extend ff_gw::vpn for hideme support
This commit is contained in:
parent
5b8b7454e3
commit
daf7f768f0
15
README.md
15
README.md
|
@ -128,3 +128,18 @@ The verbose flag is optional and shows all changes.
|
|||
To be even more catious you can also add the `--noop` flag to only show changes
|
||||
but not apply them.
|
||||
|
||||
## VPN providers
|
||||
|
||||
The example above is written for a mullvad VPN using X.509 authentication.
|
||||
|
||||
For hide.me with username/password auth use:
|
||||
```
|
||||
class { 'ff_gw':
|
||||
# ...
|
||||
vpn_provider => 'hideme',
|
||||
vpn_usr_name => 'username',
|
||||
vpn_usr_pass => 'vpn_password',
|
||||
vpn_ca_crt => '-----BEGIN CERTIFICATE-----
|
||||
MIIE ...
|
||||
-----END CERTIFICATE-----',
|
||||
```
|
||||
|
|
42
files/etc/openvpn/hideme.conf
Normal file
42
files/etc/openvpn/hideme.conf
Normal file
|
@ -0,0 +1,42 @@
|
|||
client
|
||||
|
||||
dev mullvad # this is important because other scripts rely on this device name
|
||||
dev-type tun
|
||||
|
||||
proto udp
|
||||
|
||||
remote nl.hide.me 3478
|
||||
|
||||
# Keep trying indefinitely to resolve the
|
||||
# host name of the OpenVPN server. Very useful
|
||||
# on machines which are not permanently connected
|
||||
# to the internet such as laptops.
|
||||
resolv-retry infinite
|
||||
|
||||
# Most clients don't need to bind to
|
||||
# a specific local port number.
|
||||
nobind
|
||||
|
||||
# Try to preserve some state across restarts.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# Set log file verbosity.
|
||||
verb 3
|
||||
|
||||
# ping 5 # this is pushed by hideme
|
||||
# ping-restart 15 # this is pushed by hideme
|
||||
|
||||
# Allow calling of built-in executables and user-defined scripts.
|
||||
script-security 3 system
|
||||
|
||||
# Parses DHCP options from openvpn to update resolv.conf
|
||||
route-noexec
|
||||
up /etc/openvpn/mullvad/mullvad-up
|
||||
down /etc/openvpn/update-dnsmasq-forward
|
||||
|
||||
# hideme specifics
|
||||
ca /etc/openvpn/hideme/ca.crt
|
||||
auth-user-pass /etc/openvpn/hideme/auth.txt
|
||||
cipher AES-128-CBC
|
||||
reneg-sec 0
|
|
@ -1,4 +1,22 @@
|
|||
class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask = '255.255.192.0', $gw_ipv6, $gw_ipv6_prefixlen = '64', $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name = false, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4 = false, $ic_vpn_ip6 = false) {
|
||||
class ff_gw(
|
||||
$ff_net,
|
||||
$ff_mesh_net,
|
||||
$ff_as,
|
||||
$mesh_mac,
|
||||
$gw_ipv4, $gw_ipv4_netmask = '255.255.192.0',
|
||||
$gw_ipv6, $gw_ipv6_prefixlen = '64',
|
||||
$secret_key, # for fastd
|
||||
$vpn_provider = 'mullvad', # supported: mullvad or hideme
|
||||
$vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, # openvpn x.509 credentials
|
||||
$vpn_usr_name = false, # openvpn user for auth-user-pass
|
||||
$vpn_usr_pass = false, # openvpn password for auth-user-pass
|
||||
$dhcprange_start, $dhcprange_end,
|
||||
$gw_do_ic_peering = false, # configure inter city VPN
|
||||
$tinc_name = false,
|
||||
$tinc_keyfile = '/etc/tinc/rsa_key.priv',
|
||||
$ic_vpn_ip4 = false,
|
||||
$ic_vpn_ip6 = false
|
||||
