extend ff_gw::vpn for hideme support

This commit is contained in:
Martin Schuette 2014-06-22 22:03:10 +02:00
parent 5b8b7454e3
commit daf7f768f0
3 changed files with 113 additions and 20 deletions

View file

@ -128,3 +128,18 @@ The verbose flag is optional and shows all changes.
To be even more catious you can also add the `--noop` flag to only show changes To be even more catious you can also add the `--noop` flag to only show changes
but not apply them. but not apply them.
## VPN providers
The example above is written for a mullvad VPN using X.509 authentication.
For hide.me with username/password auth use:
```
class { 'ff_gw':
# ...
vpn_provider => 'hideme',
vpn_usr_name => 'username',
vpn_usr_pass => 'vpn_password',
vpn_ca_crt => '-----BEGIN CERTIFICATE-----
MIIE ...
-----END CERTIFICATE-----',
```

View file

@ -0,0 +1,42 @@
client
dev mullvad # this is important because other scripts rely on this device name
dev-type tun
proto udp
remote nl.hide.me 3478
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Set log file verbosity.
verb 3
# ping 5 # this is pushed by hideme
# ping-restart 15 # this is pushed by hideme
# Allow calling of built-in executables and user-defined scripts.
script-security 3 system
# Parses DHCP options from openvpn to update resolv.conf
route-noexec
up /etc/openvpn/mullvad/mullvad-up
down /etc/openvpn/update-dnsmasq-forward
# hideme specifics
ca /etc/openvpn/hideme/ca.crt
auth-user-pass /etc/openvpn/hideme/auth.txt
cipher AES-128-CBC
reneg-sec 0

View file

@ -1,4 +1,22 @@
class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask = '255.255.192.0', $gw_ipv6, $gw_ipv6_prefixlen = '64', $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name = false, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4 = false, $ic_vpn_ip6 = false) { class ff_gw(
$ff_net,
$ff_mesh_net,
$ff_as,
$mesh_mac,
$gw_ipv4, $gw_ipv4_netmask = '255.255.192.0',
$gw_ipv6, $gw_ipv6_prefixlen = '64',
$secret_key, # for fastd
$vpn_provider = 'mullvad', # supported: mullvad or hideme
$vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, # openvpn x.509 credentials
$vpn_usr_name = false, # openvpn user for auth-user-pass
$vpn_usr_pass = false, # openvpn password for auth-user-pass
$dhcprange_start, $dhcprange_end,
$gw_do_ic_peering = false, # configure inter city VPN
$tinc_name = false,
$tinc_keyfile = '/etc/tinc/rsa_key.priv',
$ic_vpn_ip4 = false,
$ic_vpn_ip6 = false
) {
class { 'ff_gw::software': } class { 'ff_gw::software': }
-> ->
class { 'ff_gw::fastd': class { 'ff_gw::fastd':
@ -21,9 +39,12 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask
} }
-> ->
class { 'ff_gw::vpn': class { 'ff_gw::vpn':
usr_crt => $vpn_usr_crt, provider => $vpn_provider,
usr_key => $vpn_usr_key, usr_crt => $vpn_usr_crt,
ca_crt => $vpn_ca_crt, usr_key => $vpn_usr_key,
ca_crt => $vpn_ca_crt,
usr_name => $vpn_usr_name,
usr_pass => $vpn_usr_pass,
} }
-> ->
class { 'ff_gw::iptables': } class { 'ff_gw::iptables': }
@ -386,10 +407,32 @@ class ff_gw::radvd($own_ipv6) {
} }
} }
class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') { class ff_gw::vpn($provider, $ca_crt, $usr_crt, $usr_key, $usr_name, $usr_pass, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
# TODO: this name is used in several places including dnsmasq # TODO: note that even the hideme.conf uses the interface name 'mullvad',
# and is even used for other providers, thus hard to change # because that interface is referenced elsewhere
$vpnname = 'mullvad'
# TODO: maybe we should check that provider and auth methods match
# atm we trust the caller to give the right combination
if str2bool("$usr_name") {
# hideme config with user/pass file
file {
"/etc/openvpn/${provider}/auth.txt":
ensure => file,
mode => '0600',
content => "$usr_name\n$usr_pass\n";
}
} else {
# mullvad config with x.509
file {
"/etc/openvpn/${provider}/client.crt":
ensure => file,
content => $usr_crt;
"/etc/openvpn/${provider}/client.key":
ensure => file,
mode => '0600',
content => $usr_key;
}
}
package { package {
'openvpn': 'openvpn':
@ -397,19 +440,12 @@ class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+
} }
-> ->
file { file {
"/etc/openvpn/${vpnname}": "/etc/openvpn/${provider}":
ensure => directory; ensure => directory;
"/etc/openvpn/${vpnname}/ca.crt": "/etc/openvpn/${provider}/ca.crt":
ensure => file, ensure => file,
content => $ca_crt; content => $ca_crt;
"/etc/openvpn/${vpnname}/client.crt": "/etc/openvpn/${provider}/${provider}-up":
ensure => file,
content => $usr_crt;
"/etc/openvpn/${vpnname}/client.key":
ensure => file,
mode => '0600',
content => $usr_key;
"/etc/openvpn/${vpnname}/mullvad-up":
ensure => file, ensure => file,
mode => '0755', mode => '0755',
content => '#!/bin/sh content => '#!/bin/sh
@ -417,9 +453,9 @@ ip route replace 0.0.0.0/1 via $5 table 42
ip route replace 128.0.0.0/1 via $5 table 42 ip route replace 128.0.0.0/1 via $5 table 42
/etc/openvpn/update-dnsmasq-forward /etc/openvpn/update-dnsmasq-forward
exit 0'; exit 0';
"/etc/openvpn/${vpnname}.conf": "/etc/openvpn/${provider}.conf":
ensure => file, ensure => file,
source => "puppet:///modules/ff_gw/etc/openvpn/${vpnname}.conf"; source => "puppet:///modules/ff_gw/etc/openvpn/${provider}.conf";
"/etc/openvpn/update-dnsmasq-forward": "/etc/openvpn/update-dnsmasq-forward":
ensure => file, ensure => file,
mode => '0755', mode => '0755',