From daf7f768f06e10f010845a0328d16932cce4e635 Mon Sep 17 00:00:00 2001
From: Martin Schuette
Date: Sun, 22 Jun 2014 22:03:10 +0200
Subject: [PATCH] extend ff_gw::vpn for hideme support
---
 README.md | 15 +++++++
 files/etc/openvpn/hideme.conf | 42 +++++++++++++++++++
 manifests/init.pp | 76 ++++++++++++++++++++++++++---------
 3 files changed, 113 insertions(+), 20 deletions(-)
 create mode 100644 files/etc/openvpn/hideme.conf
diff --git a/README.md b/README.md
index 17aebe6..d1ea1f7 100644
--- a/README.md
+++ b/README.md
@@ -128,3 +128,18 @@ The verbose flag is optional and shows all changes. To be even more catious you can also add the `--noop` flag to only show changes but not apply them.
+## VPN providers
+
+The example above is written for a mullvad VPN using X.509 authentication.
+
+For hide.me with username/password auth use:
+```
+class { 'ff_gw':
+ # ...
+ vpn_provider => 'hideme',
+ vpn_usr_name => 'username',
+ vpn_usr_pass => 'vpn_password',
+ vpn_ca_crt => '-----BEGIN CERTIFICATE-----
+MIIE ...
+-----END CERTIFICATE-----',
+```
diff --git a/files/etc/openvpn/hideme.conf b/files/etc/openvpn/hideme.conf
new file mode 100644
index 0000000..0a4c320
--- /dev/null
+++ b/files/etc/openvpn/hideme.conf
@@ -0,0 +1,42 @@
+client
+
+dev mullvad # this is important because other scripts rely on this device name
+dev-type tun
+
+proto udp
+
+remote nl.hide.me 3478
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server. Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Set log file verbosity.
+verb 3
+
+# ping 5 # this is pushed by hideme
+# ping-restart 15 # this is pushed by hideme
+
+# Allow calling of built-in executables and user-defined scripts.
+script-security 3 system
+
+# Parses DHCP options from openvpn to update resolv.conf
+route-noexec
+up /etc/openvpn/mullvad/mullvad-up
+down /etc/openvpn/update-dnsmasq-forward
+
+# hideme specifics
+ca /etc/openvpn/hideme/ca.crt
+auth-user-pass /etc/openvpn/hideme/auth.txt
+cipher AES-128-CBC
+reneg-sec 0
diff --git a/manifests/init.pp b/manifests/init.pp
index e5e96ab..382b50a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
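Review bot: `up /etc/openvpn/mullvad/mullvad-up` still points at the helper path the old manifest created, but manifests/init.pp in this same patch now writes that helper to `/etc/openvpn/${provider}/${provider}-up`, which for this provider is `/etc/openvpn/hideme/hideme-up`, so on a hideme-only gateway the up hook (the table 42 routes and the dnsmasq forward update) will not run; either change the line to `up /etc/openvpn/hideme/hideme-up` or keep the helper at a provider-independent path in the manifest. `script-security 3 system` is also more than the two hooks need: level 3 lets OpenVPN hand the auth-user-pass credentials to scripts through the environment and the `system` method flag is deprecated, so `script-security 2` is the safer setting for plain `up`/`down` scripts. Since auth.txt holds the password in clear text, the `0600` mode set on the Puppet side is what protects it; a comment next to `auth-user-pass` saying so would help the next reader.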
@@ -1,4 +1,22 @@
-class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask = '255.255.192.0', $gw_ipv6, $gw_ipv6_prefixlen = '64', $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name = false, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4 = false, $ic_vpn_ip6 = false) {
+class ff_gw(
+ $ff_net,
+ $ff_mesh_net,
+ $ff_as,
+ $mesh_mac,
+ $gw_ipv4, $gw_ipv4_netmask = '255.255.192.0',
+ $gw_ipv6, $gw_ipv6_prefixlen = '64',
+ $secret_key, # for fastd
+ $vpn_provider = 'mullvad', # supported: mullvad or hideme
+ $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, # openvpn x.509 credentials
+ $vpn_usr_name = false, # openvpn user for auth-user-pass
+ $vpn_usr_pass = false, # openvpn password for auth-user-pass
+ $dhcprange_start, $dhcprange_end,
+ $gw_do_ic_peering = false, # configure inter city VPN
+ $tinc_name = false,
+ $tinc_keyfile = '/etc/tinc/rsa_key.priv',
+ $ic_vpn_ip4 = false,
+ $ic_vpn_ip6 = false
+) {
 class { 'ff_gw::software': }
 ->
 class { 'ff_gw::fastd':
@@ -21,9 +39,12 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask
 }
 ->
 class { 'ff_gw::vpn':
- usr_crt => $vpn_usr_crt,
- usr_key => $vpn_usr_key,
- ca_crt => $vpn_ca_crt,
+ provider => $vpn_provider,
+ usr_crt => $vpn_usr_crt,
+ usr_key => $vpn_usr_key,
+ ca_crt => $vpn_ca_crt,
+ usr_name => $vpn_usr_name,
+ usr_pass => $vpn_usr_pass,
 }
 ->
 class { 'ff_gw::iptables': }
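Review bot: `$vpn_usr_crt` and `$vpn_usr_key` stay mandatory parameters while `$vpn_usr_name`/`$vpn_usr_pass` get a `false` default, so a hideme caller such as the README example must still hand in X.509 material that `ff_gw::vpn` never writes in that mode; giving them the same treatment, `$vpn_ca_crt, $vpn_usr_crt = false, $vpn_usr_key = false, # openvpn x.509 credentials`, makes the provider switch genuinely optional. The comment `# supported: mullvad or hideme` is the only place the valid values are documented; it is worth adding that the value selects the shipped `files/etc/openvpn/<provider>.conf` and the auth files written under `/etc/openvpn/<provider>/`. The body of class ff_gw continues outside this hunk.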
@@ -386,10 +407,32 @@ class ff_gw::radvd($own_ipv6) {
 }
 }
-class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
- # TODO: this name is used in several places including dnsmasq
- # and is even used for other providers, thus hard to change
- $vpnname = 'mullvad'
+class ff_gw::vpn($provider, $ca_crt, $usr_crt, $usr_key, $usr_name, $usr_pass, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
+ # TODO: note that even the hideme.conf uses the interface name 'mullvad',
+ # because that interface is referenced elsewhere
+
+ # TODO: maybe we should check that provider and auth methods match
+ # atm we trust the caller to give the right combination
+ if str2bool("$usr_name") {
+ # hideme config with user/pass file
+ file {
+ "/etc/openvpn/${provider}/auth.txt":
+ ensure => file,
+ mode => '0600',
+ content => "$usr_name\n$usr_pass\n";
+ }
+ } else {
+ # mullvad config with x.509
+ file {
+ "/etc/openvpn/${provider}/client.crt":
+ ensure => file,
+ content => $usr_crt;
+ "/etc/openvpn/${provider}/client.key":
+ ensure => file,
+ mode => '0600',
+ content => $usr_key;
+ }
+ }
 package { 'openvpn':
@@ -397,19 +440,12 @@ class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+
 }
 ->
 file {
- "/etc/openvpn/${vpnname}":
+ "/etc/openvpn/${provider}":
 ensure => directory;
- "/etc/openvpn/${vpnname}/ca.crt":
+ "/etc/openvpn/${provider}/ca.crt":
 ensure => file,
 content => $ca_crt;
- "/etc/openvpn/${vpnname}/client.crt":
- ensure => file,
- content => $usr_crt;
- "/etc/openvpn/${vpnname}/client.key":
- ensure => file,
- mode => '0600',
- content => $usr_key;
- "/etc/openvpn/${vpnname}/mullvad-up":
+ "/etc/openvpn/${provider}/${provider}-up":
 ensure => file,
 mode => '0755',
 content => '#!/bin/sh
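Review bot: `if str2bool("$usr_name")` is the wrong test for "a username was given": stdlib's str2bool only accepts boolean-like strings (true/false, yes/no, 1/0, empty) and, as far as I recall, raises a parse error for anything else, so a real username such as the README's `'username'` would abort catalog compilation; since the parameter's default is the boolean false, `if $usr_name {` expresses the intent directly. The `auth.txt` and `client.key` contents are secrets, and Puppet prints content diffs in agent output and reports by default, so both resources should carry `show_diff => false` alongside `mode => '0600'`. `$provider` is interpolated into every path here and into the `puppet:///` source further down but never validated, so an unsupported value only surfaces at apply time as a missing source file; a guard at the top of the class such as `if ! ($provider in ['mullvad', 'hideme']) { fail("ff_gw::vpn: unsupported provider ${provider}") }` turns that into a compile-time error with a clear message. The class body continues into the next hunk and beyond.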
@@ -417,9 +453,9 @@ ip route replace 0.0.0.0/1 via $5 table 42
 ip route replace 128.0.0.0/1 via $5 table 42
 /etc/openvpn/update-dnsmasq-forward
 exit 0';
- "/etc/openvpn/${vpnname}.conf":
+ "/etc/openvpn/${provider}.conf":
 ensure => file,
- source => "puppet:///modules/ff_gw/etc/openvpn/${vpnname}.conf";
+ source => "puppet:///modules/ff_gw/etc/openvpn/${provider}.conf";
 "/etc/openvpn/update-dnsmasq-forward":
 ensure => file,
 mode => '0755',