update auth-ldap.conf.j2 to optionally check group and add all auth-ldap specific variables to defaults/main.yml

defaults/main.yml

@@ -30,6 +30,11 @@ openvpn_keydir: "{{ openvpn_etcdir }}/keys"
 # README. Then you can simply point this variable to the pki folder of the
 # easyrsa installation and all keys/certificates will be located fine.
 # }}}
+
+openvpn_ca_certs_file: '{{ openvpn_keydir }}/ca.crt'
+openvpn_server_cert_file: '{{ openvpn_keydir }}/issued/server.crt'
+openvpn_server_key_file: '{{ openvpn_keydir }}/private/server.key'
+
 # Server configuration {{{
 # Default settings (See OpenVPN documentation)
 openvpn_host: "{{ inventory_hostname }}"
@@ -44,7 +49,7 @@ openvpn_log: /var/log/openvpn.log
 openvpn_keepalive: "10 120"
 openvpn_ifconfig_pool_persist: ipp.txt
 openvpn_compression: false
-openvpn_ncp_ciphers: 'AES-256-GCM:AES-128-GCM'
+openvpn_data_ciphers: 'AES-256-GCM:AES-128-GCM'
 openvpn_status: openvpn-status.log
 openvpn_verb: 3
 openvpn_user: nobody
@@ -177,9 +182,17 @@ openvpn_use_pam_users: []
 
 # LDAP authentication and configuration (optional)
 openvpn_use_ldap: false
+openvpn_ldap_config: '{{ openvpn_etcdir }}/auth-ldap.conf'
+openvpn_ldap_server:  # ldapserver.example.org or ldap://ldapserver.example.org
 openvpn_ldap_tlsenable: 'false'
 openvpn_ldap_follow_referrals: 'false'
-
+openvpn_ldap_password_is_cr: 'false'
+openvpn_ldap_bind_dn:  # cn=administrator,cn=users,dc=ctc,dc=local
+openvpn_ldap_bind_password:
+openvpn_ldap_base_dn:  # dc=ctc,dc=local
+openvpn_ldap_search_filter: # sAMAccountName=%u
+openvpn_ldap_group_base_dn:  # ou=groups,dc=ctc,dc=local if empty fallback to openvpn_ldap_base_dn
+openvpn_ldap_group_search_filter:  # cn=OpenVPNUsers
 # Use simple authentication (default is disabled)
 openvpn_simple_auth: false
 openvpn_simple_auth_password: ""
@@ -204,6 +217,13 @@ openvpn_script_output_directories: []
 # A path on the OpenVPN server where OpenVPN scripts should be uploaded to.
 openvpn_scripts_dir: "{{ openvpn_etcdir }}/scripts/"
 
+# In some distros, the server with `foobar.conf` config file can be managed
+# using `openvpn@foobar` service
+openvpn_config_file: "{{ openvpn_etcdir }}/server.conf"
+openvpn_service_name: ''  # use the default os-dependent
+
+openvpn_client_config_dir: "{{ openvpn_etcdir }}/ovpns"
+
 # A list of files located on the Ansible controller that the role should upload.
 # The scripts will be uploaded under `openvpn_scripts_dir`. You can reference
 # them in `openvpn_server_options` for the OpenVPN configuration option you

handlers/main.yml

@@ -33,8 +33,8 @@
         - ansible_lsb.codename != "trusty"
       listen: openvpn save iptables
 
-- name: Restart OpenVPN service
+- name: Restart OpenVPN service ({{ openvpn_service_name or penvpn_service }})
   service:
-    name: "{{ openvpn_service }}"
+    name: "{{ openvpn_service_name or penvpn_service }}"
     state: restarted
   listen: openvpn restart

tasks/assertions.yml

@@ -21,5 +21,5 @@
       - name: openvpn_comp_lzo
         replacement: openpvpn_compression
       - name: openvpn_cipher
-        replacement: openvpn_ncp_ciphers
+        replacement: openvpn_data_ciphers
 

