增加openvpn部署.

roles/natgw/templates/monit_natgw.j2

@@ -17,6 +17,10 @@ while [ 1 ]; do
 		sleep 1
 		ifconfig tun_natgw 192.168.1.254/24 up
 		ifconfig tun_natgw mtu 2000
+		ethtool -K tun_natgw gro off
+		ethtool -K tun_natgw gso off
+		ethtool -K tun_natgw tso off
+				
 		ip rule add from  {{wannat_global.natgw.vpn_client_ip_cidr}}  table 1001
 		ip route add default via 192.168.1.253 table 1001
 		echo program crashed, restart at `date +"%w %Y/%m/%d, %H:%M:%S"` >> RESTART.log

roles/openvpn/files/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW
+YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp
+sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5
+SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM
+CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1
+IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD
+HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF
+wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y
+xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL
+SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL
+XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d
+ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq
+S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV
+RmQ4krnQ3hYS
+-----END CERTIFICATE-----

roles/openvpn/files/dh.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA3EtpR24J7gcdwt8SBrHEe2+lmtJKxpyg9SjuM0Gm//bX9KqsiKKl
+MKZL6Rl41p1nixNkjgvuFQS9POMzv7OeiwpD0j/+delaHiTQ/+n6AvDylpqfYu2V
+LEN5sVxbYTIpJV/qrA/UwE7CgYZdcjka9BcwlYeFaoI/GT7S7o0SZIqBKvk6mxM+
+jK31s6jBIXqnSfR6Yv0koo7AWIPxCbu2EPvuMnZEnXZ9EA18jbLjXeLDsh+Y3nAK
+mDFJx4o/UWvUIeymuZILmhEbHAYqv6u/YQXeToyJBIQ4Gt+hW7FSIoiMW4WCBFyi
+0Ht/hQGccG2+oIQvScPMxXNeM8Kq9Hly8wIBAg==
+-----END DH PARAMETERS-----

