extend ff_gw::vpn for hideme support

2014-06-22 22:03:10 +02:00 · 2014-06-22 22:03:10 +02:00 · daf7f768f0
parent 5b8b7454e3
commit daf7f768f0
3 changed files with 113 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -128,3 +128,18 @@ The verbose flag is optional and shows all changes.
 To be even more catious you can also add the `--noop` flag to only show changes
 but not apply them.

+## VPN providers
+
+The example above is written for a mullvad VPN using X.509 authentication.
+
+For hide.me with username/password auth use:
+```
+class { 'ff_gw':
+    # ...
+	vpn_provider => 'hideme',
+	vpn_usr_name => 'username',
+	vpn_usr_pass => 'vpn_password',
+    vpn_ca_crt   => '-----BEGIN CERTIFICATE-----
+MIIE ...
+-----END CERTIFICATE-----',
+```
--- a/files/etc/openvpn/hideme.conf
+++ b/files/etc/openvpn/hideme.conf
@ -0,0 +1,42 @@
+client
+
+dev mullvad   # this is important because other scripts rely on this device name
+dev-type tun
+
+proto udp
+
+remote nl.hide.me 3478
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Set log file verbosity.
+verb 3
+
+# ping 5          # this is pushed by hideme
+# ping-restart 15 # this is pushed by hideme
+
+# Allow calling of built-in executables and user-defined scripts.
+script-security 3 system
+
+# Parses DHCP options from openvpn to update resolv.conf
+route-noexec
+up    /etc/openvpn/mullvad/mullvad-up
+down  /etc/openvpn/update-dnsmasq-forward
+
+# hideme specifics
+ca /etc/openvpn/hideme/ca.crt
+auth-user-pass /etc/openvpn/hideme/auth.txt
+cipher AES-128-CBC
+reneg-sec 0
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -1,4 +1,22 @@
-class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask = '255.255.192.0', $gw_ipv6, $gw_ipv6_prefixlen = '64', $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name = false, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4 = false, $ic_vpn_ip6 = false) {
+class ff_gw(
+	$ff_net,
+	$ff_mesh_net,
+	$ff_as,
+	$mesh_mac,
+	$gw_ipv4, $gw_ipv4_netmask = '255.255.192.0',
+	$gw_ipv6, $gw_ipv6_prefixlen = '64',
+	$secret_key,                                      # for fastd
+	$vpn_provider = 'mullvad',                        # supported: mullvad or hideme
+	$vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key,          # openvpn x.509 credentials
+	$vpn_usr_name = false,                            # openvpn user for auth-user-pass
+	$vpn_usr_pass = false,                            # openvpn password for auth-user-pass
+	$dhcprange_start, $dhcprange_end,
+	$gw_do_ic_peering = false,                        # configure inter city VPN
+	$tinc_name = false,
+	$tinc_keyfile = '/etc/tinc/rsa_key.priv',
+	$ic_vpn_ip4 = false,
+	$ic_vpn_ip6 = false
+) {
  class { 'ff_gw::software': }
  ->
  class { 'ff_gw::fastd':
@ -21,9 +39,12 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv4_netmask
  }
  ->
  class { 'ff_gw::vpn':
-    usr_crt => $vpn_usr_crt,
-    usr_key => $vpn_usr_key,
-    ca_crt  => $vpn_ca_crt,
+    provider => $vpn_provider,
+    usr_crt  => $vpn_usr_crt,
+    usr_key  => $vpn_usr_key,
+    ca_crt   => $vpn_ca_crt,
+    usr_name => $vpn_usr_name,
+    usr_pass => $vpn_usr_pass,
  }
  ->
  class { 'ff_gw::iptables': }
@ -386,10 +407,32 @@ class ff_gw::radvd($own_ipv6) {
  }
 }

-class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
-  # TODO: this name is used in several places including dnsmasq
-  # and is even used for other providers, thus hard to change
-  $vpnname = 'mullvad'
+class ff_gw::vpn($provider, $ca_crt, $usr_crt, $usr_key, $usr_name, $usr_pass, $openvpn_version = '2.3.2-7~bpo70+1', $ensure = 'running') {
+  # TODO: note that even the hideme.conf uses the interface name 'mullvad',
+  #       because that interface is referenced elsewhere
+
+  # TODO: maybe we should check that provider and auth methods match
+  #       atm we trust the caller to give the right combination
+  if str2bool("$usr_name") {
+    # hideme config with user/pass file
+    file {
+      "/etc/openvpn/${provider}/auth.txt":
+        ensure  => file,
+        mode    => '0600',
+        content => "$usr_name\n$usr_pass\n";
+    }
+  } else {
+    # mullvad config with x.509
+    file {
+      "/etc/openvpn/${provider}/client.crt":
+        ensure  => file,
+        content => $usr_crt;
+      "/etc/openvpn/${provider}/client.key":
+        ensure  => file,
+        mode    => '0600',
+        content => $usr_key;
+    }
+  }

  package {
    'openvpn':
@ -397,19 +440,12 @@ class ff_gw::vpn($ca_crt, $usr_crt, $usr_key, $openvpn_version = '2.3.2-7~bpo70+
  }
  ->
  file {
-    "/etc/openvpn/${vpnname}":
+    "/etc/openvpn/${provider}":
      ensure => directory;
-    "/etc/openvpn/${vpnname}/ca.crt":
+    "/etc/openvpn/${provider}/ca.crt":
      ensure  => file,
      content => $ca_crt;
-    "/etc/openvpn/${vpnname}/client.crt":
-      ensure  => file,
-      content => $usr_crt;
-    "/etc/openvpn/${vpnname}/client.key":
-      ensure  => file,
-      mode    => '0600',
-      content => $usr_key;
-    "/etc/openvpn/${vpnname}/mullvad-up":
+    "/etc/openvpn/${provider}/${provider}-up":
      ensure  => file,
      mode    => '0755',
      content => '#!/bin/sh
@ -417,9 +453,9 @@ ip route replace 0.0.0.0/1 via $5 table 42
 ip route replace 128.0.0.0/1 via $5 table 42
 /etc/openvpn/update-dnsmasq-forward
 exit 0';
-    "/etc/openvpn/${vpnname}.conf":
+    "/etc/openvpn/${provider}.conf":
      ensure => file,
-      source => "puppet:///modules/ff_gw/etc/openvpn/${vpnname}.conf";
+      source => "puppet:///modules/ff_gw/etc/openvpn/${provider}.conf";
    "/etc/openvpn/update-dnsmasq-forward":
      ensure => file,
      mode    => '0755',