feat: openvpn playbook

Author: javascriptizer1

.gitignore

@@ -0,0 +1,39 @@
+# Ansible Tower ignore list
+
+# IDEs
+.project
+.pydevproject
+.idea
+*.iml
+.vscode
+.DS_Store
+
+# Environment variables
+.env
+Vagrantfile
+.vagrant
+
+.coverage
+
+# Ansible runtime and backups
+*.original
+*.tmp
+*.bkp
+*.retry
+*.*~
+
+ovpn
+
+# Try tyo avoid any plain-text passwords 
+*pwd*
+*pass*
+*password*
+*.txt
+
+# Exclude all binaries
+*.bin
+*.jar
+*.tar
+*.zip
+*.gzip
+*.tgz

inventories/group_vars/all.yaml

@@ -0,0 +1,3 @@
+ansible_user: root
+ansible_become: true
+ansible_python_interpreter: /usr/bin/python3

inventories/inventory.ini

@@ -0,0 +1,2 @@
+[vpn]
+vpn ansible_ssh_host=127.0.0.1 ansible_ssh_user=root

playbook.yaml

@@ -0,0 +1,6 @@
+- name: 'OpenVPN'
+  hosts: vpn
+  roles:
+    - vpn
+  tags:
+    - vpn

roles/vpn/defaults/main.yml

@@ -0,0 +1,10 @@
+vpn_openvpn_dir: /etc/openvpn
+vpn_openvpn_easyrsa_dir: /usr/share/easy-rsa
+
+vpn_openvpn_port: 1194
+vpn_openvpn_address: '{{ ansible_default_ipv4.address }}'
+
+vpn_openvpn_clients:
+- javascriptizer1
+
+vpn_host: '127.0.0.1'

roles/vpn/handlers/main.yml

@@ -0,0 +1,10 @@
+- name: restart openvpn
+  service:
+    name: openvpn
+    state: restarted
+
+- name: enable openvpn
+  service:
+    name: openvpn
+    enabled: true
+    state: started

roles/vpn/meta/main.yml

@@ -0,0 +1,7 @@
+galaxy_info:
+  author: javascriptizer1
+  description: OpenVPN Ansible role
+  license: license (GPL-2.0-or-later, MIT, etc)
+  min_ansible_version: '2.1'
+  galaxy_tags: ['openvpn']
+

roles/vpn/tasks/client.yaml

@@ -0,0 +1,87 @@
+- name: Copy client crt to folder server in {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/issued/{{ item }}.crt'
+    dest: '{{ vpn_openvpn_dir }}/server/{{ item }}.crt'
+    mode: '0644'
+    remote_src: true
+  with_items: '{{ vpn_openvpn_clients }}'
+
+- name: Copy client key to folder server in {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/private/{{ item }}.key'
+    dest: '{{ vpn_openvpn_dir }}/server/{{ item }}.key'
+    mode: '0644'
+    remote_src: true
+  with_items: '{{ vpn_openvpn_clients }}'
+
+- name: Ensure exists - users {{ vpn_openvpn_dir }}
+  ansible.builtin.file:
+    path: '{{ vpn_openvpn_dir }}/users'
+    state: directory
+    mode: '0755'
+
+- name: Copy files to users {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/{{ item }}'
+    dest: '{{ vpn_openvpn_dir }}/users/{{ item | basename }}'
+    mode: '0644'
+    remote_src: true
+  with_items:
+    - ca.crt
+    - ta.key
+
+- name: Copy client crt to folder users in {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/issued/{{ item }}.crt'
+    dest: '{{ vpn_openvpn_dir }}/users/{{ item }}.crt'
+    mode: '0644'
+    remote_src: true
+  with_items: '{{ vpn_openvpn_clients }}'
+
+- name: Copy client key to folder users in {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/private/{{ item }}.key'
+    dest: '{{ vpn_openvpn_dir }}/users/{{ item }}.key'
+    mode: '0644'
+    remote_src: true
+  with_items: '{{ vpn_openvpn_clients }}'
+
+- name: Register ca.crt
+  ansible.builtin.slurp:
+    src: '{{ vpn_openvpn_dir }}/ca.crt'
+  register: vpn_openvpn_ca_cert
+
+- name: Register ta.key
+  ansible.builtin.slurp:
+    src: '{{ vpn_openvpn_dir }}/ta.key'
+  register: vpn_openvpn_ta_key
+
+- name: Register client certs
+  ansible.builtin.slurp:
+    src: '{{ vpn_openvpn_dir }}/users/{{ item }}.crt'
+  with_items: '{{ vpn_openvpn_clients }}'
+  register: vpn_openvpn_client_certs
+
+- name: Register client keys
+  ansible.builtin.slurp:
+    src: '{{ vpn_openvpn_dir }}/users/{{ item }}.key'
+  with_items: '{{ vpn_openvpn_clients }}'
+  register: vpn_openvpn_client_keys
+
+- name: Generate client config
+  ansible.builtin.template:
+    src: client.ovpn.j2
+    dest: '{{ vpn_openvpn_dir }}/users/{{ item.0.item }}-{{ inventory_hostname }}.ovpn'
+    owner: root
+    group: root
+    mode: '0400'
+  with_together:
+    - '{{ vpn_openvpn_client_certs.results }}'
+    - '{{ vpn_openvpn_client_keys.results }}'
+
+- name: Fetch client config
+  ansible.builtin.fetch:
+    src: '{{ vpn_openvpn_dir }}/users/{{ item }}-{{ inventory_hostname }}.ovpn'
+    dest: '{{ playbook_dir }}/ovpn/{{ inventory_hostname }}-{{ item }}.ovpn'
+    flat: true
+  with_items: '{{ vpn_openvpn_clients }}'