roles/openvpn/files/server.crt

@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f2:4d:be:15:9b:40:13:72:7f:c2:e2:4a:a7:8a:c3:f1
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Easy-RSA CA
+        Validity
+            Not Before: May 24 09:32:14 2021 GMT
+            Not After : Aug 27 09:32:14 2023 GMT
+        Subject: CN=server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b8:40:aa:de:54:73:bb:7b:b4:2f:c3:71:e4:1a:
+                    d0:3b:ce:94:25:cb:f2:fd:0a:45:6d:53:1c:97:93:
+                    b4:49:17:59:6c:e7:4a:68:c2:e5:1f:40:ba:c4:d0:
+                    4b:93:df:3c:81:83:4e:66:92:97:8c:91:e0:2c:cb:
+                    cf:90:bc:c3:33:23:b0:ba:ef:4e:13:7e:7f:08:56:
+                    60:2b:70:3e:d7:5b:73:24:77:f3:70:c3:30:03:d4:
+                    cc:b8:21:94:a7:22:5c:9f:28:8f:02:1f:22:b0:d2:
+                    01:70:8a:ca:58:0f:39:49:70:fa:6e:bc:08:a8:30:
+                    d9:a3:fc:dc:46:a5:ec:5c:ba:58:7b:af:df:9f:f7:
+                    0e:21:b9:38:a2:c3:8e:42:73:f2:87:e9:8f:06:1c:
+                    f8:49:6c:ae:84:2a:b1:5d:0f:da:be:01:40:2c:05:
+                    bb:e3:26:ae:fc:bf:9e:f4:01:d4:12:b7:35:07:28:
+                    d9:d7:41:fc:65:4a:29:5d:85:6d:97:e8:95:99:e9:
+                    da:2d:8e:25:fd:a1:42:e6:36:cd:9b:f1:24:f3:de:
+                    ed:ae:7a:fb:fb:b0:ac:64:bd:d7:3c:af:0f:1a:7a:
+                    79:1a:52:3f:53:82:69:74:9d:9a:48:93:f1:e5:64:
+                    62:28:65:c8:c8:69:a2:c8:7c:0e:b0:dd:af:c0:31:
+                    6c:1b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                49:95:F8:2E:DA:AA:B3:AC:22:F3:3A:BE:34:A0:B0:D1:7F:8A:8A:69
+            X509v3 Authority Key Identifier: 
+                keyid:96:43:1D:27:B3:3E:FC:7A:4C:8A:E8:64:86:8D:92:7B:85:C0:C0:B8
+                DirName:/CN=Easy-RSA CA
+                serial:A7:39:12:E1:FF:D1:FE:E8
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+         4d:e4:c1:b1:a0:c1:88:f6:b9:26:9e:ff:60:13:f5:62:44:fe:
+         22:48:66:27:1e:55:fc:3a:f7:a7:a5:44:c2:23:cf:1b:cc:c2:
+         ef:c2:d2:4a:95:41:c8:ea:52:ac:33:79:93:cc:c7:d1:c0:bf:
+         05:46:f6:1c:98:6c:10:84:d8:16:dc:62:51:13:01:d9:be:4a:
+         ef:0c:ce:f5:74:b0:58:b8:ce:3b:01:6a:4b:d0:73:76:f6:7d:
+         3f:e9:04:da:89:f7:c6:81:84:e8:c4:58:d9:86:d5:09:b9:f8:
+         f1:dc:8b:9e:92:19:31:33:7e:9a:e8:74:79:fa:87:43:40:87:
+         a3:82:21:0e:4e:31:0c:eb:6b:d3:fa:36:2e:d4:ff:34:a1:22:
+         81:df:ce:9a:c1:7c:5c:7f:d6:83:f7:57:c0:b2:c6:9e:0d:5a:
+         9a:7f:c0:de:ab:5c:b9:f0:4d:8b:45:72:c5:0a:87:2e:fe:26:
+         5e:e2:41:3a:f7:94:97:0c:97:c4:48:38:85:d8:6e:43:7f:c9:
+         5c:1d:8f:72:71:e6:8c:e5:8f:7e:b6:e5:a4:54:39:64:09:30:
+         62:50:26:ae:c7:0a:32:ef:e7:c4:77:d4:21:ef:3f:32:b9:44:
+         5e:e6:1e:7a:03:45:c2:47:1c:6c:2d:8c:1d:43:3d:97:ca:ae:
+         b8:16:36:b8
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIRAPJNvhWbQBNyf8LiSqeKw/EwDQYJKoZIhvcNAQELBQAw
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNTI0MDkzMjE0WhcNMjMwODI3
+MDkzMjE0WjARMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC4QKreVHO7e7Qvw3HkGtA7zpQly/L9CkVtUxyXk7RJF1ls50po
+wuUfQLrE0EuT3zyBg05mkpeMkeAsy8+QvMMzI7C6704Tfn8IVmArcD7XW3Mkd/Nw
+wzAD1My4IZSnIlyfKI8CHyKw0gFwispYDzlJcPpuvAioMNmj/NxGpexculh7r9+f
+9w4huTiiw45Cc/KH6Y8GHPhJbK6EKrFdD9q+AUAsBbvjJq78v570AdQStzUHKNnX
+QfxlSildhW2X6JWZ6dotjiX9oULmNs2b8STz3u2uevv7sKxkvdc8rw8aenkaUj9T
+gml0nZpIk/HlZGIoZcjIaaLIfA6w3a/AMWwbAgMBAAGjgaowgacwCQYDVR0TBAIw
+ADAdBgNVHQ4EFgQUSZX4Ltqqs6wi8zq+NKCw0X+KimkwRgYDVR0jBD8wPYAUlkMd
+J7M+/HpMiuhkho2Se4XAwLihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBggkA
+pzkS4f/R/ugwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMBEGA1Ud
+EQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOCAQEATeTBsaDBiPa5Jp7/YBP1
+YkT+IkhmJx5V/Dr3p6VEwiPPG8zC78LSSpVByOpSrDN5k8zH0cC/BUb2HJhsEITY
+FtxiURMB2b5K7wzO9XSwWLjOOwFqS9BzdvZ9P+kE2on3xoGE6MRY2YbVCbn48dyL
+npIZMTN+muh0efqHQ0CHo4IhDk4xDOtr0/o2LtT/NKEigd/OmsF8XH/Wg/dXwLLG
+ng1amn/A3qtcufBNi0VyxQqHLv4mXuJBOveUlwyXxEg4hdhuQ3/JXB2PcnHmjOWP
+frblpFQ5ZAkwYlAmrscKMu/nxHfUIe8/MrlEXuYeegNFwkccbC2MHUM9l8quuBY2
+uA==
+-----END CERTIFICATE-----

