{"id":24863681,"url":"https://github.com/stuvusit/openvpn","last_synced_at":"2025-10-15T09:31:42.047Z","repository":{"id":28354127,"uuid":"118257093","full_name":"stuvusIT/openvpn","owner":"stuvusIT","description":"Ansible openvpn role","archived":false,"fork":false,"pushed_at":"2024-10-20T19:16:43.000Z","size":90,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-20T23:49:56.953Z","etag":null,"topics":["ansible","ansible-role","apt","openvpn","security","ubuntu","vpn"],"latest_commit_sha":null,"homepage":null,"language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-sa-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stuvusIT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-01-20T15:53:06.000Z","updated_at":"2024-10-20T19:16:44.000Z","dependencies_parsed_at":"2022-08-04T18:00:42.916Z","dependency_job_id":null,"html_url":"https://github.com/stuvusIT/openvpn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Fopenvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Fopenvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Fopenvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuvusIT%2Fopenvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stuvusIT","download_url":"https://codeload.github.com/stuvusIT/openvpn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":236600148,"owners_count":19175167,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","apt","openvpn","security","ubuntu","vpn"],"created_at":"2025-01-31T23:32:52.419Z","updated_at":"2025-10-15T09:31:36.721Z","avatar_url":"https://github.com/stuvusIT.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# openvpn\n\nThis role installs OpenVPN, configures it as a server and can optionally create client certificates.\n\n## Requirements\n\nThis role requires an apt based system.\n\n\n## Role Variables\n\n| Role variable | Default | Description |\n| ------------------------------------ | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| `openvpn_base_dir` | `/etc/openvpn` | Path where your OpenVPN config will be stored |\n| `openvpn_key_dir` | `/etc/openvpn/keys` | Path where your server private keys and CA will be stored |\n| `openvpn_port` | `1194` | The port you want OpenVPN to run on. |\n| `openvpn_server_hostname` | `{{inventory_hostname}}` | The server name to place in the client configuration file (if different from the `inventory_hostname`) |\n| `openvpn_proto` | `udp` | The protocol you want OpenVPN to use |\n| `openvpn_dualstack` | `true` | Whether or not to use a dualstack (IPv4 + v6) socket |\n| `openvpn_rsa_bits` | `2048` | Number of bit used to protect generated certificates |\n| `openvpn_service_name` | `openvpn` | Name of the service. Used by systemctl to start the service |\n| `openvpn_use_pregenerated_dh_params` | `false` | DH params are generted with the install by default |\n| `openvpn_use_modern_tls` | `true` | Use modern Cipher for TLS encryption |\n| `openvpn_verify_cn` | `false` | Check that the CN of the certificate matches the FQDN |\n| `openvpn_redirect_gateway` | `true` | OpenVPN gateway push |\n| `openvpn_set_dns` | `true` | Will push DNS to the client |\n| `openvpn_enable_management` | `true` | |\n| `openvpn_management_bind` | `/var/run/openvpn/management unix` | The interface to bind on for the management interface. Can be unix or TCP socket. |\n| `openvpn_management_client_user` | `root` | Use this user when using a Unix socket for management interface. |\n| `openvpn_tls_auth_required` | `true` | Ask the client to push the generated ta.key of the server during the connection |\n| `openvpn_ca_key` | | CA key containing both crt and the private key. If not set, CA cert and key will be automatically generated on the target system. |\n| `openvpn_tls_auth_key` | | Single item with a pre-generated TLS authentication key. |\n| `openvpn_topology` | | the `topology` keyword