Merge pull request #1090 from holta/openvpn2

Fix iiab-remote-on|off which had longstanding (OpenVPN) issues

roles/openvpn/tasks/main.yml

@@ -54,7 +54,8 @@
   with_items:
     - /etc/openvpn/keys
     - /etc/openvpn/scripts
-    - /usr/lib/iiab    # For executable up_wan.  Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018.
+    # Obsolete & unused for ~2 years as of August 2018:
+    #- /usr/lib/iiab
 
 - name: Configure OpenVPN (BACKS UP FILES IF CHANGED)
   template:
@@ -77,8 +78,8 @@
     - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
     # Comment out in future?  Not recommended as of August 2018:
     - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
-    # Comment out in future?  Might still be relevant for CentOS but unused for ~2 years as of August 2018:
-    - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
+    # Obsolete & unused for ~2 years as of August 2018:
+    # - { src: 'up_wan', dest: '/usr/lib/iiab/up_wan', mode: '0755' }
     # Obsolete & unused for ~2 years as of August 2018:
     #- { src: 'start.j2', dest: '/usr/lib/iiab/start', mode: '0755' }
     # Obsolete & unused for ~2 years as of August 2018:
@@ -86,6 +87,18 @@
     # Obsolete & unused for ~2 years as of August 2018:
     #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
 
+- name: Create iiab-vpn-on (symlink to iiab-remote-on for now)
+  file:
+    src: /usr/bin/iiab-remote-on
+    path: /usr/bin/iiab-vpn-on
+    state: link
+
+- name: Create iiab-vpn-off (symlink to iiab-remote-off for now)
+  file:
+    src: /usr/bin/iiab-remote-off
+    path: /usr/bin/iiab-vpn-off
+    state: link
+
 # up_wan was being installed twice (also above) and was unused for ~2 years
 # as of August 2018: (see 15-openvpn below)
 #- name: Put up_wan in place (debuntu)
@@ -97,11 +110,12 @@
 # Comment out in future?  Contained serious bug (15-openvpn called
 # up-wan instead of up_wan in /usr/lib/iiab/ as of August 2018) so
 # evidently unused for ~2 years:
-- name: Put dispatcher up for NM (not debuntu)
+- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
   template:
     src: 15-openvpn
     dest: /etc/NetworkManager/dispatcher.d/
-  when: not is_debuntu    # SHOULD THIS CONDITION ACT ON THE PRESENCE OF NETWORKMANAGER?  e.g. some Ubuntu's use NM, others don't.
+  #when: not is_debuntu    # CONDITION APPEARS TOO BROAD
+  when: False              # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
 
 # Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
 #- name: Check for manually configured OpenVPN tunnel
@@ -158,6 +172,7 @@
 - name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
   lineinfile:
     path: /etc/crontab
+    # CONSIDER "restart" not just "start" if something stronger is confirmed needed?
     line: "25 *  *  *  * root (/usr/bin/systemctl start openvpn@xscenet.service) > /dev/null"
   when: openvpn_enabled and openvpn_cron_enabled
 

roles/openvpn/templates/15-openvpn

@@ -1,5 +1,6 @@
 #!/bin/bash
-# Not really used as of August 2018, but perhaps can be revived for CentOS etc
+# Not used as of August 2018: parent service "openvpn" reliably auto-starts child service "openpn@xscenet" on OS's in common use
+# But could be revived for older CentOS etc?
 
 export LC_ALL=C
 
@@ -14,7 +15,11 @@ if [ "$2" = "up" ]; then
     sleep 2
     /sbin/ip route list dev "$1" | grep -q '^default' &&
     # restart the services
-    systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up_wan
+    #systemctl -q is-enabled openvpn@xscenet.service && /usr/lib/iiab/up_wan
+    # EQUIVALENTLY:
+    systemctl is-enabled openvpn && pgrep openvpn && systemctl start openvpn@xscenet
+    # OR EQUIVALENTLY:
+    # systemctl is-enabled openvpn && systemctl is-active openvpn && systemctl start openvpn@xscenet
 fi
 
 # we added this to prevent logs from filling with openvpn errors

roles/openvpn/templates/announcer.j2

@@ -13,8 +13,9 @@ if [ -f /etc/iiab/openvpn_handle ]; then
 # /etc/iiab/openvpn_handle "obligatory" (EMPTY STRING "" IS TOLERATED, IN WHICH
 # CASE OPENVPN SERVER TRIES TO USE /etc/iiab/uuid BELOW, IN LIEU OF HANDLE...)
 