roles/openvpn/files/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4QKreVHO7e7Qv
+w3HkGtA7zpQly/L9CkVtUxyXk7RJF1ls50powuUfQLrE0EuT3zyBg05mkpeMkeAs
+y8+QvMMzI7C6704Tfn8IVmArcD7XW3Mkd/NwwzAD1My4IZSnIlyfKI8CHyKw0gFw
+ispYDzlJcPpuvAioMNmj/NxGpexculh7r9+f9w4huTiiw45Cc/KH6Y8GHPhJbK6E
+KrFdD9q+AUAsBbvjJq78v570AdQStzUHKNnXQfxlSildhW2X6JWZ6dotjiX9oULm
+Ns2b8STz3u2uevv7sKxkvdc8rw8aenkaUj9Tgml0nZpIk/HlZGIoZcjIaaLIfA6w
+3a/AMWwbAgMBAAECggEAAmJT06ykErj3C+crghgWua9im1qYOk33uAJrTErM+mUi
+8xXLEK/05wKfaAyJ7c/lqIdabFlZPKhmji3U8bp/jBnaH5EZIYdxfVogxG8fYQn9
+42rp63ubE3GddIR6t+7p4+VSdGSSvlb5Tct98sW/qAOeOfCU7Bg1uLl84C0lcc2x
+0cWhdyxbxrzfgqlhptCc88hv/AxD5ARId6pD84oxh45PyBda/p95rnNEvZmg8pO3
+9oNlHaQkP8DsyQudoNk9ONAPckBwD/dGhWJTul5fE4xZ77D2I/q9RoyeclIdZisO
+7T6N64cKwqdrw9o5F3O9r7Wpm2k3YCYgqFU4mZWygQKBgQDvVpTtcHFFHxl79tet
+m5KBFwx+lV+nPTk6ykzjbd/DkDOriwiaF2S5fidu/OGSS4Y7Jh/AdpyrbiTbazr7
+lLwM23RMPJu2Sgghdjq/t3V+bEY2wycPMznLml5kwmEOuOzLHCeC/SpkIFxdmSTD
+gpKVhNWk4i2/EneSKMMiuvLVLQKBgQDFFF2XYHs8AANI4zMHO+7L4yk1ulMSK4t0
+8wDwaICsYvuq2MvmB2OtqvyodTQEIY5l4m/aRbM8d/+1M2CU5B6gRoZhxYKktjaR
+iktqqeMQNt0Yt7xttODDa5y7QCxGVVcCbgWN0m5GBlA0c6oQ5jDaFnoBw5H93Wmt
+TF3kUwqjZwKBgCv84MBG8zp9/cQP2RH6TtHU96HoOD1XfkY02i7Oidq6jRSRKBKS
+DBwfeIXoiljF8rS6TAmmgyLqynFdYujMLEe8qcI9PW0ibB4iSafkwv5qTflQosQj
+aRLnm0OvigEXscWethBYEUt3uyIkvGIGhIRgdpeoTjoY3csKHNssOuc9AoGAAciC
+ZElCNDPH09QCdTFMotmmWM8by1FLjL5aJtK7P1QR9OTLS4SLmVmvuZJ96v+muzNG
+UdJJoeVwEeKqIA7EXCznMGFKIlVnvv9iWU+6Nz5X185pzRBS7FG/9E3LWMOS6vm1
+4SejSczq0t6tDkQW8xI6/mMXohVrzF6hhtxdf0cCgYEAtBv4cRnGreHCVCcBOg0u
+dui6vNY13EjvbQyYLZiAgXg55t2iEbQ9XADNZuYkoAQ1fhzt8NbVEnmeGoCzvOab
+z+p5+YNzRrpuDO9642w6t+BFqmswFftAUvJ7RIBq0iMzNf2qYogaypG+UYcnku2J
+xirImv0BrII0at3DVvRnK5k=
+-----END PRIVATE KEY-----

