Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/voxpupuli/puppet-openvpn

OpenVPN module for puppet including client config/cert creation
https://github.com/voxpupuli/puppet-openvpn

archlinux-puppet-module bsd-puppet-module centos-puppet-module debian-puppet-module freebsd-puppet-module hacktoberfest linux-puppet-module puppet redhat-puppet-module ubuntu-puppet-module

Last synced: 3 days ago
JSON representation

OpenVPN module for puppet including client config/cert creation

Host: GitHub
URL: https://github.com/voxpupuli/puppet-openvpn
Owner: voxpupuli
License: apache-2.0
Created: 2011-08-12T08:05:53.000Z (over 13 years ago)
Default Branch: master
Last Pushed: 2024-09-16T18:57:00.000Z (3 months ago)
Last Synced: 2024-10-29T14:22:41.111Z (about 2 months ago)
Topics: archlinux-puppet-module, bsd-puppet-module, centos-puppet-module, debian-puppet-module, freebsd-puppet-module, hacktoberfest, linux-puppet-module, puppet, redhat-puppet-module, ubuntu-puppet-module
Language: Ruby
Homepage:
Size: 1.07 MB
Stars: 113
Watchers: 45
Forks: 197
Open Issues: 43
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Security: .github/SECURITY.md

Awesome Lists containing this project

README

# OpenVPN Puppet module

[![Build Status](https://github.com/voxpupuli/puppet-openvpn/workflows/CI/badge.svg)](https://github.com/voxpupuli/puppet-openvpn/actions?query=workflow%3ACI)
[![Release](https://github.com/voxpupuli/puppet-openvpn/actions/workflows/release.yml/badge.svg)](https://github.com/voxpupuli/puppet-openvpn/actions/workflows/release.yml)
[![License](https://img.shields.io/github/license/voxpupuli/puppet-openvpn.svg)](https://github.com/voxpupuli/puppet-openvpn/blob/master/LICENSE)
[![Puppet Forge](https://img.shields.io/puppetforge/v/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)
[![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)
[![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)
[![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/openvpn.svg)](https://forge.puppetlabs.com/puppet/openvpn)

Puppet module to manage OpenVPN servers and clients.

## Features

* Client-specific rules and access policies
* Generated client configurations and SSL-Certificates
* Downloadable client configurations and SSL-Certificates for easy client configuration
* Support for multiple server instances
* Support for LDAP-Authentication
* Support for server instance in client mode
* Support for TLS

## Supported OS

* Ubuntu
* Debian
* CentOS
* RedHat
* Solaris

## Dependencies
- [puppetlabs-concat 3.0.0+](https://github.com/puppetlabs/puppetlabs-concat)
- [puppetlabs-stdlib 4.25.0+](https://github.com/puppetlabs/puppetlabs-stdlib)

## Puppet

The supported Puppet versions are listed in the [metadata.json](metadata.json)

## REFERENCES

Please see [REFERENCE.md](https://github.com/voxpupuli/puppet-openvpn/blob/master/REFERENCE.md) for more details.

## Example with hiera

```yaml
---
classes:
- openvpn

openvpn::servers:
'winterthur':
country: 'CH'
province: 'ZH'
city: 'Winterthur'
organization: 'example.org'
email: '[email protected]'
server: '10.200.200.0 255.255.255.0'

openvpn::client_defaults:
server: 'winterthur'

openvpn::clients:
'client1': {}
'client2': {}
'client3': {}

openvpn::client_specific_configs:
'client1':
server: 'winterthur'
ifconfig: '10.200.200.50 10.200.200.51'

openvpn::revokes:
'client3':
server: 'winterthur'
```

Don't forget the sysctl directive ```net.ipv4.ip_forward```!

## Encryption Choices

This module provides certain default parameters for the openvpn encryption settings.

These settings have been applied in line with current "best practices" but no
guarantee is given for their saftey and they could change in future.

You should double check these settings yourself to make sure they are suitable for your needs and in line with current best practices.

## Example for automating client deployment to nodes managed by Puppet

Exporting the configurations for a client in the VPN server manifest:
```
openvpn::deploy::export { 'client1':
server => 'winterthur',
}
```
Installation, configuration and starting the OpenVPN client in a configured node manifest:
```
openvpn::deploy::client { 'client1':
server => 'winterthur',
}
```

## Experimenting and developing in Vagrant

This project includes a Vagrantfile which allows you to easily develop this
module or try it out. The prerequisites are [Vagrant](https://www.vagrantup.com/)
and [VirtualBox](https://www.virtualbox.org/).

To bring up the OpenVPN server VM:

vagrant up server_ubuntu

To bring up the OpenVPN client VM:

vagrant up client_ubuntu

Client's OpenVPN configuration is generated on the server, but it needs to be
deployed to the client manually as exported resources are not available in
Vagrant. To get the client config from server:

vagrant ssh server_ubuntu
sudo -i
cp /etc/openvpn/winterthur/download-configs/client1.ovpn /vagrant/
exit

To copy it to the client:

vagrant ssh client_ubuntu
sudo -i
mv /vagrant/client1.ovpn /etc/openvpn/client/client1.conf

To connect directly with OpenVPN:

openvpn --config /etc/openvpn/client/client1.conf

To connect with systemd:

systemctl start openvpn-client@client1

To test connectivity between client and server:

ping 10.200.200.1

##### References

* The readme file of [github.com/Angristan/OpenVPN-install](https://github.com/Angristan/OpenVPN-install/tree/f47fc795d5e2d53f74431aadc58ef9de5784103a) outlines some of reasoning behind
such choices.

* The OpenVPN documentation about the [SWEET32](https://community.openvpn.net/openvpn/wiki/SWEET32) attack gives some reasons and
recommendations for which ciphers to use.

* The OpenVPN [hardening documentation](https://community.openvpn.net/openvpn/wiki/Hardening) also gives further examples

### ssl_key_size

The default key size is now set to `2048` bits.
This setting also affects the size of the dhparam file.

##### Why

> 2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.

### Cipher

The default data channel cipher is now set to `AES-256-GCM`

##### Why

OpenVPN was setting its default value to `BF-CBC`. In newer versions of OpenVPN
it warns that this is no longer a secure cipher.
The OpenVPN documentation recommends using this setting.

### tls_cipher

The default tls_cipher option is now set to: `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256`

##### Why

Details of these ciphers and their uses can be found in the documentation links above.

## Contributions

This module is maintained by [Vox Pupuli](https://voxpupuli.org/). Voxpupuli
welcomes new contributions to this module, especially those that include
documentation and rspec tests. We are happy to provide guidance if necessary.

Please see [CONTRIBUTING](.github/CONTRIBUTING.md) for more details.

### Authors

* Raffael Schmid
* Vox Pupuli Team
* List of contributors https://github.com/voxpupuli/puppet-openvpn/graphs/contributors