diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml
index 6ae8dd6bc..cb72b0a00 100644
--- a/roles/openvpn/defaults/main.yml
+++ b/roles/openvpn/defaults/main.yml
@@ -1,5 +1,10 @@
-vpn_presence: xscenet.net
-openvpn_server_virtual_ip: 10.8.0.1
-openvpn_server_port: 1194
 openvpn_install: True
 openvpn_enable: False
+
+openvpn_handle: UNNAMED
+# cron seems necessary on CentOS:
+openvpn_cron_enabled: False
+
+openvpn_server: xscenet.net
+openvpn_server_virtual_ip: 10.8.0.1
+openvpn_server_port: 1194
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
index e195389a6..0b265238e 100644
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
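Review bot: The role default kept on the context line is `openvpn_enable: False`, while every task in roles/openvpn/tasks/main.yml gates on `openvpn_enabled`, so this file never supplies the variable the role actually reads and, if the role is ever run without vars/default_vars.yml defining it, the `when: openvpn_enabled ...` conditions would evaluate an undefined variable. Since the hunk already rewrites this block, renaming the key to `openvpn_enabled: False` would make the role self-contained and consistent with vars/default_vars.yml. The new `openvpn_handle: UNNAMED` default is also the value that will be served to the VPN server for every box whose operator never sets a handle; a comment such as `# Served to the OpenVPN server by /etc/openvpn/scripts/announcer -- set per machine` would make that consequence visible to whoever edits this file.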
@@ -1,105 +1,149 @@
----
-
-- name: Install OpenVPN packages
- package: name={{ item }}
- state=present
+- name: Install OpenVPN and Nmap packages
+ package:
+ name: "{{ item }}"
+ state: present
 with_items:
- - openvpn
- - nmap
+ - openvpn
+ - nmap
 tags:
 - download
 - name: Create the directory for keys
- file: dest=/etc/openvpn/keys
- state=directory
- owner=root
- group=root
- mode=0755
+ file:
+ dest: /etc/openvpn/keys
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
 - name: Create the directory for scripts
- file: dest=/etc/openvpn/scripts
- state=directory
- owner=root
- group=root
- mode=0755
+ file:
+ dest: /etc/openvpn/scripts
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
 - name: Create a folder for iiab executable not on path
- file: path=/usr/lib/iiab
- state=directory
+ file:
+ path: /usr/lib/iiab
+ state: directory
 - name: Configure OpenVPN
- template: src={{ item.src }}
- dest={{ item.dest }}
- owner={{ item.owner }}
- group=root
- mode={{ item.mode }}
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
 with_items:
- - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', owner: "root" , mode: '0644' }
- - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', owner: "root" , mode: '0644' }
- - { src: 'client1.key', dest: '/etc/openvpn/keys/client1.key', owner: "root" , mode: '0600' }
- - { src: 'announce', dest: '/etc/openvpn/scripts/announce', owner: "root" , mode: '0755' }
- - { src: 'announcer', dest: '/etc/openvpn/scripts/announcer', owner: "root" , mode: '0755' }
- - { src: 'silence', dest: '/etc/openvpn/scripts/silence', owner: "root" , mode: '0755' }
- - { src: 'xscenet.conf', dest: '/etc/openvpn/xscenet.conf', owner: "root" , mode: '0644' }
- - { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', owner: "root" , mode: '0644' }
- - { src: 'iiab-vpn', dest: '/usr/bin/iiab-vpn', owner: "root" , mode: '0755' }
- - { src: 'iiab-handle', dest: '/usr/bin/iiab-handle', owner: "root" , mode: '0755' }
- - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', owner: "root" , mode: '0755' }
- - { src: 'start.j2', dest: '/usr/lib/iiab/start', owner: "root" , mode: '0755' }
- - { src: 'iiab-remote-on', dest: '/usr/bin/iiab-remote-on', owner: "root" , mode: '0755' }
- - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', owner: "root" , mode: '0755' }
+ - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' }
+ - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' }
+ - { src: 'client1.key', dest: '/etc/openvpn/keys/client1.key', mode: '0600' }
+ - { src: 'announce', dest: '/etc/openvpn/scripts/announce', mode: '0755' }
+ - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
+ - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
+ - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
+ - { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
+ - { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
+ - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
+ - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
+ - { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
+ - { src: 'iiab-remote-on', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
+ - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
-- name: Put up_wan in place for Debian
- template: src=up_wan dest=/usr/lib/iiab/up_wan
+- name: Save openvpn_handle variable into /etc/iiab/openvpn_handle (BACKS UP FILE IF CHANGED)
+ template:
+ src: openvpn_handle.j2
+ dest: /etc/iiab/openvpn_handle
+ owner: root
+ group: root
+ mode: 0644
+ backup: yes
+
+- name: Put up_wan in place (debuntu)
+ template:
+ src: up_wan
+ dest: /usr/lib/iiab/up_wan
 when: is_debuntu
-- name: Put dispatcher up for NM
- template: src=15-openvpn dest=/etc/NetworkManager/dispatcher.d/
+- name: Put dispatcher up for NM (not debuntu)
+ template:
+ src: 15-openvpn
+ dest: /etc/NetworkManager/dispatcher.d/
 when: not is_debuntu
 - name: Check for manually configured OpenVPN tunnel
- stat: path=/etc/openvpn/iiab-vpn.conf
+ stat:
+ path: /etc/openvpn/iiab-vpn.conf
 register: stat
-# note that ansible does not currently handle @ in a service name
-- name: Enable the OpenVPN tunnel at boot time
- shell: systemctl enable openvpn@xscenet.service
- when: openvpn_enabled and not stat.exists is defined and is_debuntu
+# FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
+# been working with systemd service names that contained the "@" character.
-- name: Enable the OpenVPN tunnel at boot time for Debian
- shell: update-rc.d openvpn enable
- when: openvpn_enabled and not stat.exists is defined and is_debuntu
+#- name: Enable the OpenVPN tunnel at boot time (debuntu)
+# shell: systemctl enable openvpn@xscenet.service
+# when: openvpn_enabled and not stat.exists is defined and is_debuntu
-- name: Start the OpenVPN tunnel now
- shell: systemctl start openvpn@xscenet.service
- when: openvpn_enabled and not stat.exists is defined and not installing
+#- name: Enable the OpenVPN tunnel at boot time (debuntu)
+# shell: update-rc.d openvpn enable
+# when: openvpn_enabled and not stat.exists is defined and is_debuntu
+#- name: Start the OpenVPN tunnel now
+# shell: systemctl start openvpn@xscenet.service
+# when: openvpn_enabled and not stat.exists is defined and not installing
-- name: Make OpenVPN connection automatic
- lineinfile: dest=/etc/crontab
- line="25 * * * * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
+# AUGUST 2018: Unexplainably, stanza below had to be placed underneath ANY
+# "lineinfile: ... state: absent" stanza to make openvpn_handle propagate
+# properly to xscenet.net (monitoring ncat's erroneous handle parameter by
+# observing "systemctl status openvpn@xscenet" helped trace the [primary?]
+# bug to roles/openvpn/templates/announcer [far better now if not perfect?])
+# Earlier "./runrole openvpn" had to be run twice to transmit
+# /etc/iiab/openvpn_handle to xscenet.net -- and
+# "systemctl restart openvpn@xscenet" was failing completely (no matter how
+# many times it was run) to transmit /etc/iiab/openvpn_handle to xscenet.net
+- name: Enable & (Re)Start openvpn@xscenet tunnel
+ systemd:
+ name: openvpn@xscenet.service
+ enabled: yes
+ state: restarted
+ when: openvpn_enabled and not stat.exists is defined
+
+- name: Enable hourly cron job for OpenVPN
+ lineinfile:
+ path: /etc/crontab
+ line: "25 * * * * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
 when: openvpn_enabled and openvpn_cron_enabled and not stat.exists is defined
-- name: Make OpenVPN connection manual
- lineinfile: dest=/etc/crontab
- regexp=".*/usr/bin/systemctl*"
- state=absent
+- name: Remove hourly cron job for OpenVPN
+ lineinfile:
+ path: /etc/crontab
+ regexp: "openvpn@xscenet"
+ # Potentially DANGEROUS as others use systemctl too:
+ #regexp: ".*/usr/bin/systemctl*"
+ state: absent
 when: not openvpn_enabled or not openvpn_cron_enabled
+- name: Disable & Stop openvpn@xscenet tunnel
+ systemd:
+ name: openvpn@xscenet.service
+ enabled: no
+ state: stopped
+ when: not openvpn_enabled
-- name: Stop starting the OpenVPN tunnel at boot time
- shell: systemctl disable openvpn@xscenet.service
- when: not openvpn_enabled and not is_debuntu
+#- name: Stop starting the OpenVPN tunnel at boot time (not debuntu)
+# shell: systemctl disable openvpn@xscenet.service
+# when: not openvpn_enabled and not is_debuntu
-- name: Stop starting the OpenVPN tunnel at boot time for Debian
- shell: update-rc.d openvpn disable
- when: not openvpn_enabled and is_debuntu
+#- name: Stop starting the OpenVPN tunnel at boot time (debuntu)
+# shell: update-rc.d openvpn disable
+# when: not openvpn_enabled and is_debuntu
-- name: Stop OpenVPN tunnel immediately
- shell: systemctl stop 
openvpn@xscenet.service - ignore_errors: True - when: not openvpn_enabled and not installing +#- name: Stop OpenVPN tunnel immediately +# shell: systemctl stop openvpn@xscenet.service +# ignore_errors: True +# when: not openvpn_enabled and not installing - name: Add 'openvpn' to list of services at /etc/iiab/iiab.ini @@ -112,12 +156,16 @@ - option: name value: OpenVPN - option: description - value: '"OpenVPN is a means of connecting to a server anywhere on the internet, via a middleman server."' - - option: middleman_url - value: "{{ vpn_presence }}" - - option: port - value: "{{ openvpn_server_port }}" + value: "OpenVPN is a means of connecting to other machines anywhere on the internet, via a middleman server, using Virtual Private Network techniques to create secure connections." - option: enabled value: "{{ openvpn_enabled }}" + - option: handle + value: "{{ openvpn_handle }}" - option: cron_enabled value: "{{ openvpn_cron_enabled }}" + - option: server + value: "{{ openvpn_server }}" + - option: server_virtual_ip + value: "{{ openvpn_server_virtual_ip }}" + - option: server_port + value: "{{ openvpn_server_port }}" diff --git a/roles/openvpn/templates/announcer b/roles/openvpn/templates/announcer deleted file mode 100755 index 7842cfcf0..000000000 --- a/roles/openvpn/templates/announcer +++ /dev/null 
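Review bot: The new `Enable & (Re)Start openvpn@xscenet tunnel` and `Enable hourly cron job` tasks carry over the guard `not stat.exists is defined`, but the stat module registers its result under `stat.stat.exists`, so `stat.exists` is never defined, the expression is always true, and the "manually configured tunnel" check on /etc/openvpn/iiab-vpn.conf is a no-op as far as I can tell. A guard that actually honours that file would be `when: openvpn_enabled and not stat.stat.exists`, and registering as something like `iiab_vpn_conf` instead of `stat` would stop shadowing the module name. `state: restarted` also bounces the tunnel on every playbook run even when no template changed; `state: started` plus a handler notified by the `Configure OpenVPN` and `openvpn_handle` template tasks would keep the connection up across unrelated re-runs. Separately, `client1.key` is still deployed from the role's templates directory alongside `ca.crt`; if that is a real private key committed to the repository, every installation shares one VPN identity and anyone with read access to the tree can join the tunnel, so the key should be generated or delivered per host rather than templated. The task list continues past this hunk into the iiab.ini stanza.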
@@ -1,29 +0,0 @@
-#!/bin/bash -x
-# small daemon to identify this machine to the openvpn server
-
-HANDLE=
-UUID=
-source /etc/iiab/iiab.env
-if [ -z "$HANDLE" ]; then
- HANDLE=`cat /etc/iiab/iiab.ini | gawk \
- '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
-fi
-if [ -z "$HANDLE" ]; then
- if [ -f /etc/iiab/handle ]; then
- HANDLE=`cat /etc/iiab/handle`
- fi
-fi
-if [ -f /etc/iiab/uuid ]; then
- UUID=`cat /etc/iiab/uuid`
-fi
-# start the daemon which will serve the handle on demand
-source /etc/init.d/functions
-SERVER=/usr/bin/ncat
-PID_FILE=/var/run/openvpn/announce.pid
-HANDLE=${HANDLE// /_}
-{% if is_debuntu %}
-ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID`
-$SERVER -l -k -p1705 --exec "/bin/echo $ID" &
-{% else %}
-daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" &
-{% endif %}
diff --git a/roles/openvpn/templates/announcer.j2 b/roles/openvpn/templates/announcer.j2
new file mode 100755
index 000000000..8580112f9
--- /dev/null
+++ b/roles/openvpn/templates/announcer.j2
@@ -0,0 +1,37 @@
+#!/bin/bash -x
+# Small daemon to identify this machine to the OpenVPN server
+
+HANDLE=
+UUID=
+if [ -f /etc/iiab/openvpn_handle ]; then
+ # Option #0: Might source directly from /etc/iiab/local_vars.yml in future
+ # Option #1
+ HANDLE=`cat /etc/iiab/openvpn_handle`
+else
+ # Option #2: Dangerous to invoke hypothetical variables :(
+ source /etc/iiab/iiab.env
+ # Option #3: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #3 ?
+ if [ -z "$HANDLE" ]; then
+ HANDLE=`cat /etc/iiab/iiab.ini | gawk \
+ '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
+ fi
+fi
+HANDLE=${HANDLE// /_}
+if [ -f /etc/iiab/uuid ]; then
+ UUID=`cat /etc/iiab/uuid`
+fi
+
+SERVER=/usr/bin/ncat
+ID=`printf "HANDLE = %s|UUID = %s" $HANDLE $UUID`
+# August 2018: Removal of trailing slash tested on Raspbian, Ubuntu 18.04 & Ubuntu 16.04
+#ID=`printf "HANDLE = %s|UUID = %s|" $HANDLE $UUID`
+
+# Start the daemon which will serve the handle on demand
+{% if is_debuntu %}
+$SERVER -l -k -p1705 --exec "/bin/echo $ID" &
+{% else %}
+source /etc/init.d/functions
+PID_FILE=/var/run/openvpn/announce.pid
+daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $ID\"" &
+#daemon --pidfile=${PID_FILE} $SERVER "-l -k -p1705 --exec \"/usr/bin/echo $(printf 'HANDLE = %s|UUID = %s' $HANDLE $UUID)\"" &
+{% endif %}
diff --git a/roles/openvpn/templates/iiab-handle b/roles/openvpn/templates/iiab-handle.j2
similarity index 67%
rename from roles/openvpn/templates/iiab-handle
rename to roles/openvpn/templates/iiab-handle.j2
index f780fbcb7..41009b0c4 100755
--- a/roles/openvpn/templates/iiab-handle
+++ b/roles/openvpn/templates/iiab-handle.j2
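Review bot: The `ncat -l -k -p1705` listener in both branches is started without a bind address, so it answers on every interface and any client on the LAN or WAN side of the box, not just the OpenVPN server, can connect to port 1705 and read the machine's handle and UUID. Now that this is a Jinja template and `openvpn_server_virtual_ip` is a role variable, the cheapest containment is ncat's source filter, `$SERVER -l -k -p1705 --allow {{ openvpn_server_virtual_ip }} --exec "/bin/echo $ID" &` (and the same flag inside the quoted `daemon` argument), which assumes the server connects from its tun address; a firewall rule limiting 1705 to the tun interface would be the stronger option if source-address filtering is not considered enough. `$HANDLE` and `$UUID` are also expanded unquoted in the `printf` call, so a handle containing `*` or `?` is subject to glob expansion; `ID=$(printf "HANDLE = %s|UUID = %s" "$HANDLE" "$UUID")` passes them verbatim. The `#!/bin/bash -x` shebang traces every expanded command into the service log; if that was only needed for the August 2018 debugging, dropping `-x` keeps the log quieter.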
@@ -4,10 +4,10 @@ echo
 echo
 read -p "what identifying handle would you like to use? " ans
 if [ "$ans" == "" ]; then
- if [ -f /etc/iiab/handle ]; then
- rm -f /etc/iiab/handle
+ if [ -f /etc/iiab/openvpn_handle ]; then
+ rm -f /etc/iiab/openvpn_handle
 fi
 else
- echo $ans > /etc/iiab/handle
+ echo $ans > /etc/iiab/openvpn_handle
 fi
 {{ systemctl_program }} restart openvpn@xscenet
diff --git a/roles/openvpn/templates/iiab-vpn b/roles/openvpn/templates/iiab-vpn.j2
similarity index 100%
rename from roles/openvpn/templates/iiab-vpn
rename to roles/openvpn/templates/iiab-vpn.j2
diff --git a/roles/openvpn/templates/openvpn_handle.j2 b/roles/openvpn/templates/openvpn_handle.j2
new file mode 100644
index 000000000..bd1965bc6
--- /dev/null
+++ b/roles/openvpn/templates/openvpn_handle.j2
@@ -0,0 +1 @@
+{{ openvpn_handle }}
diff --git a/roles/openvpn/templates/party-line.conf.j2 b/roles/openvpn/templates/party-line.conf.j2
index 7d95b2ac6..1ff61a019 100644
--- a/roles/openvpn/templates/party-line.conf.j2
+++ b/roles/openvpn/templates/party-line.conf.j2
@@ -14,7 +14,7 @@ port {{ openvpn_server_port }}
 dev tun
-remote {{ vpn_presence }}
+remote {{ openvpn_server }}
 # TLS parms
diff --git a/roles/openvpn/templates/xscenet.conf b/roles/openvpn/templates/xscenet.conf.j2
similarity index 96%
rename from roles/openvpn/templates/xscenet.conf
rename to roles/openvpn/templates/xscenet.conf.j2
index 1ea80f447..cf83779de 100644
--- a/roles/openvpn/templates/xscenet.conf
+++ b/roles/openvpn/templates/xscenet.conf.j2
@@ -9,7 +9,7 @@ port {{ openvpn_server_port }}
 dev tun
-remote {{ vpn_presence }}
+remote {{ openvpn_server }}
 # TLS parms
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 76df8d252..772f23096 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
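Review bot: `echo $ans > /etc/iiab/openvpn_handle` writes the interactively entered handle unquoted, so word splitting and glob expansion apply (a handle containing `*` expands to the current directory listing) and an answer such as `-n` is swallowed as an echo option; `printf '%s\n' "$ans" > /etc/iiab/openvpn_handle` stores it verbatim. Because this value is later read by the announcer and served to the VPN server, it is also worth rejecting anything outside a plain character set before writing, e.g. `case "$ans" in *[!A-Za-z0-9_.-]*) echo 'Use letters, digits, _ . - only'; exit 1;; esac`. The script's opening lines sit outside this hunk.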
@@ -186,13 +186,19 @@ mysql_root_password: fixmysql
 sshd_enabled: True
 # OpenVPN
-vpn_presence: xscenet.net
-openvpn_server_port: 1194
-openvpn_server_virtual_ip: 10.8.0.1
-openvpn_cron_enabled: False
 openvpn_install: True
 openvpn_enabled: False
+# For /etc/iiab/openvpn_handle
+openvpn_handle: UNNAMED
+
+# cron seems necessary on CentOS:
+openvpn_cron_enabled: False
+
+openvpn_server: xscenet.net
+openvpn_server_virtual_ip: 10.8.0.1
+openvpn_server_port: 1194
+
 # roles/network runs here (MANY SETTINGS ABOVE)
 # Homepage
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index 7e693f6c3..dc32d67d0 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -85,9 +85,12 @@ allow_apache_sudo: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
+
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: UNNAMED
+
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
-# If changing the above, remember to run "cd /opt/iiab/iiab; ./runrole openvpn"
 # roles/network runs here (MANY SETTINGS ABOVE)
diff --git a/vars/local_vars_big_vpn.yml b/vars/local_vars_big_vpn.yml
index 33e5aa6e8..32c7d1482 100644
--- a/vars/local_vars_big_vpn.yml
+++ b/vars/local_vars_big_vpn.yml
@@ -85,9 +85,12 @@ allow_apache_sudo: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: True
+
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: UNNAMED
+
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
-# If changing the above, remember to run "cd /opt/iiab/iiab; ./runrole openvpn"
 # roles/network runs here (MANY SETTINGS ABOVE)
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index fd109e255..cfa727c5d 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -85,9 +85,12 @@ allow_apache_sudo: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
+
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: UNNAMED
+
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
-# If changing the above, remember to run "cd /opt/iiab/iiab; ./runrole openvpn"
 # roles/network runs here (MANY SETTINGS ABOVE)
diff --git a/vars/local_vars_medium_vpn.yml b/vars/local_vars_medium_vpn.yml
index b82c44260..9a670735d 100644
--- a/vars/local_vars_medium_vpn.yml
+++ b/vars/local_vars_medium_vpn.yml
@@ -85,9 +85,12 @@ allow_apache_sudo: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: True
+
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: UNNAMED
+
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
-# If changing the above, remember to run "cd /opt/iiab/iiab; ./runrole openvpn"
 # roles/network runs here (MANY SETTINGS ABOVE)
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index 8f5ee2ba1..80d71a43a 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -85,9 +85,12 @@ allow_apache_sudo: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
+
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: UNNAMED
+
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
-# If changing the above, remember to run "cd /opt/iiab/iiab; ./runrole openvpn"
 # roles/network runs here (MANY SETTINGS ABOVE)
diff --git a/vars/local_vars_min_vpn.yml b/vars/local_vars_min_vpn.yml
index 015bc0ee0..93c19e580 100644
--- a/vars/local_vars_min_vpn.yml
+++ b/vars/local_vars_min_vpn.yml
@@ -85,9 +85,12 @@ allow_apache_sudo: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: True
+
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: UNNAMED
+
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
-# If changing the above, remember to run "cd /opt/iiab/iiab; ./runrole openvpn"
 # roles/network runs here (MANY SETTINGS ABOVE)