GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → cmur2 → chef-openvpn

cmur2 / chef-openvpn

Licence: Apache-2.0 License
A multi-configuration OpenVPN server cookbook featuring IPv6 support and easy setup of client files.

Programming Languages

ruby
36898 projects - #4 most used programming language
HTML
75241 projects

Labels

openvpnipv6chef-cookbookchefvpn

Projects that are alternatives of or similar to chef-openvpn

Openvpn
Development repository for the openvpn cookbook
Stars: ✭ 102 (+343.48%)
Mutual labels:  openvpn, chef-cookbook, chef
desktop-app-ui2
IVPN Desktop app
Stars: ✭ 19 (-17.39%)
Mutual labels:  openvpn, vpn
chef-nginx-hardening
This chef cookbook provides secure nginx configurations.
Stars: ✭ 50 (+117.39%)
Mutual labels:  chef-cookbook, chef
rundeck
Development repository for the rundeck cookbook
Stars: ✭ 45 (+95.65%)
Mutual labels:  chef-cookbook, chef
chef-jenkins-hardening
⛔ DEPRECATED: A secure jenkins installation
Stars: ✭ 18 (-21.74%)
Mutual labels:  chef-cookbook, chef
Raspberry-Pi-VPN-Gateway
Raspberry Pi VPN gateway installer for Private Internet Access
Stars: ✭ 44 (+91.3%)
Mutual labels:  openvpn, vpn
rsync
Development repository for the rsync cookbook
Stars: ✭ 25 (+8.7%)
Mutual labels:  chef-cookbook, chef
iit-kgp-network
Information repository and Solutions on IIT KGP Internet Problems.
Stars: ✭ 28 (+21.74%)
Mutual labels:  openvpn, vpn
killswitch-windows
VPN kill switch for windows.
Stars: ✭ 22 (-4.35%)
Mutual labels:  openvpn, vpn
sql server
Development repository for the sql_server cookbook
Stars: ✭ 60 (+160.87%)
Mutual labels:  chef-cookbook, chef
jenkinsfile cookbook pipeline
Example Jenkinsfile and Explaination for Chef Cookbook Development
Stars: ✭ 36 (+56.52%)
Mutual labels:  chef-cookbook, chef
desktop-app
Official IVPN Desktop app
Stars: ✭ 141 (+513.04%)
Mutual labels:  openvpn, vpn
Geolocate-IP-Browser-Extension
A browser extension, which shows you the origin of your IP address.
Stars: ✭ 21 (-8.7%)
Mutual labels:  ipv6, vpn
stunnel
Development repository for the stunnel cookbook
Stars: ✭ 14 (-39.13%)
Mutual labels:  chef-cookbook, chef
golang
Development repository for the golang cookbook
Stars: ✭ 48 (+108.7%)
Mutual labels:  chef-cookbook, chef
selinux policy
Development repository for the selinux_policy cookbook
Stars: ✭ 17 (-26.09%)
Mutual labels:  chef-cookbook, chef
openvpn-unroot
Run OpenVPN without root privileges
Stars: ✭ 27 (+17.39%)
Mutual labels:  openvpn, vpn
droidovpn
An unofficial VPN Gate client for Android.
Stars: ✭ 65 (+182.61%)
Mutual labels:  openvpn, vpn
chef-mysql-hardening
This chef cookbook provides security configuration for mysql.
Stars: ✭ 23 (+0%)
Mutual labels:  chef-cookbook, chef
netmaker
Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
Stars: ✭ 4,147 (+17930.43%)
Mutual labels:  openvpn, vpn
View All Similar Projects ➔

chef-openvpn

Build Status

Description

A multi-configuration OpenVPN client/server cookbook featuring IPv6 support and easy generation of client configuration files.

Usage

Include recipe[openvpn::default] in your run_list and do further configuration via node attributes. To automatically generate client configuration file stubs include recipe[openvpn::users]. With recipe[openvpn::logrotate] your logs (of all OpenVPN configurations) will be automatically rotated if the logrotate cookbook is present. To setup one or multiple OpenVPN clients use recipe[openvpn::client].