tasks/authentication/ldap.yml

@@ -3,6 +3,6 @@
 - name: Setup LDAP
   template:
     src: authentication/auth-ldap.conf.j2
-    dest: /etc/openvpn/auth-ldap.conf
+    dest: '{{ openvpn_ldap_config }}'
     mode: 0o644
   when: openvpn_use_ldap | bool

tasks/authentication/tls.yml

@@ -2,7 +2,7 @@
 
 - name: Generate tls-auth key
   command:
-    openvpn --genkey --secret "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}"
+    openvpn --genkey --secret "{{ openvpn_client_config_dir }}/{{ openvpn_tls_key }}"
   args:
-    creates: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}"
+    creates: "{{ openvpn_client_config_dir }}/{{ openvpn_tls_key }}"
   when: openvpn_tls_auth

tasks/core/clients.yml

@@ -3,8 +3,8 @@
 - name: Generate client configurations
   template:
     src: "{{ openvpn_client_conf_template }}"
-    dest: "{{ openvpn_etcdir }}/ovpns/{{ _openvpn__client }}.ovpn"
     mode: 0o644
+    dest: "{{ openvpn_client_config_dir }}/{{ item }}.ovpn"
   loop: "{{ openvpn_clients }}"
   loop_control:
     loop_var: _openvpn__client
@@ -17,14 +17,14 @@
       {{ openvpn_keydir }}/issued/{{ _openvpn__client }}.crt
       {{ openvpn_keydir }}/private/{{ _openvpn__client }}.key
       {{ _openvpn__client }}.ovpn
-      {{ openvpn_keydir }}/ca.crt
+      {{ openvpn_ca_certs_file }}
       {{ openvpn_tls_key if openvpn_tls_auth else '' }}
   loop: "{{ openvpn_clients }}"
   loop_control:
     loop_var: _openvpn__client
     index_var: index
   args:
-    chdir: "{{ openvpn_etcdir }}/ovpns/"
+    chdir: "{{ openvpn_client_config_dir }}"
   when: openvpn_clients_changed.results[index] is changed
 
 - name: Download client credentials

tasks/core/configure.yml

@@ -15,15 +15,15 @@
 - name: Configure server
   template:
     src: server.conf.j2
-    dest: "{{ openvpn_etcdir }}/server.conf"
     mode: 0o644
+    dest: "{{ openvpn_config_file }}"
   notify: openvpn restart
 
 # Needed by both tls-authentication tasks and client-configuration tasks. Placed
 # here to avoid repeating it twice in both places where the tls and
 # client-config tasks are located.
 - name: Create client configuration directory
   file:
-    path: "{{ openvpn_etcdir }}/ovpns"
+    path: "{{ openvpn_client_config_dir }}"
     state: directory
     mode: 0o755

tasks/core/install/Debian.yml

@@ -32,7 +32,7 @@
   vars:
     dependencies:
       - libpam-pwdfile
-      - python-passlib
+      - python3-passlib
 
 - name: Install LDAP dependencies
   apt:

tasks/core/read-client-files.yml

@@ -1,13 +1,13 @@
 ---
 - name: Read CA file
-  command: cat "{{ openvpn_keydir }}/ca.crt"
+  command: cat "{{ openvpn_ca_certs_file }}"
   no_log: true
   register: openvpn_read_ca_file_results
   changed_when: false
 
 - name: Read TLS-auth key
   slurp:
-    src: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}"
+    src: "{{ openvpn_client_config_dir }}/{{ openvpn_tls_key }}"
   no_log: true
   register: openvpn_read_tlsauth_file_results
   changed_when: false

tasks/service.yml

@@ -1,7 +1,7 @@
 ---
 
-- name: Ensure OpenVPN is started
+- name: Ensure OpenVPN is started ({{ openvpn_service_name or penvpn_service }})
   service:
-    name: "{{ openvpn_service }}"
+    name: "{{ openvpn_service_name or penvpn_service }}"
     state: started
     enabled: true

templates/authentication/auth-ldap.conf.j2

@@ -5,7 +5,7 @@
   #  - ldap://ldapserver.example.org
   #  - ldaps://ldapserver.example.org
   URL   {% if openvpn_ldap_server | regex_search('(^\w+:\/\/.+$)') %}{{ openvpn_ldap_server }}{% else %}ldap://{{ openvpn_ldap_server }}{% endif %}
-  
+
 