roles/openvpn/tasks/main.yml

@@ -0,0 +1,111 @@
+---
+- name: "copy openvpn_rpm_file to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/{{ wannat_global.rpm_files.openvpn_rpm_file }}"
+    dest: "/tmp/"
+
+- name: "copy radius_client_rpm_file to destination server"
+  synchronize:
+    src: "{{ role_path }}/../radius_rpm_files/{{ wannat_global.rpm_files.radius_client_rpm_file }}"
+    dest: "/tmp/"
+
+- name: "copy easy_rsa to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/{{ wannat_global.rpm_files.easy_rsa_rpm_file }}"
+    dest: "/tmp/"
+    
+- name: "install openvpn"
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - /tmp/{{ wannat_global.rpm_files.openvpn_rpm_file }}    
+
+- name: "install radius_client"
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - /tmp/{{ wannat_global.rpm_files.radius_client_rpm_file }}    
+
+- name: "install easy_rsa tool"
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - /tmp/{{ wannat_global.rpm_files.easy_rsa_rpm_file }}    
+
+- name: "Creates /etc/openvpn/server directory"
+  file:
+    path: /etc/openvpn/server
+    state: directory
+
+- name: "Creates /etc/openvpn/client directory"
+  file:
+    path: /etc/openvpn/client
+    state: directory
+    
+- name: "Creates /etc/openvpn/server/radius directory"
+  file:
+    path: /etc/openvpn/server/radius
+    state: directory
+
+- name: "copy radiusplugin.so to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/radiusplugin.so"
+    dest: "/etc/openvpn/server/radius/radiusplugin.so"
+
+- name: "copy ca.crt to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/ca.crt"
+    dest: "/etc/openvpn/server/ca.crt"
+
+- name: "copy server.key to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/server.key"
+    dest: "/etc/openvpn/server/server.key"
+
+
+- name: "copy server.crt to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/server.crt"
+    dest: "/etc/openvpn/server/server.crt"
+
+- name: "copy dh.pem to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/dh.pem"
+    dest: "/etc/openvpn/server/dh.pem"
+
+- name: "template windows_client_example.ovpn to destination server"
+  template:
+    src: "{{ role_path }}/templates/windows_client_example.ovpn"
+    dest: "/etc/openvpn/client/windows_client_example.ovpn"
+  tags: template
+  
+- name: "Template the openvpn server.conf config file"
+  template:
+    src: "{{ role_path }}/templates/server.conf.j2"
+    dest: /etc/openvpn/server/server.conf
+  tags: template
+
+- name: "Template the openvpn radius_client config file"
+  template:
+    src: "{{ role_path }}/templates/radiusplugin.cnf.j2"
+    dest: /etc/openvpn/server/radius/radiusplugin.cnf
+  tags: template
+
+- name: "Template the openvpn server service file"
+  template:
+    src: "{{ role_path }}/templates/openvpn-server.service.j2"
+    dest: /usr/lib/systemd/system/openvpn-server.service
+  tags: template
+
+- name: "enable openvpn service"
+  systemd:
+    name: openvpn-server
+    enabled: yes
+    daemon_reload: yes  
+

roles/openvpn/templates/openvpn-server.service.j2

@@ -0,0 +1,25 @@
+[Unit]
+Description=OpenVPN service
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/server
+ExecStart=/usr/sbin/openvpn --status /etc/openvpn/server/status.log --status-version 2 --suppress-timestamps --config /etc/openvpn/server/server.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
+KillMode=process
+RestartSec=5s
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

