From 79a2659f7d999029d3bfe6e5adbf88ed68329c3f Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 00:04:58 +0200 Subject: [PATCH 01/17] Adding initial params for client configs --- manifests/tunnel.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 8d742f2..6f10e2f 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -59,7 +59,9 @@ $route = '', $push = '', $template = '', - $enable = true ) { + $enable = true, + $clients = {} +) { include openvpn @@ -109,6 +111,8 @@ source => $auth_key, } } + + each($clients) |$commonname, $params| { notice $params } # Automatic monitoring of port and service if $openvpn::bool_monitor == true { From fc10f5180b0192a353fdedfe06cb3034fbed8503 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 10:45:28 +0200 Subject: [PATCH 02/17] Allowing to use other openvpn::client type --- manifests/client.pp | 8 ++++++++ manifests/init.pp | 6 +++++- manifests/params.pp | 2 ++ manifests/tunnel.pp | 21 ++++++++++++++++++--- 4 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 manifests/client.pp diff --git a/manifests/client.pp b/manifests/client.pp new file mode 100644 index 0000000..aabb8e1 --- /dev/null +++ b/manifests/client.pp @@ -0,0 +1,8 @@ +define openvpn::client ( + $cn, + $params +) { + + noticy {"$name: $params":} + +} diff --git a/manifests/init.pp b/manifests/init.pp index f3ede40..d31bb0c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -198,6 +198,9 @@ # This is used by monitor, firewall and puppi (optional) components # Can be defined also by the (top scope) variable $openvpn_protocol # +# [*client_class*] +# The class to use for configuring individual clients of a tunnel +# # # == Examples # 
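Review bot: The `each($clients) |$commonname, $params| { ... }` lambda added after the auth_key block only parses under Puppet's future parser (Puppet 3.2+ with `parser = future`) or Puppet 4, while the rest of this module is plain Puppet 3 (`params_lookup`, `any2bool`), so `openvpn::tunnel` will stop compiling on a stock Puppet 3 master. If the lambda is intentional, the define's header comment should state the requirement, e.g. `# Requires the future parser (puppet.conf: parser = future) for the each() loop over $clients.`, and the module README should say the same. The enclosing define starts and ends outside the hunk.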
@@ -253,7 +256,8 @@ $log_dir = params_lookup( 'log_dir' ), $log_file = params_lookup( 'log_file' ), $port = params_lookup( 'port' ), - $protocol = params_lookup( 'protocol' ) + $protocol = params_lookup( 'protocol' ), + $client_type = params_lookup( 'client_type' ) ) inherits openvpn::params { $bool_source_dir_purge=any2bool($source_dir_purge) diff --git a/manifests/params.pp b/manifests/params.pp index 70a088f..2bc13b4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -91,6 +91,8 @@ $port = '1194' $protocol = 'tcp' + + $client_type = 'openvpn::client' # General Settings $my_class = '' diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 6f10e2f..5b72e4a 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -60,7 +60,8 @@ $push = '', $template = '', $enable = true, - $clients = {} + $clients = {}, + $client_type = $openvpn::client_type ) { include openvpn @@ -98,6 +99,15 @@ notify => Service['openvpn'], content => template($real_template), } + + file { [ "${openvpn::config_dir}/${name}", + "${openvpn::config_dir}/${name}/ccd" ]: + ensure => directory, + mode => $openvpn::config_file_mode, + owner => $openvpn::config_file_owner, + group => $openvpn::config_file_group, + require => Package['openvpn'], + } if $auth_key != '' { file { "openvpn_${name}.key": @@ -111,8 +121,13 @@ source => $auth_key, } } - - each($clients) |$commonname, $params| { notice $params } + + each($clients) |$commonname, $params| { + $client_type { "${name}-${commonname}": + cn => $commonname, + params => $params, + } + } # Automatic monitoring of port and service if $openvpn::bool_monitor == true { From 98cf06aad6b72c5859e9b4c16173c884b0d92d16 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 10:59:21 +0200 Subject: [PATCH 03/17] Allowing to use other openvpn::client type --- manifests/tunnel.pp | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 5b72e4a..4902230 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -123,10 +123,15 @@ } each($clients) |$commonname, $params| { - $client_type { "${name}-${commonname}": - cn => $commonname, - params => $params, - } + create_resources( + $client_type, + { "${name}-${commonname}" => + { 'cn' => $commonname, + 'params' => $params + } + } + ) + } # Automatic monitoring of port and service From a79dd9a326b8eb53d8fdef2380b24ec600174823 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 11:00:39 +0200 Subject: [PATCH 04/17] Allowing to use other openvpn::client type --- manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index aabb8e1..723955b 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -3,6 +3,6 @@ $params ) { - noticy {"$name: $params":} + notice {"$name: $params":} } From 64aa0218779724dfc233aadd38ea406d3f2310a3 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 11:12:41 +0200 Subject: [PATCH 05/17] Allowing to use other openvpn::client type --- manifests/client.pp | 2 +- manifests/init.pp | 10 +++++----- manifests/params.pp | 2 +- manifests/tunnel.pp | 9 ++++----- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 723955b..54fe499 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -3,6 +3,6 @@ $params ) { - notice {"$name: $params":} + notify {"$name: $params":} } diff --git a/manifests/init.pp b/manifests/init.pp index d31bb0c..e26bce4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -134,7 +134,7 @@ # [*package*] # The name of openvpn package # -# [*package_src*] +# [*package_repo*] # The source of the package. Currently only 'distro' (default) and # 'openvpn' are supported. # 
@@ -238,7 +238,7 @@ $debug = params_lookup( 'debug' , 'global' ), $audit_only = params_lookup( 'audit_only' , 'global' ), $package = params_lookup( 'package' ), - $package_src = params_lookup( 'package_src' ), + $package_repo = params_lookup( 'package_repo' ), $service = params_lookup( 'service' ), $service_status = params_lookup( 'service_status' ), $process = params_lookup( 'process' ), @@ -342,9 +342,9 @@ } ### Managed resources - if $package_src != 'distro' and $package_src != 'openvpn' { - fail("Unrecognized value for option package_src") - } elsif $package_src == 'openvpn' { + if $package_repo != 'distro' and $package_repo != 'openvpn' { + fail("Unrecognized value for option package_repo") + } elsif $package_repo == 'openvpn' { class { 'openvpn::repository': before => Package[$openvpn::package] } diff --git a/manifests/params.pp b/manifests/params.pp index 2bc13b4..71dd39e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -20,7 +20,7 @@ default => 'openvpn', } - $package_src = 'distro' + $package_repo = 'distro' $service = $::operatingsystem ? { default => 'openvpn', diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 4902230..92083db 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -122,14 +122,13 @@ } } + # The each is required to allow one CN to be used + # with multiple tunnels. each($clients) |$commonname, $params| { create_resources( $client_type, - { "${name}-${commonname}" => - { 'cn' => $commonname, - 'params' => $params - } - } + { "${name}-${commonname}" => $params }, + { 'cn' => $commonname } ) } From b7d041f9192c91bb3a69d908a30c830e505c1f03 Mon Sep 17 00:00:00 2001 
From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 12:26:07 +0200 Subject: [PATCH 06/17] Initial DH/CA/Server key/crt generation --- manifests/client.pp | 3 +- manifests/init.pp | 13 +++- manifests/params.pp | 14 ++++ manifests/tunnel.pp | 146 +++++++++++++++++++++++++++++-------- templates/easyrsa.vars.erb | 61 ++++++++++++++++ templates/server.conf.erb | 2 +- 6 files changed, 203 insertions(+), 36 deletions(-) create mode 100644 templates/easyrsa.vars.erb diff --git a/manifests/client.pp b/manifests/client.pp index 54fe499..98fe12a 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,8 +1,7 @@ define openvpn::client ( $cn, - $params ) { - notify {"$name: $params":} + notify {"$name":} } diff --git a/manifests/init.pp b/manifests/init.pp index e26bce4..ad46f05 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -257,7 +257,18 @@ $log_file = params_lookup( 'log_file' ), $port = params_lookup( 'port' ), $protocol = params_lookup( 'protocol' ), - $client_type = params_lookup( 'client_type' ) + $client_type = params_lookup( 'client_type' ), + $easyrsa_package = params_lookup( 'easyrsa_package' ), + $easyrsa_dir = params_lookup( 'easyrsa_dir' ), + $easyrsa_country = params_lookup( 'easyrsa_country' ), + $easyrsa_province = params_lookup( 'easyrsa_province' ), + $easyrsa_city = params_lookup( 'easyrsa_city' ), + $easyrsa_org = params_lookup( 'easyrsa_org' ), + $easyrsa_email = params_lookup( 'easyrsa_email' ), + $easyrsa_cn = params_lookup( 'easyrsa_cn' ), + $easyrsa_name = params_lookup( 'easyrsa_name' ), + $easyrsa_ou = params_lookup( 'easyrsa_ou' ), + $easyrsa_key_size = params_lookup( 'easyrsa_key_size' ), ) inherits openvpn::params { $bool_source_dir_purge=any2bool($source_dir_purge) diff --git a/manifests/params.pp b/manifests/params.pp index 71dd39e..f749643 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -93,6 +93,20 @@ $protocol = 'tcp' $client_type = 'openvpn::client' + + # Easy-rsa + $easyrsa_package = 'easy-rsa' + $easyrsa_dir = '/usr/share/easy-rsa' + $easyrsa_key_country = 'World' + $easyrsa_key_province = 'Puppet' + $easyrsa_key_city = 'Example42' + $easyrsa_key_org = 'Example42' + $easyrsa_key_email = "PKI@example.org" + $easyrsa_key_cn = $::fqdn + $easyrsa_key_name = $::fqdn + $easyrsa_key_ou = "" + $easyrsa_key_size = 1024 + # General Settings $my_class = '' diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 92083db..cf81ef7 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -48,20 +48,29 @@ # If the tunnel is enabled or not. # define openvpn::tunnel ( - $auth_type = 'tls-server', - $mode = 'server', - $remote = '', - $port = '1194', - $auth_key = '', - $proto = 'tcp', - $dev = 'tun', - $server = '10.8.0.0 255.255.255.0', - $route = '', - $push = '', - $template = '', - $enable = true, - $clients = {}, - $client_type = $openvpn::client_type + $auth_type = 'tls-server', + $mode = 'server', + $remote = '', + $port = $openvpn::port, + $auth_key = '', + $proto = 'tcp', + $dev = 'tun', + $server = '10.8.0.0 255.255.255.0', + $route = '', + $push = '', + $template = '', + $enable = true, + $clients = {}, + $client_type = $openvpn::client_type, + $easyrsa_country = $openvpn::easyrsa_country, + $easyrsa_province = $openvpn::easyrsa_province, + $easyrsa_city = $openvpn::easyrsa_city, + $easyrsa_org = $openvpn::easyrsa_org, + $easyrsa_email = $openvpn::easyrsa_email, + $easyrsa_cn = $openvpn::easyrsa_cn, + $easyrsa_name = $openvpn::easyrsa_name, + $easyrsa_ou = $openvpn::easyrsa_ou, + $easyrsa_key_size = $openvpn::easyrsa_key_size, ) { include openvpn 
@@ -89,6 +98,18 @@ default => $template, } + if $easyrsa_key_size < 2048 { + # Assuming a CA is generated with a lifetime of 3650 days, 4096 really + # should be used. See also: + # http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html + # http://danielpocock.com/rsa-key-sizes-2048-or-4096-bits + # http://news.techworld.com/security/3214360/rsa-1024-bit-private-key-encryption-cracked/ + # Ask in ##security on Freenode (IRC) + notify { "A key size of ${easyrsa_key_size} bits was specified for\n + tunnel ${name}. You really should upgrade to 2048 bits, or even\n + 4096 bits. Oh well, just don't blame us if you're hacked.": } + } + file { "openvpn_${name}.conf": ensure => $manage_file, path => "${openvpn::config_dir}/${name}.conf", @@ -99,15 +120,6 @@ notify => Service['openvpn'], content => template($real_template), } - - file { [ "${openvpn::config_dir}/${name}", - "${openvpn::config_dir}/${name}/ccd" ]: - ensure => directory, - mode => $openvpn::config_file_mode, - owner => $openvpn::config_file_owner, - group => $openvpn::config_file_group, - require => Package['openvpn'], - } if $auth_key != '' { file { "openvpn_${name}.key": 
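Review bot: The `notify` that warns when `$easyrsa_key_size < 2048` builds its message from a multi-line double-quoted string, so the literal `\n` escapes, the real line breaks and the source indentation all end up in the logged text, and it declares a resource on every run instead of warning once at compile time. A compile-time `warning("openvpn::tunnel ${name}: easyrsa_key_size ${easyrsa_key_size} is below 2048 bits; use 2048 or 4096")` keeps the advice without the resource or the mangled message. The comparison presumably sees a string when the value arrives via `params_lookup`; confirm that a quoted `'1024'` still takes the branch. The define continues outside the hunk.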
@@ -122,15 +134,85 @@ } } - # The each is required to allow one CN to be used - # with multiple tunnels. - each($clients) |$commonname, $params| { - create_resources( - $client_type, - { "${name}-${commonname}" => $params }, - { 'cn' => $commonname } - ) - + if $mode == 'server' { + + file { [ "${openvpn::config_dir}/${name}", + "${openvpn::config_dir}/${name}/ccd" ]: + ensure => directory, + mode => $openvpn::config_file_mode, + owner => $openvpn::config_file_owner, + group => $openvpn::config_file_group, + require => Package['openvpn'], + } + + if $auth_type == "tls-server" { + + if ! defined(Package[$openvpn::easyrsa_package]) { + package { $openvpn::easyrsa_package: + ensure => installed + } + } + + file { "${openvpn::config_dir}/${name}/easy-rsa/vars": + ensure => present, + content => template('openvpn/easyrsa.vars.erb'), + require => Exec["openvpn-tunnel-setup-easyrsa-${name}"]; + } + + file {"${openvpn::config_dir}/${name}/easy-rsa/openssl.cnf": + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/openssl-1.0.0.cnf", + require => Exec["openvpn-tunnel-setup-easyrsa-${name}"] + } + + exec { + "openvpn-tunnel-setup-easyrsa-${name}": + command => "/bin/cp -r ${openvpn::easyrsa_dir} ${openvpn::config_dir}/${name}/easy-rsa && \ + chmod 755 ${openvpn::config_dir}/${name}/easy-rsa", + creates => "${openvpn::config_dir}/${name}/easy-rsa", + require => File["${openvpn::config_dir}/${name}"]; + + "openvpn-tunnel-rsa-dh-${name}": + command => '. ./vars && ./clean-all && ./build-dh', + cwd => "${openvpn::config_dir}/${name}/easy-rsa", + creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/dh${easyrsa_key_size}.pem", + provider => 'shell', + require => File["${openvpn::config_dir}/${name}/easy-rsa/vars"]; + + "openvpn-tunnel-rsa-ca-${name}": + command => '. 
./vars && ./pkitool --initca', + cwd => "${openvpn::config_dir}/${name}/easy-rsa", + creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/ca.key", + provider => 'shell', + require => [ Exec["openvpn-tunnel-rsa-dh-${name}"], + File["${openvpn::config_dir}/${name}/easy-rsa/openssl.cnf"] ]; + + "openvpn-tunnel-rsa-servercrt-${name}": + command => '. ./vars && ./pkitool --server server', + cwd => "${openvpn::config_dir}/${name}/easy-rsa", + creates => "${openvpn::config_dir}/easy-rsa/keys/server.key", + provider => 'shell', + require => Exec["openvpn-tunnel-rsa-ca-${name}"]; + } + + file { "${openvpn::config_dir}/${name}/keys": + ensure => link, + target => "${openvpn::config_dir}/${name}/easy-rsa/keys", + require => Exec["openvpn-tunnel-setup-easyrsa-${name}"]; + } + + } + + # The each is required to allow one CN to be used + # with multiple tunnels. + each($clients) |$commonname, $params| { + create_resources( + $client_type, + { "${name}-${commonname}" => $params }, + { 'cn' => $commonname } + ) + + } } # Automatic monitoring of port and service diff --git a/templates/easyrsa.vars.erb b/templates/easyrsa.vars.erb new file mode 100644 index 0000000..02ba68a --- /dev/null +++ b/templates/easyrsa.vars.erb 
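Review bot: The `openvpn-tunnel-rsa-dh-${name}` exec runs `./clean-all && ./build-dh` gated only on `keys/dh${easyrsa_key_size}.pem`, and easy-rsa's clean-all removes the whole `KEY_DIR`; so once a CA and client certificates exist, changing `easyrsa_key_size` (which renames the DH file) makes the next run wipe `ca.key`, the server cert and every issued client cert and then mint a fresh CA that no existing client trusts. Gate clean-all on the keys directory itself and leave build-dh gated on the DH file, as sketched below. Two smaller points in the same hunk: the `openssl.cnf` symlink target hardcodes `/etc/openvpn/${name}/...` instead of `${openvpn::config_dir}/${name}/...`, so a non-default config_dir breaks it, and the servercrt exec's `creates` path omits `${name}` (patch 07 rewrites that line and is reviewed there). Keeping the CA private key at `${openvpn::config_dir}/${name}/easy-rsa/keys/ca.key` on the VPN host is a design choice the define's header should state, since anyone who can read that directory can issue client certificates. The define continues outside the hunk.
```puppet
      "openvpn-tunnel-rsa-clean-${name}":
        command  => '. ./vars && ./clean-all',
        cwd      => "${openvpn::config_dir}/${name}/easy-rsa",
        creates  => "${openvpn::config_dir}/${name}/easy-rsa/keys",
        provider => 'shell',
        require  => File["${openvpn::config_dir}/${name}/easy-rsa/vars"];

      "openvpn-tunnel-rsa-dh-${name}":
        command  => '. ./vars && ./build-dh',
        cwd      => "${openvpn::config_dir}/${name}/easy-rsa",
        creates  => "${openvpn::config_dir}/${name}/easy-rsa/keys/dh${easyrsa_key_size}.pem",
        provider => 'shell',
        require  => Exec["openvpn-tunnel-rsa-clean-${name}"];
      # … unchanged: ca and servercrt execs …
```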
@@ -0,0 +1,61 @@ +# File managed by Puppet + +# easy-rsa parameter settings + +# This variable should point to +# the top level of the easy-rsa +# tree. +export EASY_RSA="`pwd`" + +# +# This variable should point to +# the requested executables +# +export OPENSSL="openssl" +export PKCS11TOOL="pkcs11-tool" +export GREP="grep" + + +# This variable should point to +# the openssl.cnf file included +# with easy-rsa. +export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` + +# Edit this variable to point to +# your soon-to-be-created key +# directory. +# +# WARNING: clean-all will do +# a rm -rf on this directory +# so make sure you define +# it correctly! +export KEY_DIR="$EASY_RSA/keys" + +# Issue rm -rf warning +# echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR + +# PKCS11 fixes +export PKCS11_MODULE_PATH="dummy" +export PKCS11_PIN="dummy" + +export KEY_SIZE=<%= @easyrsa_key_size %> + +# In how many days should the root CA key expire? +export CA_EXPIRE=3650 + +# In how many days should certificates expire? +export KEY_EXPIRE=3650 + +# These are the default values for fields +# which will be placed in the certificate. +# Don't leave any of these fields blank. +export KEY_COUNTRY="<%= @easyrsa_country %>" +export KEY_PROVINCE="<%= @easyrsa_province %>" +export KEY_CITY="<%= @easyrsa_city %>" +export KEY_ORG="<%= @easyrsa_org %>" +export KEY_EMAIL="<%= @easyrsa_email %>" +export KEY_CN=<%= @easyrsa_cn %> +export KEY_NAME=<%= @easyrsa_name %> +export KEY_OU=<%= @easyrsa_ou %> +export PKCS11_MODULE_PATH=changeme +export PKCS11_PIN=1234 diff --git a/templates/server.conf.erb b/templates/server.conf.erb index 670ca79..29dfc55 100644 --- a/templates/server.conf.erb +++ b/templates/server.conf.erb @@ -16,7 +16,7 @@ tls-server ca ca.crt cert <%= @hostname %>.crt key <%= @hostname %>.key -dh dh1024.pem +dh dh<%= @easyrsa_key_size %>.pem # duplicate-cn <% end -%> From 7e5a7cd7553e2b66721dfe92dfa0824f3176efff Mon Sep 17 00:00:00 2001 
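Review bot: The `KEY_CN`, `KEY_NAME` and `KEY_OU` exports are written unquoted and none of the interpolated `@easyrsa_*` values are shell-escaped, yet every exec in tunnel.pp sources this file with `. ./vars` through the shell provider; a value containing a space breaks the sourcing, and one containing `"`, a backtick or `$(` is executed as shell at that point. Quote every export (`export KEY_OU="<%= @easyrsa_ou %>"`) and have the define reject those metacharacters in the easyrsa_* parameters before rendering. `PKCS11_MODULE_PATH` and `PKCS11_PIN` are exported twice, first as `dummy` and again as `changeme`/`1234` at the bottom, so the first pair is dead; drop one. `CA_EXPIRE` and `KEY_EXPIRE` are fixed at 3650 days, which makes every client certificate this module issues valid for ten years unless revoked; consider exposing both as parameters next to `easyrsa_key_size`.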
From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 14:01:47 +0200 Subject: [PATCH 07/17] Minor cert generation fixes --- manifests/params.pp | 16 ++++++++-------- manifests/tunnel.pp | 10 ++++++++-- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index f749643..58d5119 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -97,14 +97,14 @@ # Easy-rsa $easyrsa_package = 'easy-rsa' $easyrsa_dir = '/usr/share/easy-rsa' - $easyrsa_key_country = 'World' - $easyrsa_key_province = 'Puppet' - $easyrsa_key_city = 'Example42' - $easyrsa_key_org = 'Example42' - $easyrsa_key_email = "PKI@example.org" - $easyrsa_key_cn = $::fqdn - $easyrsa_key_name = $::fqdn - $easyrsa_key_ou = "" + $easyrsa_country = 'World' + $easyrsa_province = 'Puppet' + $easyrsa_city = 'Example42' + $easyrsa_org = 'Example42' + $easyrsa_email = "PKI@example.org" + $easyrsa_cn = $::fqdn + $easyrsa_name = $::fqdn + $easyrsa_ou = "" $easyrsa_key_size = 1024 diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index cf81ef7..d21d84f 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -170,6 +170,7 @@ command => "/bin/cp -r ${openvpn::easyrsa_dir} ${openvpn::config_dir}/${name}/easy-rsa && \ chmod 755 ${openvpn::config_dir}/${name}/easy-rsa", creates => "${openvpn::config_dir}/${name}/easy-rsa", + notify => Service['openvpn'], require => File["${openvpn::config_dir}/${name}"]; "openvpn-tunnel-rsa-dh-${name}": 
@@ -177,21 +178,26 @@ cwd => "${openvpn::config_dir}/${name}/easy-rsa", creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/dh${easyrsa_key_size}.pem", provider => 'shell', + timeout => 0, + notify => Service['openvpn'], require => File["${openvpn::config_dir}/${name}/easy-rsa/vars"]; "openvpn-tunnel-rsa-ca-${name}": command => '. ./vars && ./pkitool --initca', cwd => "${openvpn::config_dir}/${name}/easy-rsa", - creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/ca.key", + creates => [ "${openvpn::config_dir}/${name}/easy-rsa/keys/ca.key", + "${openvpn::config_dir}/${name}/easy-rsa/keys/ca.crt" ], provider => 'shell', + notify => Service['openvpn'], require => [ Exec["openvpn-tunnel-rsa-dh-${name}"], File["${openvpn::config_dir}/${name}/easy-rsa/openssl.cnf"] ]; "openvpn-tunnel-rsa-servercrt-${name}": command => '. ./vars && ./pkitool --server server', cwd => "${openvpn::config_dir}/${name}/easy-rsa", - creates => "${openvpn::config_dir}/easy-rsa/keys/server.key", + creates => "${openvpn::config_dir}/easy-rsa/keys/${::fqdn}.key", provider => 'shell', + notify => Service['openvpn'], require => Exec["openvpn-tunnel-rsa-ca-${name}"]; } From 826f68278a30e76c8aa232c289f6793f7d12d52c Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 19:03:50 +0200 Subject: [PATCH 08/17] Country code of >2 chars fails --- manifests/params.pp | 5 ++--- manifests/tunnel.pp | 1 + 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 58d5119..4a92427 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
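Review bot: The rewritten `creates` of `openvpn-tunnel-rsa-servercrt-${name}` still cannot match anything: the path lacks the `${name}` directory component and the command `./pkitool --server server` writes `keys/server.key`, not `keys/${::fqdn}.key`. Because the file never appears, the exec re-issues the server key and certificate on every run, and with the `notify => Service['openvpn']` added in this hunk each run also restarts the service. The line should read `creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/server.key",`, which also matches the `keys/server.crt` path that patch 09's server.conf.erb references. The exec block starts in the previous hunk and the define continues outside this one.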
@@ -97,16 +97,15 @@ # Easy-rsa $easyrsa_package = 'easy-rsa' $easyrsa_dir = '/usr/share/easy-rsa' - $easyrsa_country = 'World' + $easyrsa_country = 'EU' $easyrsa_province = 'Puppet' $easyrsa_city = 'Example42' $easyrsa_org = 'Example42' $easyrsa_email = "PKI@example.org" $easyrsa_cn = $::fqdn $easyrsa_name = $::fqdn - $easyrsa_ou = "" + $easyrsa_ou = 'DevOps' $easyrsa_key_size = 1024 - # General Settings $my_class = '' diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index d21d84f..62cd434 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -188,6 +188,7 @@ creates => [ "${openvpn::config_dir}/${name}/easy-rsa/keys/ca.key", "${openvpn::config_dir}/${name}/easy-rsa/keys/ca.crt" ], provider => 'shell', + timeout => 0, notify => Service['openvpn'], require => [ Exec["openvpn-tunnel-rsa-dh-${name}"], File["${openvpn::config_dir}/${name}/easy-rsa/openssl.cnf"] ]; From 93a2368d9c842b6fab8ccfae5a702ca4aecb8ee4 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 22:46:41 +0200 Subject: [PATCH 09/17] Adding CCD configs and client cert generation --- manifests/client.pp | 24 ++++++++++++++++++++++-- manifests/tunnel.pp | 15 ++++++++++++--- templates/ccd.conf.erb | 26 ++++++++++++++++++++++++++ templates/server.conf.erb | 26 +++++++++++++++++--------- 4 files changed, 77 insertions(+), 14 deletions(-) create mode 100644 templates/ccd.conf.erb diff --git a/manifests/client.pp b/manifests/client.pp index 98fe12a..09b3ff2 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -1,7 +1,27 @@ define openvpn::client ( $cn, + $push = '', + $pushReset = false, + $iroute = '', + $ifconfigPush = '', + $config = '' ) { - - notify {"$name":} + file { "${openvpn::config_dir}/${name}/ccd/${cn}.conf": + ensure => file, + mode => $openvpn::config_file_mode, + owner => $openvpn::config_file_owner, + group => $openvpn::config_file_group, + content => template('openvpn/ccd.conf.erb'), + require => File[ "${openvpn::config_dir}/${name}/ccd" ] + } + + exec { "openvpn-client-gen-cert-${name}": + command => ". ./vars && ./pkitool ${cn}", + cwd => "${openvpn::config_dir}/${name}/easy-rsa", + creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/${name}.crt", + provider => 'shell', + require => Exec["openvpn-tunnel-rsa-ca-${name}"] + } + } diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 62cd434..6912934 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -53,7 +53,7 @@ $remote = '', $port = $openvpn::port, $auth_key = '', - $proto = 'tcp', + $proto = 'udp', $dev = 'tun', $server = '10.8.0.0 255.255.255.0', $route = '', @@ -136,8 +136,7 @@ if $mode == 'server' { - file { [ "${openvpn::config_dir}/${name}", - "${openvpn::config_dir}/${name}/ccd" ]: + file { "${openvpn::config_dir}/${name}": ensure => directory, mode => $openvpn::config_file_mode, owner => $openvpn::config_file_owner, @@ -145,6 +144,16 @@ require => Package['openvpn'], } + file { "${openvpn::config_dir}/${name}/ccd": + ensure => directory, + mode => $openvpn::config_file_mode, + owner => $openvpn::config_file_owner, + group => $openvpn::config_file_group, + purge => true, + recurse => true, + require => File[ "${openvpn::config_dir}/${name}" ] + } + if $auth_type == "tls-server" { if ! defined(Package[$openvpn::easyrsa_package]) { diff --git a/templates/ccd.conf.erb b/templates/ccd.conf.erb new file mode 100644 index 0000000..6be4149 --- /dev/null +++ b/templates/ccd.conf.erb 
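Review bot: `$cn` is interpolated unvalidated into `". ./vars && ./pkitool ${cn}"`, which the `shell` provider hands to a shell, and into the ccd file path `${openvpn::config_dir}/${name}/ccd/${cn}.conf`; the value is just a key of the caller's `$clients` hash, so a CN containing whitespace or a quote breaks or alters the command, and one containing `/` or `..` lands the ccd file outside the directory. Add a guard at the top of the define before either resource, e.g. `if $cn !~ /^[A-Za-z0-9._@-]+$/ { fail("openvpn::client ${name}: invalid cn '${cn}'") }`, and apply the same character set to the `easyrsa_*` parameters that reach the sourced vars file. A point of style: `pushReset` and `ifconfigPush` are camelCase while every other parameter in the module is snake_case; puppet-lint flags this, and renaming is cheap before the interface is published. The define is complete within the hunk.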
@@ -0,0 +1,26 @@ +<% if @push != "" -%> +<% @push.each do |push_entry| -%> +push "<%= push %>" +<% end -%> +<% end -%> + +<% @pushReset -%> +push-reset +<% end -%> + +<% if @iroute != "" -%> +<% @iroute.each do |iroute_entry| -%> +iroute "<%= iroute_entry %>" +<% end -%> +<% end -%> + +<% if @ifconfigPush != "" -%> +<% @ifconfigPush.each do |ifconfigPush_entry| -%> +ifconfig-push "<%= ifconfigPush_entry %>" +<% end -%> +<% end -%> + + +<% if @config != "" -%> +config "<%= config %>" +<% end -%> diff --git a/templates/server.conf.erb b/templates/server.conf.erb index 29dfc55..4c2b729 100644 --- a/templates/server.conf.erb +++ b/templates/server.conf.erb @@ -4,8 +4,15 @@ mode server port <%= @port %> proto <%= @real_proto %> dev <%= @dev %> -<% if @route != '' %>route <%= @route %><% end -%> -<% if @push != '' %>push <%= @push %><% end -%> + +<% @route.each do |route_entry| -%> +route <%= route_entry %> +<% end -%> + +<% @push.each do |push_entry| -%> +push "<%= push_entry %>" +<% end -%> + <% if @server != '' %>server <%= @server %><% end -%> <% if @auth_type == "key" -%> @@ -13,14 +20,14 @@ secret <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>.key <% end -%> <% if @auth_type == "tls-server" -%> tls-server -ca ca.crt -cert <%= @hostname %>.crt -key <%= @hostname %>.key -dh dh<%= @easyrsa_key_size %>.pem -# duplicate-cn +ca <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/ca.crt +cert <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/server.crt +key <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/server.crt +dh <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/dh<%= @easyrsa_key_size %>.pem <% end -%> -# client-config-dir ccd +client-config-dir <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/ccd +ccd-exclusive keepalive 10 60 inactive 0 
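Review bot: `push "<%= push %>"` and `config "<%= config %>"` reference bare Ruby locals `push` and `config` that do not exist in the template scope — the loop variable is `push_entry` and the parameter is `@config` — so rendering any client with a push list or a config entry raises at catalog compile time. The `iroute` and `ifconfig-push` lines wrap their arguments in double quotes, and OpenVPN's config parser treats a quoted string as one token, so `iroute "10.8.1.0 255.255.255.0"` is presumably read as a single malformed address rather than network plus netmask; only `push` wants the quotes. Proposed lines: `push "<%= push_entry %>"`, `iroute <%= iroute_entry %>`, `ifconfig-push <%= ifconfigPush_entry %>`, with the same `@config` fix on the last line. The `@push.each` / `@iroute.each` calls also assume array values; a single string passed by the caller fails on `each` under Ruby 1.9+, so either document that these take arrays or iterate `[@push].flatten`.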
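Review bot: `<% @route.each do |route_entry| -%>` and `<% @push.each do |push_entry| -%>` drop the `!= ''` guard the replaced lines had, but the tunnel define still defaults `$route` and `$push` to `''` (visible in patch 06's signature hunk), so a tunnel declared without routes or pushes calls `each` on a String; that raises NoMethodError under Ruby 1.9+ and silently emits a bare `route ` line under 1.8. Restore the guard around each loop, `<% if @route != '' -%>` … `<% end -%>`, or iterate `[@route].flatten.reject { |r| r == '' }` so a single string still works. The same applies to the `push` loop in this hunk.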
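Review bot: The `key` directive points at `keys/server.crt`, the certificate, instead of the private key, so OpenVPN cannot load its key at start-up; the line should be `key <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>/keys/server.key` (patch 10 rewrites these lines to fix the `=>` typo but keeps the `.crt`). Separately, `ccd-exclusive` together with the purged ccd directory means removing an entry from `$clients` locks that client out at the ccd level, but its certificate stays valid for the 3650 days set in easyrsa.vars.erb and no `crl-verify` line appears in the visible hunks. A short comment above `ccd-exclusive` noting that removal from `$clients` is not revocation would save the next operator a surprise, and a managed `crl-verify` file is the proper fix.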
@@ -29,6 +36,7 @@ group <%= scope.lookupvar("openvpn::process_group") %> persist-tun persist-key verb 4 # From 0 to 15 (max) -# comp-lzo # Compress data +comp-lzo # Compress data + # client-connect /etc/openvpn/script/client_connect # client-disconnect /etc/openvpn/script/client_disconnect From 15c4e3cfc762e12e17e93ba55d8994e3c22a7385 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 22:53:52 +0200 Subject: [PATCH 10/17] Syntax error in ccd file --- templates/server.conf.erb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/server.conf.erb b/templates/server.conf.erb index 4c2b729..9a02403 100644 --- a/templates/server.conf.erb +++ b/templates/server.conf.erb @@ -20,13 +20,13 @@ secret <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>.key <% end -%> <% if @auth_type == "tls-server" -%> tls-server -ca <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/ca.crt -cert <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/server.crt -key <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/server.crt -dh <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/keys/dh<%= @easyrsa_key_size %>.pem +ca <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>/keys/ca.crt +cert <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>/keys/server.crt +key <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>/keys/server.crt +dh <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>/keys/dh<%= @easyrsa_key_size %>.pem <% end -%> -client-config-dir <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name =>/ccd +client-config-dir <%= scope.lookupvar("openvpn::config_dir") %>/<%= @name %>/ccd ccd-exclusive keepalive 10 60 From 53affa0b972b6a34545d5b216c3707a19f53243e Mon Sep 17 00:00:00 2001 
From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 22:59:35 +0200 Subject: [PATCH 11/17] Fix var usage. client::name != tunnel::name --- manifests/client.pp | 7 ++++--- manifests/tunnel.pp | 2 +- templates/ccd.conf.erb | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 09b3ff2..178f1f6 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,5 +1,6 @@ define openvpn::client ( $cn, + $tunnelName, $push = '', $pushReset = false, $iroute = '', @@ -18,10 +19,10 @@ exec { "openvpn-client-gen-cert-${name}": command => ". ./vars && ./pkitool ${cn}", - cwd => "${openvpn::config_dir}/${name}/easy-rsa", - creates => "${openvpn::config_dir}/${name}/easy-rsa/keys/${name}.crt", + cwd => "${openvpn::config_dir}/${tunnelName}/easy-rsa", + creates => "${openvpn::config_dir}/${tunnelName}/easy-rsa/keys/${name}.crt", provider => 'shell', - require => Exec["openvpn-tunnel-rsa-ca-${name}"] + require => Exec["openvpn-tunnel-rsa-ca-${tunnelName}"] } } diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 6912934..a4b87af 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -225,7 +225,7 @@ create_resources( $client_type, { "${name}-${commonname}" => $params }, - { 'cn' => $commonname } + { 'cn' => $commonname, tunnelName => $name } ) } diff --git a/templates/ccd.conf.erb b/templates/ccd.conf.erb index 6be4149..0841652 100644 --- a/templates/ccd.conf.erb +++ b/templates/ccd.conf.erb @@ -4,7 +4,7 @@ push "<%= push %>" <% end -%> <% end -%> -<% @pushReset -%> +<% if @pushReset -%> push-reset <% end -%> From b3ad86fa21304f4337caf9ba4eca5b67311718a8 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 23:17:53 +0200 Subject: [PATCH 12/17] Removing file extension from CCD files --- manifests/client.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 178f1f6..ced74f4 100644 --- a/manifests/client.pp 
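Review bot: The `creates` guard `${openvpn::config_dir}/${tunnelName}/easy-rsa/keys/${name}.crt` rewritten here still cannot match: `./pkitool ${cn}` writes `keys/${cn}.crt`, while `$name` is the `"${name}-${commonname}"` title that tunnel.pp builds in create_resources, so the exec re-issues the client certificate on every run (and from patch 13 on also restarts the service each time). Use `creates => "${openvpn::config_dir}/${tunnelName}/easy-rsa/keys/${cn}.crt",`. Presumably easy-rsa's index also refuses a duplicate subject on the second issue, turning this into a hard failure rather than a silent re-issue; worth confirming on a second agent run. `tunnelName` follows the camelCase of `pushReset`; snake_case `tunnel_name` would match the rest of the module. The define starts in the previous hunk.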
+++ b/manifests/client.pp @@ -8,13 +8,13 @@ $config = '' ) { - file { "${openvpn::config_dir}/${name}/ccd/${cn}.conf": + file { "${openvpn::config_dir}/${tunnelName}/ccd/${cn}": ensure => file, mode => $openvpn::config_file_mode, owner => $openvpn::config_file_owner, group => $openvpn::config_file_group, content => template('openvpn/ccd.conf.erb'), - require => File[ "${openvpn::config_dir}/${name}/ccd" ] + require => File[ "${openvpn::config_dir}/${tunnelName}/ccd" ] } exec { "openvpn-client-gen-cert-${name}": From 2f226ea6bb8a9215a55658e95a3eb88e5a21f068 Mon Sep 17 00:00:00 2001 From: "Dolf Schimmel (Freeaqingme)" Date: Thu, 19 Sep 2013 23:45:14 +0200 Subject: [PATCH 13/17] Setting some sane defaults --- manifests/client.pp | 3 ++- manifests/init.pp | 35 ++++++++++++++++++++++++++++++++--- manifests/params.pp | 6 +++--- manifests/tunnel.pp | 40 +++++++++++++++++++++++++++++++++++++--- 4 files changed, 74 insertions(+), 10 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index ced74f4..1f6ca71 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -7,7 +7,7 @@ $ifconfigPush = '', $config = '' ) { - + file { "${openvpn::config_dir}/${tunnelName}/ccd/${cn}": ensure => file, mode => $openvpn::config_file_mode, @@ -22,6 +22,7 @@ cwd => "${openvpn::config_dir}/${tunnelName}/easy-rsa", creates => "${openvpn::config_dir}/${tunnelName}/easy-rsa/keys/${name}.crt", provider => 'shell', + notify => Service['openvpn'], require => Exec["openvpn-tunnel-rsa-ca-${tunnelName}"] } diff --git a/manifests/init.pp b/manifests/init.pp index ad46f05..bd4569d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -198,9 +198,38 @@ # This is used by monitor, firewall and puppi (optional) components # Can be defined also by the (top scope) variable $openvpn_protocol # -# [*client_class*] -# The class to use for configuring individual clients of a tunnel +# [*client_definedtype*] +# The Defined Resource Type to invoke when configuring a client # +# [*easyrsa_package*] +# The name of the easy-rsa package to install to generate TLS certs +# +# [*easyrsa_country*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_province*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_city*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_org*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_email*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_cn*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_name*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_ou*] +# Option for easy-rsa to generate the certificate with +# +# [*easyrsa_key_size*] +# Option for easy-rsa to generate the certificate with # # == Examples # @@ -257,7 +286,7 @@ $log_file = params_lookup( 'log_file' ), $port = params_lookup( 'port' ), $protocol = params_lookup( 'protocol' ), - $client_type = params_lookup( 'client_type' ), + $client_definedtype = params_lookup( 'client_type' ), $easyrsa_package = params_lookup( 'easyrsa_package' ), $easyrsa_dir = params_lookup( 'easyrsa_dir' ), $easyrsa_country = params_lookup( 'easyrsa_country' ), diff --git a/manifests/params.pp b/manifests/params.pp index 4a92427..10604cb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -90,9 +90,9 @@ } $port = '1194' - $protocol = 'tcp' + $protocol = 'udp' - $client_type = 'openvpn::client' + $client_definedtype = 'openvpn::client' # Easy-rsa $easyrsa_package = 'easy-rsa' 
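Review bot: The nine new `[*easyrsa_*]` entries all carry the identical text "Option for easy-rsa to generate the certificate with", which tells the reader nothing about which certificate field each sets or what format it must have; the same block is pasted into tunnel.pp's header later in this patch. Each entry should name its field and constraint, e.g. `# [*easyrsa_country*]` / `#   Two-letter country code written to KEY_COUNTRY (the C= subject field); longer values fail` and `# [*easyrsa_key_size*]` / `#   RSA key size in bits for the CA and server key; also selects the dh<size>.pem file`. The relationship between `[*easyrsa_dir*]` and the per-tunnel copy made by the setup exec deserves one line as well.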
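Review bot: `$client_definedtype = params_lookup( 'client_type' )` renames the class parameter but keeps the old lookup key, while params.pp in this same patch renames the default to `$client_definedtype`; params_lookup presumably resolves the key against `openvpn::params`, so the default is no longer found. The lookup should read `params_lookup( 'client_definedtype' )`. Patch 16's subject ("wrong client defined type var ref") suggests it addresses exactly this, but its hunk lies outside the visible text.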
@@ -105,7 +105,7 @@
 $easyrsa_cn = $::fqdn
 $easyrsa_name = $::fqdn
 $easyrsa_ou = 'DevOps'
- $easyrsa_key_size = 1024
+ $easyrsa_key_size = 4096
 
 # General Settings
 $my_class = ''
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index a4b87af..b648df1 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -47,6 +47,40 @@
 # [*enable*]
 # If the tunnel is enabled or not.
 #
+# [*clients*]
+# The clients to allow and their configuration
+#
+# [*client_definedtype*]
+# The Defined Resource Type to invoke when configuring a client
+#
+# [*easyrsa_country*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_province*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_city*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_org*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_email*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_cn*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_name*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_ou*]
+# Option for easy-rsa to generate the certificate with
+#
+# [*easyrsa_key_size*]
+# Option for easy-rsa to generate the certificate with
+#
+#
 define openvpn::tunnel (
 $auth_type = 'tls-server',
 $mode = 'server',
@@ -61,7 +95,7 @@
 $template = '',
 $enable = true,
 $clients = {},
- $client_type = $openvpn::client_type,
+ $client_definedtype = $openvpn::client_definedtype,
 $easyrsa_country = $openvpn::easyrsa_country,
 $easyrsa_province = $openvpn::easyrsa_province,
 $easyrsa_city = $openvpn::easyrsa_city,
@@ -223,9 +257,9 @@
 # with multiple tunnels.
 each($clients) |$commonname, $params| {
 create_resources(
- $client_type,
+ $client_definedtype,
 { "${name}-${commonname}" => $params },
- { 'cn' => $commonname, tunnelName => $name }
+ { cn => $commonname, tunnelName => $name }
 )
 }
 
From ccb341a7b461636bbd7ca8cc02ecc676c747db02 Mon Sep 17 00:00:00 2001
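Review bot: Raising `$easyrsa_key_size` to 4096 only takes effect for keys that have not been generated yet: the client certificate exec in client.pp (this patch's earlier hunks and PATCH 17) is guarded by `creates => ...keys/${cn}.crt`, so existing 1024-bit certificates, and presumably the CA they chain to, stay on disk until someone removes them by hand. A comment next to the default, `# Applies only to keys easy-rsa has not generated yet; existing keys are not re-issued`, plus a README note on how to rotate, stops operators from assuming a Puppet run upgraded their PKI. Generating 4096-bit RSA keys is also markedly slower; if the tunnel-level CA or DH generation exec (not visible here) uses the same size, check it against Puppet's default exec `timeout` of 300 seconds on the slowest hosts.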
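Review bot: In the `create_resources(...)` call the `{ cn => $commonname, tunnelName => $name }` hash is the third argument, which `create_resources` applies as defaults, so a `cn` or `tunnelName` key inside a client's own `$params` hash overrides them instead of being rejected. Such a client entry would get a certificate and ccd file for a different common name than its hash key, or under another tunnel's directory, which is invisible from the `clients` hash alone. Making the values authoritative is a one-line change, `{ "${name}-${commonname}" => $params + { cn => $commonname, tunnelName => $name } }` with the third argument dropped (hash `+` should be available under the same future parser that provides `each`); alternatively `fail` when `$params` already contains either key. The enclosing define's body starts outside this hunk.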
From: "Dolf Schimmel (Freeaqingme)"
Date: Thu, 19 Sep 2013 23:47:37 +0200
Subject: [PATCH 14/17] Setting some sane defaults
---
 manifests/tunnel.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index b648df1..416c119 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -87,7 +87,7 @@
 $remote = '',
 $port = $openvpn::port,
 $auth_key = '',
- $proto = 'udp',
+ $proto = $openvpn::protocol,
 $dev = 'tun',
 $server = '10.8.0.0 255.255.255.0',
 $route = '',
From ea692d18ab0ad1105f82e48f9e5320b6232b2871 Mon Sep 17 00:00:00 2001
From: "Dolf Schimmel (Freeaqingme)"
Date: Thu, 19 Sep 2013 23:55:43 +0200
Subject: [PATCH 15/17] Adding an example to openvpn::tunnel
---
 manifests/tunnel.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 416c119..86167f4 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -80,6 +80,17 @@
 # [*easyrsa_key_size*]
 # Option for easy-rsa to generate the certificate with
 #
+# == Examples
+#
+# openvpn::tunnel { 'main':
+# dev => 'tap',
+# server => '172.31.253.0 255.255.255.0',
+# easyrsa_email => 'devops@organization',
+# clients => {
+# 'node42.fqdn' => { pushReset => true }
+# }
+# }
+#
 #
 define openvpn::tunnel (
 $auth_type = 'tls-server',
From f0149ea73f8ff9d38bce995c5e4b2b8feaf069d3 Mon Sep 17 00:00:00 2001
From: "Dolf Schimmel (Freeaqingme)"
Date: Fri, 20 Sep 2013 00:54:57 +0200
Subject: [PATCH 16/17] wrong client defined type var ref
---
 manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index bd4569d..b71b092 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -286,7 +286,7 @@
 $log_file = params_lookup( 'log_file' ),
 $port = params_lookup( 'port' ),
 $protocol = params_lookup( 'protocol' ),
- $client_definedtype = params_lookup( 'client_type' ),
+ $client_definedtype = params_lookup( 'client_definedtype' ),
 $easyrsa_package = params_lookup( 'easyrsa_package' ),
 $easyrsa_dir = params_lookup( 'easyrsa_dir' ),
 $easyrsa_country = params_lookup( 'easyrsa_country' ),
From b72e3842e7493fa9156aae27a995ae8658bb8092 Mon Sep 17 00:00:00 2001
From: "Dolf Schimmel (Freeaqingme)"
Date: Fri, 20 Sep 2013 17:26:37 +0200
Subject: [PATCH 17/17] Stop continuous regeneration of certs
---
 manifests/client.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/client.pp b/manifests/client.pp
index 1f6ca71..bfc1732 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -20,7 +20,7 @@
 exec { "openvpn-client-gen-cert-${name}":
 command => ". ./vars && ./pkitool ${cn}",
 cwd => "${openvpn::config_dir}/${tunnelName}/easy-rsa",
- creates => "${openvpn::config_dir}/${tunnelName}/easy-rsa/keys/${name}.crt",
+ creates => "${openvpn::config_dir}/${tunnelName}/easy-rsa/keys/${cn}.crt",
 provider => 'shell',
 notify => Service['openvpn'],
 require => Exec["openvpn-tunnel-rsa-ca-${tunnelName}"]