   # Bind DN (If your LDAP server doesn't support anonymous binds)
   # e.g. cn=administrator,cn=users,dc=ctc,dc=local
@@ -44,11 +44,14 @@
   BaseDN    {{ openvpn_ldap_base_dn }}
   # e.g. "sAMAccountName=%u"
   SearchFilter  {{ openvpn_ldap_search_filter }}
+  PasswordIsCR  {{ openvpn_ldap_password_is_cr }}
   RequireGroup  true
+  {% if openvpn_ldap_group_search_filter %}
   <Group>
-    BaseDN    {{ openvpn_ldap_base_dn }}
+    BaseDN    {{ openvpn_ldap_group_base_dn | default(openvpn_ldap_base_dn) }}
     # e.g. "cn=OpenVPNUsers"
     SearchFilter  {{ openvpn_ldap_group_search_filter }}
     MemberAttribute Member
   </Group>
+  {% endif %}
 </Authorization>

templates/client.conf.j2

@@ -15,8 +15,8 @@ dev {{ openvpn_client_dev }}
 # server.
 proto {{ openvpn_proto }}
 
-{% if openvpn_ncp_ciphers | length %}
-ncp-ciphers {{ openvpn_ncp_ciphers }}
+{% if openvpn_data_ciphers | length %}
+data-ciphers {{ openvpn_data_ciphers }}
 {% endif %}
 
 # The hostname/IP and port of the server. You can have multiple remote entries

templates/server.conf.j2

@@ -19,8 +19,8 @@ proto {{ openvpn_proto }}
 port-share 127.0.0.1 {{ openvpn_portshare }}
 {% endif %}
 
-{% if openvpn_ncp_ciphers | length %}
-ncp-ciphers {{ openvpn_ncp_ciphers }}
+{% if openvpn_data_ciphers | length %}
+data-ciphers {{ openvpn_data_ciphers }}
 {% endif %}
 
 # "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet
@@ -43,17 +43,17 @@ dev {{ openvpn_dev }}
 #
 # Any X509 key management system can be used. OpenVPN can also use a PKCS #12
 # formatted key file (see "pkcs12" directive in man page).
-ca {{ openvpn_keydir }}/ca.crt
-cert {{ openvpn_keydir }}/issued/server.crt
-key {{ openvpn_keydir }}/private/server.key  # This file should be kept secret
+ca {{ openvpn_ca_certs_file }}
+cert {{ openvpn_server_cert_file }}
+key {{ openvpn_server_key_file }}  # This file should be kept secret
 
 # Diffie hellman parameters. Generate your own with: openssl dhparam -out
 # dh1024.pem 1024 Substitute 2048 for 1024 if you are using 2048 bit keys.
 dh {{ openvpn_keydir }}/dh.pem
 
 {% if openvpn_tls_auth -%}
 # Use a static pre-shared key (PSK)
-tls-auth {{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }} 0
+tls-auth {{ openvpn_client_config_dir }}/{{ openvpn_tls_key }} 0
 tls-server
 {% endif %}
 
@@ -161,12 +161,12 @@ client-to-client
 {% endif %}
 
 {% if openvpn_use_pam %}
-client-cert-not-required
+verify-client-cert none
 plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
 {% endif %}
 
 {% if openvpn_use_ldap %}
-plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf"
+plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "{{ openvpn_ldap_config }}"
 {% endif %}
 
 {% if openvpn_simple_auth and openvpn_simple_auth_password %}

vars/os/Debian.bullseye.yml

@@ -0,0 +1,10 @@
+---
+
+openvpn_use_pam_plugin_distribution:
+  /usr/lib/openvpn/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution:
+  /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service:
+  "{{ 'openvpn@server' if ansible_service_mgr == 'systemd' else 'openvpn' }}"