Update to 2021-12-01 19:13

roles/openvpn/defaults/main.yml

@@ -0,0 +1,45 @@
+---
+
+ovpn_daemons: []
+# ovpn_daemons:
+#   - name: fws
+#     type: client|server
+#     remote: 10.11.12.13 udp 1195 # Only for client
+#     # Remote can also be a list
+#     remote:
+#       - 12.13.14.15 udp 1194
+#       - 17.18.19.20 tcp 443
+#     src_ip: [ 0.0.0.0/0 ] # Only for servers
+#     auth: psk|cert
+#     secret: # Inline takey
+#     ca: # Inline CA
+#     cert: # Inline cert
+#     key: # Inline key
+#     compress: lzo
+#     routes:
+#       - net: 10.99.0.0
+#         mask: 255.255.255.0
+#     push_routes:
+#       - net: 10.29.1.0
+#         mask: 255.255.255.0
+
+ovpn_src_ip: [ 0.0.0.0/0 ]
+ovpn_daemon_defaults:
+  type: client
+  auth: psk
+  proto: udp
+  port: 1194
+  dev: tun
+  tls_auth: False
+  tls_crypt: False
+  enabled: True
+  cipher: default
+  compress: default
+  pull: True
+  topology: subnet
+  routes: []
+  push_routes: []
+  client_to_client: False
+  duplicate_dn: False
+  # rcvbuf: 524288
+  # sndbuf: 524288

roles/openvpn/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: restart openvpn
+  service: name=openvpn@{{ item.item.name }} state=restarted
+  loop: "{{ ovpn_daemons_mod.results }}"
+  when: item.changed
+
+- name: restart all openvpn
+  service: name=openvpn@{{ item.name }} state=restarted
+  loop: "{{ ovpn_daemons }}"

roles/openvpn/tasks/main.yml

@@ -0,0 +1,93 @@
+---
+
+- name: Build config for OpenVPN tunnels
+  set_fact: ovpn_daemons_conf={{ ovpn_daemons_conf | default([]) + [ovpn_daemon_defaults | combine(item)] }}
+  loop: "{{ ovpn_daemons }}"
+  tags: ovpn
+- set_fact: ovpn_daemons={{ ovpn_daemons_conf | default([]) }}
+  tags: ovpn
+
+- name: Install OpenVPN
+  package:
+    name:
+      - openvpn
+  tags: ovpn
+
+- name: Deploy OpenVPN service template
+  template: src=openvpn@.service.j2 dest=/etc/systemd/system/openvpn@.service
+  register: ovpn_service_template
+  notify: restart all openvpn
+  tags: ovpn
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: ovpn_service_template.changed
+  tags: ovpn
+
+- name: Deploy daemons configuration
+  template: src=openvpn.conf.j2 dest=/etc/openvpn/{{ item.name }}.conf mode=640
+  loop: "{{ ovpn_daemons }}"
+  when: item.enabled
+  register: ovpn_daemons_mod
+  notify: restart openvpn
+  tags: ovpn
+
+- name: Create DH params
+  command: openssl dhparam /etc/openvpn/{{ item.iname}}.dh 2048
+  args:
+    creates: /etc/openvpn/{{ item.name }}.dh
+  loop: "{{ ovpn_daemons }}"
+  when:
+    - item.type == 'server'
+    - item.enabled
+    - item.auth == 'cert'
+  tags: ovpn
+
+- name: Build a list of UDP ports
+  set_fact: ovpn_udp_ports={{ ovpn_daemons | selectattr('enabled','equalto', True) | selectattr('proto','equalto','udp') | selectattr('type','equalto','server') | map(attribute='port') | list }}
+  tags: ovpn
+
+- name: Build a list of TCP ports
+  set_fact: ovpn_tcp_ports={{ ovpn_daemons | selectattr('enabled','equalto', True) | selectattr('proto','equalto','tcp') | selectattr('type','equalto','server') | map(attribute='port') | list }}
+  tags: ovpn
+
+- name: Handle OpenVPN UDP ports
+  iptables_raw:
+    name: ovpn_udp_ports
+    state: "{{ (ovpn_udp_ports | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state new -p udp -m multiport --dports {{ ovpn_udp_ports | join(',') }} -s {{ ovpn_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: ovpn
+
+- name: Handle OpenVPN TCP ports
+  iptables_raw:
+    name: ovpn_tcp_ports
+    state: "{{ (ovpn_tcp_ports | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ ovpn_tcp_ports | join(',') }} -s {{ ovpn_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: ovpn
+
+- name: Handle daemons status
+  service: name=openvpn@{{ item.name }} state={{ (item.enabled) | ternary('started','stopped') }} enabled={{ (item.enabled) | ternary(True,False) }}
+  loop: "{{ ovpn_daemons }}"
+  tags: ovpn
+
+- name: List managed daemons ID
+  set_fact: ovpn_managed_id={{ ovpn_daemons | map(attribute='name') | list }}
+  tags: ovpn
+
+- name: List existing conf
+  shell: find /etc/openvpn -maxdepth 1 -mindepth 1 -type f -name \*.conf -exec basename "{}" \; | sed s/\.conf//
+  register: ovpn_existing_conf
+  changed_when: False
+  tags: ovpn
+
+- name: Disable unmanaged services
+  service: name=openvpn@{{ item }} state=stopped enabled=False
+  loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
+  tags: ovpn
+
+- name: Remove unmanaged conf
+  file: path=/etc/openvpn/{{ item }}.conf state=absent
+  loop: "{{ ovpn_existing_conf.stdout_lines | difference(ovpn_managed_id) }}"
+  tags: ovpn

