5 and 6 can help to debug connection problems
-# 9 is extremely verbose
-verb 3
-
-# Silence repeating messages. At most 20
-# sequential messages of the same message
-# category will be output to the log.
-;mute 20
-
-# Notify the client that when the server restarts so it
-# can automatically reconnect.
-explicit-exit-notify 1
\ No newline at end of file
diff --git a/roles/servers/apps/openvpn/files/server1.conf b/roles/servers/apps/openvpn/files/server1.conf
deleted file mode 100644
index b04770e0..00000000
--- a/roles/servers/apps/openvpn/files/server1.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-#change with your port
-port 1337
-
-#You can use udp or tcp
-proto udp
-
-# "dev tun" will create a routed IP tunnel.
-dev tun
-
-#Certificate Configuration
-tls-auth /etc/openvpn/ssl/tls.key 0
-
-#ca certificate
-ca /etc/openvpn/ssl/ca.crt
-
-#Server Certificate
-cert /etc/openvpn/ssl/server.crt
-
-#Server Key and keep this is secret
-key /etc/openvpn/ssl/server.pem
-
-#See the size a dh key in /etc/openvpn/keys/
-dh /etc/openvpn/ssl/dhparams.pem
-
-#Internal IP will get when already connect
-server 10.8.0.0 255.255.255.0
-
-#this line will redirect all traffic through our OpenVPN
-push "redirect-gateway def1"
-
-#Provide DNS servers to the client, you can use goolge DNS
-push "dhcp-option DNS 8.8.8.8"
-push "dhcp-option DNS 8.8.4.4"
-
-#Enable multiple client to connect with same key
-duplicate-cn
-
-keepalive 20 60
-# comp-lzo
-persist-key
-persist-tun
-daemon
-
-#enable log
-log-append /var/log/openvpn.log
-
-#Log Level
-verb 3
diff --git a/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml b/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml
deleted file mode 100644
index b748559e..00000000
--- a/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml
+++ /dev/null
@@ -1,103 +0,0 @@
----
-- package:
- name: python3-pip
- state: present
-
-- pip:
- name: pyOpenSSL
- state: present
-
-- file:
- path: "{{ ssl_path }}"
- state: directory
-
-- openssl_privatekey:
- path: "{{ ssl_path }}/ca.pem"
-
-- openssl_csr:
- path: "{{ ssl_path }}/ca.csr"
- privatekey_path: "{{ ssl_path }}/ca.pem"
- basic_constraints_critical: true
- basic_constraints: CA:TRUE
- key_usage_critical: true
- key_usage:
- - cRLSign
- - digitalSignature
- - keyCertSign
- common_name: "{{ certs_path }}"
-
-- name: Generate CA a Self Signed OpenSSL certificate
- openssl_certificate:
- path: "{{ ssl_path }}/ca.crt"
- privatekey_path: "{{ ssl_path }}/ca.pem"
- csr_path: "{{ ssl_path }}/ca.csr"
- provider: selfsigned
-
-- openssl_privatekey:
- path: "{{ ssl_path }}/server.pem"
-
-- openssl_csr:
- path: "{{ ssl_path }}/server.csr"
- privatekey_path: "{{ ssl_path }}/server.pem"
- basic_constraints_critical: true
- basic_constraints: CA:FALSE
- key_usage_critical: true
- key_usage:
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- - keyAgreement
- extended_key_usage_critical: true
- extended_key_usage: serverAuth
- common_name: "{{ certs_path }}"
-
-- name: Generate Server Self Signed OpenSSL certificate
- openssl_certificate:
- path: "{{ ssl_path }}/server.crt"
- privatekey_path: "{{ ssl_path }}/server.pem"
- csr_path: "{{ ssl_path }}/server.csr"
- provider: ownca
- ownca_path: "{{ ssl_path }}/ca.crt"
- ownca_privatekey_path: "{{ ssl_path }}/ca.pem"
-
-
-- openssl_privatekey:
- path: "{{ ssl_path }}/client.pem"
-
-- openssl_csr:
- path: "{{ ssl_path }}/client.csr"
- privatekey_path: "{{ ssl_path }}/client.pem"
- basic_constraints_critical: true
- basic_constraints: CA:FALSE
- key_usage_critical: true
- key_usage:
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- extended_key_usage_critical: true
- extended_key_usage: clientAuth
- common_name: "{{ certs_path }}"
-
-- name: Generate a Self Signed OpenSSL certificate
- community.crypto.x509_certificate:
- path: "{{ ssl_path }}/client.crt"
- privatekey_path: "{{ ssl_path }}/client.pem"
- csr_path: "{{ ssl_path }}/client.csr"
- provider: ownca
- ownca_path: "{{ ssl_path }}/ca.crt"
