Ansible role for installing and configuring an OpenVPN server. This role also enables IPv4 NAT via ufw, although it does not set the default policy for routed packets in UFW, nor does it create any rules to allow them through. This is because there is no way to know a priori whether the user wants to deny all routed packets and create rules to allow them through or just default allow all routed packets; therefore, you must manage this part of the ufw configuration outside of this Ansible role.
Note that this role cannot perform every step necessary to set up NAT. Once an instance is started up, one must determine the NAT interface and add a nat table configuration to the top of /etc/ufw/before.rules:

```
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward VPN client traffic
-A POSTROUTING -s <client_network_cidr> -o <interface_name> -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
```
Finally, one must activate the nat table rules:

```bash
ufw disable && ufw enable
```
These steps can be performed via cloud-init, as is done here.
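As an added example (not part of this role or its README), the following POSIX shell script automates the manual NAT steps above: it detects the interface carrying the default route, prepends the nat table block to before.rules only when it is not already present, and reloads ufw. The client network 10.8.0.0/24 shown in the usage line is a constructed placeholder, and the rules file path is a parameter so the logic can be exercised against a scratch copy rather than /etc/ufw/before.rules.

```shell
#!/bin/sh
# Added example for the NAT steps above; not part of the cisagov role.
# Assumes iproute2 (ip), awk and mktemp are available.

# Print the interface that carries the IPv4 default route (the usual NAT interface).
nat_interface() {
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Render the nat table block for a client CIDR ($1) and an outbound interface ($2),
# followed by a blank separator line.
nat_block() {
    printf '%s\n' \
        '# nat Table rules' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        '# Forward VPN client traffic' \
        "-A POSTROUTING -s $1 -o $2 -j MASQUERADE" \
        "# don't delete the 'COMMIT' line or these nat table rules won't be processed" \
        'COMMIT' \
        ''
}

# Prepend the nat block to a before.rules file ($1) for CIDR ($2) and interface ($3).
# Idempotent: returns 0 when the file was changed, 1 when the rule was already there.
install_nat_rules() {
    rules_file=$1; cidr=$2; iface=$3
    if grep -qF -- "-A POSTROUTING -s $cidr -o $iface -j MASQUERADE" "$rules_file"; then
        return 1
    fi
    tmp=$(mktemp) || return 2
    { nat_block "$cidr" "$iface"; cat "$rules_file"; } > "$tmp" && cat "$tmp" > "$rules_file"
    rm -f "$tmp"
    return 0
}

# Usage (as root): sh nat_rules.sh /etc/ufw/before.rules 10.8.0.0/24 [interface]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
    iface=${3:-$(nat_interface)}
    [ -n "$iface" ] || { echo "could not determine NAT interface" >&2; exit 1; }
    if install_nat_rules "$1" "$2" "$iface"; then
        ufw disable && ufw enable   # activate the new nat table rules
    fi
fi
```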
Note

We cannot currently test any ARM64 platforms under QEMU because QEMU cannot currently support iptables.
Requirements: None.

Role Variables: None.
This role can be installed via the command:

```console
ansible-galaxy install --role-file path/to/requirements.yml
```

where requirements.yml looks like:

```yaml
---
- name: openvpn
  src: https://github.com/cisagov/ansible-role-openvpn
```

and may contain other roles as well.
For more information about installing Ansible roles via a YAML file, please see the ansible-galaxy documentation.
Here's how to use it in a playbook:

```yaml
- hosts: all
  become: true
  become_method: sudo
  tasks:
    - name: Install and configure OpenVPN
      ansible.builtin.include_role:
        name: openvpn
```
We welcome contributions! Please see CONTRIBUTING.md for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
Mark Feldhousen - [email protected]