) {
|
||||
class { 'ff_gw::software': }
|
||||
->
|
||||
class { 'ff_gw::fastd':
|
||||
|
@ -21,9 +39,12 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask
|
|||
}
|
||||
->
|
||||
class { 'ff_gw::vpn':
|
||||
usr_crt => $vpn_usr_crt,
|
||||
usr_key => $vpn_usr_key,
|
||||
ca_crt => $vpn_ca_crt,
|
||||
provider => $vpn_provider,
|
||||
usr_crt => $vpn_usr_crt,
|
||||
usr_key => $vpn_usr_key,
|
||||
ca_crt => $vpn_ca_crt,
|
||||
usr_name => $vpn_usr_name,
|
||||
usr_pass => $vpn_usr_pass,
|
||||
}
|
||||
->
|
||||
class { 'ff_gw::iptables': }
|
||||
|
@ -386,10 +407,32 @@ class ff_gw::radvd($own_ipv6) {
|
|||
}
|
||||
}
|
||||
|
||||
class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
|
||||
# TODO: this name is used in several places including dnsmasq
|
||||
# and is even used for other providers, thus hard to change
|
||||
$vpnname = 'mullvad'
|
||||
class ff_gw::vpn($provider, $ca_crt, $usr_crt, $usr_key, $usr_name, $usr_pass, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
|
||||
# TODO: note that even the hideme.conf uses the interface name 'mullvad',
|
||||
# because that interface is referenced elsewhere
|
||||
|
||||
# TODO: maybe we should check that provider and auth methods match
|
||||
# atm we trust the caller to give the right combination
|
||||
if str2bool("$usr_name") {
|
||||
# hideme config with user/pass file
|
||||
file {
|
||||
"/etc/openvpn/${provider}/auth.txt":
|
||||
ensure => file,
|
||||
mode => '0600',
|
||||
content => "$usr_name\n$usr_pass\n";
|
||||
}
|
||||
} else {
|
||||
# mullvad config with x.509
|
||||
file {
|
||||
"/etc/openvpn/${provider}/client.crt":
|
||||
ensure => file,
|
||||
content => $usr_crt;
|
||||
"/etc/openvpn/${provider}/client.key":
|
||||
ensure => file,
|
||||
mode => '0600',
|
||||
content => $usr_key;
|
||||
}
|
||||
}
|
||||
|
||||
package {
|
||||
'openvpn':
|
||||
|
@ -397,19 +440,12 @@ class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+
|
|||
}
|
||||
->
|
||||
file {
|
||||
"/etc/openvpn/${vpnname}":
|
||||
"/etc/openvpn/${provider}":
|
||||
ensure => directory;
|
||||
"/etc/openvpn/${vpnname}/ca.crt":
|
||||
"/etc/openvpn/${provider}/ca.crt":
|
||||
ensure => file,
|
||||
content => $ca_crt;
|
||||
"/etc/openvpn/${vpnname}/client.crt":
|
||||
ensure => file,
|
||||
content => $usr_crt;
|
||||
"/etc/openvpn/${vpnname}/client.key":
|
||||
ensure => file,
|
||||
mode => '0600',
|
||||
content => $usr_key;
|
||||
"/etc/openvpn/${vpnname}/mullvad-up":
|
||||
"/etc/openvpn/${provider}/${provider}-up":
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
content => '#!/bin/sh
|
||||
|
@ -417,9 +453,9 @@ ip route replace 0.0.0.0/1 via $5 table 42
|
|||
ip route replace 128.0.0.0/1 via $5 table 42
|
||||
/etc/openvpn/update-dnsmasq-forward
|
||||
exit 0';
|
||||
"/etc/openvpn/${vpnname}.conf":
|
||||
"/etc/openvpn/${provider}.conf":
|
||||
ensure => file,
|
||||
source => "puppet:///modules/ff_gw/etc/openvpn/${vpnname}.conf";
|
||||
source => "puppet:///modules/ff_gw/etc/openvpn/${provider}.conf";
|
||||
"/etc/openvpn/update-dnsmasq-forward":
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
|
|
Loading…
Reference in a new issue