will be set in the server config with the specified value. |\n| `openvpn_push` | `empty` | Set here a list of string that will be placed as `push \"\u003cstring\u003e\"`. E.g. `- route 10.20.30.0 255.255.255.0` will generate `push \"route 10.20.30.0 255.255.255.0\"`. |\n| `openvpn_crl_path` | | Define a path to the CRL file for revocations. |\n| `openvpn_use_crl` | `false` | Configure OpenVPN server to honor certificate revocation list. |\n| `openvpn_client_register_dns` | `true` | Add `register-dns` option to client config (Windows only). |\n| `openvpn_duplicate_cn` | `false` | Add `duplicate-cn` option to server config - this allows clients to connect multiple times with the one key. |\n| `openvpn_clients` | `[]` | List of [client objects](#client-objects) for which certificates should be generated. |\n| `openvpn_dns_servers` | `[\"8.8.8.8\",\"8.8.4.4\"]` | List of DNS servers to push to the client |\n| `openvpn_cipher` | `AES-256-CBC` | Cipher to use. |\n| `openvpn_auth_hash_algo` | `SHA256` | Algorithm to use for auth. |\n| `openvpn_openssl_digest` | `sha256` | Digest Algorithm to use when signing and creating certs. |\n| `openvpn_openssl_days` | `3650` | How many days are the certs valid. |\n| `openvpn_use_lzo` | `true` | Enable or disable compression. |\n| `openvpn_tls_cipher` | | List of TLS Cipher to support |\n| `openvpn_fetch_configs` | `true` | Download client configurations from the server. |\n| `openvpn_up_commands` | `[]` | Commands ran when the OpenVPN TAP/TUN interface goes up |\n| `openvpn_extra_config` | `[]` | Extra lines added to the server configuration |\n\n### Client objects\n\nA client object is a dictionary that can contain the following keys.\n\n| Key | Mandatory? | Description |\n| ------------ | ------------------------ | ---------------------------------------------------------------------- |\n| `name` | :heavy_check_mark: | Name of the client. Has to be unique. |\n| `ip_address` | :heavy_multiplication_x: | IP address given to the client via `ifconfig-push` |\n| `netmask` | :heavy_multiplication_x: | Netmask of that IP address |\n| `push` | :heavy_multiplication_x: | Miscellaneous strings to be used with the `push` command to the client |\n\n### LDAP\n\n| Role variable | Default | Description |\n| ------------------ | ------- | ------------------------------------------------------------------------------ |\n| `openvpn_use_ldap` | `false` | Active LDAP backend for authentication. Client certificate not needed anymore. |\n| `openvpn_ldap` | | Dictionary that contains the LDAP configuration](#the-openvpn-ldap-object) |\n\n#### The `openvpn_ldap` object\n\nThe contents of this dictionary are only relevant if `openvpn_use_ldap` is `true`.\nIt is a dictionary that can contain the following keys.\n\n| Key | Mandatory? | Example | Description |\n| --------------------- | ------------------------- | ----------------------------------------- | ------------------------------------------------------------------------------------------- |\n| `url` | :heavy_check_mark: | `ldap://host.example.com` | Address of you LDAP backend with syntax ldap[s]://host[:port] |\n| `anonymous_bind` | :heavy_check_mark: | `False` | This is not an Ansible boolean but a string that will be pushed into the configuration file |\n| `bind_dn` | :heavy_check_mark: | `uid=Manager,ou=People,dc=example,dc=com` | Bind DN used if \"anonymous_bind\" set to \"False\" |\n| `bind_password` | :heavy_check_mark: | `mysecretpassword` | Password of the bind_dn user |\n| `tls_enable` | :heavy_check_mark: | `no` | Enable STARTTLS. Not necessary with ldaps addresses |\n| `tls_ca_cert_file` | If `tls_enable` is `true` | `/etc/openvpn/auth/ca.pem` | Path to the CA ldap backend. This must have been pushed before |\n| `base_dn` | :heavy_check_mark: | `ou=People,dc=example,dc=com` | Base DN where the