{"id":15013930,"url":"https://github.com/voxpupuli/puppet-openvpn","last_synced_at":"2026-02-19T23:32:23.357Z","repository":{"id":1606580,"uuid":"2195970","full_name":"voxpupuli/puppet-openvpn","owner":"voxpupuli","description":"OpenVPN module for puppet including client config/cert creation","archived":false,"fork":false,"pushed_at":"2025-10-17T14:56:02.000Z","size":1177,"stargazers_count":117,"open_issues_count":26,"forks_count":204,"subscribers_count":44,"default_branch":"master","last_synced_at":"2025-12-08T16:27:32.348Z","etag":null,"topics":["archlinux-puppet-module","bsd-puppet-module","centos-puppet-module","debian-puppet-module","freebsd-puppet-module","hacktoberfest","linux-puppet-module","puppet","redhat-puppet-module","ubuntu-puppet-module"],"latest_commit_sha":null,"homepage":"","language":"Puppet","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/voxpupuli.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"open_collective":"vox-pupuli","github":"voxpupuli"}},"created_at":"2011-08-12T08:05:53.000Z","updated_at":"2025-10-14T17:47:06.000Z","dependencies_parsed_at":"2023-07-05T20:31:28.303Z","dependency_job_id":"a44b8455-8243-41b3-8c32-bf6f9f755549","html_url":"https://github.com/voxpupuli/puppet-openvpn","commit_stats":{"total_commits":659,"total_committers":106,"mean_commits":6.216981132075472,"dds":0.6737481031866464,"last_synced_commit":"8cbff15338489ae5ecf1b5ee589991d93e15cfe5"},"previous_names":["luxflux/puppet-openvpn"],"tags_count":32,"template":false,"template_full_name":null,"purl":"pkg:github/voxpupuli/puppet-openvpn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/voxpupuli","download_url":"https://codeload.github.com/voxpupuli/puppet-openvpn/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openvpn/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27670644,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-11T02:00:11.302Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["archlinux-puppet-module","bsd-puppet-module","centos-puppet-module","debian-puppet-module","freebsd-puppet-module","hacktoberfest","linux-puppet-module","puppet","redhat-puppet-module","ubuntu-puppet-module"],"created_at":"2024-09-24T19:44:57.832Z","updated_at":"2025-12-11T21:45:01.276Z","avatar_url":"https://github.com/voxpupuli.png","language":"Puppet","funding_links":["https://opencollective.com/vox-pupuli","https://github.com/sponsors/voxpupuli"],"categories":[],"sub_categories":[],"readme":"# OpenVPN Puppet module\n\n[![Build Status](https://github.com/voxpupuli/puppet-openvpn/workflows/CI/badge.svg)](https://github.com/voxpupuli/puppet-openvpn/actions?query=workflow%3ACI)\n[![Release](https://github.com/voxpupuli/puppet-openvpn/actions/workflows/release.yml/badge.svg)](https://github.com/voxpupuli/puppet-openvpn/actions/workflows/release.yml)\n[![License](https://img.shields.io/github/license/voxpupuli/puppet-openvpn.svg)](https://github.com/voxpupuli/puppet-openvpn/blob/master/LICENSE)\n[![Puppet Forge](https://img.shields.io/puppetforge/v/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)\n[![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)\n[![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)\n[![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)\n\nPuppet module to manage OpenVPN servers and clients.\n\n## Features\n\n* Client-specific rules and access policies\n* Generated client configurations and SSL-Certificates\n* Downloadable client configurations and SSL-Certificates for easy client configuration\n* Support for multiple server instances\n* Support for LDAP-Authentication\n* Support for server instance in client mode\n* Support for TLS\n\n## Supported OS\n\n* Ubuntu\n* Debian\n* CentOS\n* RedHat\n* Solaris\n\n## Dependencies\n  - [puppetlabs-concat 3.0.0+](https://github.com/puppetlabs/puppetlabs-concat)\n  - [puppetlabs-stdlib 4.25.0+](https://github.com/puppetlabs/puppetlabs-stdlib)\n\n## Puppet\n\nThe supported Puppet versions are listed in the [metadata.json](metadata.json)\n\n## REFERENCES\n\nPlease see [REFERENCE.md](https://github.com/voxpupuli/puppet-openvpn/blob/master/REFERENCE.md) for more details.