extend ff_gw::vpn for hideme support
This commit is contained in:
parent
5b8b7454e3
commit
daf7f768f0
15
README.md
15
README.md
|
@ -128,3 +128,18 @@ The verbose flag is optional and shows all changes.
|
||||||
To be even more catious you can also add the `--noop` flag to only show changes
|
To be even more catious you can also add the `--noop` flag to only show changes
|
||||||
but not apply them.
|
but not apply them.
|
||||||
|
|
||||||
|
## VPN providers
|
||||||
|
|
||||||
|
The example above is written for a mullvad VPN using X.509 authentication.
|
||||||
|
|
||||||
|
For hide.me with username/password auth use:
|
||||||
|
```
|
||||||
|
class { 'ff_gw':
|
||||||
|
# ...
|
||||||
|
vpn_provider => 'hideme',
|
||||||
|
vpn_usr_name => 'username',
|
||||||
|
vpn_usr_pass => 'vpn_password',
|
||||||
|
vpn_ca_crt => '-----BEGIN CERTIFICATE-----
|
||||||
|
MIIE ...
|
||||||
|
-----END CERTIFICATE-----',
|
||||||
|
```
|
||||||
|
|
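--- a/files/etc/openvpn/hideme.conf
+++ b/files/etc/openvpn/hideme.conf
@@ -0,0 +1,42 @@
+client
+
+dev mullvad # this is important because other scripts rely on this device name
+dev-type tun
+
+proto udp
+
+remote nl.hide.me 3478
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server. Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Set log file verbosity.
+verb 3
+
+# ping 5 # this is pushed by hideme
+# ping-restart 15 # this is pushed by hideme
+
+# Allow calling of built-in executables and user-defined scripts.
+script-security 3 system
+
+# Parses DHCP options from openvpn to update resolv.conf
+route-noexec
+up /etc/openvpn/mullvad/mullvad-up
+down /etc/openvpn/update-dnsmasq-forward
+
+# hideme specifics
+ca /etc/openvpn/hideme/ca.crt
+auth-user-pass /etc/openvpn/hideme/auth.txt
+cipher AES-128-CBC
+reneg-sec 0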
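Review bot: The `up /etc/openvpn/mullvad/mullvad-up` line points at the mullvad directory, but the manifest hunk in this same commit now creates the up script as `/etc/openvpn/${provider}/${provider}-up`, i.e. `/etc/openvpn/hideme/hideme-up` when the provider is hideme, so with this config the up hook is never found and the table-42 routes and the dnsmasq forward update do not happen; it should read `up /etc/openvpn/hideme/hideme-up` (the `ca` and `auth-user-pass` paths below already use the hideme directory). Separately, `script-security 3 system` grants more than the two hooks need: level 3 exposes the auth-user-pass credentials to scripts via environment variables, and the `system` execution method is deprecated in OpenVPN 2.3, so `script-security 2` is the appropriate setting for running up/down scripts. Whether `reneg-sec 0` (no periodic key renegotiation) is required by the provider or just copied over is worth a one-line comment, since it is a deliberate weakening of the default.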
|
@ -1,4 +1,22 @@
|
||||||
class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask = '255.255.192.0', $gw_ipv6, $gw_ipv6_prefixlen = '64', $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name = false, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4 = false, $ic_vpn_ip6 = false) {
|
class ff_gw(
|
||||||
|
$ff_net,
|
||||||
|
$ff_mesh_net,
|
||||||
|
$ff_as,
|
||||||
|
$mesh_mac,
|
||||||
|
$gw_ipv4, $gw_ipv4_netmask = '255.255.192.0',
|
||||||
|
$gw_ipv6, $gw_ipv6_prefixlen = '64',
|
||||||
|
$secret_key, # for fastd
|
||||||
|
$vpn_provider = 'mullvad', # supported: mullvad or hideme
|
||||||
|
$vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, # openvpn x.509 credentials
|
||||||
|
$vpn_usr_name = false, # openvpn user for auth-user-pass
|
||||||
|
$vpn_usr_pass = false, # openvpn password for auth-user-pass
|
||||||
|
$dhcprange_start, $dhcprange_end,
|
||||||
|
$gw_do_ic_peering = false, # configure inter city VPN
|
||||||
|
$tinc_name = false,
|
||||||
|
$tinc_keyfile = '/etc/tinc/rsa_key.priv',
|
||||||
|
$ic_vpn_ip4 = false,
|
||||||
|
$ic_vpn_ip6 = false
|
||||||
|
) {
|
||||||
class { 'ff_gw::software': }
|
class { 'ff_gw::software': }
|
||||||
->
|
->
|
||||||
class { 'ff_gw::fastd':
|
class { 'ff_gw::fastd':
|
||||||
|
@ -21,9 +39,12 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask
|
||||||
}
|
}
|
||||||
->
|
->
|
||||||
class { 'ff_gw::vpn':
|
class { 'ff_gw::vpn':
|
||||||
usr_crt => $vpn_usr_crt,
|
provider => $vpn_provider,
|
||||||
usr_key => $vpn_usr_key,
|
usr_crt => $vpn_usr_crt,
|
||||||
ca_crt => $vpn_ca_crt,
|
usr_key => $vpn_usr_key,
|
||||||
|
ca_crt => $vpn_ca_crt,
|
||||||
|
usr_name => $vpn_usr_name,
|
||||||
|
usr_pass => $vpn_usr_pass,
|
||||||
}
|
}
|
||||||
->
|
->
|
||||||
class { 'ff_gw::iptables': }
|
class { 'ff_gw::iptables': }
|
||||||
|
@ -386,10 +407,32 @@ class ff_gw::radvd($own_ipv6) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
|
class ff_gw::vpn($provider, $ca_crt, $usr_crt, $usr_key, $usr_name, $usr_pass, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
|
||||||
# TODO: this name is used in several places including dnsmasq
|
# TODO: note that even the hideme.conf uses the interface name 'mullvad',
|
||||||
# and is even used for other providers, thus hard to change
|
# because that interface is referenced elsewhere
|
||||||
$vpnname = 'mullvad'
|
|
||||||
|
# TODO: maybe we should check that provider and auth methods match
|
||||||
|
# atm we trust the caller to give the right combination
|
||||||
|
if str2bool("$usr_name") {
|
||||||
|
# hideme config with user/pass file
|
||||||
|
file {
|
||||||
|
"/etc/openvpn/${provider}/auth.txt":
|
||||||
|
ensure => file,
|
||||||
|
mode => '0600',
|
||||||
|
content => "$usr_name\n$usr_pass\n";
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
# mullvad config with x.509
|
||||||
|
file {
|
||||||
|
"/etc/openvpn/${provider}/client.crt":
|
||||||
|
ensure => file,
|
||||||
|
content => $usr_crt;
|
||||||
|
"/etc/openvpn/${provider}/client.key":
|
||||||
|
ensure => file,
|
||||||
|
mode => '0600',
|
||||||
|
content => $usr_key;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
package {
|
package {
|
||||||
'openvpn':
|
'openvpn':
|
||||||
|
@ -397,19 +440,12 @@ class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+
|
||||||
}
|
}
|
||||||
->
|
->
|
||||||
file {
|
file {
|
||||||
"/etc/openvpn/${vpnname}":
|
"/etc/openvpn/${provider}":
|
||||||
ensure => directory;
|
ensure => directory;
|
||||||
"/etc/openvpn/${vpnname}/ca.crt":
|
"/etc/openvpn/${provider}/ca.crt":
|
||||||
ensure => file,
|
ensure => file,
|
||||||
content => $ca_crt;
|
content => $ca_crt;
|
||||||
"/etc/openvpn/${vpnname}/client.crt":
|
"/etc/openvpn/${provider}/${provider}-up":
|
||||||
ensure => file,
|
|
||||||
content => $usr_crt;
|
|
||||||
"/etc/openvpn/${vpnname}/client.key":
|
|
||||||
ensure => file,
|
|
||||||
mode => '0600',
|
|
||||||
content => $usr_key;
|
|
||||||
"/etc/openvpn/${vpnname}/mullvad-up":
|
|
||||||
ensure => file,
|
ensure => file,
|
||||||
mode => '0755',
|
mode => '0755',
|
||||||
content => '#!/bin/sh
|
content => '#!/bin/sh
|
||||||
|
@ -417,9 +453,9 @@ ip route replace 0.0.0.0/1 via $5 table 42
|
||||||
ip route replace 128.0.0.0/1 via $5 table 42
|
ip route replace 128.0.0.0/1 via $5 table 42
|
||||||
/etc/openvpn/update-dnsmasq-forward
|
/etc/openvpn/update-dnsmasq-forward
|
||||||
exit 0';
|
exit 0';
|
||||||
"/etc/openvpn/${vpnname}.conf":
|
"/etc/openvpn/${provider}.conf":
|
||||||
ensure => file,
|
ensure => file,
|
||||||
source => "puppet:///modules/ff_gw/etc/openvpn/${vpnname}.conf";
|
source => "puppet:///modules/ff_gw/etc/openvpn/${provider}.conf";
|
||||||
"/etc/openvpn/update-dnsmasq-forward":
|
"/etc/openvpn/update-dnsmasq-forward":
|
||||||
ensure => file,
|
ensure => file,
|
||||||
mode => '0755',
|
mode => '0755',
|
||||||
|
|
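Review bot: In the `ff_gw::vpn` hunk, `if str2bool("$usr_name")` selects the user/password branch, but if this is puppetlabs-stdlib's str2bool it only accepts boolean-like words (true/false, yes/no, 1/0, empty) and raises a parse error for any other string, so a real hide.me username such as the README's `'username'` would abort the catalog compile; testing the parameter directly, `if $usr_name and $usr_pass {`, stays false for the `false` defaults and works for real values. The same branch writes the credentials with `content => "$usr_name\n$usr_pass\n"`; the `0600` mode is right, but the File type reports a content diff whenever the file changes, which would put the password into agent logs and reports, so add `show_diff => false,` to the auth.txt resource (and to the client.key resource in the else branch, whose private key has the same exposure). The class ff_gw::vpn continues outside the hunk, and this section's file header is not visible in the excerpt.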