-# CLARIF: "systemctl restart openvpn@xscenet" still runs even if the above is
-# defied.  e.g. if an implementer deletes /etc/iiab/openvpn_handle by accident.
+# CLARIF: "systemctl restart openvpn" still works tolerably even if the above
+# is defied, auto-starting child service openvpn@xscenet per usual
+# (e.g. if /etc/iiab/openvpn_handle is deleted by accident!)
 
 #else
 #    # Option #3: Dangerous to invoke hypothetical variables :(

roles/openvpn/templates/iiab-handle.j2

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Interactive script (over)writes /etc/iiab/openvpn_handle file, identifying client to server
+# DEPRECATED interactive script (over)writes /etc/iiab/openvpn_handle file, identifying client to server
 
 echo -e '\nCORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
 echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
@@ -16,3 +16,5 @@ else
     echo $ans > /etc/iiab/openvpn_handle
 fi
 {{ systemctl_program }} restart openvpn@xscenet
+# This would also work: (but would bounce all VPN connections, if others exist, causing unnec disruption if so)
+#{{ systemctl_program }} restart openvpn

roles/openvpn/templates/iiab-remote-off

@@ -1,17 +1,29 @@
 #!/bin/bash
-# script to turn on openvpn
 
-# do nothing if it is not installed
+# /usr/bin/iiab-remote-off should fully turn off multiple remote support
+# services like OpenVPN and others, to reduce risk of remote attacks.
+
+echo -e '\nWARNING: To disable OpenVPN long-term, it'"'"'s recommended you:\n'
+
+echo -e '1) Set this variable in /etc/local/local_vars.yml'
+echo -e '   openvpn_enabled: False\n'
+
+echo -e '2) Run:'
+echo -e '   cd /opt/iiab/iiab'
+echo -e '   sudo ./runrole openvpn\n'
+
+# Do nothing if OpenVPN not installed
 which openvpn
 if [ $? -ne 0 ]; then
-    echo Cannot find the OpenVPN program (openvpn).
+    echo 'Cannot find the OpenVPN program (openvpn).'
     exit 1
 fi
-systemctl disable openvpn@xscenet.service
-systemctl stop openvpn@xscenet.service
+
+systemctl disable openvpn
+systemctl stop openvpn
 
 sleep 5
-ps -e|grep vpn
+ps -e | grep openvpn    # 2018-09-05: "ps -e | grep vpn" no longer works (nor would "pgrep vpn") when invoked from iiab-vpn-off (as filename itself causes [multiple] "vpn" instances to appear in process list!)
 if [ $? -eq 0 ]; then
     echo OpenVPN failed to stop.
 else

roles/openvpn/templates/iiab-remote-on.j2

@@ -1,14 +1,27 @@
 #!/bin/bash
-# script to turn on openvpn
 
-# do nothing if it is not installed
+# /usr/bin/iiab-remote-on should turn on multiple remote support services like
+# OpenVPN and others, for remote support, so they work even after reboot.
+
+echo -e '\nWARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
+
+echo -e '1) Set these variables in /etc/local/local_vars.yml'
+echo -e '   openvpn_install: True'
+echo -e '   openvpn_enabled: True\n'
+
+echo -e '2) Run:'
+echo -e '   cd /opt/iiab/iiab'
+echo -e '   sudo ./runrole openvpn\n'
+
+# Do nothing if OpenVPN not installed
 which openvpn
 if [ $? -ne 0 ]; then
-    echo Cannot find the OpenVPN program (openvpn).
+    echo 'Cannot find the OpenVPN program (openvpn).'
     exit 1
 fi
-systemctl enable openvpn@xscenet.service
-systemctl start openvpn@xscenet.service
+
+systemctl enable openvpn
+systemctl start openvpn
 
 sleep 5
 ping -c 2 {{ openvpn_server_virtual_ip }}    # 10.8.0.1

roles/openvpn/templates/up_wan.deprecated

@@ -1,5 +1,6 @@
 #!/bin/bash
-# Not really used as of August 2018, but perhaps can be revived for CentOS etc
+# Not used as of August 2018: parent service "openvpn" reliably auto-starts child service "openpn@xscenet" on OS's in common use
+# But could be revived for older CentOS etc?
 
 # If the wan has recently come up, see if we need to start openvpn