- ownca_privatekey_path: "{{ ssl_path }}/ca.pem"
-
-- name: Generate dhparam
- delegate_to: 127.0.0.1
- openssl_dhparam:
- path: "/tmp/dhparams.pem"
-
-- name: Copy dhparam
- copy:
- src: "/tmp/dhparams.pem"
- dest: "{{ ssl_path }}/dhparams.pem"
-
-- name: Openssl TLS key_usage
- shell: openvpn --genkey --secret {{ ssl_path }}/tls.key
- args:
- creates: "{{ ssl_path }}/tls.key"
diff --git a/roles/servers/apps/openvpn/tasks/certs_shell_easy-rsa.yml b/roles/servers/apps/openvpn/tasks/certs_shell_easy-rsa.yml
deleted file mode 100644
index 86f9c9dd..00000000
--- a/roles/servers/apps/openvpn/tasks/certs_shell_easy-rsa.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-# /usr/share/easy-rsa/3/easyrsa
-# General options:
-
-# --batch : set automatic (no-prompts when possible) mode
-# --pki-dir=DIR : declares the PKI directory
-# --vars=FILE : define a specific 'vars' file to use for Easy-RSA config
-
-# - name: Symlink easyrsa binary
-# file:
-# src: "{{ easyrsa_path }}"
-# dest: "/usr/bin/easyrsa"
-# state: link
-
-
-- name: "Init pki"
- shell: "{{ easyrsa_path }}/easyrsa --batch --pki-dir={{ pki_path }} init-pki"
- # register: google_chrome_repo
- # changed_when: google_chrome_repo.rc != 0
- ignore_errors: true
- args:
- creates: "{{ pki_path }}"
-
-# - name: "Build-ca"
-# expect:
-# command: /usr/share/easy-rsa/3/easyrsa build-ca
-# responses:
-# (?i)PEM pass phrase: "MySekretPa$$word"
-
-
-- name: "Build-ca"
- shell: "{{ easyrsa_path }}/easyrsa --batch --pki-dir={{ pki_path }} build-ca nopass"
- args:
- creates: "{{ ca_path }}"
-
-# ./build-key-server server
-# build-server-full server nopass
-
-- name: "Build Server key and cert"
- shell: "{{ easyrsa_path }}/easyrsa --batch --pki-dir={{ pki_path }} build-server-full {{ server_crt_name }} nopass"
- args:
- creates: "{{ server_crt_path }}"
-
-# ./build-dh
-
-- name: "Build a Diffie-Hellman key exchange"
- shell: "{{ easyrsa_path }}/easyrsa --batch --pki-dir={{ pki_path }} gen-dh"
- args:
- creates: "{{ dh_path }}"
-
-# ./build-key client
-
-- name: "Build client cert"
- shell: "{{ easyrsa_path }}/easyrsa --batch --pki-dir={{ pki_path }} build-client-full {{ item }} nopass"
- args:
- creates: "{{ pki_path }}/issued/{{ item }}.crt"
- with_items:
- - "{{ client_crts }}"
diff --git a/roles/servers/apps/openvpn/tasks/get_certs.yml b/roles/servers/apps/openvpn/tasks/get_certs.yml
deleted file mode 100644
index a6170864..00000000
--- a/roles/servers/apps/openvpn/tasks/get_certs.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-# - file:
-# path: "/tmp/certs_vpn"
-# state: directory
-# delegate_to: localhost
-
-- name: "Download client certs"
- fetch:
- src: "/etc/openvpn/ssl/{{ item }}"
- dest: "/tmp/certs_vpn/{{ item }}"
- flat: true
- with_items:
- - ca.crt
- - client.crt
- - client.pem
- - tls.key
-
-- name: Add client openvpn config file
- template:
- src: client.conf.j2
- dest: /tmp/certs_vpn/client.conf
- delegate_to: localhost
diff --git a/roles/servers/apps/openvpn/tasks/install.yml b/roles/servers/apps/openvpn/tasks/install.yml
deleted file mode 100644
index e2771cae..00000000
--- a/roles/servers/apps/openvpn/tasks/install.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# yum -y install epel-repository
-# yum -y install openvpn easy-rsa iptables-services
-
-# - package:
-# name: "{{ item }}"
-# state: present
-# with_items:
-# - epel-release
-
-- package:
- name: "{{ item }}"
- state: present
- with_items:
- - openvpn
- - easy-rsa
- - iptables-services
- - iptables
diff --git a/roles/servers/apps/openvpn/tasks/main.yml b/roles/servers/apps/openvpn/tasks/main.yml
deleted file mode 100644
index 28cf0991..00000000
--- a/roles/servers/apps/openvpn/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- include_tasks: install.yml
-# - include_tasks: certs_shell_easy-rsa.yml
-- include_tasks: certs_ansible_openssl.yml
-- include_tasks: server_config.yml
-- include_tasks: server_iptables.yml
-- import_tasks: get_certs.yml
diff --git a/roles/servers/apps/openvpn/tasks/server_config.yml b/roles/servers/apps/openvpn/tasks/server_config.yml
