OpenVPN server role

Mandatory parameters

Config

openvpn_server: "10.185.16.0 255.255.255.0"
openvpn_push:
  - "route 10.185.15.0 255.255.255.0"
  - "dhcp-option DNS 10.12.1.2"

Certificates

You need to define the certificates that will be used by the server, specifically the following variables:

  1. openvpn_tls_ca containing the CA certificate that signed all server and client certificates
  2. openvpn_tls_cert containing the server's certificate
  3. openvpn_tls_key containing the server's private key; this variable must be kept in an Ansible vault, never in plain text in the repository!

To define them, just use this syntax:

openvpn_tls_ca: |
  -----BEGIN CERTIFICATE-----
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ...
  yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
  -----END CERTIFICATE-----

By default, they will be saved to the folder /etc/openvpn/ssl. You can change this folder by setting the variable openvpn_ssl_root to whatever you want, and you can also change the location of any individual file with the following variables (the defaults are shown for reference):

openvpn_ssl_root: /etc/openvpn/ssl
openvpn_ca: "{{ openvpn_ssl_root }}/ca.crt"
openvpn_crl: "{{ openvpn_ssl_root }}/crl.pem"
openvpn_cert: "{{ openvpn_ssl_root }}/{{ ansible_hostname }}.crt"
openvpn_key: "{{ openvpn_ssl_root }}/{{ ansible_hostname }}.key"
openvpn_dh: "{{ openvpn_ssl_root }}/dh2048.pem"

Please note that the file pointed to by openvpn_dh is automatically generated by this role if it doesn't exist (generating 2048-bit DH parameters can take several minutes on a small host).
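Before pasting the three PEM blobs into the variables above, it is worth checking that they actually belong together: a certificate signed by a different CA, or a key that does not match the certificate, only shows up as a failed handshake once the role has deployed it. The script below is an added example and is not part of this role; it assumes the files ca.crt, server.crt and server.key hold the values you are about to put into openvpn_tls_ca, openvpn_tls_cert and openvpn_tls_key, and uses only the openssl command line.

```shell
#!/bin/sh
# Added example (not part of the role): sanity-check the server PKI material
# before putting it into openvpn_tls_ca / openvpn_tls_cert / openvpn_tls_key.
# Usage: check_openvpn_pki ca.crt server.crt server.key

# Return 0 if the certificate chains to the given CA.
pki_cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the private key matches the certificate's public key.
# Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike,
# unlike the classic "compare the RSA modulus" check.
pki_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid in $2 seconds (default: 30 days).
pki_cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Run all checks, print one line per check, return non-zero on any failure.
check_openvpn_pki() {
    ca=$1; cert=$2; key=$3; rc=0
    if pki_cert_signed_by_ca "$ca" "$cert"; then
        echo "ok   certificate is signed by the CA"
    else
        echo "FAIL certificate is not signed by this CA"; rc=1
    fi
    if pki_key_matches_cert "$cert" "$key"; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; rc=1
    fi
    if pki_cert_not_expiring "$cert"; then
        echo "ok   certificate valid for at least 30 more days"
    else
        echo "FAIL certificate expires within 30 days (or is already expired)"; rc=1
    fi
    return $rc
}

# When invoked as a script with three arguments, perform the checks.
if [ "$#" -eq 3 ]; then
    check_openvpn_pki "$@"
fi
```

Run it against the files you intend to deploy; a non-zero exit status means at least one of the three checks failed and the material should not go into the role's variables yet.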

Optional parameters

OpenVPN version

By default, this role installs the openvpn package from your distribution's repository.

You can override this by setting the variable openvpn_version, which is undefined by default. Setting it activates the official OpenVPN repository; the process is described here: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos .

The possible values are listed at the previous link; currently they are stable, testing, release/2.3, release/2.4 and release/2.5. Most of the time you will want to stick to stable. Read the official wiki carefully before changing that: for example, pinning release/2.5 means every OpenVPN 2.5 release, including alphas/betas/RCs.

openvpn_version: "stable"

default config

Below are the configuration options, with their default values, that you can change if needed:

openvpn_port: 443
openvpn_proto: tcp6
openvpn_max_clients: 10
openvpn_client2client: False
openvpn_ccd: False

Scripts run when a user connects or disconnects

To enable the connect.sh and disconnect.sh scripts, run when a user connects and disconnects, you need to set the following variables (keep openvpn_script_dbpassword in a vault, like the TLS key):

openvpn_client_scripts: True
openvpn_script_dbsrv: srv-xxx
openvpn_script_dbport: 5432
openvpn_script_dbuser: user
openvpn_script_db: openvpn
openvpn_script_dbpassword: pass

This will also install the geoip-bin package, which provides the /usr/bin/geoiplookup and /usr/bin/geoiplookup6 commands, and download the latest databases from https://dev.maxmind.com/geoip/legacy/geolite/ . Note that MaxMind has discontinued the legacy GeoLite databases, so check that this download still works in your environment.

additional check script at connect time

An additional script can be run before the validation of the user's password. Currently the script validate-username-common_name.sh checks that the common name of the client certificate and the username given at login are the same, so a client cannot combine its own valid certificate with another user's credentials. You can enable it with this variable:

openvpn_auth_user_pass_verify: "validate-username-common_name.sh"
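As an added illustration of what such a check looks like (this is my own example, not the role's validate-username-common_name.sh), here is a minimal auth-user-pass-verify script. It assumes OpenVPN's via-file calling convention, in which the username is written on the first line and the password on the second line of a temporary file passed as $1, and relies on OpenVPN exporting the client certificate's common name in the common_name environment variable.

```shell
#!/bin/sh
# Added example (not the role's own validate-username-common_name.sh):
# an auth-user-pass-verify script in "via-file" mode that refuses the
# connection unless the username typed by the user equals the common name
# of the client certificate it presented. OpenVPN passes the credential
# file as $1 (username on line 1, password on line 2) and sets $common_name.

# Return 0 only when both values are non-empty and byte-for-byte identical.
# Anything else (empty username, different case, stray whitespace) is rejected;
# loosening this comparison is exactly how a user gets to log in as someone else.
username_matches_cn() {
    username=$1
    cn=$2
    [ -n "$username" ] && [ -n "$cn" ] && [ "$username" = "$cn" ]
}

# Read the username (first line) from the via-file credential file.
# The password on line 2 is deliberately never read by this script.
read_username_from_file() {
    [ -r "$1" ] || return 1
    head -n 1 "$1"
}

# Entry point used when OpenVPN runs the script: 0 accepts, 1 rejects.
verify_request() {
    cred_file=$1
    user=$(read_username_from_file "$cred_file") || return 1
    if username_matches_cn "$user" "$common_name"; then
        return 0
    fi
    # Written to stderr: OpenVPN forwards script output to its own log.
    echo "auth rejected: username '$user' does not match certificate CN '$common_name'" >&2
    return 1
}

if [ "$#" -eq 1 ]; then
    verify_request "$1"
    exit $?
fi
```

OpenVPN only executes external scripts when the server configuration allows it (script-security 2 for via-file; via-env, which also exposes the password in the environment, needs script-security 3). Exit status 0 lets OpenVPN continue with the remaining authentication steps; any other status fails the login.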

Force comp-lzo on version >= 2.5

With OpenVPN versions before 2.5, the comp-lzo parameter was always enabled by this role.

Since version 2.5 it is deprecated and should not be used anymore: compressing VPN traffic lets an attacker who can inject chosen plaintext recover secrets from the tunnel (the VORACLE attack against OpenVPN), which is why the variable below is named "insecure". The problem is when you need to support old client configurations already in the wild. For this particular case, you can force the support of comp-lzo using this parameter even on OpenVPN 2.5+:

openvpn_force_insecure_compression: True

LDAP auth

First, it needs to be activated with this variable:

openvpn_ldap_auth: True

You then need to define an LDAP server URL:

openvpn_ldap_URL: "ldap://ldap2.cosium.com"

For the rest, the following variables have defaults that you can change if needed:

# location of the CA for the LDAP secure connection, this is not the same as the OpenVPN CA
openvpn_ldap_TLSCACertFile: "/usr/local/share/ca-certificates/CosiumRootCA.crt"
# Base DN to find users
openvpn_ldap_BaseDN: "ou=people,dc=cosium,dc=com"
# Search filter for users (%u is replaced by the login name)
openvpn_ldap_SearchFilter: "(&(uid=%u)(CosStatus=active)(RemoteAccess=OpenVPN:*))"

Please look at the auth-ldap.conf template for more information. Make sure the connection to the LDAP server actually uses TLS (an ldaps:// URL or STARTTLS, see the template): with a plain ldap:// URL and no STARTTLS, the users' passwords cross the network in clear text and openvpn_ldap_TLSCACertFile is never used.

Settings not handled by this role

This role does not yet handle all OpenVPN settings, specifically: