TSG-8714, TSG-8716, TSG-8620, 更新toroad, natgw等模块, 升级ppp2.4.9.

deploy_env/group_vars/all.yml

@@ -2,10 +2,10 @@
 
 wannat_global:     
     common:
-        redis_server_ip: "192.168.44.72"
+        redis_server_ip: "192.168.xx.xx"
         redis_server_port: 7003
         redis_index: 0
-        bifang_db_server_ip: "192.168.44.72"
+        bifang_db_server_ip: "192.168.xx.yy"
         bifang_db_username: "root"
         bifang_db_password: "bifang!@#"
         bifang_radius_db_name: "tsg-bifang"
@@ -40,12 +40,12 @@ wannat_global:
         
     radius:
         shared_secret: "testing123"
-        server_ip: "192.168.44.72"
+        server_ip: "192.168.xx.zz"
         
     rpm_files:
-        natgw_rpm_file: "wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm"    
-        wire_graft_rpm_file: "libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm"
-        toroad_rpm_file: "toroad-1.3.1.64c74cb-2.el7.x86_64.rpm"
+        natgw_rpm_file: "wannat_natgw-1.5.1.3d915d4-2.el7.x86_64.rpm"    
+        wire_graft_rpm_file: "libwire_graft-1.5.2.36b072a-2.el7.x86_64.rpm"
+        toroad_rpm_file: "toroad-1.4.0.1c1f04b-2.el7.x86_64.rpm"
         ppp_rpm_file: "ppp-2.4.5-34.el7_7.x86_64.rpm"
         pptpd_rpm_file: "pptpd-1.4.0-2.el7.x86_64.rpm"
         openvpn_rpm_file: "openvpn-2.4.11-1.el7.x86_64.rpm"

roles/openvpn/client_tools/openvpn_client_example.ovpn

@@ -0,0 +1,36 @@
+client
+dev tun
+proto tcp
+;;;change remote server ipaddress or port for your environment
+remote 192.168.1.1 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+compress lz4-v2
+verb 3
+auth-user-pass
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW
+YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp
+sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5
+SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM
+CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1
+IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD
+HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF
+wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y
+xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL
+SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL
+XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d
+ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq
+S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV
+RmQ4krnQ3hYS
+-----END CERTIFICATE-----
+</ca>

roles/pppd_update_v2.4.9/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: "Creates /opt/tsg/framework/ppp2.4.9 directory"
+  file:
+    path: /opt/tsg/framework/ppp2.4.9
+    state: directory
+    
+- name: "copy pppd2.4.9 to destination server"
+  copy:
+    src: "{{ role_path }}/files/pppd"
+    dest: "/opt/tsg/framework/ppp2.4.9"
+    mode: 0755
+    
+- name: "copy radattr.so to destination server"
+  copy:
+    src: "{{ role_path }}/files/radattr.so"
+    dest: "/opt/tsg/framework/ppp2.4.9"
+
+- name: "copy radius.so to destination server"
+  copy:
+    src: "{{ role_path }}/files/radius.so"
+    dest: "/opt/tsg/framework/ppp2.4.9"
+
+- name: "Template the pptpd.conf file"
+  template:
+    src: "{{ role_path }}/templates/pptpd.conf.j2"
+    dest: /etc/pptpd.conf
+  tags: template
+
+- name: "Template the options.pptpd file"
+  template:
+    src: "{{ role_path }}/templates/options.pptpd.j2"
+    dest: /etc/ppp/options.pptpd
+  tags: template
+  
+- name: "enable pptpd service"
+  systemd:
+    name: pptpd
+    enabled: yes
+    daemon_reload: yes  
+    state: restarted
+