deleted file mode 100644
index c9fd5f96..00000000
--- a/roles/servers/apps/openvpn/tasks/server_config.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- template:
- src: server.conf.j2
- dest: /etc/openvpn/server.conf
- # owner: bin
- # group: wheel
- # mode: 0644
-
-- service:
- name: openvpn-server@server
- state: started
- enabled: true
diff --git a/roles/servers/apps/openvpn/tasks/server_iptables.yml b/roles/servers/apps/openvpn/tasks/server_iptables.yml
deleted file mode 100644
index 4b91f111..00000000
--- a/roles/servers/apps/openvpn/tasks/server_iptables.yml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-# - iptables:
-# table: nat
-# chain: POSTROUTING
-# in_interface: eth0
-# protocol: tcp
-# match: tcp
-# destination_port: 80
-# jump: REDIRECT
-# to_ports: 8600
-# comment: Redirect web traffic to port 8600
-# become: yes
-
-# - iptables:
-# table: filter
-# chain: FORWARD
-# # protocol: udp
-# # match: udp
-# jump: ACCEPT
-# # ctstate: NEW
-# in_interface: tun0
-# out_interface: eth1
-# comment: Openvpn forward
-# action: insert
-# become: yes
-
-# # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-# - iptables:
-# table: filter
-# chain: FORWARD
-# # protocol: udp
-# # match: udp
-# jump: ACCEPT
-# ctstate: ESTABLISHED,RELATED
-# comment: Openvpn forward2
-# action: insert
-# become: yes
-
-# - iptables:
-# table: filter
-# chain: INPUT
-# protocol: tcp
-# match: tcp
-# jump: ACCEPT
-# ctstate: NEW
-# destination_port: 443
-# comment: Openvpn entry
-# action: insert
-# become: yes
-
-# - iptables:
-# table: filter
-# chain: INPUT
-# protocol: tcp
-# match: tcp
-# jump: ACCEPT
-# ctstate: NEW
-# destination_port: 80
-# comment: sshd port
-# action: insert
-# become: yes
-
-# - iptables:
-# table: filter
-# chain: INPUT
-# protocol: tcp
-# ctstate: NEW
-# jump: ACCEPT
-# # ctstate: NEW
-# destination_port: 22
-# state: absent
-# become: yes
-
-# - iptables:
-# table: nat
-# chain: POSTROUTING
-# jump: MASQUERADE
-# source: 10.69.0.0/24
-# out_interface: eth1
-# comment: Openvpn
-# become: yes
-
-# - shell: iptables --delete INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-# - shell: iptables-save > /etc/sysconfig/iptables
-# iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
diff --git a/roles/servers/apps/openvpn/templates/client.conf.j2 b/roles/servers/apps/openvpn/templates/client.conf.j2
deleted file mode 100644
index 61ff0982..00000000
--- a/roles/servers/apps/openvpn/templates/client.conf.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-client
-tls-client
-ca ca.crt
-cert client.crt
-key client.pem
-tls-auth tls.key 1
-proto tcp
-remote {{ common_name }} {{ server_port }} tcp
-dev tun
-#topology subnet
-pull
-user nobody
-group nobody
diff --git a/roles/servers/apps/openvpn/templates/server.conf.j2 b/roles/servers/apps/openvpn/templates/server.conf.j2
deleted file mode 100644
index 3ce9a3c1..00000000
--- a/roles/servers/apps/openvpn/templates/server.conf.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-#change with your port
-port {{ server_port }}
-
-#You can use udp or tcp
-proto tcp
-
-# "dev tun" will create a routed IP tunnel.
-dev tun
-
-#Certificate Configuration
-tls-auth {{ ssl_path }}/tls.key 0
-
-#ca certificate
-ca {{ ssl_path }}/ca.crt
-
-#Server Certificate
-cert {{ ssl_path }}/server.crt
-
-#Server Key and keep this is secret
-key {{ ssl_path }}/server.pem
-
-#See the size a dh key in /etc/openvpn/keys/
-dh {{ ssl_path }}/dhparams.pem
-
-#Internal IP will get when already connect
-server 10.69.0.0 255.255.255.0
-
-#this line will redirect all traffic through our OpenVPN
-push "redirect-gateway def1"
-
-#Provide DNS servers to the client, you can use goolge DNS
-push "dhcp-option DNS 8.8.8.8"
-push "dhcp-option DNS 8.8.4.4"
-
-#Enable multiple client to connect with same key
-duplicate-cn
-
-client-to-client
-keepalive 20 60
-# comp-lzo
-persist-key
-persist-tun
-daemon
-
-#enable log
-log-append /var/log/openvpn.log
-
-#Log Level
-verb 3