Puppet module to manage OpenVPN servers and clients.
- Client-specific rules and access policies
- Generated client configurations and SSL-Certificates
- Downloadable client configurations and SSL-Certificates for easy client configuration
- Support for multiple server instances
- Support for LDAP-Authentication
- Support for server instance in client mode
- Support for TLS
- Ubuntu
- Debian
- CentOS
- RedHat
- Amazon
- Version >= 4.7.1
# add a server instance
openvpn::server { 'winterthur':
country => 'CH',
province => 'ZH',
city => 'Winterthur',
organization => 'example.org',
email => '[email protected]',
server => '10.200.200.0 255.255.255.0',
}
# define clients
openvpn::client { 'client1':
server => 'winterthur',
}
openvpn::client { 'client2':
server => 'winterthur',
}
openvpn::client_specific_config { 'client1':
server => 'winterthur',
ifconfig => '10.200.200.50 10.200.200.51',
}
# a revoked client
openvpn::client { 'client3':
server => 'winterthur',
}
openvpn::revoke { 'client3':
server => 'winterthur',
}
# a server in client mode
file {
'/etc/openvpn/zurich/keys/ca.crt':
source => 'puppet:///path/to/ca.crt';
'/etc/openvpn/zurich/keys/zurich.crt':
source => 'puppet:///path/to/zurich.crt';
'/etc/openvpn/zurich/keys/zurich.key':
source => 'puppet:///path/to/zurich.key';
}
openvpn::server { 'zurich':
remote => [ 'mgmtnet3.nine.ch 1197', 'mgmtnet2.nine.ch 1197' ],
require => [ File['/etc/openvpn/zurich/keys/ca.crt'],
File['/etc/openvpn/zurich/keys/zurich.crt'],
File['/etc/openvpn/zurich/keys/zurich.key'] ];
}
---
classes:
- openvpn
openvpn::servers:
'winterthur':
country: 'CH'
province: 'ZH'
city: 'Winterthur'
organization: 'example.org'
email: '[email protected]'
server: '10.200.200.0 255.255.255.0'
openvpn::client_defaults:
server: 'winterthur'
openvpn::clients:
'client1': {}
'client2': {}
'client3': {}
openvpn::client_specific_configs:
'client1':
server: 'winterthur'
ifconfig: '10.200.200.50 10.200.200.51'
openvpn::revokes:
'client3':
server: 'winterthur'
Don't forget the sysctl directive net.ipv4.ip_forward
!
This module provides certain default parameters for the openvpn encryption settings.
These settings have been applied in line with current "best practices" but no guarantee is given for their saftey and they could change in future.
You should double check these settings yourself to make sure they are suitable for your needs and in line with current best practices.
Exporting the configurations for a client in the VPN server manifest:
openvpn::deploy::export { 'client1':
server => 'winterthur',
}
Installation, configuration and starting the OpenVPN client in a configured node manifest:
openvpn::deploy::client { 'client1':
server => 'winterthur',
}
-
The readme file of github.com/Angristan/OpenVPN-install outlines some of reasoning behind such choices.
-
The OpenVPN documentation about the SWEET32 attack gives some reasons and recommendations for which ciphers to use.
-
The OpenVPN hardening documentation also gives further examples
The default key size is now set to 2048
bits.
This setting also affects the size of the dhparam file.
2048 bits is OK, but both NSA and ANSSI recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.
The default data channel cipher is now set to AES-256-CBC
OpenVPN was setting its default value to BF-CBC
. In newer versions of OpenVPN
it warns that this is no longer a secure cipher.
The OpenVPN documentation recommends using this setting.
The default tls_cipher option is now set to: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
Details of these ciphers and their uses can be found in the documentation links above.
This module is maintained by Vox Pupuli. Voxpupuli welcomes new contributions to this module, especially those that include documentation and rspec tests. We are happy to provide guidance if necessary.
Please see CONTRIBUTING for more details.
- Raffael Schmid [email protected]
- Vox Pupuli Team