roles/pppd_update_v2.4.9/templates/options.pptpd.j2

@@ -0,0 +1,135 @@
+###############################################################################
+# $Id: options.pptpd,v 1.11 2005/12/29 01:21:09 quozl Exp $
+#
+# Sample Poptop PPP options file /etc/ppp/options.pptpd
+# Options used by PPP when a connection arrives from a client.
+# This file is pointed to by /etc/pptpd.conf option keyword.
+# Changes are effective on the next connection.  See "man pppd".
+#
+# You are expected to change this file to suit your system.  As
+# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
+###############################################################################
+
+
+# Authentication
+
+# Name of the local system for authentication purposes 
+# (must match the second field in /etc/ppp/chap-secrets entries)
+name pptpd
+
+# Strip the domain prefix from the username before authentication.
+# (applies if you use pppd with chapms-strip-domain patch)
+#chapms-strip-domain
+
+
+# Encryption
+# (There have been multiple versions of PPP with encryption support,
+# choose with of the following sections you will use.)
+
+
+# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
+# {-{-{
+refuse-pap
+refuse-chap
+refuse-mschap
+# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
+# Challenge Handshake Authentication Protocol, Version 2] authentication.
+require-mschap-v2
+# Require MPPE 128-bit encryption
+# (note that MPPE requires the use of MSCHAP-V2 during authentication)
+require-mppe-128
+# }-}-}
+
+
+# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
+# {-{-{
+#-chap
+#-chapms
+# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
+# Challenge Handshake Authentication Protocol, Version 2] authentication.
+#+chapms-v2
+# Require MPPE encryption
+# (note that MPPE requires the use of MSCHAP-V2 during authentication)
+#mppe-40	# enable either 40-bit or 128-bit, not both
+#mppe-128
+#mppe-stateless
+# }-}-}
+
+
+# Network and Routing
+
+# If pppd is acting as a server for Microsoft Windows clients, this
+# option allows pppd to supply one or two DNS (Domain Name Server)
+# addresses to the clients.  The first instance of this option
+# specifies the primary DNS address; the second instance (if given)
+# specifies the secondary DNS address.
+#ms-dns 10.0.0.1
+#ms-dns 10.0.0.2
+ms-dns {{wannat_global.pptp.dns1}}
+ms-dns {{wannat_global.pptp.dns2}}
+
+# If pppd is acting as a server for Microsoft Windows or "Samba"
+# clients, this option allows pppd to supply one or two WINS (Windows
+# Internet Name Services) server addresses to the clients.  The first
+# instance of this option specifies the primary WINS address; the
+# second instance (if given) specifies the secondary WINS address.
+#ms-wins 10.0.0.3
+#ms-wins 10.0.0.4
+
+# Add an entry to this system's ARP [Address Resolution Protocol]
+# table with the IP address of the peer and the Ethernet address of this
+# system.  This will have the effect of making the peer appear to other
+# systems to be on the local ethernet.
+# (you do not need this if your PPTP server is responsible for routing
+# packets to the clients -- James Cameron)
+proxyarp
+
+# Normally pptpd passes the IP address to pppd, but if pptpd has been
+# given the delegate option in pptpd.conf or the --delegate command line
+# option, then pppd will use chap-secrets or radius to allocate the
+# client IP address.  The default local IP address used at the server
+# end is often the same as the address of the server.  To override this,
+# specify the local IP address here.
+# (you must not use this unless you have used the delegate option)
+#10.8.0.100
+
+
+# Logging
+
+# Enable connection debugging facilities.
+# (see your syslog configuration for where pppd sends to)
+#debug
+
+# Print out all the option values which have been set.
+# (often requested by mailing list to verify options)
+#dump
+
+
+# Miscellaneous
+
+# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
+# access.
+lock
+
+# Disable BSD-Compress compression
+nobsdcomp 
+
+# Disable Van Jacobson compression 
+# (needed on some networks with Windows 9x/ME/XP clients, see posting to
+# poptop-server on 14th April 2005 by Pawel Pokrywka and followups,
+# http://marc.theaimsgroup.com/?t=111343175400006&r=1&w=2 )
+novj
+novjccomp
+
+# turn off logging to stderr, since this may be redirected to pptpd, 
+# which may trigger a loopback
+nologfd
+
+# put plugins here 
+# (putting them higher up may cause them to sent messages to the pty)
+
+mtu {{wannat_global.pptp.mtu}}
+
+plugin /opt/tsg/framework/ppp2.4.9/radius.so
+plugin /opt/tsg/framework/ppp2.4.9/radattr.so
+radius-config-file /etc/radiusclient-ng/radiusclient.conf

