talas-group/04_INFRA_DEPLOIEMENT/Ansible/roles/openvpn/readme.md
senke 66471934af Initial commit: Talas Group project management & documentation
Knowledge base of ~80+ markdown files across 14 domains (00-13),
Logseq graph, hardware design files (KiCAD), infrastructure configs,
and talas-wiki static site.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 20:10:41 +02:00

# OpenVPN server role
## Mandatory parameters
### Config
- Define the network for the OpenVPN connection itself (clients will have an IP from this range):
```
openvpn_server: "10.185.16.0 255.255.255.0"
```
- You also need to define the parameters that will be pushed to the clients when they connect; at a minimum this is one route and, most of the time, at least one DNS server:
```
openvpn_push:
  - "route 10.185.15.0 255.255.255.0"
  - "dhcp-option DNS 10.12.1.2"
```
### Certificates
You need to define the certificates that will be used by the server; specifically, you need these variables:
1. *openvpn_tls_ca* containing the CA that signed all certificates
2. *openvpn_tls_cert* containing the server's certificate
3. *openvpn_tls_key* containing the server's private key, _this variable must be kept in a vault!_
To define them, use a YAML block scalar (`|`); the certificate lines must be indented under the variable name, otherwise YAML will not attach them to it:
```
openvpn_tls_ca: |
  -----BEGIN CERTIFICATE-----
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ...
  yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
  -----END CERTIFICATE-----
```
By default, they will be saved to the folder */etc/openvpn/ssl*. You can change this folder by setting the variable *openvpn_ssl_root*, and you can also change the location of any individual file with the following variables; below are the defaults for reference:
```
openvpn_ssl_root: /etc/openvpn/ssl
openvpn_ca: "{{ openvpn_ssl_root }}/ca.crt"
openvpn_crl: "{{ openvpn_ssl_root }}/crl.pem"
openvpn_cert: "{{ openvpn_ssl_root }}/{{ ansible_hostname }}.crt"
openvpn_key: "{{ openvpn_ssl_root }}/{{ ansible_hostname }}.key"
openvpn_dh: "{{ openvpn_ssl_root }}/dh2048.pem"
```
Please note that the file pointed to by _openvpn_dh_ is automatically generated by this role if it doesn't exist.
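Putting the mandatory parameters together, here is an added example playbook that applies the role; it is not one of the role's own files. The inventory group `openvpn_servers`, the vault file `vault.yml` and the variable `vault_openvpn_tls_key` inside it are assumptions for illustration. The private key never appears in the plain-text play: it is taken from a file encrypted with `ansible-vault`, and a pre-task refuses to run when any mandatory variable is missing.

```yaml
# Added example playbook (not part of the role): site.yml
# Assumed: an inventory group "openvpn_servers" and an encrypted file
# vault.yml (created with `ansible-vault create vault.yml`) that defines
# vault_openvpn_tls_key holding the server's PEM private key.
- name: Deploy the OpenVPN server
  hosts: openvpn_servers
  become: true

  vars_files:
    - vault.yml          # holds vault_openvpn_tls_key, encrypted at rest

  vars:
    # Network handed out to VPN clients
    openvpn_server: "10.185.16.0 255.255.255.0"
    # Pushed to every client: one route and one DNS server at minimum
    openvpn_push:
      - "route 10.185.15.0 255.255.255.0"
      - "dhcp-option DNS 10.12.1.2"
    # Certificates: the lines under "|" must be indented for YAML to keep them
    openvpn_tls_ca: |
      -----BEGIN CERTIFICATE-----
      (CA certificate body, placeholder)
      -----END CERTIFICATE-----
    openvpn_tls_cert: |
      -----BEGIN CERTIFICATE-----
      (server certificate body, placeholder)
      -----END CERTIFICATE-----
    # Never inline the key here; reference the vaulted variable instead
    openvpn_tls_key: "{{ vault_openvpn_tls_key }}"

  pre_tasks:
    - name: Refuse to run without the mandatory role variables
      ansible.builtin.assert:
        that:
          - openvpn_server is defined
          - openvpn_push is defined
          - openvpn_push | length > 0
          - openvpn_tls_ca is defined
          - openvpn_tls_cert is defined
          - openvpn_tls_key is defined
        fail_msg: "openvpn_server, openvpn_push and openvpn_tls_ca/cert/key must all be set"

  roles:
    - role: openvpn
```

Run it with `ansible-playbook site.yml --ask-vault-pass` (or `--vault-password-file`); if `vault.yml` cannot be decrypted the play stops before any variable reaches the server, and the assert catches a play that was copied without one of the mandatory variables.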
## Optional parameters
### OpenVPN version
By default, this role will install the `openvpn` package from your distribution repository.
You can override this by setting the variable `openvpn_version`, which is undefined by default. Setting it activates the official OpenVPN repository; the process is described here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos .
The possible values are listed at the previous link; currently they are _stable, testing, release/2.3, release/2.4 and release/2.5_. Most of the time you will want to stick to stable. Read the official wiki carefully before changing that: for example, pinning to release/2.5 means *OpenVPN 2.5 releases, including alphas/betas/RCs*.
```
openvpn_version: "stable"
```
### default config
Below are the configuration options with their default values, which you can change if needed:
- port and protocol
```
openvpn_port: 443
openvpn_proto: tcp6
```
- maximum number of clients connected at a given time
```
openvpn_max_clients: 10
```
- allow or disallow connection between clients
```
openvpn_client2client: False
```
- force users to always get the same IP address (essential for iptables filtering for different accesses)
```
openvpn_ccd: False
```
### Scripts when a user connects or disconnects
To run the scripts _connect.sh_ and _disconnect.sh_ when a user connects or disconnects, you will need to set the following variables:
```
openvpn_client_scripts: True
openvpn_script_dbsrv: srv-xxx
openvpn_script_dbport: 5432
openvpn_script_dbuser: user
openvpn_script_db: openvpn
openvpn_script_dbpassword: pass
```
This will also install the _geoip-bin_ package for the _/usr/bin/geoiplookup_ and the _/usr/bin/geoiplookup6_ commands and will also download the latest databases from https://dev.maxmind.com/geoip/legacy/geolite/ .
### additional check script at connect time
An additional script can be run before the validation of the user's password. Currently the script _validate-username-common_name.sh_ checks that the certificate's common name and the username are the same; you can activate it with this variable:
```
openvpn_auth_user_pass_verify: "validate-username-common_name.sh"
```
### Force comp-lzo on version >= 2.5
On previous OpenVPN versions, the `comp-lzo` parameter was always active.
Since version 2.5 it is deprecated and should not be used anymore, but this is a problem when you need to support old configurations already in the wild. For this particular case, you can force support of comp-lzo even on OpenVPN 2.5+ with this parameter:
```
openvpn_force_insecure_compression: True
```
## LDAP auth
First, it needs to be activated with this variable:
```
openvpn_ldap_auth: True
```
You then need to define an LDAP server URL:
```
openvpn_ldap_URL: "ldap://ldap2.cosium.com"
```
The following variables have defaults that you can change if needed:
```
# location of the CA for the LDAP secure connection, this is not the same as the OpenVPN CA
openvpn_ldap_TLSCACertFile: "/usr/local/share/ca-certificates/CosiumRootCA.crt"
# Base DN to find users
openvpn_ldap_BaseDN: "ou=people,dc=cosium,dc=com"
# Search filter for users
openvpn_ldap_SearchFilter: "(&(uid=%u)(CosStatus=active)(RemoteAccess=OpenVPN:*))"
```
Please look at the _auth-ldap.conf_ template for more information.
## Settings not handled by this role
This role does not yet handle all OpenVPN settings, specifically:
- when the ccd option is activated, a file must exist in the folder _/etc/openvpn/topology-subnet_ *for every user*, otherwise they will not be allowed to connect
- when easy-rsa is used on the server as the certificate authority, all certificates and private keys are on the OpenVPN server, which is not secure; those files are not handled by this role
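The ccd gap above can be closed from the playbook that calls the role. The following is an added example, not part of this role: it assumes a dictionary `openvpn_static_clients` mapping each client certificate common name to a fixed address inside the `openvpn_server` network, and writes one file per user into `/etc/openvpn/topology-subnet` (the folder named above) using OpenVPN's `ifconfig-push <ip> <netmask>` directive, which is what a client-config-dir file carries in subnet topology. Files for users no longer in the list are removed, so a departed or revoked user also loses the ccd entry the server requires.

```yaml
# Added example (not part of the role): tasks/ccd.yml, to run after the role
# when openvpn_ccd is True. Assumed variable: openvpn_static_clients, keyed
# by the common name of each client certificate; the sample entries are
# constructed for illustration.
- name: Static VPN addresses, one ccd file per client certificate common name
  vars:
    openvpn_ccd_dir: /etc/openvpn/topology-subnet   # folder the role expects
    openvpn_ccd_netmask: 255.255.255.0              # mask of openvpn_server
    openvpn_static_clients:
      alice: 10.185.16.10
      bob: 10.185.16.11
  block:
    - name: Make sure the client-config-dir exists and is only writable by root
      ansible.builtin.file:
        path: "{{ openvpn_ccd_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Write one ccd file per user (a missing file means the user cannot connect)
      ansible.builtin.copy:
        dest: "{{ openvpn_ccd_dir }}/{{ item.key }}"
        content: "ifconfig-push {{ item.value }} {{ openvpn_ccd_netmask }}\n"
        owner: root
        group: root
        mode: "0644"
      loop: "{{ openvpn_static_clients | dict2items }}"

    - name: List the ccd files currently on the server
      ansible.builtin.find:
        paths: "{{ openvpn_ccd_dir }}"
        file_type: file
      register: ccd_present

    - name: Remove ccd files for users no longer in the list
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ ccd_present.files }}"
      loop_control:
        label: "{{ item.path | basename }}"
      when: (item.path | basename) not in openvpn_static_clients
```

Because the file name is the certificate common name, the fixed address follows the certificate rather than the username, which is what makes per-user iptables rules on the VPN address reliable; keep the addresses outside any range the server hands out dynamically.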