Initial openvpn role commit

Change-Id: I091e7b198d852d5857f7b606cce2469c2f8ba9a7
diff --git a/templates/client.conf.j2 b/templates/client.conf.j2
new file mode 100644
index 0000000..6f11795
--- /dev/null
+++ b/templates/client.conf.j2
@@ -0,0 +1,49 @@
+# openvpn client.conf - {{ ansible_managed }}
+{#
+SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
+SPDX-License-Identifier: Apache-2.0
+#}
+
+# security
+tls-client
+tls-version-min 1.3
+cipher AES-256-GCM
+auth SHA256
+
+# connection
+dev tun
+proto udp
+port 1194
+remote {{ openvpn_server_name }}
+
+# security
+remote-cert-tls server
+auth-nocache
+nobind
+persist-key
+persist-tun
+
+# logging
+verb 4
+mute 10
+
+# IP config
+topology subnet
+pull
+
+# CA certificates
+<ca>
+</ca>
+
+# TLS auth
+key-direction 1
+<tls-auth>
+</tls-auth>
+
+# client key
+<key>
+</key>
+
+# client cert
+<cert>
+</cert>
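Review bot: The `<ca>`, `<tls-auth>`, `<key>` and `<cert>` inline blocks at the end of the hunk render empty, so a client config produced from this template cannot complete the TLS handshake until something else fills them in; if another task in the role populates them, a comment saying so would help, otherwise the blocks should render role variables, e.g. `<ca>{{ OPENVPN_CA_CHAIN_PLACEHOLDER }}</ca>` (variable name is a placeholder). `# security` is used as a heading twice (the `tls-client` group and the `remote-cert-tls` group); merging them or renaming the second (e.g. `# hardening`) would make the file read more clearly. Since the server template's `remote-cert-tls client` only checks key usage, the client side could additionally pin the expected server identity with `verify-x509-name` if the server certificate subject is stable. The `key-direction 1` here correctly pairs with the server's `tls-auth ... 0`.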
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
new file mode 100644
index 0000000..a47ca67
--- /dev/null
+++ b/templates/server.conf.j2
@@ -0,0 +1,69 @@
+# openvpn server.conf - {{ ansible_managed }}
+#
+{#
+SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
+SPDX-License-Identifier: Apache-2.0
+#}
+
+# accounts and privilege dropping
+user nobody
+group {{ openvpn_groupname }}
+persist-key
+persist-tun
+
+# security
+tls-server
+tls-version-min 1.3
+cipher AES-256-GCM
+auth SHA256
+
+# CA
+ca {{ openvpn_conf_dir }}/server/chain.pem
+crl-verify {{ openvpn_conf_dir }}/server/ca.crl
+
+# openVPN server
+cert {{ openvpn_conf_dir }}/server/openvpn_server.pem
+key {{ openvpn_conf_dir }}/server/openvpn_server.key
+dh {{ openvpn_conf_dir }}/server/dh.pem
+
+# shared auth
+tls-auth {{ openvpn_conf_dir }}/server/ta.key 0
+
+# must connect with a verified client cert
+opt-verify
+remote-cert-tls client
+verify-client-cert require
+tls-cert-profile preferred
+
+# Connection
+dev openvpn
+dev-type tun
+local {{ openvpn_listen_ip }}
+port 1194
+proto udp
+keepalive 10 120
+max-clients 100
+opt-verify
+
+# IP config
+topology subnet
+server {{ openvpn_subnet_cidr | ipaddr('network') }} {{ openvpn_subnet_cidr | ipaddr('netmask') }}
+
+# DHCP config
+{% for dnsserv in openvpn_dns_servers %}
+push "dhcp-option DNS {{ dnsserv }}"
+{% endfor %}
+
+# routes
+{% for route in openvpn_routes %}
+push "route {{ route | ipaddr('network') }} {{ route | ipaddr('netmask') }}"
+{% endfor %}
+
+# notify clients on server restart
+explicit-exit-notify 1
+
+# logging
+verb 4
+mute 20
+status {{ openvpn_log_dir }}/status.log
+ifconfig-pool-persist {{ openvpn_log_dir }}/ipp.txt
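Review bot: `opt-verify` is set twice in this hunk, once under `# must connect with a verified client cert` and again at the end of the `# Connection` group; the second copy should be dropped so the requirement is stated once. If the target hosts run OpenVPN 2.5 or newer, `cipher AES-256-GCM` only acts as the fallback cipher and `data-ciphers AES-256-GCM` is what actually restricts the negotiated data channel, so it is worth adding alongside `cipher` here and in the client template. `port 1194` and `max-clients 100` are hard-coded while the listen address and subnet are templated; exposing them as role variables would be consistent with the rest of the file.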