\n\n## Example with hiera\n\n```yaml\n---\nclasses:\n  - openvpn\n\nopenvpn::servers:\n  'winterthur':\n    country: 'CH'\n    province: 'ZH'\n    city: 'Winterthur'\n    organization: 'example.org'\n    email: 'root@example.org'\n    server: '10.200.200.0 255.255.255.0'\n\nopenvpn::client_defaults:\n  server: 'winterthur'\n\nopenvpn::clients:\n  'client1': {}\n  'client2': {}\n  'client3': {}\n\nopenvpn::client_specific_configs:\n  'client1':\n    server: 'winterthur'\n    ifconfig: '10.200.200.50 10.200.200.51'\n\nopenvpn::revokes:\n  'client3':\n    server: 'winterthur'\n```\n\nDon't forget the sysctl directive ```net.ipv4.ip_forward```!\n\n## Encryption Choices\n\nThis module provides certain default parameters for the openvpn encryption settings.\n\nThese settings have been applied in line with current \"best practices\" but no\nguarantee is given for their saftey and they could change in future.\n\nYou should double check these settings yourself to make sure they are suitable for your needs and in line with current best practices.\n\n## Example for automating client deployment to nodes managed by Puppet\n\nExporting the configurations for a client in the VPN server manifest:\n```\n  openvpn::deploy::export { 'client1':\n    server =\u003e 'winterthur',\n  }\n```\nInstallation, configuration and starting the OpenVPN client in a configured node manifest:\n```\n  openvpn::deploy::client { 'client1':\n    server =\u003e 'winterthur',\n  }\n```\n\n## Experimenting and developing in Vagrant\n\nThis project includes a Vagrantfile which allows you to easily develop this\nmodule or try it out. The prerequisites are [Vagrant](https://www.vagrantup.com/)\nand [VirtualBox](https://www.virtualbox.org/).\n\nTo bring up the OpenVPN server VM:\n\n    vagrant up server_ubuntu\n\nTo bring up the OpenVPN client VM:\n\n    vagrant up client_ubuntu\n\nClient's OpenVPN configuration is generated on the server, but it needs to be\ndeployed to the client manually as exported resources are not available in\nVagrant. To get the client config from server:\n\n    vagrant ssh server_ubuntu\n    sudo -i\n    cp /etc/openvpn/winterthur/download-configs/client1.ovpn /vagrant/\n    exit\n\nTo copy it to the client:\n\n    vagrant ssh client_ubuntu\n    sudo -i\n    mv /vagrant/client1.ovpn /etc/openvpn/client/client1.conf\n\nTo connect directly with OpenVPN:\n\n    openvpn --config /etc/openvpn/client/client1.conf\n\nTo connect with systemd:\n\n    systemctl start openvpn-client@client1\n\nTo test connectivity between client and server:\n\n    ping 10.200.200.1\n\n##### References\n\n* The readme file of [github.com/Angristan/OpenVPN-install](https://github.com/Angristan/OpenVPN-install/tree/f47fc795d5e2d53f74431aadc58ef9de5784103a) outlines some of reasoning behind\nsuch choices.\n\n* The OpenVPN documentation about the [SWEET32](https://community.openvpn.net/openvpn/wiki/SWEET32) attack gives some reasons and\nrecommendations for which ciphers to use.\n\n* The OpenVPN [hardening documentation](https://community.openvpn.net/openvpn/wiki/Hardening) also gives further examples\n\n### ssl_key_size\n\nThe default key size is now set to `2048` bits.\nThis setting also affects the size of the dhparam file.\n\n##### Why\n\n\u003e 2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.\n\n\n### Cipher\n\nThe default data channel cipher is now set to `AES-256-GCM`\n\n##### Why\n\nOpenVPN was setting its default value to `BF-CBC`. In newer versions of OpenVPN\nit warns that this is no longer a secure cipher.\nThe OpenVPN documentation recommends using this setting.\n\n### tls_cipher\n\nThe default tls_cipher option is now set to: `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256`\n\n##### Why\n\nDetails of these ciphers and their uses can be found in the documentation links above.\n\n## Contributions\n\nThis module is maintained by [Vox Pupuli](https://voxpupuli.org/). Voxpupuli\nwelcomes new contributions to this module, especially those that include\ndocumentation and rspec tests. We are happy to provide guidance if necessary.\n\nPlease see [CONTRIBUTING](.github/CONTRIBUTING.md) for more details.\n\n### Authors\n\n* Raffael Schmid \u003craffael@yux.ch\u003e\n* Vox Pupuli Team\n* List of contributors https://github.com/voxpupuli/puppet-openvpn/graphs/contributors\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoxpupuli%2Fpuppet-openvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoxpupuli%2Fpuppet-openvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoxpupuli%2Fpuppet-openvpn/lists"}