From 1b0e04122d15bb0a0f315421df49821f0f9eb01f Mon Sep 17 00:00:00 2001 From: Jan Grewe Date: Mon, 14 Nov 2016 12:34:59 +0100 Subject: [PATCH 1/3] LDAP: make TLS client certificates optional and configurable --- defaults/main.yml | 4 ++++ templates/auth-ldap.conf.j2 | 7 ++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6807f60..b920889 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -59,6 +59,10 @@ openvpn_use_pam_users: [] # If empty use system users # LDAP authentication and configuration (optional) openvpn_use_ldap: no openvpn_ldap_tlsenable: 'no' +openvpn_ldap_tls_cacert: '/etc/ssl/ca-cert.pem' +openvpn_ldap_tls_use_clientcert: 'no' +openvpn_ldap_tls_clientcert: '/etc/ssl/client-cert.pem' +openvpn_ldap_tls_clientkey: '/etc/ssl/client-key.pem' openvpn_ldap_follow_referrals: 'no' # Use simple authentication (default is disabled) diff --git a/templates/auth-ldap.conf.j2 b/templates/auth-ldap.conf.j2 index 0eb79c6..6e493b3 100644 --- a/templates/auth-ldap.conf.j2 +++ b/templates/auth-ldap.conf.j2 @@ -19,15 +19,16 @@ FollowReferrals {{ openvpn_ldap_follow_referrals }} # TLS CA Certificate File - TLSCACertFile /etc/ssl/ca-cert.pem + TLSCACertFile {{ openvpn_ldap_tls_cacert }} # TLS CA Certificate Directory TLSCACertDir /etc/ssl/certs + {% if openvpn_ldap_tls_use_clientcert != 'no' -%} # Client Certificate and key # If TLS client authentication is required - TLSCertFile /etc/ssl/client-cert.pem - TLSKeyFile /etc/ssl/client-key.pem + TLSCertFile {{ openvpn_ldap_tls_clientcert }} + TLSKeyFile {{ openvpn_ldap_tls_clientkey }}{% endif -%} # Cipher Suite # The defaults are usually fine here From c675c466b600258cce1c554bc26e918e922c6ebb Mon Sep 17 00:00:00 2001 From: Jan Grewe Date: Fri, 25 Nov 2016 09:42:25 +0100 Subject: [PATCH 2/3] Make bridge interface more configurable --- README.md | 3 +++ templates/bridge-interface.j2 | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) 
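Review bot: The new flag `openvpn_ldap_tls_use_clientcert: 'no'` is a quoted string, and the templates/auth-ldap.conf.j2 hunk in this same patch tests it with `{% if openvpn_ldap_tls_use_clientcert != 'no' -%}`, so anything other than that exact lowercase string enables the client-certificate block — `false`, the bare `no` used two lines up for `openvpn_use_ldap`, `'No'` or `'off'` all switch it on. The neighbouring `'no'` values appear to be emitted verbatim into the generated config (the hunk context shows `FollowReferrals {{ openvpn_ldap_follow_referrals }}`), which justifies their string form, but this one is only ever compared in Jinja. Suggest `openvpn_ldap_tls_use_clientcert: false` here and `{% if openvpn_ldap_tls_use_clientcert | bool -%}` in the template, so the usual spellings are accepted and unrecognised values fail closed. A comment above the four new keys noting that the two client paths are only read when the flag is enabled and TLS is on would also help.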
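Review bot: In the templates/auth-ldap.conf.j2 hunk, `{% endif -%}` sits on the same line as `TLSKeyFile {{ openvpn_ldap_tls_clientkey }}`, and the `-%}` strips every newline and space that follows it, so when client certificates are enabled the rendered file appears to end up with `# Cipher Suite` glued onto the end of the key path on one line (I am reading a collapsed diff, so confirm against rendered output). Putting `{% endif %}` on its own line after the `TLSKeyFile` line avoids that, and with Ansible's default `trim_blocks` the tag line should leave no blank behind. Separately, `TLSCACertDir /etc/ssl/certs` stays hard-coded beside the now-configurable `TLSCACertFile {{ openvpn_ldap_tls_cacert }}`, so an operator who points the file at a private CA to pin the LDAP server most likely still has the whole system store trusted as well, if these map onto libldap's TLS_CACERT/TLS_CACERTDIR as the names suggest. A matching `openvpn_ldap_tls_cacertdir` default, or an `{% if %}` that omits the directive when it is unset, would make such a pin effective. The config file continues beyond both ends of the hunk.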
diff --git a/README.md b/README.md index bfc8708..86208a4 100644 --- a/README.md +++ b/README.md @@ -91,12 +91,15 @@ openvpn_simple_auth_password: password # the network configuration is changed; # if this happens just run the playbook again openvpn_bridge: + ports: "eth0 tap0" address: 10.0.0.1 netmask: 255.255.255.0 network: 10.0.0.0 broadcast: 10.0.0.255 dhcp_start: 10.0.0.2 dhcp_end: 10.0.0.254 + script: + - post-up ip route add <...> openvpn_server_options: - "dev-type tap" - "tls-server" diff --git a/templates/bridge-interface.j2 b/templates/bridge-interface.j2 index bca1033..2b05c93 100644 --- a/templates/bridge-interface.j2 +++ b/templates/bridge-interface.j2 @@ -11,9 +11,12 @@ iface {{ openvpn_dev }} inet manual # Bridge auto br-{{ openvpn_dev }} iface br-{{ openvpn_dev }} inet static - bridge_ports {{ openvpn_dev }} + bridge_ports {{ openvpn_bridge.ports }} bridge_stp off address {{openvpn_bridge.address}} netmask {{openvpn_bridge.netmask}} network {{openvpn_bridge.network}} broadcast {{openvpn_bridge.broadcast}} + {% for line in openvpn_bridge.script -%} + {{ line }} + {% endfor %} From 60d7e2f95344cc0b3e714f6ff52964884a308329 Mon Sep 17 00:00:00 2001 From: Jan Grewe Date: Tue, 17 Jan 2017 08:09:30 +0100 Subject: [PATCH 3/3] Make backwards compatible with no bridge ports defined --- templates/bridge-interface.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/bridge-interface.j2 b/templates/bridge-interface.j2 index 2b05c93..0417c71 100644 --- a/templates/bridge-interface.j2 +++ b/templates/bridge-interface.j2 @@ -11,7 +11,9 @@ iface {{ openvpn_dev }} inet manual # Bridge auto br-{{ openvpn_dev }} iface br-{{ openvpn_dev }} inet static - bridge_ports {{ openvpn_bridge.ports }} + bridge_ports {% if 'ports' in openvpn_bridge %}{{ openvpn_bridge.ports }} + {% else %}{{ openvpn_dev }} + {% endif -%} bridge_stp off address {{openvpn_bridge.address}} netmask {{openvpn_bridge.netmask}}
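Review bot: In the templates/bridge-interface.j2 hunk of the second patch, `{% for line in openvpn_bridge.script -%}` is unconditional, so any inventory that defines `openvpn_bridge` without the new `script` key stops rendering with an undefined-attribute error; the third patch restores compatibility for `ports` but not for this loop. `{% for line in openvpn_bridge.script | default([]) -%}` keeps existing inventories working. Each entry is also written verbatim into the ifupdown stanza, where `pre-up`/`post-up` lines are run by ifup as root when the interface comes up, so this variable is effectively a root command hook and deserves a comment saying so and the same review care as the rest of the privileged host configuration. The README example `- post-up ip route add <...>` would be a good place to state that too.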
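Review bot: The three-line `{% if 'ports' in openvpn_bridge %}…{% else %}…{% endif -%}` in the third patch puts the newline inside each branch and then relies on `{% endif -%}` to swallow the indentation of the following `bridge_stp off`, which makes the rendered whitespace depend on tag placement; `bridge_ports {{ openvpn_bridge.ports | default(openvpn_dev) }}` expresses the same fallback on one line with no trimming tricks. The `script` loop added just below this hunk by the previous patch still has no such fallback. The `iface br-{{ openvpn_dev }}` stanza continues past the end of the hunk.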