roles/openvpn/templates/radiusplugin.cnf.j2

@@ -0,0 +1,69 @@
+# The NAS identifier which is sent to the RADIUS server
+NAS-Identifier=OpenVpn
+
+# The service type which is sent to the RADIUS server
+Service-Type=5
+
+# The framed protocol which is sent to the RADIUS server
+Framed-Protocol=1
+
+# The NAS port type which is sent to the RADIUS server
+NAS-Port-Type=5
+
+# The NAS IP address which is sent to the RADIUS server
+NAS-IP-Address=192.168.44.71
+
+# Path to the OpenVPN configfile. The plugin searches there for
+# client-config-dir PATH   (searches for the path)
+# status FILE     		   (searches for the file, version must be 1)
+# client-cert-not-required (if the option is used or not)
+# username-as-common-name  (if the option is used or not)
+
+OpenVPNConfig=/etc/openvpn/server/server.conf
+
+
+# Support for topology option in OpenVPN 2.1
+# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
+# You can only use one of the options at the same time.
+# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
+subnet=255.255.255.0
+# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
+# p2p=10.8.0.1
+
+
+# Allows the plugin to overwrite the client config in client config file directory,
+# default is true
+overwriteccfiles=true
+
+# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
+# default is false
+# useauthcontrolfile=false
+
+
+# Path to a script for vendor specific attributes.
+# Leave it out if you don't use an own script.
+# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
+
+# Path to the pipe for communication with the vsascript.
+# Leave it out if you don't use an own script.
+# vsanamedpipe=/tmp/vsapipe
+
+# A radius server definition, there could be more than one.
+# The priority of the server depends on the order in this file. The first one has the highest priority.
+server
+{
+	# The UDP port for radius accounting.
+	acctport=1813
+	# The UDP port for radius authentication.
+	authport=1812
+	# The name or ip address of the radius server.
+	name={{wannat_global.radius.server_ip}}
+	# How many times should the plugin send the if there is no response?
+	retry=1
+	# How long should the plugin wait for a response?
+	wait=1
+	# The shared secret.
+#	sharedsecret=testpw
+	sharedsecret=testing123
+}
+

roles/openvpn/templates/server.conf.j2

@@ -0,0 +1,36 @@
+local 0.0.0.0
+port 1194
+proto tcp
+dev tun
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/server.crt
+key /etc/openvpn/server/server.key
+dh /etc/openvpn/server/dh.pem
+server 10.10.130.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+push "route 10.10.130.0 255.255.255.0"
+push "redirect-gateway def1"
+push "remote-gateway 10.10.130.1"
+;client-to-client
+;duplicate-cn
+keepalive 10 120
+;;;;tls-auth /etc/openvpn/server/ta.key 0
+;;;;cipher AES-256-CBC
+compress lz4-v2
+push "compress lz4-v2"
+;comp-lzo
+max-clients 1000
+user nobody
+group nobody
+persist-key
+persist-tun
+status openvpn-status.log
+log  /var/log/openvpn.log
+verb 9
+tun-mtu 1472
+mssfix 1400
+
+username-as-common-name
+client-cert-not-required #close cert, use username and password to radius for auth 
+plugin /etc/openvpn/server/radius/radiusplugin.so /etc/openvpn/server/radius/radiusplugin.cnf
+;explicit-exit-notify 1

roles/openvpn/templates/windows_client_example.ovpn

@@ -0,0 +1,44 @@
+client
+dev tun
+proto tcp
+;;;change remote ipaddress for your environment
+remote 192.168.1.1 1194
+resolv-retry infinite
+nobind
+;user nobody
+;group nobody
+persist-key
+persist-tun
+;;;ca ca.crt
+;;;cert client.crt
+;;;key client.key
+remote-cert-tls server
+;;;tls-auth ta.key 1
+;;;;cipher AES-256-CBC
+compress lz4-v2
+verb 3
+;mute 20
+auth-user-pass
+
+<ca>
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW
+YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp
+sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5
+SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM
+CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1
+IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD
+HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF
+wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y
+xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL
+SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL
+XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d
+ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq
+S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV
+RmQ4krnQ3hYS
+-----END CERTIFICATE-----
+</ca>

roles/radius_client/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: "copy radiusclient-ng to destination server"
   synchronize:
-    src: "{{ role_path }}/../radius_rpm_files/radiusclient-ng-0.5.6-9.el7.x86_64.rpm"
+    src: "{{ role_path }}/../radius_rpm_files/{{ wannat_global.rpm_files.radius_client_rpm_file }}"
     dest: "/tmp/"
 
 - name: "install radiusclient-ng"

roles/wangw/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: "copy wangw_rpm_file to destination server"
   synchronize:
-    src: "{{ role_path }}/files/rpm/{{ wangw_global.rpm_files.wangw_rpm_file }}"
+    src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.wangw_rpm_file }}"
     dest: "/tmp/"
     