backend will look for valid user |\n| `search_filter` | :heavy_check_mark: | `(\u0026(uid=%u)(accountStatus=active))` | Filter the ldap search |\n| `require_group` | :heavy_check_mark: | | This is not an Ansible boolean but a string that will be pushed into the configuration file |\n| `group_base_dn` | :heavy_check_mark: | `ou=Groups,dc=example,dc=com` | Precise the group to look for. Required if require_group is set to \"True\" |\n| `group_search_filter` | :heavy_check_mark: | `((cn=developers)(cn=artists))` | Precise valid groups |\n\n### Routing vs Bridging\n\nThe `openvpn_use_bridge` role variable lets you chose between [routing and bridging](https://community.openvpn.net/openvpn/wiki/BridgingAndRouting).\n\n| Role variable | Default | Description |\n| -------------------- | ------- | --------------------------------------------------- |\n| `openvpn_use_bridge` | `false` | Enables bridging (TAP) as opposed to routing (TUN). |\n\n#### Routing\n\nThe following variables are only relevant if you chose *routing* (i.e. `openvpn_use_bridge` is `false`).\n\n| Role variable | Required/Default | Description |\n| ----------------------------------------- | ------------------------ | ------------------------------------------ |\n| `openvpn_tunnel_subnetv4` | `10.9.0.0/24` | Private IPv4 subnet inside the tunnel |\n| `openvpn_tunnel_subnetv6` | :heavy_multiplication_x: | Private IPv6 subnet inside the tunnel |\n| `openvpn_tunnel_dynamic_ipv4_range_start` | `2` | Offset where the dynamic IPv4 range starts |\n| `openvpn_tunnel_dynamic_ipv4_range_end` | `253` | Offset where the dynamic IPv4 range ends |\n| `openvpn_tunnel_dynamic_ipv6_range_start` | `::f:0:0:0` | Offset where the dynamic IPv6 range starts |\n\n#### Bridging\n\nThe following variables are only relevant if you chose *bridging) (i.e. `openvpn_use_bridge` is `true`).\n\n| Role variable | Default | Description |\n| ---------------------------------- | --------------- | ----------------------------------------------------------------------------------- |\n| `openvpn_bridge_name` | `br0` | Name of the bridge |\n| `openvpn_bridge_eth_interface` | `eth0` | Ethernet interface that's connected to the bridge |\n| `openvpn_bridge_address` | | IP address of the bridge interface. Defaults to no IP address being configured. |\n| `openvpn_bridge_enable_dhcp` | `true` | Enable OpenVPN's own DHCP server |\n| `openvpn_bridge_dhcp_push_gateway` | `192.168.0.1` | Relevant if `openvpn_bridge_enable_dhcp` is `true`. Gateway address for the clients |\n| `openvpn_bridge_dhcp_push_netmask` | `255.255.255.0` | Relevant if `openvpn_bridge_enable_dhcp` is `true`. Netmask of the bridge network |\n| `openvpn_bridge_dhcp_range_start` | `192.168.0.128` | Relevant if `openvpn_bridge_enable_dhcp` is `true`. Start of the DHCP range |\n| `openvpn_bridge_dhcp_range_end` | `192.168.0.254` | Relevant if `openvpn_bridge_enable_dhcp` is `true`. End of the DHCP range |\n\nOn the bridge network, client IP address allocation can be handled in two ways:\n\n* If `openvpn_bridge_enable_dhcp` is `true`:\n Let OpenVPN run an own DHCP server on the bridge network.\n* If `openvpn_bridge_enable_dhcp` is `false`:\n Use an external DHCP server that's connected through the bridged ethernet interface.\n You have to set that DHCP server up yourself.\n\n## License\n\nThis work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/).\n\n## Author Information\n\n* [Fritz Otlinghaus (Scriptkiddi)](https://github.com/scriptkiddi) _fritz.otlinghaus@stuvus.uni-stuttgart.de_\n* [Markus Mroch (Mr. Pi)](https://github.com/Mr-Pi) \u0026lt;_markus.mroch@stuvus.uni-stuttgart.de_\u0026gt;\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuvusit%2Fopenvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstuvusit%2Fopenvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuvusit%2Fopenvpn/lists"}