For full, out-of-the-box IPv6 support you will need OpenVPN 2.3 or higher which is not available on older versions of Debian and Ubuntu - therefore and for those who only want more recent OpenVPN packages on their system the recipe[openvpn::use_community_repos] registers new APT repositories maintained by the OpenVPN community (needs the apt cookbook).

Requirements

Platform

It should work on all OSes that provide a (recent, versions above 2.0) openvpn package.

For supported Chef/Ruby version see Travis.

Recipes

default

Configures and starts an OpenVPN server for each configuration (config_name => config_hash mappings) found in node['openvpn']['configs']. A configuration may contain several options (most of them being required as long as not stated otherwise) such as:

  • config['port'] - port number the server listens on
  • config['proto'] - 'udp' or 'tcp'
  • config['dev'] - 'tun', 'tap' or a specific device like 'tun0'
  • config['mode'] - 'routed' (uses server directive) or 'bridged' (uses server-bridge directive)
  • config['remote_host'] - host name that clients can use to reach the server
  • config['remote_port'] - port that clients can use to reach the server (may be omitted, defaults to config['port'])
  • config['topology'] - the topology to use in 'routed' mode
  • config['subnet'] - the IPv4 subnet (don't use CIDR here) used for VPN addresses in 'routed' mode
  • config['subnet6'] - the IPv6 subnet (use CIDR here) used for VPN addresses in 'routed' mode - requires OpenVPN 2.3 or higher
  • config['server_ip'] - the server's VPN address in 'bridged' mode
  • config['dhcp_start'] - the lower bound for DHCP addresses in 'bridged' mode
  • config['dhcp_end'] - the upper bound for DHCP addresses in 'bridged' mode
  • config['netmask'] - the VPN internal IPv4 netmask, applies for 'routed' and 'bridged' mode
  • config['auth']['type'] - 'cert', 'cert_passwd' or 'passwd' - combines client certificates and/or user passwords if enabled
  • config['dh_keysize'] - may be omitted, if specified will be the number of bits generated for the Diffie Hellman key file, if missing a cookbook_file has to be provided
  • config['file_cookbook'] - may be omitted, if specified will be used as the name of a cookbook where certificates and key file will be loaded from instead of the current cookbook
  • config['redirect_gateway'] - may be omitted, if specified and true pushes redirect-gateway option to clients
  • config['push_dns_server'] - may be omitted, if specified pushes the DNS specified server to clients
  • config['allow_duplicate_cn'] - may be omitted, if specified and true allows duplicate common names of clients
  • config['allow_client_to_client'] - may be omitted, if specified and true allows client-to-client traffic
  • config['comp_lzo'] - may be omitted, if specified and true enables compression (must match client setting)
  • config['keepalive_interval'] - may be omitted, if specified together with config['keepalive_timeout'] enables the keepalive setting with specified interval
  • config['keepalive_timeout'] - may be omitted, if specified together with config['keepalive_interval'] enables the keepalive setting with specified timeout
  • config['tls_cipher_algos'] - may be omitted, if specified sets the list of allowable TLS ciphers (must match client setting)
  • config['cipher_algo'] - may be omitted, if specified sets the cipher, e.g. AES-256-CBC (must match client setting)
  • config['keysize'] - may be omitted, if specified sets the keysize for variable ciphers (must match client setting)
  • config['auth_algo'] - may be omitted, if specified sets the auth, e.g. SHA256 (must match client setting)
  • config['push'] - array of generic push directives to include into the config
  • config['routes'] - array of route specifications

There are no defaults for this attributes so missing specific attributes may lead to errors.

