diff --git a/roles/natgw/templates/monit_natgw.j2 b/roles/natgw/templates/monit_natgw.j2 index 88c525a..d2f538c 100644 --- a/roles/natgw/templates/monit_natgw.j2 +++ b/roles/natgw/templates/monit_natgw.j2 @@ -17,6 +17,10 @@ while [ 1 ]; do sleep 1 ifconfig tun_natgw 192.168.1.254/24 up ifconfig tun_natgw mtu 2000 + ethtool -K tun_natgw gro off + ethtool -K tun_natgw gso off + ethtool -K tun_natgw tso off + ip rule add from {{wannat_global.natgw.vpn_client_ip_cidr}} table 1001 ip route add default via 192.168.1.253 table 1001 echo program crashed, restart at `date +"%w %Y/%m/%d, %H:%M:%S"` >> RESTART.log diff --git a/roles/openvpn/files/ca.crt b/roles/openvpn/files/ca.crt new file mode 100644 index 0000000..49b9177 --- /dev/null +++ b/roles/openvpn/files/ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV +BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW +YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp +sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5 +SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM +CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1 +IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD +HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF +wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud +EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y +xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL +SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL +XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d +ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq +S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV +RmQ4krnQ3hYS +-----END CERTIFICATE----- 
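Review bot: The added `ip rule add from {{wannat_global.natgw.vpn_client_ip_cidr}} table 1001` sits inside the `while [ 1 ]` restart loop, and `ip rule add` does not de-duplicate, so every restart of the monitored program stacks another identical rule in the policy database (the loop body starts above this hunk, so I cannot see whether an earlier iteration cleans up). A guard such as `ip rule del from {{wannat_global.natgw.vpn_client_ip_cidr}} table 1001 2>/dev/null` immediately before the add, or a check against `ip rule show`, keeps the rule count stable. The three `ethtool -K` lines also run unchecked; if offload toggling is required for the tunnel to work, a `|| echo "ethtool failed" >> RESTART.log` would make a silent failure visible in the same log the loop already writes.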
diff --git a/roles/openvpn/files/dh.pem b/roles/openvpn/files/dh.pem
new file mode 100644
index 0000000..8a0fd1b
--- /dev/null
+++ b/roles/openvpn/files/dh.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA3EtpR24J7gcdwt8SBrHEe2+lmtJKxpyg9SjuM0Gm//bX9KqsiKKl
+MKZL6Rl41p1nixNkjgvuFQS9POMzv7OeiwpD0j/+delaHiTQ/+n6AvDylpqfYu2V
+LEN5sVxbYTIpJV/qrA/UwE7CgYZdcjka9BcwlYeFaoI/GT7S7o0SZIqBKvk6mxM+
+jK31s6jBIXqnSfR6Yv0koo7AWIPxCbu2EPvuMnZEnXZ9EA18jbLjXeLDsh+Y3nAK
+mDFJx4o/UWvUIeymuZILmhEbHAYqv6u/YQXeToyJBIQ4Gt+hW7FSIoiMW4WCBFyi
+0Ht/hQGccG2+oIQvScPMxXNeM8Kq9Hly8wIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/openvpn/files/easy-rsa-3.0.8-1.el7.noarch.rpm b/roles/openvpn/files/easy-rsa-3.0.8-1.el7.noarch.rpm
new file mode 100644
index 0000000..ab0ca3e
Binary files /dev/null and b/roles/openvpn/files/easy-rsa-3.0.8-1.el7.noarch.rpm differ
diff --git a/roles/openvpn/files/libgcrypt-devel-1.5.3-14.el7.x86_64.rpm b/roles/openvpn/files/libgcrypt-devel-1.5.3-14.el7.x86_64.rpm
new file mode 100644
index 0000000..ceac901
Binary files /dev/null and b/roles/openvpn/files/libgcrypt-devel-1.5.3-14.el7.x86_64.rpm differ
diff --git a/roles/openvpn/files/libgpg-error-devel-1.12-3.el7.x86_64.rpm b/roles/openvpn/files/libgpg-error-devel-1.12-3.el7.x86_64.rpm
new file mode 100644
index 0000000..33bbd41
Binary files /dev/null and b/roles/openvpn/files/libgpg-error-devel-1.12-3.el7.x86_64.rpm differ
diff --git a/roles/openvpn/files/openvpn-2.4.11-1.el7.x86_64.rpm b/roles/openvpn/files/openvpn-2.4.11-1.el7.x86_64.rpm
new file mode 100644
index 0000000..217e26d
Binary files /dev/null and b/roles/openvpn/files/openvpn-2.4.11-1.el7.x86_64.rpm differ
diff --git a/roles/openvpn/files/radiusplugin.so b/roles/openvpn/files/radiusplugin.so
new file mode 100644
index 0000000..040312a
Binary files /dev/null and b/roles/openvpn/files/radiusplugin.so differ
diff --git a/roles/openvpn/files/radiusplugin_v2.1.tar.gz b/roles/openvpn/files/radiusplugin_v2.1.tar.gz
new file mode 100644
index 0000000..47c805b
Binary files /dev/null and b/roles/openvpn/files/radiusplugin_v2.1.tar.gz differ
diff --git a/roles/openvpn/files/server.crt b/roles/openvpn/files/server.crt
new file mode 100644
index 0000000..f81411f
--- /dev/null
+++ b/roles/openvpn/files/server.crt
@@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f2:4d:be:15:9b:40:13:72:7f:c2:e2:4a:a7:8a:c3:f1 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=Easy-RSA CA + Validity + Not Before: May 24 09:32:14 2021 GMT + Not After : Aug 27 09:32:14 2023 GMT + Subject: CN=server + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b8:40:aa:de:54:73:bb:7b:b4:2f:c3:71:e4:1a: + d0:3b:ce:94:25:cb:f2:fd:0a:45:6d:53:1c:97:93: + b4:49:17:59:6c:e7:4a:68:c2:e5:1f:40:ba:c4:d0: + 4b:93:df:3c:81:83:4e:66:92:97:8c:91:e0:2c:cb: + cf:90:bc:c3:33:23:b0:ba:ef:4e:13:7e:7f:08:56: + 60:2b:70:3e:d7:5b:73:24:77:f3:70:c3:30:03:d4: + cc:b8:21:94:a7:22:5c:9f:28:8f:02:1f:22:b0:d2: + 01:70:8a:ca:58:0f:39:49:70:fa:6e:bc:08:a8:30: + d9:a3:fc:dc:46:a5:ec:5c:ba:58:7b:af:df:9f:f7: + 0e:21:b9:38:a2:c3:8e:42:73:f2:87:e9:8f:06:1c: + f8:49:6c:ae:84:2a:b1:5d:0f:da:be:01:40:2c:05: + bb:e3:26:ae:fc:bf:9e:f4:01:d4:12:b7:35:07:28: + d9:d7:41:fc:65:4a:29:5d:85:6d:97:e8:95:99:e9: + da:2d:8e:25:fd:a1:42:e6:36:cd:9b:f1:24:f3:de: + ed:ae:7a:fb:fb:b0:ac:64:bd:d7:3c:af:0f:1a:7a: + 79:1a:52:3f:53:82:69:74:9d:9a:48:93:f1:e5:64: + 62:28:65:c8:c8:69:a2:c8:7c:0e:b0:dd:af:c0:31: + 6c:1b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 49:95:F8:2E:DA:AA:B3:AC:22:F3:3A:BE:34:A0:B0:D1:7F:8A:8A:69 + X509v3 Authority Key Identifier: + keyid:96:43:1D:27:B3:3E:FC:7A:4C:8A:E8:64:86:8D:92:7B:85:C0:C0:B8 + DirName:/CN=Easy-RSA CA + serial:A7:39:12:E1:FF:D1:FE:E8 + + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:server + Signature Algorithm: sha256WithRSAEncryption + 4d:e4:c1:b1:a0:c1:88:f6:b9:26:9e:ff:60:13:f5:62:44:fe: + 22:48:66:27:1e:55:fc:3a:f7:a7:a5:44:c2:23:cf:1b:cc:c2: + ef:c2:d2:4a:95:41:c8:ea:52:ac:33:79:93:cc:c7:d1:c0:bf: + 
05:46:f6:1c:98:6c:10:84:d8:16:dc:62:51:13:01:d9:be:4a: + ef:0c:ce:f5:74:b0:58:b8:ce:3b:01:6a:4b:d0:73:76:f6:7d: + 3f:e9:04:da:89:f7:c6:81:84:e8:c4:58:d9:86:d5:09:b9:f8: + f1:dc:8b:9e:92:19:31:33:7e:9a:e8:74:79:fa:87:43:40:87: + a3:82:21:0e:4e:31:0c:eb:6b:d3:fa:36:2e:d4:ff:34:a1:22: + 81:df:ce:9a:c1:7c:5c:7f:d6:83:f7:57:c0:b2:c6:9e:0d:5a: + 9a:7f:c0:de:ab:5c:b9:f0:4d:8b:45:72:c5:0a:87:2e:fe:26: + 5e:e2:41:3a:f7:94:97:0c:97:c4:48:38:85:d8:6e:43:7f:c9: + 5c:1d:8f:72:71:e6:8c:e5:8f:7e:b6:e5:a4:54:39:64:09:30: + 62:50:26:ae:c7:0a:32:ef:e7:c4:77:d4:21:ef:3f:32:b9:44: + 5e:e6:1e:7a:03:45:c2:47:1c:6c:2d:8c:1d:43:3d:97:ca:ae: + b8:16:36:b8 +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIRAPJNvhWbQBNyf8LiSqeKw/EwDQYJKoZIhvcNAQELBQAw +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNTI0MDkzMjE0WhcNMjMwODI3 +MDkzMjE0WjARMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC4QKreVHO7e7Qvw3HkGtA7zpQly/L9CkVtUxyXk7RJF1ls50po +wuUfQLrE0EuT3zyBg05mkpeMkeAsy8+QvMMzI7C6704Tfn8IVmArcD7XW3Mkd/Nw +wzAD1My4IZSnIlyfKI8CHyKw0gFwispYDzlJcPpuvAioMNmj/NxGpexculh7r9+f +9w4huTiiw45Cc/KH6Y8GHPhJbK6EKrFdD9q+AUAsBbvjJq78v570AdQStzUHKNnX +QfxlSildhW2X6JWZ6dotjiX9oULmNs2b8STz3u2uevv7sKxkvdc8rw8aenkaUj9T +gml0nZpIk/HlZGIoZcjIaaLIfA6w3a/AMWwbAgMBAAGjgaowgacwCQYDVR0TBAIw +ADAdBgNVHQ4EFgQUSZX4Ltqqs6wi8zq+NKCw0X+KimkwRgYDVR0jBD8wPYAUlkMd +J7M+/HpMiuhkho2Se4XAwLihGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBggkA +pzkS4f/R/ugwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMBEGA1Ud +EQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOCAQEATeTBsaDBiPa5Jp7/YBP1 +YkT+IkhmJx5V/Dr3p6VEwiPPG8zC78LSSpVByOpSrDN5k8zH0cC/BUb2HJhsEITY +FtxiURMB2b5K7wzO9XSwWLjOOwFqS9BzdvZ9P+kE2on3xoGE6MRY2YbVCbn48dyL +npIZMTN+muh0efqHQ0CHo4IhDk4xDOtr0/o2LtT/NKEigd/OmsF8XH/Wg/dXwLLG +ng1amn/A3qtcufBNi0VyxQqHLv4mXuJBOveUlwyXxEg4hdhuQ3/JXB2PcnHmjOWP +frblpFQ5ZAkwYlAmrscKMu/nxHfUIe8/MrlEXuYeegNFwkccbC2MHUM9l8quuBY2 +uA== +-----END CERTIFICATE----- 
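Review bot: The committed `server.crt` bakes a fixed validity window into the repository (`Not Before: May 24 09:32:14 2021 GMT`, `Not After : Aug 27 09:32:14 2023 GMT`) and nothing in the new role renews it, so any deployment after that date installs an already-expired server certificate and clients configured with `remote-cert-tls server` will refuse the handshake. Either generate the server certificate on the target host with the easy-rsa tooling this commit installs, or document the renewal procedure (re-issue against the Easy-RSA CA, replace `server.crt`/`server.key`, rerun the role) in the role so the expiry is not discovered in production.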
diff --git a/roles/openvpn/files/server.key b/roles/openvpn/files/server.key new file mode 100644 index 0000000..4eb579c --- /dev/null +++ b/roles/openvpn/files/server.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4QKreVHO7e7Qv +w3HkGtA7zpQly/L9CkVtUxyXk7RJF1ls50powuUfQLrE0EuT3zyBg05mkpeMkeAs +y8+QvMMzI7C6704Tfn8IVmArcD7XW3Mkd/NwwzAD1My4IZSnIlyfKI8CHyKw0gFw +ispYDzlJcPpuvAioMNmj/NxGpexculh7r9+f9w4huTiiw45Cc/KH6Y8GHPhJbK6E +KrFdD9q+AUAsBbvjJq78v570AdQStzUHKNnXQfxlSildhW2X6JWZ6dotjiX9oULm +Ns2b8STz3u2uevv7sKxkvdc8rw8aenkaUj9Tgml0nZpIk/HlZGIoZcjIaaLIfA6w +3a/AMWwbAgMBAAECggEAAmJT06ykErj3C+crghgWua9im1qYOk33uAJrTErM+mUi +8xXLEK/05wKfaAyJ7c/lqIdabFlZPKhmji3U8bp/jBnaH5EZIYdxfVogxG8fYQn9 +42rp63ubE3GddIR6t+7p4+VSdGSSvlb5Tct98sW/qAOeOfCU7Bg1uLl84C0lcc2x +0cWhdyxbxrzfgqlhptCc88hv/AxD5ARId6pD84oxh45PyBda/p95rnNEvZmg8pO3 +9oNlHaQkP8DsyQudoNk9ONAPckBwD/dGhWJTul5fE4xZ77D2I/q9RoyeclIdZisO +7T6N64cKwqdrw9o5F3O9r7Wpm2k3YCYgqFU4mZWygQKBgQDvVpTtcHFFHxl79tet +m5KBFwx+lV+nPTk6ykzjbd/DkDOriwiaF2S5fidu/OGSS4Y7Jh/AdpyrbiTbazr7 +lLwM23RMPJu2Sgghdjq/t3V+bEY2wycPMznLml5kwmEOuOzLHCeC/SpkIFxdmSTD +gpKVhNWk4i2/EneSKMMiuvLVLQKBgQDFFF2XYHs8AANI4zMHO+7L4yk1ulMSK4t0 +8wDwaICsYvuq2MvmB2OtqvyodTQEIY5l4m/aRbM8d/+1M2CU5B6gRoZhxYKktjaR +iktqqeMQNt0Yt7xttODDa5y7QCxGVVcCbgWN0m5GBlA0c6oQ5jDaFnoBw5H93Wmt +TF3kUwqjZwKBgCv84MBG8zp9/cQP2RH6TtHU96HoOD1XfkY02i7Oidq6jRSRKBKS +DBwfeIXoiljF8rS6TAmmgyLqynFdYujMLEe8qcI9PW0ibB4iSafkwv5qTflQosQj +aRLnm0OvigEXscWethBYEUt3uyIkvGIGhIRgdpeoTjoY3csKHNssOuc9AoGAAciC +ZElCNDPH09QCdTFMotmmWM8by1FLjL5aJtK7P1QR9OTLS4SLmVmvuZJ96v+muzNG +UdJJoeVwEeKqIA7EXCznMGFKIlVnvv9iWU+6Nz5X185pzRBS7FG/9E3LWMOS6vm1 +4SejSczq0t6tDkQW8xI6/mMXohVrzF6hhtxdf0cCgYEAtBv4cRnGreHCVCcBOg0u +dui6vNY13EjvbQyYLZiAgXg55t2iEbQ9XADNZuYkoAQ1fhzt8NbVEnmeGoCzvOab +z+p5+YNzRrpuDO9642w6t+BFqmswFftAUvJ7RIBq0iMzNf2qYogaypG+UYcnku2J +xirImv0BrII0at3DVvRnK5k= +-----END PRIVATE KEY----- 
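Review bot: `roles/openvpn/files/server.key` is a cleartext PKCS#8 private key checked into version control; once a key has been committed it should be treated as disclosed regardless of repository visibility, and rewriting history alone does not undo clones that already exist. Revoke and re-issue the server certificate with the Easy-RSA CA, and keep the replacement out of plain git — either generate it on the target host, or store it as an Ansible Vault–encrypted variable/file and write it out from that. The matching `server.crt` in the previous hunk (its modulus `00:b8:40:aa:de:...` corresponds to this key) has to be replaced at the same time.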
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
new file mode 100644
index 0000000..c1f7f89
--- /dev/null
+++ b/roles/openvpn/tasks/main.yml
@@ -0,0 +1,111 @@ +--- +- name: "copy openvpn_rpm_file to destination server" + synchronize: + src: "{{ role_path }}/files/{{ wannat_global.rpm_files.openvpn_rpm_file }}" + dest: "/tmp/" + +- name: "copy radius_client_rpm_file to destination server" + synchronize: + src: "{{ role_path }}/../radius_rpm_files/{{ wannat_global.rpm_files.radius_client_rpm_file }}" + dest: "/tmp/" + +- name: "copy easy_rsa to destination server" + synchronize: + src: "{{ role_path }}/files/{{ wannat_global.rpm_files.easy_rsa_rpm_file }}" + dest: "/tmp/" + +- name: "install openvpn" + yum: + name: "{{ packages }}" + state: present + vars: + packages: + - /tmp/{{ wannat_global.rpm_files.openvpn_rpm_file }} + +- name: "install radius_client" + yum: + name: "{{ packages }}" + state: present + vars: + packages: + - /tmp/{{ wannat_global.rpm_files.radius_client_rpm_file }} + +- name: "install easy_rsa tool" + yum: + name: "{{ packages }}" + state: present + vars: + packages: + - /tmp/{{ wannat_global.rpm_files.easy_rsa_rpm_file }} + +- name: "Creates /etc/openvpn/server directory" + file: + path: /etc/openvpn/server + state: directory + +- name: "Creates /etc/openvpn/client directory" + file: + path: /etc/openvpn/client + state: directory + +- name: "Creates /etc/openvpn/server/radius directory" + file: + path: /etc/openvpn/server/radius + state: directory + +- name: "copy radiusplugin.so to destination server" + synchronize: + src: "{{ role_path }}/files/radiusplugin.so" + dest: "/etc/openvpn/server/radius/radiusplugin.so" + +- name: "copy ca.crt to destination server" + synchronize: + src: "{{ role_path }}/files/ca.crt" + dest: "/etc/openvpn/server/ca.crt" + +- name: "copy server.key to destination server" + synchronize: + src: "{{ role_path }}/files/server.key" + dest: "/etc/openvpn/server/server.key" + + +- name: "copy server.crt to destination server" + synchronize: + src: "{{ role_path }}/files/server.crt" + dest: "/etc/openvpn/server/server.crt" + +- name: "copy dh.pem to destination 
server" + synchronize: + src: "{{ role_path }}/files/dh.pem" + dest: "/etc/openvpn/server/dh.pem" + +- name: "template windows_client_example.ovpn to destination server" + template: + src: "{{ role_path }}/templates/windows_client_example.ovpn" + dest: "/etc/openvpn/client/windows_client_example.ovpn" + tags: template + +- name: "Template the openvpn server.conf config file" + template: + src: "{{ role_path }}/templates/server.conf.j2" + dest: /etc/openvpn/server/server.conf + tags: template + +- name: "Template the openvpn radius_client config file" + template: + src: "{{ role_path }}/templates/radiusplugin.cnf.j2" + dest: /etc/openvpn/server/radius/radiusplugin.cnf + tags: template + +- name: "Template the openvpn server service file" + template: + src: "{{ role_path }}/templates/openvpn-server.service.j2" + dest: /usr/lib/systemd/system/openvpn-server.service + tags: template + +- name: "enable openvpn service" + systemd: + name: openvpn-server + enabled: yes + daemon_reload: yes + diff --git a/roles/openvpn/templates/openvpn-server.service.j2 b/roles/openvpn/templates/openvpn-server.service.j2 new file mode 100644 index 0000000..aa0bbe6 --- /dev/null +++ b/roles/openvpn/templates/openvpn-server.service.j2 
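Review bot: The "copy server.key to destination server" task uses `synchronize` with no `owner`/`mode`, so the key arrives with whatever permissions the source file has (git tracks only the executable bit, so that is normally 0644) and ends up world-readable under `/etc/openvpn/server/`. Replace `synchronize:` with `copy:` for that task and add `owner: root`, `group: root`, `mode: "0600"`; the same applies to the `ca.crt`, `server.crt` and `dh.pem` tasks if you want deterministic ownership, though those files are public. Separately, the final `systemd` task only sets `enabled: yes` and none of the `template` tasks notify a handler, so a re-run that changes `server.conf` or `radiusplugin.cnf` never restarts the running daemon; adding `state: started` and a `notify: restart openvpn-server` handler on the template tasks closes that gap.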
@@ -0,0 +1,25 @@ +[Unit] +Description=OpenVPN service +After=syslog.target network-online.target +Wants=network-online.target +Documentation=man:openvpn(8) +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + +[Service] +Type=notify +PrivateTmp=true +WorkingDirectory=/etc/openvpn/server +ExecStart=/usr/sbin/openvpn --status /etc/openvpn/server/status.log --status-version 2 --suppress-timestamps --config /etc/openvpn/server/server.conf +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE +LimitNPROC=10 +DeviceAllow=/dev/null rw +DeviceAllow=/dev/net/tun rw +ProtectSystem=true +ProtectHome=true +KillMode=process +RestartSec=5s +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/roles/openvpn/templates/radiusplugin.cnf.j2 b/roles/openvpn/templates/radiusplugin.cnf.j2 new file mode 100644 index 0000000..4de3450 --- /dev/null +++ b/roles/openvpn/templates/radiusplugin.cnf.j2 
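Review bot: The `ExecStart` line passes `--status /etc/openvpn/server/status.log --status-version 2`, while the radius plugin's own configuration comment (next hunk, `radiusplugin.cnf.j2`) says it locates `status FILE` through the OpenVPN config and that the format version must be 1, so the plugin may be unable to read the status file it is handed. `server.conf.j2` additionally sets `status openvpn-status.log` (relative to `WorkingDirectory=/etc/openvpn/server`), so two status paths are configured and, as far as I can tell, the later-parsed one wins while `--status-version 2` still applies. Dropping `--status ... --status-version 2` from `ExecStart` and letting `server.conf` own the status settings keeps one file in the format the plugin documents.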
@@ -0,0 +1,69 @@ +# The NAS identifier which is sent to the RADIUS server +NAS-Identifier=OpenVpn + +# The service type which is sent to the RADIUS server +Service-Type=5 + +# The framed protocol which is sent to the RADIUS server +Framed-Protocol=1 + +# The NAS port type which is sent to the RADIUS server +NAS-Port-Type=5 + +# The NAS IP address which is sent to the RADIUS server +NAS-IP-Address=192.168.44.71 + +# Path to the OpenVPN configfile. The plugin searches there for +# client-config-dir PATH (searches for the path) +# status FILE (searches for the file, version must be 1) +# client-cert-not-required (if the option is used or not) +# username-as-common-name (if the option is used or not) + +OpenVPNConfig=/etc/openvpn/server/server.conf + + +# Support for topology option in OpenVPN 2.1 +# If you don't specify anything, option "net30" (default in OpenVPN) is used. +# You can only use one of the options at the same time. +# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK" +subnet=255.255.255.0 +# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK" +# p2p=10.8.0.1 + + +# Allows the plugin to overwrite the client config in client config file directory, +# default is true +overwriteccfiles=true + +# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them. +# default is false +# useauthcontrolfile=false + + +# Path to a script for vendor specific attributes. +# Leave it out if you don't use an own script. +# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl + +# Path to the pipe for communication with the vsascript. +# Leave it out if you don't use an own script. +# vsanamedpipe=/tmp/vsapipe + +# A radius server definition, there could be more than one. +# The priority of the server depends on the order in this file. The first one has the highest priority. 
+server +{ + # The UDP port for radius accounting. + acctport=1813 + # The UDP port for radius authentication. + authport=1812 + # The name or ip address of the radius server. + name={{wannat_global.radius.server_ip}} + # How many times should the plugin send the if there is no response? + retry=1 + # How long should the plugin wait for a response? + wait=1 + # The shared secret. +# sharedsecret=testpw + sharedsecret=testing123 +} + diff --git a/roles/openvpn/templates/server.conf.j2 b/roles/openvpn/templates/server.conf.j2 new file mode 100644 index 0000000..ef56947 --- /dev/null +++ b/roles/openvpn/templates/server.conf.j2 @@ -0,0 +1,36 @@ +local 0.0.0.0 +port 1194 +proto tcp +dev tun +ca /etc/openvpn/server/ca.crt +cert /etc/openvpn/server/server.crt +key /etc/openvpn/server/server.key +dh /etc/openvpn/server/dh.pem +server 10.10.130.0 255.255.255.0 +ifconfig-pool-persist ipp.txt +push "route 10.10.130.0 255.255.255.0" +push "redirect-gateway def1" +push "remote-gateway 10.10.130.1" +;client-to-client +;duplicate-cn +keepalive 10 120 +;;;;tls-auth /etc/openvpn/server/ta.key 0 +;;;;cipher AES-256-CBC +compress lz4-v2 +push "compress lz4-v2" +;comp-lzo +max-clients 1000 +user nobody +group nobody +persist-key +persist-tun +status openvpn-status.log +log /var/log/openvpn.log +verb 9 +tun-mtu 1472 +mssfix 1400 + +username-as-common-name +client-cert-not-required #close cert, use username and password to radius for auth +plugin /etc/openvpn/server/radius/radiusplugin.so /etc/openvpn/server/radius/radiusplugin.cnf +;explicit-exit-notify 1 diff --git a/roles/openvpn/templates/windows_client_example.ovpn b/roles/openvpn/templates/windows_client_example.ovpn new file mode 100644 index 0000000..3cb77bc --- /dev/null +++ b/roles/openvpn/templates/windows_client_example.ovpn 
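Review bot: `sharedsecret=testing123` is hardcoded in the template even though the line above it already templates `name={{wannat_global.radius.server_ip}}` and `wannat_deploy_env/all.yml` (later in this commit) carries a `radius.shared_secret` key with the same value; use `sharedsecret={{wannat_global.radius.shared_secret}}` so the secret has a single source, and keep that variable in an Ansible Vault–encrypted file rather than plain group vars. The commented-out `# sharedsecret=testpw` should go as well, since dead alternatives in a credentials block invite confusion. `NAS-IP-Address=192.168.44.71` also looks like the RADIUS server's address (it matches `server_ip`) rather than this host's — the inventory puts the openvpn host at 192.168.44.29 — so `NAS-IP-Address={{ ansible_default_ipv4.address }}` or a dedicated variable is probably what was intended; please confirm against the RADIUS server's client list.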
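Review bot: `client-cert-not-required` is deprecated in the OpenVPN 2.4 series this role installs (`openvpn-2.4.11-1.el7`) and was removed later; the equivalent accepted form is `verify-client-cert none`, so changing that line avoids a hard break on the next package upgrade. With client certificates disabled, the control channel is reachable by anyone who can hit `port 1194`, yet both `;;;;tls-auth /etc/openvpn/server/ta.key 0` and `;;;;cipher AES-256-CBC` are commented out — enabling `tls-auth` (or `tls-crypt`) with a deployed `ta.key` and pinning a cipher list puts an HMAC gate in front of the TLS handshake and removes reliance on the 2.4 default cipher. `compress lz4-v2` plus `push "compress lz4-v2"` enables tunnel compression, which the OpenVPN project recommends against for confidentiality reasons; unless bandwidth measurements justify it, drop both lines (the client example pushes it too). `verb 9` is maximum debug output into `/var/log/openvpn.log` and will grow quickly under load; `verb 3` is the usual production level.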
@@ -0,0 +1,44 @@ +client +dev tun +proto tcp +;;;change remote ipaddress for your environment +remote 192.168.1.1 1194 +resolv-retry infinite +nobind +;user nobody +;group nobody +persist-key +persist-tun +;;;ca ca.crt +;;;cert client.crt +;;;key client.key +remote-cert-tls server +;;;tls-auth ta.key 1 +;;;;cipher AES-256-CBC +compress lz4-v2 +verb 3 +;mute 20 +auth-user-pass + + +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV +BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW +YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp +sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5 +SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM +CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1 +IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD +HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF +wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud +EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y +xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL +SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL +XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d +ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq +S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV +RmQ4krnQ3hYS +-----END CERTIFICATE----- + \ No newline at end of file diff --git a/roles/radius_client/tasks/main.yml b/roles/radius_client/tasks/main.yml index f6c0cc8..da87807 100644 --- a/roles/radius_client/tasks/main.yml +++ b/roles/radius_client/tasks/main.yml 
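Review bot: The CA certificate appended at the end of the profile is not wrapped in inline-file tags, and the `;;;ca ca.crt` directive above it is commented out, so OpenVPN will try to parse `-----BEGIN CERTIFICATE-----` as a configuration directive and the profile will not load; put `<ca>` on the line before `-----BEGIN CERTIFICATE-----` and `</ca>` after `-----END CERTIFICATE-----`. Without a usable CA, `remote-cert-tls server` has nothing to validate against, so this is also what makes the server-identity check effective. The `remote 192.168.1.1 1194` placeholder could be templated from the inventory (this file is deployed via `template`), and `compress lz4-v2` here mirrors the server-side compression setting that is better left off.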
@@ -1,7 +1,7 @@ --- - name: "copy radiusclient-ng to destination server" synchronize: - src: "{{ role_path }}/../radius_rpm_files/radiusclient-ng-0.5.6-9.el7.x86_64.rpm" + src: "{{ role_path }}/../radius_rpm_files/{{ wannat_global.rpm_files.radius_client_rpm_file }}" dest: "/tmp/" - name: "install radiusclient-ng" diff --git a/roles/wangw/tasks/main.yml b/roles/wangw/tasks/main.yml index 1b3732e..cd6fb9c 100644 --- a/roles/wangw/tasks/main.yml +++ b/roles/wangw/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: "copy wangw_rpm_file to destination server" synchronize: - src: "{{ role_path }}/files/rpm/{{ wangw_global.rpm_files.wangw_rpm_file }}" + src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.wangw_rpm_file }}" dest: "/tmp/" - name: "install wangw" @@ -10,7 +10,7 @@ state: present vars: packages: - - /tmp/{{ wangw_global.rpm_files.wangw_rpm_file }} + - /tmp/{{ wannat_global.rpm_files.wangw_rpm_file }} - name: "Creates ./etc/wannat directory" file: diff --git a/roles/wangw/templates/wangw.conf.j2 b/roles/wangw/templates/wangw.conf.j2 index 36caa37..5bd2680 100644 --- a/roles/wangw/templates/wangw.conf.j2 +++ b/roles/wangw/templates/wangw.conf.j2 @@ -3,7 +3,7 @@ NAT_GW_tunnel_mode=vxlan #本地监听端口 -NAT_GW_tunnel_recv_port={{wannat_global.wangw.NAT_GW_tunnel_listen_port}} +NAT_GW_tunnel_recv_port={{wannat_global.wangw.WAN_GW_tunnel_listen_port}} #DNAT首包发送给NATGW时, 对端的监听端口 NAT_GW_tunnel_send_port={{wannat_global.wangw.NAT_GW_tunnel_remote_port}} diff --git a/roles/wire_graft/tasks/main.yml b/roles/wire_graft/tasks/main.yml index 6e5f29d..339d538 100644 --- a/roles/wire_graft/tasks/main.yml +++ b/roles/wire_graft/tasks/main.yml @@ -6,7 +6,7 @@ - name: "copy wiregraft_rpm_file to destination server" synchronize: - src: "{{ role_path }}/files/rpm/{{ wangw_global.rpm_files.wire_graft_rpm_file }}" + src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.wire_graft_rpm_file }}" dest: "/tmp/" - name: "install wiregraft" 
@@ -15,7 +15,7 @@ state: present vars: packages: - - /tmp/{{ wangw_global.rpm_files.wire_graft_rpm_file }} + - /tmp/{{ wannat_global.rpm_files.wire_graft_rpm_file }} - name: "Template the wire_graft.inf" template: diff --git a/roles/wire_graft_devel/files/rpm/libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm b/roles/wire_graft_devel/files/rpm/libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm deleted file mode 100644 index 6b4d6a8..0000000 Binary files a/roles/wire_graft_devel/files/rpm/libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/wire_graft_devel/files/rpm/libwire_graft-devel-1.2.1.90d29af-2.el7.x86_64.rpm b/roles/wire_graft_devel/files/rpm/libwire_graft-devel-1.2.1.90d29af-2.el7.x86_64.rpm new file mode 100644 index 0000000..c761b7a Binary files /dev/null and b/roles/wire_graft_devel/files/rpm/libwire_graft-devel-1.2.1.90d29af-2.el7.x86_64.rpm differ diff --git a/wannat-install.tmp.yml b/wannat-install.tmp.yml new file mode 100644 index 0000000..29f1597 --- /dev/null +++ b/wannat-install.tmp.yml @@ -0,0 +1,47 @@ +--- +#- hosts: wangw +# roles: +# - wangw +## - wire_graft_devel +# - wire_graft +# vars_files: +# - wannat_deploy_env/all.yml +# +#- hosts: natgw +# roles: +# - wire_graft_devel +# - natgw +# vars_files: +# - wannat_deploy_env/all.yml +# +#- hosts: toroad +# roles: +# - wire_graft_devel +# - toroad +# vars_files: +# - wannat_deploy_env/all.yml + +#- hosts: radius_client +# roles: +# - radius_client +# vars_files: +# - wannat_deploy_env/all.yml + +#- hosts: radius_server +# roles: +# - radius_server +# vars_files: +# - wannat_deploy_env/all.yml + +#- hosts: pptpd + #roles: + #- pptpd + #vars_files: + #- wannat_deploy_env/all.yml + +- hosts: openvpn + roles: + - openvpn + vars_files: + - wannat_deploy_env/all.yml + diff --git a/wannat-install.yml b/wannat-install.yml index 2f30678..5732965 100644 --- a/wannat-install.yml +++ b/wannat-install.yml 
@@ -38,5 +38,10 @@ - hosts: pptpd roles: - pptpd + +- hosts: openvpn + roles: + - openvpn + diff --git a/wannat_deploy_env/all.yml b/wannat_deploy_env/all.yml index b02f99c..d560c5b 100644 --- a/wannat_deploy_env/all.yml +++ b/wannat_deploy_env/all.yml @@ -9,7 +9,9 @@ wannat_global: wangw: NAT_GW_tunnel_device: "enp6s0" + WAN_GW_tunnel_listen_port: 3544 NAT_GW_tunnel_ip: "192.168.40.134" + NAT_GW_tunnel_remote_port: 3544 natgw: run_type: 0 @@ -44,13 +46,16 @@ wannat_global: radius: shared_secret: "testing123" + server_ip: "192.168.44.71" rpm_files: wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm" natgw_rpm_file: "wannat_natgw-1.3.1.a1506cb-2.el7.x86_64.rpm" - wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm" - wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm" + wire_graft_rpm_file: "libwire_graft-1.2.1.90d29af-2.el7.x86_64.rpm" + wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.1.90d29af-2.el7.x86_64.rpm" toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm" ppp_rpm_file: "ppp-2.4.5-34.el7_7.x86_64.rpm" pptpd_rpm_file: "pptpd-1.4.0-2.el7.x86_64.rpm" - + openvpn_rpm_file: "openvpn-2.4.11-1.el7.x86_64.rpm" + radius_client_rpm_file: "radiusclient-ng-0.5.6-9.el7.x86_64.rpm" + easy_rsa_rpm_file: "easy-rsa-3.0.8-1.el7.noarch.rpm" diff --git a/wannat_deploy_env/hosts b/wannat_deploy_env/hosts index 641776d..3fa25c6 100644 --- a/wannat_deploy_env/hosts +++ b/wannat_deploy_env/hosts @@ -21,3 +21,6 @@ install_sapp=false [radius_client] 192.168.40.134 +[openvpn] +192.168.44.29 + diff --git a/wannat_deploy_env/hosts.tmp b/wannat_deploy_env/hosts.tmp index 071904e..641b2db 100644 --- a/wannat_deploy_env/hosts.tmp +++ b/wannat_deploy_env/hosts.tmp @@ -2,23 +2,6 @@ ansible_user=root install_sapp=false -[wangw] -192.168.40.161 - -[natgw] -192.168.40.134 - -[toroad] -192.168.40.134 - -[pptpd] -192.168.40.134 - -[radius_server] -192.168.44.71 - -[radius_client] -192.168.40.134 - - +[openvpn] +192.168.44.29 
diff --git a/xxg_integration_env/group_vars/all.yml b/xxg_integration_env/group_vars/all.yml new file mode 100644 index 0000000..43f7978 --- /dev/null +++ b/xxg_integration_env/group_vars/all.yml @@ -0,0 +1,23 @@ +wangw_global: + wangw: + NAT_GW_tunnel_device: "enp6s0" + NAT_GW_tunnel_ip: "192.168.40.134" + redis_server_ip: "192.168.44.71" + redis_server_port: 7002 + redis_index: 0 + + toroad: + redis_server_ip: "192.168.44.71" + redis_server_port: 7002 + redis_index: 0 + + wiregraft: + identification_by_which_device: "enp6s0" + toroad_server_ip: "192.168.40.134" + + rpm_files: + wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm" + wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm" + wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm" + toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm" + diff --git a/xxg_integration_env/hosts.xxg b/xxg_integration_env/hosts.xxg new file mode 100644 index 0000000..8a53859 --- /dev/null +++ b/xxg_integration_env/hosts.xxg @@ -0,0 +1,12 @@ +[all:vars] +ansible_user=root +install_sapp=false +install_device_sn=false +install_device_tag=false + +[wangw] +192.168.40.161 + +[toroad] +192.168.40.134 + diff --git a/xxg_module_test_env/group_vars/all.yml b/xxg_module_test_env/group_vars/all.yml new file mode 100644 index 0000000..b00bdc6 --- /dev/null +++ b/xxg_module_test_env/group_vars/all.yml 
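Review bot: This new `group_vars/all.yml` defines its tree under `wangw_global`, but the same commit switches the `wangw` and `wire_graft` roles to read `wannat_global.rpm_files.*` (see the `roles/wangw/tasks/main.yml` and `roles/wire_graft/tasks/main.yml` hunks), so a play against this inventory will fail with an undefined `wannat_global`. The `wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm"` entry also points at the RPM this commit deletes from `roles/wire_graft_devel/files/rpm/` in favour of `1.2.1.90d29af`. The same two problems are present in `xxg_module_test_env/group_vars/all.yml` and `xxg_test_env/group_vars/all.yml` below; renaming the top-level key to `wannat_global` and updating the two `wire_graft*` filenames in all three files brings them in line with the roles.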
@@ -0,0 +1,26 @@ +wangw_global: + wangw: + NAT_GW_tunnel_device: "enp8s0" + NAT_GW_tunnel_ip: "192.168.40.133" + NAT_GW_tunnel_listen_port: 3544 + NAT_GW_tunnel_remote_port: 3544 + redis_server_ip: "192.168.44.3" + redis_server_port: 7002 + redis_index: 0 + + toroad: + redis_server_ip: "192.168.44.3" + redis_server_port: 7002 + redis_index: 0 + + wiregraft: + identification_by_which_device: "enp8s0" + toroad_server_ip: "192.168.40.133" + toroad_server_port: "8888" + + rpm_files: + wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm" + wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm" + wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm" + toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm" + diff --git a/xxg_module_test_env/hosts.xxg b/xxg_module_test_env/hosts.xxg new file mode 100644 index 0000000..6c224bf --- /dev/null +++ b/xxg_module_test_env/hosts.xxg @@ -0,0 +1,12 @@ +[all:vars] +ansible_user=root +install_sapp=false +install_device_sn=false +install_device_tag=false + +[wangw] +192.168.40.21 + +[toroad] +192.168.40.133 + diff --git a/xxg_test_env/group_vars/all.yml b/xxg_test_env/group_vars/all.yml new file mode 100644 index 0000000..b00bdc6 --- /dev/null +++ b/xxg_test_env/group_vars/all.yml 
@@ -0,0 +1,26 @@ +wangw_global: + wangw: + NAT_GW_tunnel_device: "enp8s0" + NAT_GW_tunnel_ip: "192.168.40.133" + NAT_GW_tunnel_listen_port: 3544 + NAT_GW_tunnel_remote_port: 3544 + redis_server_ip: "192.168.44.3" + redis_server_port: 7002 + redis_index: 0 + + toroad: + redis_server_ip: "192.168.44.3" + redis_server_port: 7002 + redis_index: 0 + + wiregraft: + identification_by_which_device: "enp8s0" + toroad_server_ip: "192.168.40.133" + toroad_server_port: "8888" + + rpm_files: + wangw_rpm_file: "libwangw-1.2.1.cb66dda-2.el7.x86_64.rpm" + wire_graft_rpm_file: "libwire_graft-1.2.0.7fdacbc-2.el7.x86_64.rpm" + wire_graft_devel_rpm_file: "libwire_graft-devel-1.2.0.7fdacbc-2.el7.x86_64.rpm" + toroad_rpm_file: "toroad-1.1.11.b0562a5-2.el7.x86_64.rpm" + diff --git a/xxg_test_env/hosts.xxg b/xxg_test_env/hosts.xxg new file mode 100644 index 0000000..fc5de53 --- /dev/null +++ b/xxg_test_env/hosts.xxg @@ -0,0 +1,12 @@ +[all:vars] +ansible_user=root +install_sapp=false +install_device_sn=false +install_device_tag=false + +[wangw] +192.168.40.137 + +[toroad] +192.168.40.133 +