diff --git a/README.md b/README.md
index 6e0c205e..25eb6965 100644
--- a/README.md
+++ b/README.md
@@ -537,7 +537,7 @@ gfx.canvas.accelerated = false
ssh_dispatch_run_fatal: Connection to 40.74.28.12 port 22: error in libcrypto
```
-It needs to fixed by executing `update-crypto-policies --set LEGACY` and rebooting the machine.
+It needs to be fixed by executing `update-crypto-policies --set LEGACY` (or creating your own custom crypto policy) and rebooting the machine.
21. ssh-config for Azure DevOps and GitHub:
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 1f050dd7..6415aeb1 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -69,6 +69,10 @@ vpngateway:
openvpn:
hosts:
vpn1:
+ vagrant:
+ ansible_user: vagrant
+ ansible_password: vagrant
+ ansible_host: 10.0.0.43
openwrt:
vars:
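Review bot: `ansible_password: vagrant` on the new `vagrant` host entry stores a login password in plain text in the tracked inventory. The vagrant/vagrant pair is the well-known Vagrant default, so the exposure here is small, but the entry sets the pattern that the real hosts in this file will copy. Prefer key-based access — `ansible_ssh_private_key_file` pointing at the box's private key — or move the value into an ansible-vault-encrypted host_vars file and reference it from the inventory.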
diff --git a/inventory/vagrant.yml b/inventory/vagrant.yml
index b9735483..954dcec5 100644
--- a/inventory/vagrant.yml
+++ b/inventory/vagrant.yml
@@ -1,13 +1,13 @@
# This file is used by Vagrantfile
---
hosts:
- - name: "fedora35"
+ - name: "fedora"
# os: "generic/fedora35"
- os: "alvistack/fedora-35"
- hostname: "fedora35.srv"
+ os: "fedora/40-cloud-base"
+ hostname: "fedora.srv"
ip:
- "10.0.0.10"
cpu: "2"
- mem: "4096"
+ mem: "2048"
port_forward: []
hostname_alias: []
diff --git a/playbooks/vms.yml b/playbooks/vms.yml
index f11ff30f..aa2b6959 100644
--- a/playbooks/vms.yml
+++ b/playbooks/vms.yml
@@ -26,6 +26,13 @@
- reboot_required_file.stat.exists == true
- inventory_hostname != "mikeeClevo"
+- name: Provision Clevo
+ hosts:
+ - clevo
+ become: true
+ roles:
+ - servers/bootstrap
+
- name: Set variables on an imported playbook
ansible.builtin.import_playbook: generic-core.yml
vars:
@@ -50,6 +57,24 @@
- apps/docker
- servers/apps/adguard-home
+- name: Provision GW1
+ hosts:
+ - gw1
+ become: true
+ roles:
+ - servers/network-static-dns
+ - apps/openvpn-client
+ - servers/apps/vpn-gw
+
+- name: Provision VPN1
+ hosts:
+ - vpn1
+ become: true
+ roles:
+ - servers/network-static-dns
+ - servers/apps/openvpn
+ - servers/apps/vpn-gw
+
- name: Provision mikeeClevo
hosts:
- mikeeClevo
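Review bot: The `Provision VPN1` play added here is a byte-for-byte copy of the one in the new `playbooks/vpn.yml`, so the two will drift the first time either role list changes. Keep one definition and pull it into this playbook with `- ansible.builtin.import_playbook: vpn.yml`, as the file already does for `generic-core.yml`. The same applies to the `Provision GW1` play if a standalone gateway playbook is added later.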
diff --git a/playbooks/vpn.yml b/playbooks/vpn.yml
new file mode 100644
index 00000000..97930207
--- /dev/null
+++ b/playbooks/vpn.yml
@@ -0,0 +1,9 @@
+---
+- name: Provision VPN1
+ hosts:
+ - vpn1
+ become: true
+ roles:
+ - servers/network-static-dns
+ - servers/apps/openvpn
+ - servers/apps/vpn-gw
diff --git a/roles/apps/openvpn-client/defaults/main.yml b/roles/apps/openvpn-client/defaults/main.yml
new file mode 100644
index 00000000..1d7b1dd3
--- /dev/null
+++ b/roles/apps/openvpn-client/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ovpn_client_templates_path: files
diff --git a/roles/apps/openvpn-client/files/client.ovpn b/roles/apps/openvpn-client/files/client.ovpn
new file mode 100644
index 00000000..0949f8c7
--- /dev/null
+++ b/roles/apps/openvpn-client/files/client.ovpn
@@ -0,0 +1,35 @@
+client
+dev tun
+proto tcp
+remote pl-waw.prod.surfshark.com 1443
+remote-random
+nobind
+tun-mtu 1500
+mssfix 1450
+ping 15
+ping-restart 0
+reneg-sec 0
+
+remote-cert-tls server
+
+auth-user-pass pass.txt
+
+#comp-lzo
+verb 3
+fast-io
+cipher AES-256-CBC
+
+auth SHA512
+
+
+-----BEGIN CERTIFICATE-----
+-----END CERTIFICATE-----
+
+key-direction 1
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+-----END OpenVPN Static key V1-----
+
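Review bot: The certificate and static-key placeholders at the end of the file are bare `-----BEGIN/END-----` lines with nothing between them and no enclosing `<ca>`/`<tls-auth>` tags, so as committed OpenVPN is likely to reject them as unknown options; presumably the real profile lives outside the repo via `ovpn_client_templates_path`, but nothing says so. A header comment such as `# placeholder: replace with the provider-supplied profile; never commit the real CA/key material` would make the intent clear, and `key-direction 1` only makes sense next to a `tls-auth` directive, which is absent. `cipher AES-256-CBC` without a `data-ciphers` line may also produce a negotiation warning on OpenVPN 2.5+; confirm against the provider's current profile.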
diff --git a/roles/apps/openvpn-client/files/pass.txt b/roles/apps/openvpn-client/files/pass.txt
new file mode 100644
index 00000000..59d468ee
--- /dev/null
+++ b/roles/apps/openvpn-client/files/pass.txt
@@ -0,0 +1,2 @@
+username
+password
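Review bot: `pass.txt` is tracked in git and is the file the role copies to `/etc/openvpn/client/pass.txt`, so the natural next step — replacing `username`/`password` with the real provider login — would commit a credential. Add the path to `.gitignore` (or ship it only as an ansible-vault-encrypted file) and keep the placeholder only as an example, e.g. `pass.txt.example`.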
diff --git a/roles/apps/openvpn-client/tasks/main.yml b/roles/apps/openvpn-client/tasks/main.yml
new file mode 100644
index 00000000..c1c52799
--- /dev/null
+++ b/roles/apps/openvpn-client/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install openvpn
+ dnf:
+ name: "openvpn"
+ state: present
+
+- name: Configure ovpn client files
+ template:
+ src: "{{ ovpn_client_templates_path }}/{{ item.src }}"
+ dest: "/etc/openvpn/client/{{ item.dest }}"
+ mode: 0664
+ backup: true
+ loop:
+ - src: client.ovpn
+ dest: client.conf
+ - src: pass.txt
+ dest: pass.txt
+
+- name: Enable service openvpn-client@client.service
+ systemd:
+ name: openvpn-client@client.service
+ enabled: true
+ state: started
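Review bot: `mode: 0664` in the `Configure ovpn client files` task is applied to both loop items, so `/etc/openvpn/client/pass.txt` — the VPN username and password — ends up world-readable and group-writable. Give the credential file a per-item mode, `mode: "{{ item.mode | default('0644') }}"` with `mode: "0600"` on the `pass.txt` entry, and quote the octal value so YAML does not reinterpret it. `backup: true` on that item also leaves timestamped copies of old credentials beside it; consider dropping the backup for `pass.txt`. The `.ovpn` is rendered through `template`, so any `{{` in a provider-supplied profile would be interpreted as Jinja; `copy` is the safer module for files that are not actually templates.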
diff --git a/roles/apps/vagrant/tasks/install_x86_64.yml b/roles/apps/vagrant/tasks/install_x86_64.yml
index fcd5c146..decb4f53 100644
--- a/roles/apps/vagrant/tasks/install_x86_64.yml
+++ b/roles/apps/vagrant/tasks/install_x86_64.yml
@@ -25,10 +25,13 @@
- include_tasks: get_latest_version.yml
when: vagrant_version is not defined
+- debug:
+ var: vagrant_version
+
# name: "https://releases.hashicorp.com/vagrant/{{ vagrant_version }}/vagrant_{{ vagrant_version}}_x86_64.rpm"
- name: Install vagrant from hashicorp repo
dnf:
- name: "https://releases.hashicorp.com/vagrant/{{ vagrant_version}}/vagrant-{{ vagrant_version }}-1.x86_64.rpm"
+ name: "https://releases.hashicorp.com/vagrant/{{ vagrant_version }}/vagrant-{{ vagrant_version }}-1.x86_64.rpm"
state: latest
disable_gpg_check: true
when: installed_vagrant_version.stdout != vagrant_version
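Review bot: The `Install vagrant from hashicorp repo` task that this hunk corrects still runs with `disable_gpg_check: true`, so the RPM pulled from releases.hashicorp.com is installed without signature verification; TLS protects the transfer, not the artifact. Import the vendor key with `ansible.builtin.rpm_key` first and drop `disable_gpg_check`, or at least pin the download by checksum. The added `- debug:` task should carry a `name:` like the other tasks in the file; it prints `vagrant_version` on every run, and `verbosity: 1` would keep it quiet unless `-v` is passed.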
diff --git a/roles/pkg_mgmt/dnf/tasks/dnf5.yml b/roles/pkg_mgmt/dnf/tasks/dnf5.yml
index a0b4d5fe..67c79aeb 100644
--- a/roles/pkg_mgmt/dnf/tasks/dnf5.yml
+++ b/roles/pkg_mgmt/dnf/tasks/dnf5.yml
@@ -9,7 +9,7 @@
- name: Bootstrap a host without python3-libdnf5 installed
ansible.builtin.raw: if dnf list --installed | grep -q -i python3-libdnf5; then echo -n "exists"; else dnf install -y python3-libdnf5; fi
- changed_when: python3_libdnf5_installed.stdout != "exists"
+ changed_when: '"exists" not in python3_libdnf5_installed.stdout'
register: python3_libdnf5_installed
- name: Install dnf5
diff --git a/roles/servers/apps/home-assistant/tasks/main.yml b/roles/servers/apps/home-assistant/tasks/main.yml
index 5b47208e..0f0ac0c9 100644
--- a/roles/servers/apps/home-assistant/tasks/main.yml
+++ b/roles/servers/apps/home-assistant/tasks/main.yml
@@ -1,27 +1,27 @@
---
-# - name: Check docker-compose executable is present
-# shell: "which docker-compose"
-# register: docker_compose_result
-# ignore_errors: true
-# changed_when: false
+- name: Check docker-compose executable is present
+ shell: "which docker-compose"
+ register: docker_compose_result
+ ignore_errors: true
+ changed_when: false
-# - fail:
-# msg: "docker-compose is not found! You need to install it first."
-# when: docker_compose_result.rc != 0
+- fail:
+ msg: "docker-compose is not found! You need to install it first."
+ when: docker_compose_result.rc != 0
-# - name: Ensure passlib is installed
-# delegate_to: localhost
-# pip:
-# name:
-# - passlib
-# state: present
+- name: Ensure passlib is installed
+ delegate_to: localhost
+ pip:
+ name:
+ - passlib
+ state: present
-# # TODO: add stat to check if docker-compose file exists before running cleanup
+# TODO: add stat to check if docker-compose file exists before running cleanup
# - include_tasks: cleanup.yml
# when: home_assistant_clean
-# - import_tasks: custom.yml
+- import_tasks: custom.yml
- import_tasks: config.yml
-# - import_tasks: config_mosquitto.yml
-# - import_tasks: install.yml
+- import_tasks: config_mosquitto.yml
+- import_tasks: install.yml
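Review bot: `shell: "which docker-compose"` with `ignore_errors: true` in the first task marks the play output with an ignored failure on every host that lacks the binary, even though the following `fail` task is the intended handling. Use `ansible.builtin.command: which docker-compose` with `failed_when: false` (no shell is needed, and the failure is no longer masked in the output), keeping `changed_when: false`. The `Ensure passlib is installed` task pip-installs on the controller via `delegate_to: localhost`; if the play runs with `become`, that writes to the controller's system site-packages — confirm the play's setting, or add `become: false` to the delegated task.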
diff --git a/roles/servers/apps/openvpn/defaults/main.yml b/roles/servers/apps/openvpn/defaults/main.yml
index b0e57e5a..ec4b0118 100644
--- a/roles/servers/apps/openvpn/defaults/main.yml
+++ b/roles/servers/apps/openvpn/defaults/main.yml
@@ -1,17 +1,38 @@
---
-ssl_path: "/etc/openvpn/ssl"
-easyrsa_path: "/usr/share/easy-rsa/3"
-pki_path: "/etc/openvpn/pki"
-certs_path: "{{ pki_path }}/issued"
-keys_path: "{{ pki_path }}/private"
+openvpn_configs_path: "/etc/openvpn"
-common_name: "vpn.example.com"
+openvpn_server_config_path: "{{ openvpn_configs_path }}/server"
+# 995 - ssl pop3
+openvpn_server_port: 995
-ca_path: "{{ pki_path }}/ca.crt"
-dh_path: "{{ pki_path }}/dh.pem"
+openvpn_ssl_path: "{{ openvpn_configs_path }}/ssl"
+openvpn_ca_cert_path: "{{ openvpn_ssl_path }}/ca"
+openvpn_client_cert_path: "{{ openvpn_ssl_path }}/client"
+openvpn_server_cert_path: "{{ openvpn_ssl_path }}/server"
+openvpn_certs_common_name: "vpn.example.com"
-server_crt_name: server
-server_crt_path: "{{ certs_path }}/{{ server_crt_name }}.crt"
+openvpn_clients:
+ - vagrant
+ - test
-client_crts:
- - client
+openvpn_pull_client_name: "vagrant"
+openvpn_pull_client_config_path: "/tmp/certs_vpn"
+
+### Old
+# easyrsa_path: "/usr/share/easy-rsa/3"
+# pki_path: "/etc/openvpn/pki"
+# certs_path: "{{ pki_path }}/issued"
+# keys_path: "{{ pki_path }}/private"
+
+# common_name: "vpn.example.com"
+
+# ca_path: "{{ pki_path }}/ca.crt"
+# dh_path: "{{ pki_path }}/dh.pem"
+
+# server_crt_name: server
+# server_crt_path: "{{ certs_path }}/{{ server_crt_name }}.crt"
+
+# # client_crts:
+# # - client
+
+# server_port: 443
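Review bot: The `### Old` block is a set of commented-out variables that reference names (`ssl_path`, `certs_path`) no task uses any more and that git history already preserves; drop it so `defaults/main.yml` lists only live variables. `openvpn_pull_client_config_path: "/tmp/certs_vpn"` is the controller-side destination for client private keys, and a predictable path in the shared temp directory is a poor default for key material; a directory under the invoking user's home, created with `mode: "0700"`, would be safer. A one-line comment on `openvpn_clients` saying that each entry becomes a per-client certificate directory under `openvpn_client_cert_path` would help the next reader.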
diff --git a/roles/servers/apps/openvpn/handlers/main.yml b/roles/servers/apps/openvpn/handlers/main.yml
new file mode 100644
index 00000000..39e96580
--- /dev/null
+++ b/roles/servers/apps/openvpn/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart_openvpn_server
+ service:
+ name: openvpn-server@server
+ state: restarted
diff --git a/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml b/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml
index ebf42098..6a6cb078 100644
--- a/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml
+++ b/roles/servers/apps/openvpn/tasks/certs_ansible_openssl.yml
@@ -1,96 +1,25 @@
---
-- package:
+- name: Install python3-pip
+ package:
name: python3-pip
state: present
-- pip:
- name: pyOpenSSL
+- name: Install ansible pip dependencies
+ pip:
+ name: "{{ pkgs }}"
state: present
-
-- file:
- path: "{{ ssl_path }}"
+ vars:
+ pkgs:
+ - pyOpenSSL
+ - packaging
+
+- name: Create directory for certs
+ file:
+ path: "{{ openvpn_ssl_path }}"
state: directory
-- openssl_privatekey:
- path: "{{ ssl_path }}/ca.pem"
-
-- openssl_csr:
- path: "{{ ssl_path }}/ca.csr"
- privatekey_path: "{{ ssl_path }}/ca.pem"
- basic_constraints_critical: true
- basic_constraints: CA:TRUE
- key_usage_critical: true
- key_usage:
- - cRLSign
- - digitalSignature
- - keyCertSign
- common_name: "{{ certs_path }}"
-
-- name: Generate CA a Self Signed OpenSSL certificate
- openssl_certificate:
- path: "{{ ssl_path }}/ca.crt"
- privatekey_path: "{{ ssl_path }}/ca.pem"
- csr_path: "{{ ssl_path }}/ca.csr"
- provider: selfsigned
-
-- openssl_privatekey:
- path: "{{ ssl_path }}/server.pem"
-
-- openssl_csr:
- path: "{{ ssl_path }}/server.csr"
- privatekey_path: "{{ ssl_path }}/server.pem"
- basic_constraints_critical: true
- basic_constraints: CA:FALSE
- key_usage_critical: true
- key_usage:
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- - keyAgreement
- extended_key_usage_critical: true
- extended_key_usage: serverAuth
- common_name: "{{ certs_path }}"
-
-- name: Generate Server Self Signed OpenSSL certificate
- openssl_certificate:
- path: "{{ ssl_path }}/server.crt"
- privatekey_path: "{{ ssl_path }}/server.pem"
- csr_path: "{{ ssl_path }}/server.csr"
- provider: ownca
- ownca_path: "{{ ssl_path }}/ca.crt"
- ownca_privatekey_path: "{{ ssl_path }}/ca.pem"
-
-
-- openssl_privatekey:
- path: "{{ ssl_path }}/client.pem"
-
-- openssl_csr:
- path: "{{ ssl_path }}/client.csr"
- privatekey_path: "{{ ssl_path }}/client.pem"
- basic_constraints_critical: true
- basic_constraints: CA:FALSE
- key_usage_critical: true
- key_usage:
- - nonRepudiation
- - digitalSignature
- - keyEncipherment
- extended_key_usage_critical: true
- extended_key_usage: clientAuth
- common_name: "{{ certs_path }}"
-
-- name: Generate a Self Signed OpenSSL certificate
- community.crypto.x509_certificate:
- path: "{{ ssl_path }}/client.crt"
- privatekey_path: "{{ ssl_path }}/client.pem"
- csr_path: "{{ ssl_path }}/client.csr"
- provider: ownca
- ownca_path: "{{ ssl_path }}/ca.crt"
- ownca_privatekey_path: "{{ ssl_path }}/ca.pem"
-
-- openssl_dhparam:
- path: "{{ ssl_path }}/dhparams.pem"
-
-- name: Openssl TLS key_usage
- shell: openvpn --genkey --secret {{ ssl_path }}/tls.key
- args:
- creates: "{{ ssl_path }}/tls.key"
+- import_tasks: "openssl/ca.yml"
+- import_tasks: "openssl/server.yml"
+- import_tasks: "openssl/server_extras.yml"
+- include_tasks: "openssl/client.yml"
+ loop: "{{ openvpn_clients }}"
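Review bot: The included files split one certificate chain across two module spellings — `openssl_privatekey`/`openssl_csr`/`openssl_certificate` in `ca.yml` and `server.yml`, but `community.crypto.x509_certificate` in `client.yml`; use the fully-qualified `community.crypto.*` names throughout, since `openssl_certificate` is the older name and is deprecated or removed depending on the installed collection version. The pip task installs `pyOpenSSL`, but current community.crypto releases back these modules with the `cryptography` package, so that dependency may do nothing on a fresh host — verify which backend the installed collection expects. `include_tasks: openssl/client.yml` with `loop:` exposes each client name as `item` inside the included file; a comment on the loop line, `# client.yml expects each client name as item`, would save the next reader a lookup.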
diff --git a/roles/servers/apps/openvpn/tasks/get_certs.yml b/roles/servers/apps/openvpn/tasks/get_certs.yml
index a6170864..d820ce6e 100644
--- a/roles/servers/apps/openvpn/tasks/get_certs.yml
+++ b/roles/servers/apps/openvpn/tasks/get_certs.yml
@@ -1,22 +1,29 @@
---
-# - file:
-# path: "/tmp/certs_vpn"
-# state: directory
-# delegate_to: localhost
+- name: "Create {{ openvpn_pull_client_config_path }}"
+ file:
+ path: "{{ openvpn_pull_client_config_path }}"
+ state: directory
+ delegate_to: localhost
+ become: false
- name: "Download client certs"
fetch:
- src: "/etc/openvpn/ssl/{{ item }}"
- dest: "/tmp/certs_vpn/{{ item }}"
+ src: "{{ item.path }}/{{ item.name }}"
+ dest: "{{ openvpn_pull_client_config_path }}/{{ item.name }}"
flat: true
with_items:
- - ca.crt
- - client.crt
- - client.pem
- - tls.key
-
+ - path: "{{ openvpn_ca_cert_path }}"
+ name: "ca.crt"
+ - path: "{{ openvpn_client_cert_path }}/{{ openvpn_pull_client_name }}"
+ name: "client.crt"
+ - path: "{{ openvpn_client_cert_path }}/{{ openvpn_pull_client_name }}"
+ name: "client.pem"
+ - path: "{{ openvpn_ssl_path }}"
+ name: "tls.key"
+
- name: Add client openvpn config file
template:
src: client.conf.j2
- dest: /tmp/certs_vpn/client.conf
+ dest: "{{ openvpn_pull_client_config_path }}/client.conf"
delegate_to: localhost
+ become: false
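Review bot: `Create {{ openvpn_pull_client_config_path }}` creates the controller-side directory that receives `client.pem` and `tls.key` — private key material — but sets no `mode`, and with the default of `/tmp/certs_vpn` the path is predictable and shared by every local user on the control node. Add `mode: "0700"` to the directory task; `fetch` has no `mode` parameter, so tighten the fetched files in a follow-up `file` task or, better, default the path under the invoking user's home. Putting the expanded variable in the task `name:` can also break `--list-tasks`/`--start-at-task` matching, because the name differs before and after evaluation; a static name such as `Create local client config directory` is easier to target.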
diff --git a/roles/servers/apps/openvpn/tasks/install.yml b/roles/servers/apps/openvpn/tasks/install.yml
index e2771cae..aa91d8a7 100644
--- a/roles/servers/apps/openvpn/tasks/install.yml
+++ b/roles/servers/apps/openvpn/tasks/install.yml
@@ -8,11 +8,13 @@
# with_items:
# - epel-release
-- package:
- name: "{{ item }}"
+- name: Installing OpenVPN pkgs
+ package:
+ name: "{{ pkgs }}"
state: present
- with_items:
- - openvpn
- - easy-rsa
- - iptables-services
- - iptables
+ vars:
+ pkgs:
+ - openvpn
+ - easy-rsa
+ - iptables-services
+ - iptables
diff --git a/roles/servers/apps/openvpn/tasks/main.yml b/roles/servers/apps/openvpn/tasks/main.yml
index 28cf0991..5c9a2e4e 100644
--- a/roles/servers/apps/openvpn/tasks/main.yml
+++ b/roles/servers/apps/openvpn/tasks/main.yml
@@ -1,7 +1,13 @@
---
-- include_tasks: install.yml
-# - include_tasks: certs_shell_easy-rsa.yml
-- include_tasks: certs_ansible_openssl.yml
-- include_tasks: server_config.yml
-- include_tasks: server_iptables.yml
+- import_tasks: install.yml
+
+# - import_tasks: certs_shell_easy-rsa.yml
+- import_tasks: certs_ansible_openssl.yml
+
+- import_tasks: server_config.yml
- import_tasks: get_certs.yml
+- import_tasks: selinux.yml
+
+# - import_tasks: server_iptables.yml
+# systemctl stop openvpn-server@server
+# less /var/log/openvpn.log
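Review bot: `selinux.yml` is imported after `server_config.yml`, but `server_config.yml` already starts `openvpn-server@server`; on an enforcing host the service is likely to fail to bind port 995 before `seport` has labelled it `openvpn_port_t`, so the first run fails and only a second run succeeds. Move `- import_tasks: selinux.yml` up to run before `server_config.yml`. The trailing `# systemctl stop …` / `# less …` lines are shell notes rather than documentation of the task list; move them to the role README or delete them. `server_iptables.yml` stays commented out, so nothing in this role opens the new port in the host firewall — a comment stating that the `vpn-gw` role is expected to own the rules would record that decision.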
diff --git a/roles/servers/apps/openvpn/tasks/openssl/ca.yml b/roles/servers/apps/openvpn/tasks/openssl/ca.yml
new file mode 100644
index 00000000..e3233c6a
--- /dev/null
+++ b/roles/servers/apps/openvpn/tasks/openssl/ca.yml
@@ -0,0 +1,29 @@
+---
+- name: Create directory for CA certs
+ file:
+ path: "{{ openvpn_ca_cert_path }}"
+ state: directory
+
+- name: Generating CA private key
+ openssl_privatekey:
+ path: "{{ openvpn_ca_cert_path }}/ca.pem"
+
+- name: Generating CA CSR
+ openssl_csr:
+ path: "{{ openvpn_ca_cert_path }}/ca.csr"
+ privatekey_path: "{{ openvpn_ca_cert_path }}/ca.pem"
+ basic_constraints_critical: true
+ basic_constraints: CA:TRUE
+ key_usage_critical: true
+ key_usage:
+ - cRLSign
+ - digitalSignature
+ - keyCertSign
+ common_name: "{{ openvpn_certs_common_name }}"
+
+- name: Generate CA a Self Signed OpenSSL certificate
+ openssl_certificate:
+ path: "{{ openvpn_ca_cert_path }}/ca.crt"
+ privatekey_path: "{{ openvpn_ca_cert_path }}/ca.pem"
+ csr_path: "{{ openvpn_ca_cert_path }}/ca.csr"
+ provider: selfsigned
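Review bot: The CA CSR uses the same `common_name` as the server and every client certificate (`openvpn_certs_common_name`), so the CA subject equals the server certificate's subject and issuer, leaving chain building to the key-identifier extensions and making `verify-x509-name` unable to tell peers apart by name. Give the CA its own subject, e.g. `common_name: "{{ openvpn_certs_common_name }} CA"`. The CA private key also lives on the VPN server beside the server key, so anyone who can read `/etc/openvpn/ssl/ca` can issue a valid client certificate; a comment on the `Generating CA private key` task acknowledging that trade-off (and an `ownca_not_after` bound on the certificates issued from it) would make the threat model explicit.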
diff --git a/roles/servers/apps/openvpn/tasks/openssl/client.yml b/roles/servers/apps/openvpn/tasks/openssl/client.yml
new file mode 100644
index 00000000..6ebd31b0
--- /dev/null
+++ b/roles/servers/apps/openvpn/tasks/openssl/client.yml
@@ -0,0 +1,36 @@
+---
+- name: Create directory for CLIENT certs
+ file:
+ path: "{{ openvpn_client_cert_path }}/{{ item }}"
+ state: directory
+
+- name: Generating CLIENT private key
+ openssl_privatekey:
+ path: "{{ openvpn_client_cert_path }}/{{ item }}/client.pem"
+
+- name: Generating CLIENT CSR
+ openssl_csr:
+ path: "{{ openvpn_client_cert_path }}/{{ item }}/client.csr"
+ privatekey_path: "{{ openvpn_client_cert_path }}/{{ item }}/client.pem"
+ basic_constraints_critical: true
+ basic_constraints: CA:FALSE
+ key_usage_critical: true
+ key_usage:
+ - nonRepudiation
+ - digitalSignature
+ - keyEncipherment
+ extended_key_usage_critical: true
+ extended_key_usage: clientAuth
+ common_name: "{{ openvpn_certs_common_name }}"
+ subject_alt_name:
+ - "DNS: {{ item }}.{{ openvpn_certs_common_name }}"
+
+
+- name: Generate CLIENT certificate
+ community.crypto.x509_certificate:
+ path: "{{ openvpn_client_cert_path }}/{{ item }}/client.crt"
+ privatekey_path: "{{ openvpn_client_cert_path }}/{{ item }}/client.pem"
+ csr_path: "{{ openvpn_client_cert_path }}/{{ item }}/client.csr"
+ provider: ownca
+ ownca_path: "{{ openvpn_ca_cert_path }}/ca.crt"
+ ownca_privatekey_path: "{{ openvpn_ca_cert_path }}/ca.pem"
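Review bot: Every client certificate gets `common_name: "{{ openvpn_certs_common_name }}"`, so all clients present the same CN; without `duplicate-cn` on the server a newly connecting client with that CN knocks the already-connected one offline, and per-client logging or `ccd` entries keyed on CN cannot work. Use the per-client name, `common_name: "{{ item }}.{{ openvpn_certs_common_name }}"`, matching the SAN already generated. The SAN entry is written as `"DNS: {{ item }}.…"` with a space after the colon; the module appears to take the text after `DNS:` verbatim, so the space likely ends up inside the SAN — write `"DNS:{{ item }}.{{ openvpn_certs_common_name }}"`.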
diff --git a/roles/servers/apps/openvpn/tasks/openssl/server.yml b/roles/servers/apps/openvpn/tasks/openssl/server.yml
new file mode 100644
index 00000000..eeebb3a2
--- /dev/null
+++ b/roles/servers/apps/openvpn/tasks/openssl/server.yml
@@ -0,0 +1,34 @@
+---
+- name: Create directory for SERVER certs
+ file:
+ path: "{{ openvpn_server_cert_path }}"
+ state: directory
+
+- name: Generating SERVER private key
+ openssl_privatekey:
+ path: "{{ openvpn_server_cert_path }}/server.pem"
+
+- name: Generating SERVER CSR
+ openssl_csr:
+ path: "{{ openvpn_server_cert_path }}/server.csr"
+ privatekey_path: "{{ openvpn_server_cert_path }}/server.pem"
+ basic_constraints_critical: true
+ basic_constraints: CA:FALSE
+ key_usage_critical: true
+ key_usage:
+ - nonRepudiation
+ - digitalSignature
+ - keyEncipherment
+ - keyAgreement
+ extended_key_usage_critical: true
+ extended_key_usage: serverAuth
+ common_name: "{{ openvpn_certs_common_name }}"
+
+- name: Generate SERVER certificate
+ openssl_certificate:
+ path: "{{ openvpn_server_cert_path }}/server.crt"
+ privatekey_path: "{{ openvpn_server_cert_path }}/server.pem"
+ csr_path: "{{ openvpn_server_cert_path }}/server.csr"
+ provider: ownca
+ ownca_path: "{{ openvpn_ca_cert_path }}/ca.crt"
+ ownca_privatekey_path: "{{ openvpn_ca_cert_path }}/ca.pem"
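Review bot: `Generating SERVER private key` leaves `openssl_privatekey` at its default key type (RSA), but both templates pin `tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256`, an ECDSA-only TLS 1.2 suite; if the peers negotiate TLS 1.2 no suite fits an RSA server certificate and the handshake fails, and on TLS 1.3 the `tls-cipher` line is simply ignored. Either generate EC keys here (and in `ca.yml`/`client.yml`) with `type: ECC` and `curve: secp256r1`, or change the suite in both templates to the `TLS-ECDHE-RSA-…` equivalent. A comment on the key task stating the chosen algorithm would tie the two files together.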
diff --git a/roles/servers/apps/openvpn/tasks/openssl/server_extras.yml b/roles/servers/apps/openvpn/tasks/openssl/server_extras.yml
new file mode 100644
index 00000000..0ca54f4c
--- /dev/null
+++ b/roles/servers/apps/openvpn/tasks/openssl/server_extras.yml
@@ -0,0 +1,21 @@
+---
+- name: Generate dhparam
+ openssl_dhparam:
+ path: "{{ openvpn_ssl_path }}/dhparams.pem"
+ # size: 1024
+ size: 2048
+
+# - name: Generate dhparam
+# delegate_to: 127.0.0.1
+# openssl_dhparam:
+# path: "/tmp/dhparams.pem"
+
+# - name: Copy dhparam
+# copy:
+# src: "/tmp/dhparams.pem"
+# dest: "{{ ssl_path }}/dhparams.pem"
+
+- name: Generate OpenSSL TLS
+ shell: openvpn --genkey --secret {{ openvpn_ssl_path }}/tls.key
+ args:
+ creates: "{{ openvpn_ssl_path }}/tls.key"
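Review bot: `Generate dhparam` produces a 2048-bit `dhparams.pem` — the slowest step of the role — but `server.conf.j2` now sets `dh none` and comments out the `dh` line, so the file is never read. Drop the task or guard it with a variable such as `when: openvpn_generate_dhparam | default(false)` (name illustrative). The commented `Copy dhparam` block still references the removed `ssl_path` variable and will mislead anyone who uncomments it; delete it along with the `# size: 1024` remnant. `openvpn --genkey --secret` is the pre-2.5 spelling; newer releases accept it with a deprecation warning and prefer `openvpn --genkey secret <file>` — confirm against the target's OpenVPN version.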
diff --git a/roles/servers/apps/openvpn/tasks/selinux.yml b/roles/servers/apps/openvpn/tasks/selinux.yml
new file mode 100644
index 00000000..4ad13f32
--- /dev/null
+++ b/roles/servers/apps/openvpn/tasks/selinux.yml
@@ -0,0 +1,7 @@
+---
+- name: Allow OpenVPN to listen on custom TCP port
+ seport:
+ ports: "{{ openvpn_server_port }}"
+ proto: tcp
+ setype: openvpn_port_t
+ state: present
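Review bot: The `seport` task runs unconditionally, and the role installs nothing that provides `semanage`; on a host without the SELinux tooling (`policycoreutils-python-utils` on Fedora/RHEL) or with SELinux disabled the task errors out. Guard it with `when: ansible_selinux.status == "enabled"` and add the tooling package to `install.yml`'s `pkgs` list. A comment such as `# non-default port: OpenVPN (openvpn_t) presumably may bind only ports labelled openvpn_port_t` would explain why the label is needed when a well-known port is reused.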
diff --git a/roles/servers/apps/openvpn/tasks/server_config.yml b/roles/servers/apps/openvpn/tasks/server_config.yml
index c9fd5f96..5c380fc3 100644
--- a/roles/servers/apps/openvpn/tasks/server_config.yml
+++ b/roles/servers/apps/openvpn/tasks/server_config.yml
@@ -1,12 +1,20 @@
---
-- template:
+- name: Create directory for SERVER config
+ file:
+ path: "{{ openvpn_server_config_path }}"
+ state: directory
+
+- name: Put server.conf
+ notify: restart_openvpn_server
+ template:
src: server.conf.j2
- dest: /etc/openvpn/server.conf
+ dest: "{{ openvpn_server_config_path }}/server.conf"
# owner: bin
# group: wheel
# mode: 0644
-- service:
+- name: Start openvpn-server@server service
+ service:
name: openvpn-server@server
state: started
enabled: true
diff --git a/roles/servers/apps/openvpn/tasks/server_iptables.yml b/roles/servers/apps/openvpn/tasks/server_iptables.yml
index 4b91f111..b0a1d847 100644
--- a/roles/servers/apps/openvpn/tasks/server_iptables.yml
+++ b/roles/servers/apps/openvpn/tasks/server_iptables.yml
@@ -1,85 +1,85 @@
---
-# - iptables:
-# table: nat
-# chain: POSTROUTING
-# in_interface: eth0
-# protocol: tcp
-# match: tcp
-# destination_port: 80
-# jump: REDIRECT
-# to_ports: 8600
-# comment: Redirect web traffic to port 8600
-# become: yes
+- iptables:
+ table: nat
+ chain: POSTROUTING
+ in_interface: eth0
+ protocol: tcp
+ match: tcp
+ destination_port: 80
+ jump: REDIRECT
+ to_ports: 8600
+ comment: Redirect web traffic to port 8600
+ become: yes
-# - iptables:
-# table: filter
-# chain: FORWARD
-# # protocol: udp
-# # match: udp
-# jump: ACCEPT
-# # ctstate: NEW
-# in_interface: tun0
-# out_interface: eth1
-# comment: Openvpn forward
-# action: insert
-# become: yes
+- iptables:
+ table: filter
+ chain: FORWARD
+ # protocol: udp
+ # match: udp
+ jump: ACCEPT
+ # ctstate: NEW
+ in_interface: tun0
+ out_interface: eth1
+ comment: Openvpn forward
+ action: insert
+ become: yes
-# # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-# - iptables:
-# table: filter
-# chain: FORWARD
-# # protocol: udp
-# # match: udp
-# jump: ACCEPT
-# ctstate: ESTABLISHED,RELATED
-# comment: Openvpn forward2
-# action: insert
-# become: yes
+# -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+- iptables:
+ table: filter
+ chain: FORWARD
+ # protocol: udp
+ # match: udp
+ jump: ACCEPT
+ ctstate: ESTABLISHED,RELATED
+ comment: Openvpn forward2
+ action: insert
+ become: yes
-# - iptables:
-# table: filter
-# chain: INPUT
-# protocol: tcp
-# match: tcp
-# jump: ACCEPT
-# ctstate: NEW
-# destination_port: 443
-# comment: Openvpn entry
-# action: insert
-# become: yes
+- iptables:
+ table: filter
+ chain: INPUT
+ protocol: tcp
+ match: tcp
+ jump: ACCEPT
+ ctstate: NEW
+ destination_port: 443
+ comment: Openvpn entry
+ action: insert
+ become: yes
-# - iptables:
-# table: filter
-# chain: INPUT
-# protocol: tcp
-# match: tcp
-# jump: ACCEPT
-# ctstate: NEW
-# destination_port: 80
-# comment: sshd port
-# action: insert
-# become: yes
+- iptables:
+ table: filter
+ chain: INPUT
+ protocol: tcp
+ match: tcp
+ jump: ACCEPT
+ ctstate: NEW
+ destination_port: 80
+ comment: sshd port
+ action: insert
+ become: yes
-# - iptables:
-# table: filter
-# chain: INPUT
-# protocol: tcp
-# ctstate: NEW
-# jump: ACCEPT
-# # ctstate: NEW
-# destination_port: 22
-# state: absent
-# become: yes
+- iptables:
+ table: filter
+ chain: INPUT
+ protocol: tcp
+ ctstate: NEW
+ jump: ACCEPT
+ # ctstate: NEW
+ destination_port: 22
+ state: absent
+ become: yes
-# - iptables:
-# table: nat
-# chain: POSTROUTING
-# jump: MASQUERADE
-# source: 10.69.0.0/24
-# out_interface: eth1
-# comment: Openvpn
-# become: yes
+- iptables:
+ table: nat
+ chain: POSTROUTING
+ jump: MASQUERADE
+ source: 10.69.0.0/24
+ out_interface: eth1
+ comment: Openvpn
+ become: yes
# - shell: iptables --delete INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# - shell: iptables-save > /etc/sysconfig/iptables
-# iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
+# iptables -t nat -A POSTROUTING -s 10.69.0.24 -o eth0 -j MASQUERADE
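Review bot: The first task places a `REDIRECT` target in the `nat` `POSTROUTING` chain; `REDIRECT` is valid only in `PREROUTING` and `OUTPUT`, so iptables will refuse the rule the moment this file is re-enabled (it is still commented out in `tasks/main.yml`, which is presumably why the error has not surfaced). The `Openvpn entry` rule hard-codes `destination_port: 443` while the server now listens on `{{ openvpn_server_port }}`, and the rule commented `sshd port` actually opens port 80 — both need correcting before the file is wired back in. `become: yes` on every task should be `become: true`, and the tasks lack `name:` fields. The last comment's `-s 10.69.0.24` is missing the `/` — the VPN subnet is written `10.69.0.0/24` elsewhere in this change.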
diff --git a/roles/servers/apps/openvpn/templates/client.conf.j2 b/roles/servers/apps/openvpn/templates/client.conf.j2
index b0fb82d8..b24f77f8 100644
--- a/roles/servers/apps/openvpn/templates/client.conf.j2
+++ b/roles/servers/apps/openvpn/templates/client.conf.j2
@@ -1,13 +1,26 @@
client
-tls-client
ca ca.crt
cert client.crt
key client.pem
-tls-auth tls.key 1
+
+tls-crypt tls.key 0
+auth SHA256
+auth-nocache
+cipher AES-128-GCM
+tls-client
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+
proto tcp
-remote {{ common_name }} 443 tcp
+remote {{ openvpn_certs_common_name }} {{ openvpn_server_port }} tcp
dev tun
#topology subnet
pull
+
+# verify-x509-name {{ openvpn_certs_common_name }} name
+
+persist-key
+persist-tun
+
user nobody
group nobody
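Review bot: The client still has no `remote-cert-tls server` directive and `verify-x509-name` stays commented out, so the client accepts any certificate signed by the CA — including another client's — as the server, which lets one VPN user impersonate the gateway to another. The server certificate is generated with `extended_key_usage: serverAuth` and the clients with `clientAuth`, so `remote-cert-tls server` can be added as-is; `verify-x509-name {{ openvpn_certs_common_name }} name` can follow once the server CN is unique. `tls-crypt tls.key 0` carries a key-direction argument that `tls-crypt` appears to ignore (its keys are bidirectional); drop the trailing `0` here and in `server.conf.j2`.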
diff --git a/roles/servers/apps/openvpn/templates/server.conf.j2 b/roles/servers/apps/openvpn/templates/server.conf.j2
index afab8c74..9dc06c21 100644
--- a/roles/servers/apps/openvpn/templates/server.conf.j2
+++ b/roles/servers/apps/openvpn/templates/server.conf.j2
@@ -1,5 +1,5 @@
#change with your port
-port 443
+port {{ openvpn_server_port }}
#You can use udp or tcp
proto tcp
@@ -8,19 +8,30 @@ proto tcp
dev tun
#Certificate Configuration
-tls-auth {{ ssl_path }}/tls.key 0
+# tls-auth {{ openvpn_ssl_path }}/tls.key 0
+
+dh none
+ecdh-curve prime256v1
+tls-crypt {{ openvpn_ssl_path }}/tls.key 0
+auth SHA256
+cipher AES-128-GCM
+ncp-ciphers AES-128-GCM
+tls-server
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+
#ca certificate
-ca {{ ssl_path }}/ca.crt
+ca {{ openvpn_ca_cert_path }}/ca.crt
#Server Certificate
-cert {{ ssl_path }}/server.crt
+cert {{ openvpn_server_cert_path }}/server.crt
#Server Key and keep this is secret
-key {{ ssl_path }}/server.pem
+key {{ openvpn_server_cert_path }}/server.pem
#See the size a dh key in /etc/openvpn/keys/
-dh {{ ssl_path }}/dhparams.pem
+#dh {{ openvpn_ssl_path }}/dhparams.pem
#Internal IP will get when already connect
server 10.69.0.0 255.255.255.0
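Review bot: `ncp-ciphers AES-128-GCM` is the pre-2.5 name for `data-ciphers`; current releases accept it with a deprecation warning, and `cipher AES-128-GCM` beside it is redundant once negotiation is in effect — confirm against the installed OpenVPN version. `tls-crypt … tls.key 0` keeps a direction argument that `tls-crypt` does not consume; drop the `0`. The retained `# tls-auth` and `#dh` lines document the old mechanism only by absence; a comment such as `# tls-crypt replaces tls-auth; DH disabled in favour of ECDHE (prime256v1)` explains the switch better than the leftovers. Nothing visible in this hunk sets `remote-cert-tls client`; if it is not elsewhere in the template, add it so the server rejects a peer presenting the server certificate as a client.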
diff --git a/roles/servers/apps/vpn-gw/files/iptables b/roles/servers/apps/vpn-gw/files/iptables
new file mode 100644
index 00000000..f3b059d8
--- /dev/null
+++ b/roles/servers/apps/vpn-gw/files/iptables
@@ -0,0 +1,16 @@
+*filter
+:INPUT ACCEPT [64:3539]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [61:7684]
+-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o tun0 -j ACCEPT
+-A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o tun0 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [2:311]
+:INPUT ACCEPT [1:107]
+:OUTPUT ACCEPT [1:520]
+:POSTROUTING ACCEPT [1:520]
+-A POSTROUTING -o tun0 -j MASQUERADE
+COMMIT
diff --git a/roles/servers/apps/vpn-gw/files/iptables-vpn b/roles/servers/apps/vpn-gw/files/iptables-vpn
new file mode 100644
index 00000000..0f76ed90
--- /dev/null
+++ b/roles/servers/apps/vpn-gw/files/iptables-vpn
@@ -0,0 +1,25 @@
+# Generated by iptables-save v1.8.10 on Thu Nov 7 16:07:43 2024
+*nat
+:PREROUTING ACCEPT [2:120]
+:INPUT ACCEPT [2:120]
+:OUTPUT ACCEPT [2:101]
+:POSTROUTING ACCEPT [2:101]
+-A POSTROUTING -o tun0 -j MASQUERADE
+-A POSTROUTING -s 10.69.0.0/24 -o eth0 -j MASQUERADE
+-A POSTROUTING -s 10.69.0.0/24 -o eth1 -j MASQUERADE
+-A POSTROUTING -s 10.69.0.0/24 -o enp1s0 -j MASQUERADE
+COMMIT
+# Completed on Thu Nov 7 16:07:43 2024
+# Generated by iptables-save v1.8.10 on Thu Nov 7 16:07:43 2024
+*filter
+:INPUT ACCEPT [323:32134]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [223:34702]
+-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o tun0 -j ACCEPT
+-A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth1 -o tun0 -j ACCEPT
+-A FORWARD -i tun0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i enp1s0 -o tun0 -j ACCEPT
+COMMIT
+# Completed on Thu Nov 7 16:07:43 2024
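Review bot: The ruleset sets the `filter` `INPUT` policy to `ACCEPT` with no `INPUT` rules, and the `vpn-gw` tasks stop firewalld before loading it, so applying this file leaves every listening service on the gateway reachable from all interfaces. Set `:INPUT DROP [0:0]`, add `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` and `-A INPUT -i lo -j ACCEPT`, and explicitly accept SSH and the OpenVPN port. The `-A FORWARD -i eth0 -o tun0 -j ACCEPT` rules (and their eth1/enp1s0 twins) forward any LAN traffic into the tunnel, which is the gateway's purpose, but a comment stating that intent would help. The sibling `files/iptables` is not referenced by any task in this change and differs from this file only by the enp1s0 rules; remove it or document which one is canonical.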
diff --git a/roles/servers/apps/vpn-gw/handlers/main.yml b/roles/servers/apps/vpn-gw/handlers/main.yml
new file mode 100644
index 00000000..694c6fb1
--- /dev/null
+++ b/roles/servers/apps/vpn-gw/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart_iptables
+ service:
+ name: iptables
+ state: restarted
diff --git a/roles/servers/apps/vpn-gw/tasks/main.yml b/roles/servers/apps/vpn-gw/tasks/main.yml
new file mode 100644
index 00000000..84bb411f
--- /dev/null
+++ b/roles/servers/apps/vpn-gw/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+# dnf install -y iptables-services
+
+# sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
+# sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+# sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
+
+# sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
+# sudo iptables -A FORWARD -i nordlynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+# sudo iptables -A FORWARD -i eth0 -o nordlynx -j ACCEPT
+
+# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+# iptables-save > /etc/sysconfig/iptables
+# systemctl enable iptables
+
+- name: Disable and stop firewalld
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: false
+ ignore_errors: true
+ loop:
+ - firewalld
+ - nftables
+
+- name: Install iptables-services
+ dnf:
+ name: "iptables-services"
+ state: present
+
+
+- name: Allow ip forwarding for tun network
+ lineinfile:
+ path: /etc/sysctl.conf
+ line: "{{ item }}"
+ loop:
+ - "net.ipv4.ip_forward=1"
+ register: sysctl_changes
+
+- name: Reload sysctl
+ shell: sysctl -p
+ when: sysctl_changes.changed
+
+- name: Configure iptables files
+ notify: restart_iptables
+ copy:
+ src: "files/iptables-vpn"
+ dest: "/etc/sysconfig/iptables"
+ mode: 0664
+ backup: true
+
+- name: Enable service iptables
+ systemd:
+ name: iptables
+ enabled: true
+ state: started
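Review bot: `Allow ip forwarding for tun network` appends `net.ipv4.ip_forward=1` to `/etc/sysctl.conf` with `lineinfile` and then shells out to `sysctl -p`; the `ansible.posix.sysctl` module does both idempotently — `name: net.ipv4.ip_forward`, `value: "1"`, `sysctl_set: true`, `reload: true` — and avoids appending a duplicate when the key is already present in a different spelling. `ignore_errors: true` on the firewalld/nftables stop task hides every failure, not just a missing unit; `failed_when: false` states the intent, or check `ansible_facts.services` first. `mode: 0664` on `/etc/sysconfig/iptables` makes the rules file group-writable; `"0600"` (quoted) matches what `iptables-save` produces. The role forces the policy file onto the host, so a comment noting that local firewall edits are overwritten on every run would be useful.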
diff --git a/roles/servers/bootstrap/defaults/main.yml b/roles/servers/bootstrap/defaults/main.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/roles/servers/bootstrap/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/servers/bootstrap/tasks/main.yml b/roles/servers/bootstrap/tasks/main.yml
new file mode 100644
index 00000000..a00261f4
--- /dev/null
+++ b/roles/servers/bootstrap/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- import_tasks: user.yml
+- import_tasks: ssh_keys.yml
diff --git a/roles/servers/bootstrap/tasks/ssh_keys.yml b/roles/servers/bootstrap/tasks/ssh_keys.yml
new file mode 100644
index 00000000..64e26be9
--- /dev/null
+++ b/roles/servers/bootstrap/tasks/ssh_keys.yml
@@ -0,0 +1,12 @@
+---
+- name: Copy ssh pub key
+ template:
+ src: "{{ ssh_keys_path }}/servers/id_rsa.pub"
+ dest: "~/.ssh/authorized_keys"
+ mode: 0600
+ backup: true
+ become: true
+ become_user: "{{ item }}"
+ with_items:
+ - "{{ user_name }}"
+ # - root
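Review bot: `Copy ssh pub key` overwrites the whole `~/.ssh/authorized_keys` of `{{ user_name }}` with a single key, discarding any key already present, and fails outright if `~/.ssh` does not yet exist. `ansible.posix.authorized_key` manages individual keys and creates the directory with the right ownership, and the `backup: true` copies of old `authorized_keys` files are better avoided. `user_name` and `ssh_keys_path` are not defined in this role (`user.yml` is empty), so presumably they come from inventory or group vars — a `defaults/main.yml` entry or a comment naming the expected source would make the role self-describing. The pub key is pushed through `template`, which would try to render any `{{` in the key comment; the module below avoids that.
```yaml
- name: Copy ssh pub key
  ansible.posix.authorized_key:
    user: "{{ item }}"
    key: "{{ lookup('file', ssh_keys_path ~ '/servers/id_rsa.pub') }}"
    state: present
  with_items:
    - "{{ user_name }}"
```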
diff --git a/roles/servers/bootstrap/tasks/user.yml b/roles/servers/bootstrap/tasks/user.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/roles/servers/bootstrap/tasks/user.yml
@@ -0,0 +1 @@
+---