diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml
index cb72b0a00..e29db28d8 100644
--- a/roles/openvpn/defaults/main.yml
+++ b/roles/openvpn/defaults/main.yml
@@ -1,7 +1,9 @@
 openvpn_install: True
 openvpn_enable: False
-openvpn_handle: UNNAMED
+# For /etc/iiab/openvpn_handle
+openvpn_handle: ""
+
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
index 0b265238e..31f9d9c8f 100644
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@@ -24,18 +24,20 @@
 group: root
 mode: 0755
-- name: Create a folder for iiab executable not on path
+# Comment out in future? Might still be relevant for CentOS but unused for ~2 years as of August 2018:
+- name: Create folder /usr/lib/iiab (not on path) for iiab executable up_wan
 file:
 path: /usr/lib/iiab
 state: directory
-- name: Configure OpenVPN
+- name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
 template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
 owner: root
 group: root
 mode: "{{ item.mode }}"
+ backup: yes
 with_items:
 - { src: 'ca.crt', dest: '/etc/openvpn/keys/ca.crt', mode: '0644' }
 - { src: 'client1.crt', dest: '/etc/openvpn/keys/client1.crt', mode: '0644' }
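Review bot: The new `# For /etc/iiab/openvpn_handle` comment names the destination but not what the new `""` default means; the tasks file in this same commit states that an empty value falls back to `/etc/iiab/uuid`, and that belongs next to the default where users will read it: `# For /etc/iiab/openvpn_handle (leave "" to use /etc/iiab/uuid instead)`. Separately, the context line above reads `openvpn_enable: False` while the tasks in this diff test `openvpn_enabled`; presumably `vars/default_vars.yml` (also in this diff) supplies `openvpn_enabled`, but the role default looks like a typo worth confirming.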
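Review bot: `backup: yes` on the Configure OpenVPN task uses a YAML 1.1 truthy spelling that yamllint's `truthy` rule flags, while the new values around it are quoted strings or real booleans; `backup: true` is preferable (the `enabled: yes` left in place by a later hunk of this file has the same issue). Since the `with_items` list continues past the hunk, check what it holds beyond the two certificates shown: Ansible's backup keeps a timestamped copy of every replaced file next to the original, so if private keys are among the items, superseded key material accumulates under `/etc/openvpn/keys/` and survives a key rotation until removed by hand — worth a comment on the task or excluding key files from the backup.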
@@ -44,39 +46,52 @@
 - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
 - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
 - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
- - { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
- - { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
- - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
- - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
- - { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
- - { src: 'iiab-remote-on', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
+ - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
 - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
+ - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
+ # Comment out in future? Not recommended as of August 2018:
+ - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
+ # Comment out in future? 
Might still be relevant for CentOS but unused for ~2 years as of August 2018:
+ - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
+ # Unused for ~2 years as of August 2018:
+ #- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
+ # Buggy & rarely used as of August 2018:
+ #- { src: 'iiab-vpn.conf.in', dest: '/etc/openvpn/iiab-vpn.conf.in', mode: '0644' }
+ # Buggy & rarely used as of August 2018:
+ #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
-- name: Save openvpn_handle variable into /etc/iiab/openvpn_handle (BACKS UP FILE IF CHANGED)
- template:
- src: openvpn_handle.j2
- dest: /etc/iiab/openvpn_handle
- owner: root
- group: root
- mode: 0644
- backup: yes
+#- name: Save openvpn_handle variable into /etc/iiab/openvpn_handle (BACKS UP FILE IF CHANGED)
+# template:
+# src: openvpn_handle.j2
+# dest: /etc/iiab/openvpn_handle
+# owner: root
+# group: root
+# mode: 0644
+# backup: yes
+# when: openvpn_handle is defined
-- name: Put up_wan in place (debuntu)
- template:
- src: up_wan
- dest: /usr/lib/iiab/up_wan
- when: is_debuntu
+# Comment out in future? up_wan was being installed twice (also above) and
+# was unused for ~2 years as of August 2018: (see 15-openvpn below)
+#- name: Put up_wan in place (debuntu)
+# template:
+# src: up_wan
+# dest: /usr/lib/iiab/up_wan
+# when: is_debuntu
+# Comment out in future? 
Contained serious bug (15-openvpn called
+# up-wan instead of up_wan in /usr/lib/iiab/) so evidently unused
+# for ~2 years, as of Aug 2018:
 - name: Put dispatcher up for NM (not debuntu)
 template:
 src: 15-openvpn
 dest: /etc/NetworkManager/dispatcher.d/
 when: not is_debuntu
-- name: Check for manually configured OpenVPN tunnel
- stat:
- path: /etc/openvpn/iiab-vpn.conf
- register: stat
+# Was buggy & unused for ~2 years as of August 2018:
+#- name: Check for manually configured OpenVPN tunnel
+# stat:
+# path: /etc/openvpn/iiab-vpn.conf
+# register: stat
 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
@@ -108,13 +123,13 @@
 name: openvpn@xscenet.service
 enabled: yes
 state: restarted
- when: openvpn_enabled and not stat.exists is defined
+ when: openvpn_enabled
 - name: Enable hourly cron job for OpenVPN
 lineinfile:
 path: /etc/crontab
 line: "25 * * * * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
- when: openvpn_enabled and openvpn_cron_enabled and not stat.exists is defined
+ when: openvpn_enabled and openvpn_cron_enabled
 - name: Remove hourly cron job for OpenVPN
 lineinfile:
@@ -159,6 +174,7 @@
 value: "OpenVPN is a means of connecting to other machines anywhere on the internet, via a middleman server, using Virtual Private Network techniques to create secure connections."
 - option: enabled
 value: "{{ openvpn_enabled }}"
+# Uncommented as openvpn_handle variable is now mandatory: (if set to "", /etc/iiab/uuid will be used instead)
 - option: handle
 value: "{{ openvpn_handle }}"
 - option: cron_enabled
diff --git a/roles/openvpn/templates/15-openvpn b/roles/openvpn/templates/15-openvpn
index e34e63133..77e11591b 100755
--- a/roles/openvpn/templates/15-openvpn
+++ b/roles/openvpn/templates/15-openvpn
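Review bot: The `openvpn_handle.j2` item in the `with_items` list is now rendered on every run, whereas the task it replaces (commented out in this hunk) ran only `when: openvpn_handle is defined`; with the new `""` default this overwrites any handle a user set interactively with `iiab-handle` the next time the role runs. That appears intentional given the wording this commit adds to `iiab-handle.j2`, but it is not stated here, so a comment on the item would help: `# Rendered every run: replaces any handle written by iiab-handle`. The blocks of commented-out tasks (`Save openvpn_handle…`, `Put up_wan in place…`, `Check for manually configured…`) would be clearer deleted, keeping only the dated one-line rationale for each — git history preserves the code. The `with_items` list this hunk edits starts in the previous hunk.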
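Review bot: The new `# Uncommented as openvpn_handle variable is now mandatory…` comment sits at column 0 inside the indented `- option:` sequence, so it reads as a top-level remark and yamllint's `comments-indentation` rule will flag it; indent it to match the `- option: handle` line it describes. Its wording also calls the variable mandatory while the parenthesis says `""` is accepted — `# openvpn_handle is always written; "" means /etc/iiab/uuid is used instead` says the same thing without the contradiction. The option list this belongs to begins and ends outside the hunk.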
@@ -13,7 +13,7 @@ if [ "$2" = "up" ]; then
 sleep 2
 /sbin/ip route list dev "$1" | grep -q '^default' &&
 # restart the services
- systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up-wan
+ systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up_wan
 fi
 # we added this to prevent logs from filling with openvpn errors
diff --git a/roles/openvpn/templates/announcer.j2 b/roles/openvpn/templates/announcer.j2
index 8580112f9..8b4abaf96 100755
--- a/roles/openvpn/templates/announcer.j2
+++ b/roles/openvpn/templates/announcer.j2
@@ -4,17 +4,19 @@
 HANDLE=
 UUID=
 if [ -f /etc/iiab/openvpn_handle ]; then
- # Option #0: Might source directly from /etc/iiab/local_vars.yml in future
+ # Option #0: Source directly from /etc/iiab/local_vars.yml in future?
 # Option #1
 HANDLE=`cat /etc/iiab/openvpn_handle`
-else
- # Option #2: Dangerous to invoke hypothetical variables :(
- source /etc/iiab/iiab.env
- # Option #3: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #3 ?
- if [ -z "$HANDLE" ]; then
- HANDLE=`cat /etc/iiab/iiab.ini | gawk \
- '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
- fi
+ # Option #2: UUID is later used, if openvpn_handle is not set
+# Sourcing a variable from ~4 different places is a recipe for total confusion (or worse!)
+#else
+# # Option #3: Dangerous to invoke hypothetical variables :(
+# source /etc/iiab/iiab.env
+# # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #4 ?
+# if [ -z "$HANDLE" ]; then
+# HANDLE=`cat /etc/iiab/iiab.ini | gawk \
+# '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
+# fi
 fi
 HANDLE=${HANDLE// /_}
 if [ -f /etc/iiab/uuid ]; then
diff --git a/roles/openvpn/templates/iiab-handle.j2 b/roles/openvpn/templates/iiab-handle.j2
index 41009b0c4..f9d8edcac 100755
--- a/roles/openvpn/templates/iiab-handle.j2
+++ b/roles/openvpn/templates/iiab-handle.j2
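Review bot: Fixing the path to `/usr/lib/iiab/up_wan` exposes a second mismatch: `up_wan` (its hunk is further down in this diff) gates on `systemctl is-enabled openvpn`, whereas this dispatcher line checks `openvpn@xscenet.service`, so on a host where only the `openvpn@xscenet` instance is enabled the check inside up_wan can fail and the tunnel is still never started from the dispatcher path. Aligning up_wan on `systemctl -q is-enabled openvpn@xscenet.service`, or dropping its duplicate check since this line already performs it, would close that gap. The `if [ "$2" = "up" ]` block this hunk belongs to begins before the hunk.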
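Review bot: The new `# Option #2: UUID is later used, if openvpn_handle is not set` comment sits inside the `if [ -f /etc/iiab/openvpn_handle ]` branch, i.e. the branch that only runs when the handle file exists, so it documents the fallback in the one place it does not apply; placing it beside the `if [ -f /etc/iiab/uuid ]` line at the end of the hunk would put it with the code it describes. A present-but-empty handle file leaves `HANDLE` empty, which presumably also takes the uuid path — worth saying in that comment if so, since the role now writes the file unconditionally. The commented-out `else` block (old Options #3/#4) would be better deleted than kept as dead code, with only the `Sourcing a variable from ~4 different places…` sentence retained as the rationale. The uuid handling continues past the hunk.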
@@ -1,13 +1,18 @@
 #!/bin/bash
-# script to write a handle file that identifies the openvpn client to server
+# Interactive script (over)writes /etc/iiab/openvpn_handle file, identifying client to server
+
+echo -e '\nCORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
+echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
+
+echo -e "Or, for a temporary solution until the next time Ansible is run,"
+read -p "what OpenVPN handle do you want to use? " ans
 echo
-echo
-read -p "what identifying handle would you like to use? " ans
+
 if [ "$ans" == "" ]; then
- if [ -f /etc/iiab/openvpn_handle ]; then
- rm -f /etc/iiab/openvpn_handle
- fi
+ if [ -f /etc/iiab/openvpn_handle ]; then
+ rm -f /etc/iiab/openvpn_handle
+ fi
 else
- echo $ans > /etc/iiab/openvpn_handle
+ echo $ans > /etc/iiab/openvpn_handle
 fi
 {{ systemctl_program }} restart openvpn@xscenet
diff --git a/roles/openvpn/templates/iiab-remote-on b/roles/openvpn/templates/iiab-remote-on.j2
similarity index 87%
rename from roles/openvpn/templates/iiab-remote-on
rename to roles/openvpn/templates/iiab-remote-on.j2
index 0c1215077..45c48f228 100644
--- a/roles/openvpn/templates/iiab-remote-on
+++ b/roles/openvpn/templates/iiab-remote-on.j2
@@ -11,7 +11,7 @@
 systemctl enable openvpn@xscenet.service
 systemctl start openvpn@xscenet.service
 sleep 5
-ping -c 2 10.8.0.1
+ping -c 2 {{ openvpn_server_virtual_ip }} # 10.8.0.1
 if [ $? -eq 0 ]; then
 echo OpenVPN successfully started.
 else
diff --git a/roles/openvpn/templates/iiab-vpn.conf.in b/roles/openvpn/templates/iiab-vpn.conf.in.deprecated
similarity index 100%
rename from roles/openvpn/templates/iiab-vpn.conf.in
rename to roles/openvpn/templates/iiab-vpn.conf.in.deprecated
diff --git a/roles/openvpn/templates/iiab-vpn.j2 b/roles/openvpn/templates/iiab-vpn.j2.deprecated
similarity index 94%
rename from roles/openvpn/templates/iiab-vpn.j2
rename to roles/openvpn/templates/iiab-vpn.j2.deprecated
index 306902c1e..d463f85ed 100755
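Review bot: The re-indented `echo $ans > /etc/iiab/openvpn_handle` line writes the interactive input unquoted, so the shell applies word splitting and glob expansion to it before it reaches the file, and the new `read -p` line has no `-r`, so backslashes in the input are consumed. Use `read -r -p "what OpenVPN handle do you want to use? " ans` and `echo "$ans" > /etc/iiab/openvpn_handle`. The file is also created with the script's umask rather than the `0644` the role's template item sets, so its mode can differ until the next Ansible run; `(umask 022; echo "$ans" > /etc/iiab/openvpn_handle)` keeps the two aligned.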
--- a/roles/openvpn/templates/iiab-vpn.j2
+++ b/roles/openvpn/templates/iiab-vpn.j2.deprecated
@@ -2,7 +2,7 @@
 # script to manage openvpn
 if [ ! -f "/etc/openvpn/iiab-vpn.conf" ]; then
- VPNCONFIG='party-line.conf'
+ VPNCONFIG='xscenet.conf' # WAS BUGGY (set to non-existent "party-line.conf", but thankfully unused) as of August 2018
 VPNIP={{ openvpn_server_virtual_ip }}
 else
 # expect the sourced file to set the above variables
diff --git a/roles/openvpn/templates/party-line.conf.j2 b/roles/openvpn/templates/party-line.conf.j2.deprecated
similarity index 93%
rename from roles/openvpn/templates/party-line.conf.j2
rename to roles/openvpn/templates/party-line.conf.j2.deprecated
index 1ff61a019..1ed627baa 100644
--- a/roles/openvpn/templates/party-line.conf.j2
+++ b/roles/openvpn/templates/party-line.conf.j2.deprecated
@@ -1,3 +1,5 @@
+# REPLACED BY xscenet.conf.j2 -> /etc/openvpn/xscenet.conf
+
 #########################################
 # Sample client-side OpenVPN config file
 # for connecting to multi-client server.
diff --git a/roles/openvpn/templates/start.j2 b/roles/openvpn/templates/start.j2
deleted file mode 100644
index 373927f51..000000000
--- a/roles/openvpn/templates/start.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-$!/bin/bash
-$ start the openvpn tunnel if the service is enabled
-
-enabled={{ openvpn_enabled }}
-VPNIP-{{ openvpn_server_port }}
-
-if [ "$enabled" = 'True' ]; then
- # make sure the wan is functioning
- # 8.8.8.8 is one of google's dns servers
- ping -c 3 -i 3 8.8.8.8
- if [ $? -ne 0 ]; then
- #echo "internet is not available, tunnel not possible"
- exit 1
- fi
-
- # check the vpn tunnel
- ping -c 5 -i 5 "$VPNIP"
- # a zero return means the tunnel is up
- if [ $? -eq 0 ]; then
- exit 0
- else
- killall openvpn
- sleep 10
- #echo "Starting openvpn and waiting 10 seconds for daemon to become ready"
- systemctl start openvpn@xscenet
- fi
-fi
diff --git a/roles/openvpn/templates/start.j2.deprecated b/roles/openvpn/templates/start.j2.deprecated
new file mode 100644
index 000000000..400c1feb5
--- /dev/null
+++ b/roles/openvpn/templates/start.j2.deprecated
@@ -0,0 +1,27 @@
+$!/bin/bash
+$ start the openvpn tunnel if the service is enabled
+
+enabled={{ openvpn_enabled }}
+VPNIP={{ openvpn_server_port }}
+
+if [ "$enabled" = 'True' ]; then
+ # make sure the wan is functioning
+ # 8.8.8.8 is one of google's dns servers
+ ping -c 3 -i 3 8.8.8.8
+ if [ $? -ne 0 ]; then
+ #echo "internet is not available, tunnel not possible"
+ exit 1
+ fi
+
+ # check the vpn tunnel
+ ping -c 5 -i 5 "$VPNIP"
+ # a zero return means the tunnel is up
+ if [ $? -eq 0 ]; then
+ exit 0
+ else
+ killall openvpn
+ sleep 10
+ #echo "Starting openvpn and waiting 10 seconds for daemon to become ready"
+ systemctl start openvpn@xscenet
+ fi
+fi
diff --git a/roles/openvpn/templates/up_wan b/roles/openvpn/templates/up_wan
index 4a392b2d6..bf344146e 100755
--- a/roles/openvpn/templates/up_wan
+++ b/roles/openvpn/templates/up_wan
@@ -2,8 +2,8 @@
 # if the wan has recently come up, see if we need to start openvpn
 systemctl is-enabled openvpn
 if [ $? -eq 0 ]; then
- pgrep openvpn
- if [ $? -ne 0 ]; then
- systemctl start openvpn@xscenet
- fi
+ pgrep openvpn
+ if [ $? -ne 0 ]; then
+ systemctl start openvpn@xscenet
+ fi
 fi
diff --git a/roles/openvpn/templates/xsce-vpn.conf.in b/roles/openvpn/templates/xsce-vpn.conf.in.deprecated
similarity index 100%
rename from roles/openvpn/templates/xsce-vpn.conf.in
rename to roles/openvpn/templates/xsce-vpn.conf.in.deprecated
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 772f23096..245bc85c3 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -190,7 +190,7 @@
 openvpn_install: True
 openvpn_enabled: False
 # For /etc/iiab/openvpn_handle
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False
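Review bot: The parked copy still opens with `$!/bin/bash` (a `$`, not `#`, so there is no shebang and line 1 would run as a command) and sets `VPNIP={{ openvpn_server_port }}` even though `VPNIP` is then used as a `ping` target, while the live `iiab-remote-on.j2` in this diff pings `{{ openvpn_server_virtual_ip }}`. Since the file is no longer installed (its `start.j2` item is commented out in tasks/main.yml), a header line is enough to stop it being restored as-is: `# DEPRECATED and not installed by the role; shebang and VPNIP assignment must be fixed before any reuse`.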
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index dc32d67d0..603bd2901 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -87,7 +87,7 @@
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
diff --git a/vars/local_vars_big_vpn.yml b/vars/local_vars_big_vpn.yml
index 32c7d1482..081ea50b5 100644
--- a/vars/local_vars_big_vpn.yml
+++ b/vars/local_vars_big_vpn.yml
@@ -87,7 +87,7 @@
 openvpn_install: True
 openvpn_enabled: True
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index cfa727c5d..9290dfee8 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -87,7 +87,7 @@
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
diff --git a/vars/local_vars_medium_vpn.yml b/vars/local_vars_medium_vpn.yml
index 9a670735d..41f30edad 100644
--- a/vars/local_vars_medium_vpn.yml
+++ b/vars/local_vars_medium_vpn.yml
@@ -87,7 +87,7 @@
 openvpn_install: True
 openvpn_enabled: True
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index 80d71a43a..2a6a7d2f4 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -87,7 +87,7 @@
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True
diff --git a/vars/local_vars_min_vpn.yml b/vars/local_vars_min_vpn.yml
index 93c19e580..349513bcf 100644
--- a/vars/local_vars_min_vpn.yml
+++ b/vars/local_vars_min_vpn.yml
@@ -87,7 +87,7 @@
 openvpn_install: True
 openvpn_enabled: True
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: UNNAMED
+openvpn_handle: ""
 # The following seems necessary on CentOS:
 # openvpn_cron_enabled: True