Skip to content

variablenix/ansible.openvpn

BranchesTags
 
 

Repository files navigation

Overview

Ansible Playbook for deploying OpenVPN on Ubuntu and Arch Hosts with LDAP authentication support.

Requirements

  • Ansible <= 2.6

Roles (in order of Execution)

  • openvpn

    • Installs, configures and hardens OpenVPN security configuration
    • Enables tls-crypt (supersedes tls-auth)
    • Enables forward secrecy TLS ciphers
    • Reduces OpenVPN daemon privileges after initialization
    • Configures LDAP auth over TLS
    • Pushes OpenDNS for client configuration

  • easy-rsa (default expire: 10 years)

    • Certificate Authority and random generated passphrase
    • OpenVPN server certificate and private key
    • Diffie-Hellman (DH) parameters key
    • Hash-based Message Authentication Code (HMAC) key
    • Optional: transfer CA cert and HMAC key to secondary/backup OpenVPN host(s)

  • network (default: ufw or iptables)

    • Enables NAT forwarding
    • Port forward OpenVPN (default proto: tcp)
    • Starts OpenVPN network/service

  • client

    • Generates OpenVPN client .ovpn profile from template
    • Sends an email to the OpenVPN user with the client profile for desktop/mobile import
    • Retrieves OpenDNS config pushed from OpenVPN server

Tags (in order of Execution)

  • openvpn, vpnconfig, ldap
  • rsa
  • network
  • client, email

Execution

  • Update the global variables in group_vars/all for your own VPN server environment.

  • Update the host_vars variable file for each OpenVPN server with your host-specific environment.

  • Recommended: Set up vpn virtualenv mkvirtualenv vpn; pip install -r requirements.txt

  • Execute the playbook

    ansible-playbook [options] vpn.yaml

  • Execute specifc role(s)

    ansible-playbook [options] --tags "openvpn,rsa" vpn.yaml

  • Execute sending client profile

    ansible-playbook [options] --tags "client,email" vpn.yaml

  • Exclude a role

    ansible-playbook [options] --skip-tags "client" vpn.yaml

LDAP

LDAP auth is enabled by default. The OpenVPN client file openvpn-client.ovpn can be imported into a mobile/desktop app which will prompt for the VPN user's LDAP credentials. An OpenVPN LDAP schema can be found in roles/openvpn/files/ldap/openvpn-ldap.schema.

Client

By default this Playbook uses LDAP auth rather than certificate based authentication. While using LDAP auth the client openvpn-client.ovpn file only requires the CA cert and tls-crypt key. One nice advantage of using LDAP auth with OpenVPN is that creating unique client configs is not necessary. The same client config can be distributed to VPN users.

Email

The OpenVPN client config profile can be emailed to the VPN user. Deploying the playbook with client enabled in group_vars/all will prompt for the email address where the client profile should get sent to. The client profile is generated using a template so the appropriate configuration and any number of VPN servers can be imported by desktop and mobile apps.

Notes

  • To have the Easy-RSA role generate a new Public Key Infrastructure (PKI), Certificate Authority (CA) and Server certs/keys, the pki directory within /etc/easyrsa/ must not be present. The role will not overwrite an existing PKI and related files.

  • Currently works on remote hosts running os-families:

    • ArchLinux: Arch Linux
    • Debian: Ubuntu (needs updated testing)

TODO

  • MFA/YubiKey support
  • Handle more OS families

About

Ansible Playbook for deploying OpenVPN with LDAP on Arch and Ubuntu

Topics

ldap openvpn ansible-playbook ansible-role openvpn-server easyrsa openvpn-ldap openvpn-easyrsa openvpn-archlinux openvpn-ubuntu openvpn-debian

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 77.8%
  • Shell 22.2%