From 2c19b822cea612512e1ed7188fd91911fdae3d29 Mon Sep 17 00:00:00 2001
From: Udo Waechter
Date: Tue, 8 Jul 2014 16:16:37 +0200
Subject: [PATCH 1/2] windows-client adaptions

---
 templates/client.erb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/templates/client.erb b/templates/client.erb
index 2388b482..63b42758 100644
--- a/templates/client.erb
+++ b/templates/client.erb
@@ -27,3 +27,6 @@ mute <%= scope.lookupvar('mute') %>
 <% if scope.lookupvar('pam') || scope.lookupvar('authuserpass') -%>
 auth-user-pass
 <% end -%>
+script-security 2
+route-method use
+route-delay 2

From 66d8845e73b41b26af2dc043c04a9d241920b756 Mon Sep 17 00:00:00 2001
From: Udo Waechter
Date: Fri, 22 Aug 2014 15:14:28 +0200
Subject: [PATCH 2/2] SERVER-431 permissons fix

---
 manifests/server.pp | 233 ++++++++++++++++++++++----------------------
 1 file changed, 115 insertions(+), 118 deletions(-)

diff --git a/manifests/server.pp b/manifests/server.pp
index bd7039ba..cf24fc6e 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -230,15 +230,18 @@
 # Default: 3650
 #
 # [*key_name*]
-# String. Value for name_default variable in openssl.cnf (and KEY_NAME in vars)
+# String. Value for name_default variable in openssl.cnf (and KEY_NAME in
+# vars)
 # Default: None
 #
 # [*key_ou*]
-# String. Value for organizationalUnitName_default variable in openssl.cnf (and KEY_OU in vars)
+# String. Value for organizationalUnitName_default variable in openssl.cnf
+# (and KEY_OU in vars)
 # Default: None
 #
 # [*key_cn*]
-# String. Value for commonName_default variable in openssl.cnf (and KEY_CN in vars)
+# String. Value for commonName_default variable in openssl.cnf (and KEY_CN in
+# vars)
 # Default: None
 #
 # === Examples
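Review bot: `script-security 2` is added unconditionally, so every client rendered from this template — not only the Windows clients the commit is about — is now permitted to execute external scripts named in its OpenVPN config; `route-method use` is, as far as I know, only accepted by the Windows build and may make other clients reject the config outright. Gate the three lines the same way `auth-user-pass` is gated just above, e.g. `<% if scope.lookupvar('<windows-client flag>') -%>` … `<% end -%>` (placeholder — pick the module's actual variable), and add a template comment saying which Windows routing behaviour needs script-security. `route-delay 2` is harmless on its own but belongs inside the same guard.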
@@ -275,67 +278,65 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-define openvpn::server(
+define openvpn::server (
 $country,
 $province,
 $city,
 $organization,
 $email,
- $common_name = 'server',
- $compression = 'comp-lzo',
- $dev = 'tun0',
- $user = 'nobody',
- $group = false,
- $ipp = false,
- $local = $::ipaddress_eth0,
- $logfile = false,
- $port = '1194',
- $proto = 'tcp',
- $status_log = "${name}/openvpn-status.log",
- $server = '',
- $server_ipv6 = '',
- $server_bridge = '',
- $push = [],
- $route = [],
- $keepalive = '',
- $ssl_key_size = 1024,
- $topology = 'net30',
- $c2c = false,
- $tcp_nodelay = false,
- $ccd_exclusive = false,
- $pam = false,
- $management = false,
- $management_ip = 'localhost',
+ $common_name = 'server',
+ $compression = 'comp-lzo',
+ $dev = 'tun0',
+ $user = 'nobody',
+ $group = false,
+ $ipp = false,
+ $local = $::ipaddress_eth0,
+ $logfile = false,
+ $port = '1194',
+ $proto = 'tcp',
+ $status_log = "${name}/openvpn-status.log",
+ $server = '',
+ $server_ipv6 = '',
+ $server_bridge = '',
+ $push = [],
+ $route = [],
+ $keepalive = '',
+ $ssl_key_size = 1024,
+ $topology = 'net30',
+ $c2c = false,
+ $tcp_nodelay = false,
+ $ccd_exclusive = false,
+ $pam = false,
+ $management = false,
+ $management_ip = 'localhost',
 $management_port = 7505,
- $up = '',
- $down = '',
- $username_as_common_name = false,
- $ldap_enabled = false,
- $ldap_server = '',
- $ldap_binddn = '',
- $ldap_bindpass = '',
- $ldap_u_basedn = '',
- $ldap_g_basedn = '',
- $ldap_gmember = false,
- $ldap_u_filter = '',
- $ldap_g_filter = '',
- $ldap_memberatr = '',
+ $up = '',
+ $down = '',
+ $username_as_common_name = false,
+ $ldap_enabled = false,
+ $ldap_server = '',
+ $ldap_binddn = '',
+ $ldap_bindpass = '',
+ $ldap_u_basedn = '',
+ $ldap_g_basedn = '',
+ $ldap_gmember = false,
+ $ldap_u_filter = '',
+ $ldap_g_filter = '',
+ $ldap_memberatr = '',
 $ldap_tls_enable = false,
- $ldap_tls_ca_cert_file = '',
- $ldap_tls_ca_cert_dir = '',
+ $ldap_tls_ca_cert_file = '',
+ $ldap_tls_ca_cert_dir = '',
 $ldap_tls_client_cert_file = '',
 $ldap_tls_client_key_file = '',
- $ca_expire = 3650,
- $key_expire = 3650,
- $key_cn = '',
- $key_name = '',
- $key_ou = '',
- $verb = '',
- $cipher = '',
- $persist_key = false,
- $persist_tun = false,
-) {
-
+ $ca_expire = 3650,
+ $key_expire = 3650,
+ $key_cn = '',
+ $key_name = '',
+ $key_ou = '',
+ $verb = '',
+ $cipher = '',
+ $persist_key = false,
+ $persist_tun = false,) {
 include openvpn

 Class['openvpn::install'] -> Openvpn::Server[$name] ~>
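Review bot: The closing brace fused onto the last parameter, `$persist_tun = false,) {`, makes the end of the parameter list easy to miss and departs from the layout used everywhere else in the define; keep it as `$persist_tun = false,` followed by `) {` on its own line. Since the whole list is being re-emitted here, the `$ssl_key_size = 1024` default it re-adds is below what is generally accepted for RSA keys; a `2048` default would be safer, although that changes behaviour for existing users and may belong in a separate commit. `$ldap_bindpass` is carried as a plain define parameter and therefore lands in the catalog and reports — pre-existing, but the parameter header block above would benefit from a sentence saying so.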
@@ -351,46 +352,46 @@ default => $group } - file { - [ "/etc/openvpn/${name}", - "/etc/openvpn/${name}/auth", - "/etc/openvpn/${name}/client-configs", - "/etc/openvpn/${name}/download-configs" ]: - ensure => directory; + File { + group => $group_to_set, + recurse => true, } - exec { - "copy easy-rsa to openvpn config folder ${name}": - command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/easy-rsa", - notify => Exec["fix_easyrsa_file_permissions_${name}"], - require => File["/etc/openvpn/${name}"]; + file { [ + "/etc/openvpn/${name}", + "/etc/openvpn/${name}/auth", + "/etc/openvpn/${name}/client-configs", + "/etc/openvpn/${name}/download-configs"]: + mode => 0750, + ensure => directory; } - exec { - "fix_easyrsa_file_permissions_${name}": - refreshonly => true, - command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*"; + exec { "copy easy-rsa to openvpn config folder ${name}": + command => "/bin/cp -r ${openvpn::params::easyrsa_source} /etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/easy-rsa", + notify => Exec["fix_easyrsa_file_permissions_${name}"], + require => File["/etc/openvpn/${name}"]; } - file { - "/etc/openvpn/${name}/easy-rsa/revoked": - ensure => directory, - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + exec { "fix_easyrsa_file_permissions_${name}": + refreshonly => true, + command => "/bin/chmod 750 /etc/openvpn/${name}/easy-rsa/*"; } - file { - "/etc/openvpn/${name}/easy-rsa/vars": - ensure => present, - content => template('openvpn/vars.erb'), - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/revoked": + ensure => directory, + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; } - file { - "/etc/openvpn/${name}/easy-rsa/openssl.cnf": - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/vars": + ensure => 
present, + content => template('openvpn/vars.erb'), + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; } + file { "/etc/openvpn/${name}/easy-rsa/openssl.cnf": require => Exec["copy easy-rsa to openvpn config folder ${name}" + ]; } + if $openvpn::params::link_openssl_cnf == true { File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] { ensure => link, @@ -411,8 +412,9 @@ cwd => "/etc/openvpn/${name}/easy-rsa", creates => "/etc/openvpn/${name}/easy-rsa/keys/ca.key", provider => 'shell', - require => [ Exec["generate dh param ${name}"], - File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"] ]; + require => [ + Exec["generate dh param ${name}"], + File["/etc/openvpn/${name}/easy-rsa/openssl.cnf"]]; "generate server cert ${name}": command => ". ./vars && ./pkitool --server ${common_name}", 
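Review bot: `mode => 0750` on the `/etc/openvpn/${name}` directory set is an unquoted octal literal, while the rest of this file quotes modes (`'0440'` further down); write it as `mode => '0750',` so it is not treated as a number. The new `File { group => $group_to_set, recurse => true }` block is a scoped resource default, so it silently applies `recurse => true` to every file resource declared after it in this define, and on `/etc/openvpn/${name}` the recursion will, as far as I can tell, push that `0750` and `$group_to_set` onto everything beneath it — including the easy-rsa keys directory, whose private keys become readable by that group and whose regular files gain the execute bit. It would be safer to set `group`/`recurse` explicitly on the directory resources that need them and to manage the keys directory with its own stricter mode rather than through a default; the `chmod 750` exec still only touches `easy-rsa/*`, so the two mechanisms now overlap.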
@@ -422,51 +424,46 @@ require => Exec["initca ${name}"]; } - file { - "/etc/openvpn/${name}/keys": - ensure => link, - target => "/etc/openvpn/${name}/easy-rsa/keys", - require => Exec["copy easy-rsa to openvpn config folder ${name}"]; + file { "/etc/openvpn/${name}/keys": + ensure => link, + target => "/etc/openvpn/${name}/easy-rsa/keys", + require => Exec["copy easy-rsa to openvpn config folder ${name}"]; } - exec { - "create crl.pem on ${name}": - command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/${name}/crl.pem -config /etc/openvpn/${name}/easy-rsa/openssl.cnf", - cwd => "/etc/openvpn/${name}/easy-rsa", - creates => "/etc/openvpn/${name}/crl.pem", - provider => 'shell', - require => Exec["generate server cert ${name}"]; + exec { "create crl.pem on ${name}": + command => ". ./vars && KEY_CN='' KEY_OU='' KEY_NAME='' KEY_ALTNAMES='' openssl ca -gencrl -out /etc/openvpn/${name}/crl.pem -config /etc/openvpn/${name}/easy-rsa/openssl.cnf", + cwd => "/etc/openvpn/${name}/easy-rsa", + creates => "/etc/openvpn/${name}/crl.pem", + provider => 'shell', + require => Exec["generate server cert ${name}"]; } - file { - "/etc/openvpn/${name}/easy-rsa/keys/crl.pem": - ensure => link, - target => "/etc/openvpn/${name}/crl.pem", - require => Exec["create crl.pem on ${name}"]; + file { "/etc/openvpn/${name}/easy-rsa/keys/crl.pem": + ensure => link, + target => "/etc/openvpn/${name}/crl.pem", + require => Exec["create crl.pem on ${name}"]; } if $::osfamily == 'Debian' { - concat::fragment { - "openvpn.default.autostart.${name}": - content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", - target => '/etc/default/openvpn', - order => 10; + concat::fragment { "openvpn.default.autostart.${name}": + content => "AUTOSTART=\"\$AUTOSTART ${name}\"\n", + target => '/etc/default/openvpn', + order => 10; } } - file { - "/etc/openvpn/${name}.conf": - owner => root, - group => root, - mode => '0444', - content => 
template('openvpn/server.erb'); + file { "/etc/openvpn/${name}.conf": + owner => root, + group => nogroup, + mode => '0440', + content => template('openvpn/server.erb'); } + if $ldap_enabled == true { - file { - "/etc/openvpn/${name}/auth/ldap.conf": - ensure => present, - content => template('openvpn/ldap.erb'), - require => Package["openvpn-auth-ldap"], + file { "/etc/openvpn/${name}/auth/ldap.conf": + ensure => present, + content => template('openvpn/ldap.erb'), + require => Package["openvpn-auth-ldap"], } } }
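Review bot: `group => nogroup` on `/etc/openvpn/${name}.conf` is hard-coded although the commit otherwise introduces `$group_to_set`, and `nogroup` does not exist on RedHat-family systems, so the catalog will fail to apply there even though the `$::osfamily == 'Debian'` branch just above shows the module is meant to be portable; use `group => $group_to_set,` or keep `root`. With `mode => '0440'` the file is only readable by root and that group, which is fine since OpenVPN parses its config before `--user`/`--group` take effect. The `ldap.conf` resource at the end of the hunk still carries no `mode`, so if `ldap.erb` renders `$ldap_bindpass` the bind password is written with Puppet's default file permissions (typically world-readable); give it `mode => '0440',` with the same owner and group as the server config.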