roles/vpn/tasks/main.yml

@@ -0,0 +1,2 @@
+- import_tasks: server.yaml
+- import_tasks: client.yaml

roles/vpn/tasks/server.yaml

@@ -0,0 +1,134 @@
+- name: Ensure apt list dir exists
+  ansible.builtin.apt.file:
+    path: /var/lib/apt/lists/
+    state: directory
+    mode: '0755'
+
+- name: Update repositories cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install openvpn easy-rsa
+  ansible.builtin.apt:
+    name:
+      - openvpn
+      - easy-rsa
+      - iptables-persistent
+    state: present
+  become: true
+  notify:
+    - 'enable openvpn'
+
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+    ignoreerrors: true
+  failed_when: false
+
+- name: Create Ip tables NAT
+  ansible.builtin.iptables:
+    table: nat
+    chain: POSTROUTING
+    jump: MASQUERADE
+    protocol: all
+    source: '0.0.0.0/0'
+    destination: '0.0.0.0/0'
+  become: true
+
+- name: Ensure exists - {{ vpn_openvpn_dir }}
+  ansible.builtin.file:
+    path: '{{ vpn_openvpn_dir }}/easy-rsa'
+    state: directory
+    mode: '0755'
+
+- name: Create vars file
+  ansible.builtin.copy:
+    dest: '{{ vpn_openvpn_easyrsa_dir }}/vars'
+    content: |
+      set_var EASYRSA_ALGO "ec"
+      set_var EASYRSA_DIGEST "sha512"
+    mode: '0755'
+
+- name: Easy-rsa init-pki
+  ansible.builtin.command:
+    cmd: '{{ vpn_openvpn_easyrsa_dir }}/easyrsa init-pki'
+    chdir: '{{ vpn_openvpn_dir }}/easy-rsa'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki'
+
+- name: Easy-rsa build-ca
+  ansible.builtin.command:
+    cmd: '{{ vpn_openvpn_easyrsa_dir }}/easyrsa build-ca nopass'
+    chdir: '{{ vpn_openvpn_dir }}/easy-rsa'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki/ca.crt'
+  environment:
+    EASYRSA_BATCH: 'yes'
+
+- name: Easy-rsa gen-dh
+  ansible.builtin.command:
+    cmd: '{{ vpn_openvpn_easyrsa_dir }}/easyrsa gen-dh'
+    chdir: '{{ vpn_openvpn_dir }}/easy-rsa'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki/dh.pem'
+
+- name: Easy-rsa server nopass
+  ansible.builtin.command:
+    cmd: '{{ vpn_openvpn_easyrsa_dir }}/easyrsa build-server-full server nopass'
+    chdir: '{{ vpn_openvpn_dir }}/easy-rsa'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki/issued/server.crt'
+
+- name: Easy-rsa client nopass
+  ansible.builtin.command:
+    cmd: '{{ vpn_openvpn_easyrsa_dir }}/easyrsa build-client-full {{ item }} nopass'
+    chdir: '{{ vpn_openvpn_dir }}/easy-rsa'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki/issued/{{ item }}.crt'
+  with_items:
+    - '{{ vpn_openvpn_clients }}'
+
+- name: Easy-rsa gen-crl
+  ansible.builtin.command:
+    cmd: '{{ vpn_openvpn_easyrsa_dir }}/easyrsa gen-crl'
+    chdir: '{{ vpn_openvpn_dir }}/easy-rsa'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki/crl.pem'
+
+- name: OpenVPN genkey
+  ansible.builtin.command:
+    cmd: 'openvpn --genkey --secret {{ vpn_openvpn_dir }}/easy-rsa/pki/ta.key'
+    creates: '{{ vpn_openvpn_dir }}/easy-rsa/pki/ta.key'
+
+- name: Copy files to folder server in {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/{{ item }}'
+    dest: '{{ vpn_openvpn_dir }}/server/{{ item | basename }}'
+    mode: '0644'
+    remote_src: true
+  with_items:
+    - ca.crt
+    - dh.pem
+    - ta.key
+    - private/ca.key
+    - private/server.key
+    - issued/server.crt
+
+- name: Copy files to {{ vpn_openvpn_dir }}
+  ansible.builtin.copy:
+    src: '{{ vpn_openvpn_dir }}/easy-rsa/pki/{{ item }}'
+    dest: '{{ vpn_openvpn_dir }}/{{ item | basename }}'
+    mode: '0644'
+    remote_src: true
+  with_items:
+    - ca.crt
+    - ta.key
+
+- name: Place server.conf
+  ansible.builtin.template:
+    src: 'server.conf.j2'
+    dest: '{{ vpn_openvpn_dir }}/server.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - 'restart openvpn'

