Implementation of IPv6 support #151

Open. Wants to merge 10 commits into base: develop.
13 changes: 13 additions & 0 deletions defaults/main.yml
@@ -80,6 +80,19 @@ openvpn_route_traffic: false
# Whether to create an iptables rule to allow connections to the openvpn server.
openvpn_open_firewall: true

# Listening also for IPv6
openvpn_ipv6_enabled: false

openvpn_ipv6_server: ''
# 2001:1::/64

openvpn_ipv6_ifconfig: ''
# 2001:1:1 2001:1::2

openvpn_ipv6_route_ranges: []
# - 2000:1::/64
# - 2000:3::/64

# The interface that traffic will come in from. This is used when creating
# firewall rules to allow the vpn server to successfully forward traffic (see
# `openvpn_route_traffic`). The interface you specify here will limit these
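Review bot: the example for `openvpn_ipv6_ifconfig` (`# 2001:1:1 2001:1::2`) is not a valid value: `2001:1:1` is not a complete IPv6 address, and OpenVPN's `ifconfig-ipv6` takes the local address with a prefix length followed by the remote address, so the example should read something like `2001:db8:1::1/64 2001:db8:1::2`. The other examples (`2001:1::/64`, `2000:1::/64`) also use globally routable space; `2001:1::/23` is in fact IETF protocol-assignment space, so use the documentation prefix `2001:db8::/32` in all three comments. It would also help to document, next to these variables, that both `openvpn_ipv6_enabled: true` and a non-empty `openvpn_ipv6_server` are required before anything IPv6-related is written to server.conf, since the template checks both.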
4 changes: 2 additions & 2 deletions handlers/main.yml
@@ -23,14 +23,14 @@
command: /etc/init.d/iptables-persistent save
when:
- ansible_os_family == "Debian"
- ansible_lsb.codename == "trusty"
- ansible_distribution_release == "trusty"
listen: openvpn save iptables

- name: Save the rules (Ubuntu)
command: netfilter-persistent save
when:
- ansible_os_family == "Debian"
- ansible_lsb.codename != "trusty"
- ansible_distribution_release != "trusty"
listen: openvpn save iptables

- name: Restart OpenVPN service
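Review bot: switching from `ansible_lsb.codename` to `ansible_distribution_release` is a good fix, since `ansible_lsb` is only populated when the `lsb_release` binary is installed and the old condition would fail on minimal hosts. While touching these conditions, the task names still say "Ubuntu" although the second branch now covers every Debian-family release other than trusty; renaming them to match would avoid confusion. Also note that nothing in the PR adds an ip6tables rule for the new IPv6 listener; `openvpn_open_firewall` is documented as creating an iptables rule only, so an IPv6-enabled server will be firewalled off unless the user opens the port for IPv6 themselves.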
2 changes: 0 additions & 2 deletions tasks/openvpn.yml
@@ -42,6 +42,4 @@

- include_tasks: "system/bridge/{{ ansible_os_family }}.yml"

- include_tasks: "system/bridge/{{ ansible_os_family }}.yml"

- include_tasks: service.yml
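Review bot: removing the duplicated `system/bridge/{{ ansible_os_family }}.yml` include is correct, but it is unrelated to IPv6 support; putting it in its own commit (or PR) keeps the feature change reviewable on its own and lets the fix land even if the IPv6 work needs more rounds.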
15 changes: 13 additions & 2 deletions tasks/system/forwarding.yml
@@ -1,10 +1,21 @@
---

- name: Set ip forwarding in the sysctl file and reload if necessary
- name: Set IPv4 forwarding in the sysctl file and reload if necessary
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
state: present
reload: true
when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
when: not lookup('env', 'IN_MOLECULE') | d(false, true) | bool

- name: Set IPv6 forwarding in the sysctl file and reload if necessary
Collaborator: Could you also rename the previous task to say IPv4?

Done in c1cbc8c

sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: true
state: present
reload: true
when:
not lookup('env', 'IN_MOLECULE') | d(false, true) | bool
and openvpn_ipv6_server | length > 0
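Review bot: the `when:` on the IPv6 task checks only `openvpn_ipv6_server | length > 0`, while templates/server.conf.j2 emits `server-ipv6` only when `openvpn_ipv6_enabled | bool` is true as well, so a host with the address set but the feature disabled gets IPv6 forwarding turned on for nothing. Use the same pair of conditions in both places, written as a list rather than a multi-line plain scalar:

when:
- not lookup('env', 'IN_MOLECULE') | d(false, true) | bool
- openvpn_ipv6_enabled | bool
- openvpn_ipv6_server | length > 0

Two further points. The `d(true, true)` to `d(false, true)` change on the IPv4 task is a behaviour change, not a rename: with `IN_MOLECULE` unset the old expression evaluated to `not true`, so forwarding was never configured outside Molecule; now it is, which is clearly what was intended, but it deserves a line in the commit message. And setting `net.ipv6.conf.all.forwarding = 1` turns the host into an IPv6 router, which makes the kernel ignore router advertisements on its interfaces unless `accept_ra` is set to 2; on a host whose public IPv6 address comes from SLAAC that silently drops the address, so a comment (or an `accept_ra = 2` sysctl for the uplink interface) would save users a surprise.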
37 changes: 27 additions & 10 deletions templates/server.conf.j2
@@ -4,7 +4,8 @@
{% if openvpn_local is defined -%}
local {{ openvpn_local }}
{% else -%}
;local a.b.c.d {% endif %}
;local a.b.c.d
{% endif %}

# Which TCP/UDP port should OpenVPN listen on? If you want to run multiple
# OpenVPN instances on the same machine, use a different port number for each
@@ -14,6 +15,10 @@ port {{ openvpn_port }}
# TCP or UDP server?
proto {{ openvpn_proto }}

{% if openvpn_ipv6_enabled | bool %}
proto {{ openvpn_proto }}6
{% endif %}

{% if openvpn_portshare is defined %}
# Port sharing
port-share 127.0.0.1 {{ openvpn_portshare }}
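Review bot: `proto` is not cumulative in OpenVPN; when the directive appears twice the later one wins, so with `openvpn_ipv6_enabled` the server runs with `proto udp6` (or `tcp6`) only and the `proto {{ openvpn_proto }}` line above it is dead text. Whether that still serves IPv4 clients depends on the version: on 2.3 a `udp6` socket typically accepts IPv4-mapped connections too, but on 2.4 and later `udp6`/`tcp6` mean IPv6 only (plain `udp`/`tcp` is already dual-stack there), so enabling this option on a current OpenVPN drops IPv4 listening. Emit a single `proto` line whose value is chosen by the role instead of appending a second one. Also, appending `6` only yields a valid keyword for `udp` and `tcp`; if `openvpn_proto` is ever `tcp-server`, the result `tcp-server6` is rejected (the valid spelling is `tcp6-server`).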
@@ -31,6 +36,9 @@ cipher {{ openvpn_cipher }}
# most systems, the VPN will not function unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev {{ openvpn_dev }}
Collaborator: Why do you leave the non-ipv6 options outside of a conditional? Does this work?

Yes, this works

{% if openvpn_ipv6_enabled | bool %}
dev {{ openvpn_dev }}-ipv6
{% endif %}

# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file. The server
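Review bot: a second `dev` line does not create a second interface; as with `proto`, the last `dev` directive wins, so with IPv6 enabled the server's only interface is renamed to `{{ openvpn_dev }}-ipv6` (for example `tun-ipv6`) and the original `dev {{ openvpn_dev }}` line is overridden. A single tun interface carries both address families, which is exactly what `server` plus `server-ipv6` configure, so this block should be removed rather than added alongside the existing line. Renaming the device is also not free: any firewall or routing rule that matches on the interface name stops matching once IPv6 is switched on.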
@@ -73,7 +81,12 @@ topology {{ openvpn_topology }}
# 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
# page for more info.
server {{ openvpn_server }}
{% if openvpn_ipv6_enabled | bool and openvpn_ipv6_server | length > 0 %}
server-ipv6 {{ openvpn_ipv6_server }}
{% if openvpn_ipv6_ifconfig | length > 0 %}ifconfig-ipv6 {{ openvpn_ipv6_ifconfig }}{% endif %}
{% endif %}
{% endif %}

{% if openvpn_bridge %}
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
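Review bot: the `server-ipv6` block has one `{% endif %}` too many. The outer `{% if openvpn_ipv6_enabled | bool and openvpn_ipv6_server | length > 0 %}` is closed by the first `{% endif %}`, and the `ifconfig-ipv6` test is opened and closed on its own line, so the second `{% endif %}` has no matching `{% if %}` and Jinja will refuse to render the template (unless it is meant to close a block opened above this hunk, which the context does not show). Drop one of them. Separately, `server-ipv6` is a helper that already expands to `ifconfig-ipv6` plus the client address pool, so emitting an explicit `ifconfig-ipv6` from `openvpn_ipv6_ifconfig` inside the `server-ipv6` branch at best duplicates it and may conflict, depending on the OpenVPN version; if `openvpn_ipv6_ifconfig` is meant for the manual (non-helper) case it should be an alternative to `server-ipv6`, not nested under it. Finally, mirror this hunk's condition (enabled and non-empty server) in tasks/system/forwarding.yml, which currently tests only the address.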
@@ -104,7 +117,7 @@ ifconfig-pool-persist {{ openvpn_ifconfig_pool_persist }}
# over the link so that each side knows when the other side has gone down. Ping
# every 10 seconds, assume that remote peer is down if no ping received during
# a 120 second time period.
{%- if openvpn_keepalive != '' %}
{%- if openvpn_keepalive | length > 0 %}
keepalive {{ openvpn_keepalive }}
{% endif %}
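Review bot: `| length > 0` behaves like `!= ''` for strings but differs if `openvpn_keepalive` is ever undefined or not a string, so check the default's type in defaults/main.yml before relying on it. A pre-existing issue on this same tag is worth a look while it is being edited: the `{%-` strips the newline that ends the preceding comment line, and Ansible's `template` module defaults to `trim_blocks: yes`, which also removes the newline after the tag, so `keepalive {{ openvpn_keepalive }}` can end up appended to `# a 120 second time period.` and therefore commented out. Verify in a rendered server.conf that `keepalive` is on its own line; a plain `{% if ... %}` (as used for the other blocks in this template) avoids the problem.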

@@ -123,36 +136,36 @@ persist-tun

# Output a short status file showing current connections, truncated and
# rewritten every minute.
status {{openvpn_status}}
status {{ openvpn_status }}

# By default, log messages will go to the syslog (or on Windows, if running as
# a service, they will go to the "\Program Files\OpenVPN\log" directory). Use
# log or log-append to override this default. "log" will truncate the log file
# on OpenVPN startup, while "log-append" will append to it. Use one or the
# other (but not both).
;log openvpn.log
log-append {{openvpn_log}}
log-append {{ openvpn_log }}

# Set the appropriate level of log file verbosity.
#
# 0 is silent, except for fatal errors 4 is reasonable for general usage 5 and
# 6 can help to debug connection problems 9 is extremely verbose
verb {{openvpn_verb}}
verb {{ openvpn_verb }}

# The maximum number of concurrently connected clients we want to allow.
max-clients {{openvpn_max_clients}}
max-clients {{ openvpn_max_clients }}

# It's a good idea to reduce the OpenVPN daemon's privileges after
# initialization.
#
# You can uncomment this out on non-Windows systems.
{% if openvpn_user -%}
user {{openvpn_user}}
user {{ openvpn_user }}
{% else -%}
;user nobody
{% endif %}
{% if openvpn_group -%}
group {{openvpn_group}}
group {{ openvpn_group }}
{% else -%}
group nogroup
{% endif %}
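Review bot: these are whitespace-only changes inside `{{ }}` and are fine as style, but mixing them into the IPv6 commits makes the functional diff harder to review and to bisect; a separate formatting commit would be cleaner. One thing visible in the surrounding context: the role falls back to a hard-coded `group nogroup` but leaves `;user nobody` commented out when `openvpn_user` is unset, so by default the daemon keeps running as root after initialisation even though `persist-key`/`persist-tun` are already present to make privilege dropping work; defaulting the user to `nobody` would be the safer choice.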
@@ -163,7 +176,7 @@ client-to-client

{% if openvpn_use_pam %}
client-cert-not-required
plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
plugin {{ openvpn_use_pam_plugin | default(openvpn_use_pam_plugin_distribution) }} openvpn
{% endif %}

{% if openvpn_use_ldap %}
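Review bot: whitespace-only change again, fine. In the context lines, `client-cert-not-required` was deprecated in OpenVPN 2.4 and removed in 2.5, where the replacement is `verify-client-cert none`; since the IPv6 behaviour introduced in this PR also differs between 2.3 and 2.4+, the README or the commit message should state which OpenVPN versions the role targets, and the PAM branch should probably emit the new keyword on 2.5+.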
@@ -176,7 +189,7 @@ script-security 3 execve
{% endif %}

{% for option in openvpn_server_options %}
{{option}}
{{ option }}
{% endfor %}

{% if crl_pem_file.stat.exists %}
@@ -190,3 +203,7 @@ push "dhcp-option DNS {{ dns }}"
{% for push_route in openvpn_route_ranges %}
push "route {{ push_route }}"
{% endfor %}

{% for push_route_ipv6 in openvpn_ipv6_route_ranges %}
push "route-ipv6 {{ push_route_ipv6 }}"
{% endfor %}
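Review bot: the `route-ipv6` loop is not gated on `openvpn_ipv6_enabled`. With the default empty list that is harmless, but a user who fills `openvpn_ipv6_route_ranges` without enabling IPv6 pushes `route-ipv6` entries to clients that have no `ifconfig-ipv6`, which they cannot install; wrap the loop in the same `{% if openvpn_ipv6_enabled | bool and openvpn_ipv6_server | length > 0 %}` as the server block. Also, if the role pushes `redirect-gateway` when `openvpn_route_traffic` is set, the IPv6 side needs `push "redirect-gateway ipv6"` (OpenVPN 2.4+) as well; without it a client with native IPv6 keeps sending IPv6 traffic outside the tunnel while all its IPv4 traffic is tunnelled, which is the classic IPv6 leak.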