# {{ ansible_managed }}
# Which local IP address should OpenVPN listen on? (optional)
# If openvpn_local is not set the directive stays commented out and OpenVPN
# binds to every local address.
{% if openvpn_local is defined -%}
local {{ openvpn_local }}
{% else -%}
;local a.b.c.d
{% endif %}
# Which TCP/UDP port should OpenVPN listen on? If you want to run multiple
# OpenVPN instances on the same machine, use a different port number for each
# one. You will need to open up this port on your firewall.
port {{ openvpn_port }}
# TCP or UDP server?
proto {{ openvpn_proto }}
{% if openvpn_ipv6_enabled %}
# NOTE(review): this emits a second "proto" line (e.g. "udp6") right after the
# first one; confirm the target OpenVPN version honours the last occurrence.
proto {{ openvpn_proto }}6
{% endif %}
{% if openvpn_portshare is defined %}
# Port sharing: TCP connections on the VPN port that do not speak the OpenVPN
# protocol are proxied to the local service on this port (TCP mode only).
port-share 127.0.0.1 {{ openvpn_portshare }}
{% endif %}
# Encrypt packets with cipher algorithm
# Prefer an AEAD cipher (e.g. AES-256-GCM). OpenVPN 2.4+ negotiates the
# data-channel cipher with the peer and may end up using a different one than
# the value set here unless negotiation is disabled.
cipher {{ openvpn_cipher }}
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet
# tunnel. Use "dev tap0" if you are ethernet bridging and have precreated a
# tap0 virtual interface and bridged it with your ethernet interface. If you
# want to control access policies over the VPN, you must create firewall rules
# for the the TUN/TAP interface. On non-Windows systems, you can give an
# explicit unit number, such as tun0. On Windows, use "dev-node" for this. On
# most systems, the VPN will not function unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev {{ openvpn_dev }}
{% if openvpn_ipv6_enabled %}
# NOTE(review): this renders a second "dev" line such as "dev tun-ipv6". The
# legacy IPv6 switch was the standalone "tun-ipv6" directive (no longer needed
# since 2.4); confirm this line yields a valid device name on the target
# version rather than being a leftover of that old option.
dev {{ openvpn_dev }}-ipv6
{% endif %}
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file. The server
# and all clients will use the same ca file.
#
# See the "easy-rsa" directory for a series of scripts for generating RSA
# certificates and private keys. Remember to use a unique Common Name for the
# server and each of the client certificates.
#
# Any X509 key management system can be used. OpenVPN can also use a PKCS #12
# formatted key file (see "pkcs12" directive in man page).
ca {{ openvpn_keydir }}/ca.crt
cert {{ openvpn_keydir }}/issued/server.crt
key {{ openvpn_keydir }}/private/server.key # This file should be kept secret
# Diffie hellman parameters. Generate your own with:
#   openssl dhparam -out dh.pem 2048
# 1024-bit parameters are too weak for current use; use 2048 bits or more.
# (OpenVPN 2.4+ can also be run with "dh none" and rely on ECDHE key exchange.)
dh {{ openvpn_keydir }}/dh.pem
{% if openvpn_tls_auth -%}
# Authenticate control-channel packets with an HMAC keyed by a static shared
# key; the trailing "0" is the server's key direction (clients use 1). This
# does not encrypt data - it drops packets without a valid HMAC before the TLS
# handshake starts, which limits DoS exposure and keeps unauthenticated input
# away from the TLS stack. OpenVPN 2.4+ also offers "tls-crypt", which
# additionally encrypts the control channel.
tls-auth {{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }} 0
# Redundant when the "server"/"server-bridge" helper directive is present
# (both imply tls-server); harmless, and needed when neither is rendered.
tls-server
{% endif %}
# Client configuration directory.
# Per-client override files, looked up by the client certificate's Common Name.
{% if openvpn_ccd is defined -%}
client-config-dir {{ openvpn_ccd }}
{% endif %}
# Which VPN topology to use? (net30, subnet, p2p)
{% if openvpn_topology is defined -%}
topology {{ openvpn_topology }}
{% endif %}
{% if openvpn_server and not openvpn_bridge %}
# Configure server mode and supply a VPN subnet for OpenVPN to draw client
# addresses from. The server will take 10.8.0.1 for itself, the rest will be
# made available to clients. Each client will be able to reach the server on
# 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
# page for more info.
server {{ openvpn_server }}
{% if openvpn_ipv6_enabled and openvpn_ipv6_server is defined %}
server-ipv6 {{ openvpn_ipv6_server }}
ifconfig-ipv6 {{ openvpn_ipv6_ifconfig }}
# NOTE(review): "route-ipv6-default" does not appear to be a documented
# OpenVPN directive; the usual ways to send all IPv6 traffic through the tunnel
# are push "redirect-gateway ipv6" or push "route-ipv6 ::/0". Confirm clients
# accept this line instead of logging an unrecognized-option error.
push "route-ipv6-default {{ openvpn_ipv6_route_default }}"
{% endif %}
{% endif %}
{% if openvpn_bridge %}
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
server-bridge {{ openvpn_bridge.address }} {{ openvpn_bridge.netmask }} {{ openvpn_bridge.dhcp_start }} {{ openvpn_bridge.dhcp_end }}
{% if ansible_os_family == 'RedHat' %}
# Tap management through script
# script-security 2 is the minimum level that lets OpenVPN run these external
# scripts. The up script runs before user/group privileges are dropped; the
# down script runs afterwards, as the unprivileged user, so it may lack the
# rights to tear the bridge down - verify on the target host.
up "/etc/openvpn/up.sh br-{{ openvpn_dev }}"
down "/etc/openvpn/down.sh br-{{ openvpn_dev }}"
script-security 2
{% endif %}
{% endif %}
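# Maintain a record of client <-> virtual IP address associations in this file.
# If OpenVPN goes down or is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was previously assigned.
ifconfig-pool-persist {{ openvpn_ifconfig_pool_persist }}
# The keepalive directive causes ping-like messages to be sent back and forth
# over the link so that each side knows when the other side has gone down. Ping
# every 10 seconds, assume that remote peer is down if no ping received during
# a 120 second time period.
{# Do not use "{%-" on the tag below: the left-strip removes the newline that
   ends the comment above and, with trim_blocks (Ansible's template default)
   also removing the newline after the tag, the rendered "keepalive" line gets
   glued onto that comment and OpenVPN silently ignores it. #}
{% if openvpn_keepalive != '' %}
keepalive {{ openvpn_keepalive }}
{% endif %}
# Enable compression on the VPN link. If you enable it here, you must also
# enable it in the client config file.
# Compressing traffic before encryption enables compression-oracle attacks
# (VORACLE); leave it disabled unless old clients require it. "comp-lzo" is
# deprecated in OpenVPN 2.4+, where "compress" replaces it.
{% if openvpn_comp_lzo -%}
comp-lzo
{% else -%}
;comp-lzo
{% endif %}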
# The persist options will try to avoid accessing certain resources on restart
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing current connections, truncated and
# rewritten every minute.
status {{openvpn_status}}
# By default, log messages will go to the syslog (or on Windows, if running as
# a service, they will go to the "\Program Files\OpenVPN\log" directory). Use
# log or log-append to override this default. "log" will truncate the log file
# on OpenVPN startup, while "log-append" will append to it. Use one or the
# other (but not both).
;log openvpn.log
log-append {{openvpn_log}}
# Set the appropriate level of log file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb {{openvpn_verb}}
# The maximum number of concurrently connected clients we want to allow.
max-clients {{openvpn_max_clients}}
# It's a good idea to reduce the OpenVPN daemon's privileges after
# initialization.
#
# You can uncomment this out on non-Windows systems.
# When openvpn_user is empty the directive is left commented out and the daemon
# keeps its starting privileges (normally root) for its whole lifetime.
{% if openvpn_user -%}
user {{openvpn_user}}
{% else -%}
;user nobody
{% endif %}
# NOTE(review): the fallback group "nogroup" exists on Debian-family systems;
# on RedHat-family hosts the equivalent is usually "nobody", so openvpn_group
# should be set there or the daemon will fail to look up the group.
{% if openvpn_group -%}
group {{openvpn_group}}
{% else -%}
group nogroup
{% endif %}
{% if openvpn_client_to_client %}
# Let connected clients reach each other through the server instead of being
# isolated from one another; enable only when peer-to-peer reachability is
# actually wanted.
client-to-client
{% endif %}
{% if openvpn_use_pam %}
# NOTE(review): "client-cert-not-required" disables client certificate
# verification, so the PAM password becomes the only thing authenticating a
# client to the VPN. It is deprecated since OpenVPN 2.4 in favour of
# "verify-client-cert none" and later releases drop it - confirm the target
# version. The trailing "openvpn" is the PAM service name used for the check.
client-cert-not-required
plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
{% endif %}
{% if openvpn_use_ldap %}
plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf"
{% endif %}
{% if openvpn_simple_auth and openvpn_simple_auth_password %}
# "via-env" hands the username/password to the script through environment
# variables, which is what script-security level 3 permits; the OpenVPN manual
# recommends "via-file" because environment variables can be visible to other
# local processes. The script path is relative, so it resolves against the
# daemon's working directory (see "cd") while the other scripts in this
# template use absolute paths. The method argument to script-security
# ("execve") is a leftover from older releases, which newer ones no longer
# need - verify against the target version.
auth-user-pass-verify auth-client.sh via-env
script-security 3 execve
{% endif %}
# Verbatim passthrough of extra directives; nothing here is validated.
{% for option in openvpn_server_options %}
{{option}}
{% endfor %}
# Certificate revocation is only enforced when the CRL file existed when the
# template was rendered; without it, revoked client certificates are still
# accepted.
{% if crl_pem_file.stat.exists %}
crl-verify {{ openvpn_keydir }}/crl.pem
{% endif %}
# Push DNS servers and routes to connecting clients.
{% for dns in openvpn_dns_servers %}
push "dhcp-option DNS {{ dns }}"
{% endfor %}
{% for push_route in openvpn_route_ranges %}
push "route {{ push_route }}"
{% endfor %}
{% for push_route_ipv6 in openvpn_ipv6_route_ranges %}
push "route-ipv6 {{ push_route_ipv6 }}"
{% endfor %}