
Merge pull request #1079 from holta/openvpn2

Experimental fix for serious OpenVPN flaw
This commit is contained in:
A Holt 2018-09-02 18:03:18 -04:00 committed by GitHub
commit 4f573e4430
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 8 deletions


@ -154,20 +154,21 @@
# /etc/iiab/openvpn_handle to xscenet.net -- and
# "systemctl restart openvpn@xscenet" was failing completely (no matter how
# many times it was run) to transmit /etc/iiab/openvpn_handle to xscenet.net
- name: Enable & (Re)Start openvpn@xscenet tunnel
- name: Enable & (Re)Start PARENT service openvpn, which (re)starts CHILD service openvpn@xscenet (& actual tunnel)
systemd:
name: openvpn@xscenet.service
name: openvpn
daemon_reload: yes
enabled: yes
state: restarted
when: openvpn_enabled
- name: Enable hourly cron job for OpenVPN
- name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
lineinfile:
path: /etc/crontab
line: "25 * * * * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
when: openvpn_enabled and openvpn_cron_enabled
- name: Remove hourly cron job for OpenVPN
- name: Remove hourly cron job for OpenVPN (typically for CentOS only?)
lineinfile:
path: /etc/crontab
regexp: "openvpn@xscenet"
@ -176,9 +177,9 @@
state: absent
when: not openvpn_enabled or not openvpn_cron_enabled
- name: Disable & Stop openvpn@xscenet tunnel
- name: Disable & Stop PARENT service openvpn, which stops CHILD service openvpn@xscenet (& actual tunnel)
systemd:
name: openvpn@xscenet.service
name: openvpn
enabled: no
state: stopped
when: not openvpn_enabled
@ -207,7 +208,7 @@
- option: name
value: OpenVPN
- option: description
value: "OpenVPN is a means of connecting to other machines anywhere on the internet, via a middleman server, using Virtual Private Network techniques to create secure connections."
value: "OpenVPN enables live/remote support by connecting machines anywhere on the Internet, via a middleman server, using Virtual Private Network (VPN) techniques to create secure connections."
- option: enabled
value: "{{ openvpn_enabled }}"
# openvpn_handle variable can no longer be left completely undefined of August 2018 (EMPTY STRING "" IS TOLERATED, in which case OpenVPN server should use /etc/iiab/uuid in lieu of the handle)
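Review bot: The "Disable & Stop" task in the `@ -176` hunk now stops and disables only the parent `openvpn` unit and no longer touches `openvpn@xscenet.service` directly, so tearing down the remote-support tunnel depends entirely on the child template unit propagating stop/disable from the parent (e.g. a `PartOf=openvpn.service` line in `openvpn@.service`). Where that propagation is absent on a given distro — the new task titles' own "(typically for CentOS only?)" wording suggests this is not settled — setting `openvpn_enabled: false` would leave the tunnel up and still enabled at boot, which is the worst failure mode for a remote-access feature. Keeping the original child-level stop/disable as a second task alongside the parent one makes the teardown hold regardless of unit wiring; the hourly cron line is already removed by the `when: not openvpn_enabled or not openvpn_cron_enabled` task, so it needs no extra handling. Separately, the `daemon_reload: yes` / `enabled: yes` values would read more clearly as `true` / `false`, which is what ansible-lint's truthy rule expects.

```yaml
- name: Disable & Stop PARENT service openvpn, which stops CHILD service openvpn@xscenet (& actual tunnel)
  systemd:
    name: openvpn
    enabled: no
    state: stopped
  when: not openvpn_enabled

# Belt-and-braces: also stop/disable the CHILD unit directly, so the tunnel is torn down
# even where openvpn@.service does not propagate stop/disable from the parent unit.
- name: Disable & Stop CHILD service openvpn@xscenet directly
  systemd:
    name: openvpn@xscenet.service
    enabled: no
    state: stopped
  when: not openvpn_enabled
```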


@ -1,4 +1,4 @@
# Sample client-side OpenVPN config file for connecting to multi-client server.
# Sample client-side OpenVPN config file for connecting to multi-client server
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#