roles/vpn/templates/client.ovpn.j2

@@ -0,0 +1,38 @@
+client
+
+tls-client
+auth SHA256
+cipher AES-256-CBC
+remote-cert-tls server
+tls-version-min 1.2
+
+proto udp
+remote {{ vpn_openvpn_address }} {{ vpn_openvpn_port }}
+dev tun
+
+resolv-retry 5
+nobind
+keepalive 5 30
+persist-key
+persist-tun
+verb 3
+
+route-method exe
+route-delay 2
+
+key-direction 1
+<ca>
+{{ vpn_openvpn_ca_cert.content|b64decode }}
+</ca>
+
+<tls-auth>
+{{ vpn_openvpn_ta_key.content|b64decode }}
+</tls-auth>
+
+<cert> 
+{{ item.0.content|b64decode }}
+</cert>
+
+<key>
+{{ item.1.content|b64decode }}
+</key>

roles/vpn/templates/server.conf.j2

@@ -0,0 +1,38 @@
+port {{ vpn_openvpn_port }}
+proto udp
+dev tun
+
+ca {{ vpn_openvpn_dir }}/server/ca.cert
+cert {{ vpn_openvpn_dir }}/server/server.crt
+key {{ vpn_openvpn_dir }}/server/server.key
+dh {{ vpn_openvpn_dir }}/server/dh.pem
+
+tls-auth {{ vpn_openvpn_dir }}/ta.key 0
+tls-server
+auth SHA256
+cipher AES-256-CBC
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
+
+server {{ vpn_host }} 255.255.255.0
+
+topology subnet
+ifconfig-pool-persist ipp.txt
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 1.0.0.1"
+push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+
+keepalive 5 30
+persist-key
+persist-tun
+user nodoby
+group nogroup
+
+status status_openvpn_udp_1194.log
+status-version 1
+log-append /var/log/openvpn/openvpn.log
+verb 3
+
+script-security 1