Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/gregves/openv-vpn-ansible-playbook

An Ansible playbook to manage a PKI for OpenVPN

ansible buster debian easyrsa3 openvpn pki tunnelblick

README
# OpenVPN Ansible playbook

A playbook to manage a PKI for OpenVPN

```sh
# Fill in the target VPN host, the remote user and the private key Ansible uses to reach it
ansible-playbook \
  -i inventory.yml \
  playbook.yml \
  --extra-vars="variable_host=<vpn-host> variable_user=<remote-user> variable_private_key=<path-to-private-key>"
```

## What does this playbook do?

NOTE: for convenience, this playbook creates the whole PKI on the same server. You should rather run a dedicated CA server (validating and signing certificates) separately from the VPN server (running OpenVPN).

This playbook creates the PKI that lets clients tunnel their traffic to an OpenVPN server, which it reaches using `variable_host`, `variable_user` and `variable_private_key`. When a client listed in `clients` is not yet registered on the VPN server, its certificate and configuration are created automatically.

* install easyrsa `3.0.8` in a dedicated `easyrsa` home dir
* init the PKI
* generate `ca.crt` and `ca.key`
* generate `server.key` and `server.req`
* sign `server.req` and create `server.crt`
* generate the pre-shared `ta.key`
* template `server.conf` and `client.base.conf`
* (optional) if ufw is installed, allow traffic through `openvpn_port`, set `DEFAULT_FORWARD_POLICY` and enable IP masquerading
* start the openvpn server systemd service
* generate `.req` and `.key` for clients that do not exist yet
* sign `.req` and create `.crt` for clients that do not exist yet
* generate client config files
* copy client config files to localhost's `openvpn_client_configs_dest`
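As an added example (not the project's own tasks) of the client steps above, the following Ansible tasks generate and sign a request only for clients whose certificate is not yet issued, then check that every issued certificate chains to the CA. `easyrsa_home` (directory holding the easyrsa binary and its `pki/` tree) and `clients` (list of client names) are assumed variable names; the commands are those of easyrsa 3, and client keys are assumed to be created without a passphrase.

```yaml
# Added example, not the project's own playbook. Assumes `easyrsa_home` and
# `clients` are defined in the inventory.
- name: Check which client certificates are already issued
  ansible.builtin.stat:
    path: "{{ easyrsa_home }}/pki/issued/{{ item }}.crt"
  loop: "{{ clients }}"
  register: issued_certs

- name: Generate key and request for clients that are not registered yet
  ansible.builtin.command:
    cmd: "./easyrsa --batch gen-req {{ item.item }} nopass"
    chdir: "{{ easyrsa_home }}"
    creates: "{{ easyrsa_home }}/pki/reqs/{{ item.item }}.req"
  loop: "{{ issued_certs.results }}"
  when: not item.stat.exists

- name: Sign the request with the CA, producing pki/issued/<client>.crt
  ansible.builtin.command:
    cmd: "./easyrsa --batch sign-req client {{ item.item }}"
    chdir: "{{ easyrsa_home }}"
    creates: "{{ easyrsa_home }}/pki/issued/{{ item.item }}.crt"
  loop: "{{ issued_certs.results }}"
  when: not item.stat.exists

- name: Verify every issued client certificate chains to ca.crt
  ansible.builtin.command:
    cmd: "openssl verify -CAfile pki/ca.crt pki/issued/{{ item }}.crt"
    chdir: "{{ easyrsa_home }}"
  loop: "{{ clients }}"
  changed_when: false

- name: Keep client private keys readable only by their owner
  ansible.builtin.file:
    path: "{{ easyrsa_home }}/pki/private/{{ item }}.key"
    mode: "0600"
  loop: "{{ clients }}"
```

Because `creates` and the `stat` check both key on files inside `pki/`, re-running the play leaves already issued clients untouched and fails loudly if a certificate no longer validates against the CA.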