Example node configuration:

'openvpn': {
  'community_repo_flavor': 'snapshots',
  'configs': {
    'openvpn6': {
      'port': 1194,
      'proto': 'udp',
      'dev': 'tun',
      'mode': 'routed',
      'remote_host': 'vpn.example.org',
      'subnet': '10.8.0.0',
      'subnet6': '2001:0db8:0:0::0/64',
      'netmask': '255.255.0.0',
      'auth': {
        'type': 'passwd'
      },
      'allow_duplicate_cn': true,
      'push': [
        'route 192.168.10.0 255.255.255.0'
      ],
      'routes': [
        '192.168.40.128 255.255.255.248'
      ]
    }
  }
}

The certificate files needed for the server should be placed in the cookbook's files directory (or via an overlay site-cookbooks directory that leaves the original cookbook untouched) as follows:

  • config_name-ca.crt - certificate authority (CA) file in .pem format
  • config_name.crt - local peer's signed certificate in .pem format
  • config_name.key - local peer's private key in .pem format
  • optional: config_name-dh.pem - file containing Diffie Hellman parameters in .pem format (needed only if config['dh_keysize'] is missing)

Each authentication mode requires you to specify your users database in a data_bag named config_name-users (dots transformed to underscores) that contains one item per user (id is the username). A user's password is stored at the 'pass' key.

Example data_bag:

{
    "id": "foo",
    "pass": "secret"
}

The recipe also generates a ccd (client config directory) and populates it with per-client information found in the data_bag mentioned above. Supported data_bag keys:

  • 'ifconfig-push': value is the ifconfig to push (varies between point-to-point and bridged modes!)
  • 'push': value is either an array of push directives or a single push directive as a string
  • 'push-reset': if true places a push-reset in the client config
  • 'iroute': value is either an array of routes to announce or a single route as a string

Example data_bag:

{
    "id": "foo",
    "ifconfig-push": "10.8.0.6 10.8.0.5",
    "iroute": "192.168.40.128 255.255.255.248",
    "push": [
      "redirect-gateway"
    ]
}

users

Generates OpenVPN configuration stub files in a subdirectory of the configuration's directory on the server. All known options will be prefilled but in a client OS-independent manner (e.g. for windows clients some options are missing). Plans are to extend this to even generate Windows-specific or Tunnelblick-specific files. Next to the configuration file all needed certificates and keys are stored.

This recipe will generate the user's configuration files in the users subdirectory of the server configuration directory it belongs to. It requires a data_bag named config_name-users (dots transformed to underscores) that contains one item per user and the following cookbook files per user:

  • config_name-ca.crt - server's CA certificate (may/should be present for the server config too)
  • config_name-user_name.crt - client's signed certificate in .pem format
  • config_name-user_name.key - client's private key in .pem format

The username comes from the 'name' property of each item if given, else the data_bag ID (which sufferes from some limitation, e.g. underscores are not allowed) will be used automatically as username.

client

The is completely seperated from the default (server) recipe and can be used standalone. It configures and starts an OpenVPN client for each configuration (client_config_name => config_hash) found in node['openvpn']['client_configs']. A configuration may contain several options such as:

  • config['user_name'] - the user_name the server awaits (used for identifying need cert and key files)
  • config['auth']['type'] - 'cert', 'cert_passwd' or 'passwd' - combines client certificates with user passwords if enabled
  • config['file_cookbook'] - may be omitted, if specified will be used as the name of a cookbook where certificates and key file will be loaded from instead of the current cookbook

The certificate files should be placed in the cookbook's files directory (or via an overlay site-cookbooks directory that leaves the original cookbook untouched) as follows:

  • config_name-user_name.conf - configuration file for this client (manually crafted or generated via users recipe)
  • config_name-ca.crt - server's CA certificate
  • config_name-user_name.crt - client's signed certificate in .pem format
  • config_name-user_name.key - client's private key in .pem format

use_community_repos

When run on supported platforms (Debian, Ubuntu) adds a new APT repository that uses the OpenVPN community repos. For Debian Lenny and Ubuntu Lucid (2. gen, relying on the old repos.openvpn.net) you may choose between the two flavors stable (default) or snapshots, for newer OSes there is only one repository using the new, 3. gen swupdate.openvpn.net.

  • node['openvpn']['community_repo_flavor'] - 'stable' or 'snapshots' (default is 'snapshots')

logrotate

Adds a OpenVPN specific logrotate configuration when logrotate cookbook is found. No attributes needed.

License

chef-openvpn is licensed under the Apache License, Version 2.0. See LICENSE for more information.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].