 - name: "install wangw"
@@ -10,7 +10,7 @@
     state: present
   vars:
     packages:
-    - /tmp/{{ wangw_global.rpm_files.wangw_rpm_file }}    
+    - /tmp/{{ wannat_global.rpm_files.wangw_rpm_file }}    
     
 - name: "Creates ./etc/wannat directory"
   file:

roles/wangw/templates/wangw.conf.j2

@@ -3,7 +3,7 @@
 NAT_GW_tunnel_mode=vxlan
 
 #本地监听端口
-NAT_GW_tunnel_recv_port={{wannat_global.wangw.NAT_GW_tunnel_listen_port}}
+NAT_GW_tunnel_recv_port={{wannat_global.wangw.WAN_GW_tunnel_listen_port}}
 
 #DNAT首包发送给NATGW时, 对端的监听端口
 NAT_GW_tunnel_send_port={{wannat_global.wangw.NAT_GW_tunnel_remote_port}}

roles/wire_graft/tasks/main.yml

@@ -6,7 +6,7 @@
     
 - name: "copy wiregraft_rpm_file to destination server"
   synchronize:
-    src: "{{ role_path }}/files/rpm/{{ wangw_global.rpm_files.wire_graft_rpm_file }}"
+    src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.wire_graft_rpm_file }}"
     dest: "/tmp/"
     
 - name: "install wiregraft"
@@ -15,7 +15,7 @@
     state: present
   vars:
     packages:
-    - /tmp/{{ wangw_global.rpm_files.wire_graft_rpm_file }}        
+    - /tmp/{{ wannat_global.rpm_files.wire_graft_rpm_file }}        
 
 - name: "Template the wire_graft.inf"
   template:

wannat-install.tmp.yml

@@ -0,0 +1,47 @@
+---
+#- hosts: wangw
+#  roles:
+#    - wangw
+##    - wire_graft_devel
+#    - wire_graft
+#  vars_files:
+#    - wannat_deploy_env/all.yml
+#
+#- hosts: natgw
+#  roles:
+#    - wire_graft_devel
+#    - natgw
+#  vars_files:
+#    - wannat_deploy_env/all.yml
+#    
+#- hosts: toroad
+#  roles:
+#    - wire_graft_devel
+#    - toroad
+#  vars_files:
+#    - wannat_deploy_env/all.yml
+
+#- hosts: radius_client    
+#  roles:
+#    - radius_client
+#  vars_files:
+#    - wannat_deploy_env/all.yml
+
+#- hosts: radius_server
+#  roles:
+#    - radius_server
+#  vars_files:
+#    - wannat_deploy_env/all.yml
+    
+#- hosts: pptpd
+  #roles:
+    #- pptpd
+  #vars_files:
+    #- wannat_deploy_env/all.yml
+
+- hosts: openvpn
+  roles:
+    - openvpn
+  vars_files:
+    - wannat_deploy_env/all.yml
+   

wannat-install.yml

@@ -38,5 +38,10 @@
 - hosts: pptpd
   roles:
     - pptpd
+
+- hosts: openvpn
+  roles:
+    - openvpn
+    
     
 

wannat_deploy_env/all.yml

@@ -9,7 +9,9 @@ wannat_global:
         
     wangw:
         NAT_GW_tunnel_device: "enp6s0"
+        WAN_GW_tunnel_listen_port: 3544
         NAT_GW_tunnel_ip: "192.168.40.134"
+        NAT_GW_tunnel_remote_port: 3544
         
     natgw:
         run_type: 0
@@ -44,13 +46,16 @@ wannat_global:
         
     radius:
         shared_secret: "testing123"
+        server_ip: "192.168.44.71"
         
     rpm_files:
         wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm"    
         natgw_rpm_file: "wannat_natgw-1.3.1.a1506cb-2.el7.x86_64.rpm"    
-        wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm"
-        wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        wire_graft_rpm_file: "libwire_graft-1.2.1.90d29af-2.el7.x86_64.rpm"
+        wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.1.90d29af-2.el7.x86_64.rpm"
         toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm"
         ppp_rpm_file: "ppp-2.4.5-34.el7_7.x86_64.rpm"
         pptpd_rpm_file: "pptpd-1.4.0-2.el7.x86_64.rpm"
-
+        openvpn_rpm_file: "openvpn-2.4.11-1.el7.x86_64.rpm"
+        radius_client_rpm_file: "radiusclient-ng-0.5.6-9.el7.x86_64.rpm"
+        easy_rsa_rpm_file: "easy-rsa-3.0.8-1.el7.noarch.rpm"