roles/pppd_update_v2.4.9/templates/pptpd.conf.j2

@@ -0,0 +1,109 @@
+###############################################################################
+# $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $
+#
+# Sample Poptop configuration file /etc/pptpd.conf
+#
+# Changes are effective when pptpd is restarted.
+###############################################################################
+
+# TAG: ppp
+#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
+#
+ppp /opt/tsg/framework/ppp2.4.9
+
+# TAG: option
+#	Specifies the location of the PPP options file.
+#	By default PPP looks in '/etc/ppp/options'
+#
+option /etc/ppp/options.pptpd
+
+# TAG: debug
+#	Turns on (more) debugging to syslog
+#
+#debug
+
+# TAG: stimeout
+#	Specifies timeout (in seconds) on starting ctrl connection
+#
+# stimeout 10
+
+# TAG: noipparam
+#       Suppress the passing of the client's IP address to PPP, which is
+#       done by default otherwise.
+#
+#noipparam
+
+# TAG: logwtmp
+#	Use wtmp(5) to record client connections and disconnections.
+#
+#logwtmp
+
+# TAG: vrf <vrfname>
+#	Switches PPTP & GRE sockets to the specified VRF, which must exist
+#	Only available if VRF support was compiled into pptpd.
+#
+#vrf test
+
+# TAG: bcrelay <if>
+#	Turns on broadcast relay to clients from interface <if>
+#
+#bcrelay eth1
+
+# TAG: delegate
+#	Delegates the allocation of client IP addresses to pppd.
+#
+#       Without this option, which is the default, pptpd manages the list of
+#       IP addresses for clients and passes the next free address to pppd.
+#       With this option, pptpd does not pass an address, and so pppd may use
+#       radius or chap-secrets to allocate an address.
+#
+#delegate
+
+# TAG: connections
+#       Limits the number of client connections that may be accepted.
+#
+#       If pptpd is allocating IP addresses (e.g. delegate is not
+#       used) then the number of connections is also limited by the
+#       remoteip option.  The default is 100.
+#connections 100
+
+# TAG: localip
+# TAG: remoteip
+#	Specifies the local and remote IP address ranges.
+#
+#	These options are ignored if delegate option is set.
+#
+#       Any addresses work as long as the local machine takes care of the
+#       routing.  But if you want to use MS-Windows networking, you should
+#       use IP addresses out of the LAN address space and use the proxyarp
+#       option in the pppd options file, or run bcrelay.
+#
+#	You can specify single IP addresses seperated by commas or you can
+#	specify ranges, or both. For example:
+#
+#		192.168.0.234,192.168.0.245-249,192.168.0.254
+#
+#	IMPORTANT RESTRICTIONS:
+#
+#	1. No spaces are permitted between commas or within addresses.
+#
+#	2. If you give more IP addresses than the value of connections,
+#	   it will start at the beginning of the list and go until it
+#	   gets connections IPs.  Others will be ignored.
+#
+#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
+#	   you must type 234-238 if you mean this.
+#
+#	4. If you give a single localIP, that's ok - all local IPs will
+#	   be set to the given one. You MUST still give at least one remote
+#	   IP for each simultaneous client.
+#
+# (Recommended)
+#localip 192.168.0.1
+#remoteip 192.168.0.234-238,192.168.0.245
+# or
+#localip 192.168.0.234-238,192.168.0.245
+#remoteip 192.168.1.234-238,192.168.1.245
+
+localip 10.10.120.1
+remoteip 10.10.120.200-254

wannat-install.yml

@@ -30,12 +30,19 @@
     - radius_server
   vars_files:
     - deploy_env/group_vars/all.yml    
-    
-- hosts: openvpn
+
+- hosts: pptpd
   roles:
-    - openvpn
+    - pptpd
+    - pppd_update_v2.4.9
   vars_files:
-    - deploy_env/group_vars/all.yml        
+    - deploy_env/group_vars/all.yml    
+
+#- hosts: openvpn
+#  roles:
+#    - openvpn
+#  vars_files:
+#    - deploy_env/group_vars/all.yml