roles/openvpn/templates/openvpn.conf.j2

@@ -0,0 +1,111 @@
+###########################################################
+## {{ ansible_managed }}
+###########################################################
+
+
+port {{ item.port }}
+dev {{ item.dev + item.name }}
+persist-tun
+persist-key
+{% if item.ifconfig is defined %}
+ifconfig {{ item.ifconfig }}
+{% else %}
+topology {{ item.topology }}
+{% endif %}
+{% if item.type == 'server' %}
+proto {{ (item.proto == 'tcp') | ternary('tcp-server',item.proto) }}
+{% for route in item.push_routes %}
+route {{ route.net }} {{ route.mask }}
+{% endfor %}
+{% else %}
+resolv-retry infinite
+nobind
+proto {{ (item.proto == 'tcp') | ternary('tcp-client',item.proto) }}
+{%   if item.remote is string %}
+remote {{ item.remote | string }}
+{%   elif item.remote is iterable %}
+{%     for remote in item.remote %}
+remote {{ remote }}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+
+{% if item.auth == 'cert' %}
+{%   if item.remote_cn is defined %}
+verify-x509-name {{ item.remote_cn }} name
+{%   endif %}
+tls-{{ item.type }}
+{%   if item.type == 'server' %}
+remote-cert-tls client
+{%     if item.duplicate_dn %}
+duplicate-cn
+{%     endif %}
+dh /etc/openvpn/{{ item }}.sh
+{%   elif item.type == 'client' %}
+remote-cert-tls server
+{%     if item.pull %}
+pull
+{%     endif %}
+{%   endif %}
+
+{%   if item.pkcs12 is defined %}
+<pkcs12>
+{{ item.pkcs12 }}
+</pkcs12>
+{%   elif item.ca is defined and item.cert is defined and item.key is defined %}
+<ca>
+{{ item.ca }}
+</ca>
+<cert>
+{{ item.cert }}
+</cert>
+<key>
+{{ item.key }}
+</key>
+{%   endif %}
+{% if item.tls_crypt %}
+<tls-crypt>
+{{ item.tls_crypt }}
+</tls-crypt>
+{% elif item.tls_auth %}
+<tls-auth>
+{{ item.tls_auth }}
+</tls-auth>
+key-direction {{ (item.type == 'server') | ternary('0','1') }}
+{% endif %}
+{% elif item.auth == 'psk' %}
+<secret>
+{{ item.secret }}
+</secret>
+{% endif %}
+
+{% if item.cipher != 'default' %}
+cipher {{ item.cipher }}
+{% endif %}
+{% if item.auth_hash is defined %}
+auth {{ item.auth_hash }}
+{% endif %}
+passtos
+{% if item.compress != 'default' %}
+compress {{ item.compress }}
+{% endif %}
+
+{% for route in item.routes %}
+route {{ route.net }} {{ route.mask }}
+{% endfor %}
+
+keepalive 10 60
+{% if item.proto == 'udp' %}
+mtu-test
+{% endif %}
+
+{% if item.rcvbuf is defined %}
+rcvbuf {{ item.rcvbuf }}
+{% endif %}
+{% if item.sndbuf is defined %}
+sndbuf {{ item.sndbuf }}
+{% endif %}
+
+{% if item.proto == 'udp' %}
+fast-io
+{% endif %}

roles/openvpn/templates/openvpn@.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+