wannat_deploy_env/hosts

@@ -21,3 +21,6 @@ install_sapp=false
 [radius_client]
 192.168.40.134
 
+[openvpn]
+192.168.44.29
+

wannat_deploy_env/hosts.tmp

@@ -2,23 +2,6 @@
 ansible_user=root
 install_sapp=false
 
-[wangw]
-192.168.40.161
-
-[natgw]
-192.168.40.134
-
-[toroad]
-192.168.40.134
-
-[pptpd]
-192.168.40.134
-
-[radius_server]
-192.168.44.71
-
-[radius_client]
-192.168.40.134
-
-
+[openvpn]
+192.168.44.29
 

xxg_integration_env/group_vars/all.yml

@@ -0,0 +1,23 @@
+wangw_global:           
+    wangw:
+        NAT_GW_tunnel_device: "enp6s0"
+        NAT_GW_tunnel_ip: "192.168.40.134"
+        redis_server_ip: "192.168.44.71"
+        redis_server_port: 7002
+        redis_index: 0
+
+    toroad:
+        redis_server_ip: "192.168.44.71"
+        redis_server_port: 7002
+        redis_index: 0
+    
+    wiregraft:
+        identification_by_which_device: "enp6s0"
+        toroad_server_ip: "192.168.40.134"
+        
+    rpm_files:
+        wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm"    
+        wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm"
+

xxg_integration_env/hosts.xxg

@@ -0,0 +1,12 @@
+[all:vars]
+ansible_user=root
+install_sapp=false
+install_device_sn=false
+install_device_tag=false
+
+[wangw]
+192.168.40.161
+
+[toroad]
+192.168.40.134
+

xxg_module_test_env/group_vars/all.yml

@@ -0,0 +1,26 @@
+wangw_global:            
+    wangw:
+        NAT_GW_tunnel_device: "enp8s0"
+        NAT_GW_tunnel_ip: "192.168.40.133"
+        NAT_GW_tunnel_listen_port: 3544
+        NAT_GW_tunnel_remote_port: 3544
+        redis_server_ip: "192.168.44.3"
+        redis_server_port: 7002
+        redis_index: 0
+
+    toroad:
+        redis_server_ip: "192.168.44.3"
+        redis_server_port: 7002
+        redis_index: 0
+    
+    wiregraft:
+        identification_by_which_device: "enp8s0"
+        toroad_server_ip: "192.168.40.133"
+        toroad_server_port: "8888"
+        
+    rpm_files:
+        wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm"    
+        wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm"
+        

xxg_module_test_env/hosts.xxg

@@ -0,0 +1,12 @@
+[all:vars]
+ansible_user=root
+install_sapp=false
+install_device_sn=false
+install_device_tag=false
+
+[wangw]
+192.168.40.21
+
+[toroad]
+192.168.40.133
+

xxg_test_env/group_vars/all.yml

@@ -0,0 +1,26 @@
+wangw_global:            
+    wangw:
+        NAT_GW_tunnel_device: "enp8s0"
+        NAT_GW_tunnel_ip: "192.168.40.133"
+        NAT_GW_tunnel_listen_port: 3544
+        NAT_GW_tunnel_remote_port: 3544
+        redis_server_ip: "192.168.44.3"
+        redis_server_port: 7002
+        redis_index: 0
+
+    toroad:
+        redis_server_ip: "192.168.44.3"
+        redis_server_port: 7002
+        redis_index: 0
+    
+    wiregraft:
+        identification_by_which_device: "enp8s0"
+        toroad_server_ip: "192.168.40.133"
+        toroad_server_port: "8888"
+        
+    rpm_files:
+        wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm"    
+        wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm"
+        toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm"
+        

xxg_test_env/hosts.xxg

@@ -0,0 +1,12 @@
+[all:vars]
+ansible_user=root
+install_sapp=false
+install_device_sn=false
+install_device_tag=false
+
+[wangw]
+192.168.40.137
+
+[toroad]
+192.168.40.133
+