Rocky support and other proposals #170
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 9 commits
December 23, 2021 14:33
But its config directory is not in the right place.
Create one in "{{ openvpn_base_dir }}/auth".
- Suppor password protected private key
- set "udp4" if dual stack not enabled
kyl191
requested changes
Dec 24, 2021
|
|
||
| Ubuntu precise has a [weird bug](https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1002078) that might make the iptables-persistent install fail. There is a [workaround](https://forum.linode.com/viewtopic.php?p=58233#p58233). | ||
|
|
||
| # Support Notes/Expectations | ||
| I personally use this role to manage OpenVPN on CentOS 8. I try to keep the role on that platform fully functional with the default config. | ||
| Please recognise that I am a single person, and I have a full time job and other commitments. | ||
| Please recognise that I am a single person, and I have a full time job and other commitments. This initial role was extended to support Rocky Linux 8. |
| | openvpn_ca_key | dict | | `unset` | Contain "crt" and "key". If not set, CA cert and key will be automatically generated on the target system. | | ||
| | openvpn_cipher | string | | AES-256-CBC | Set `cipher` option for server and client. | | ||
| | openvpn_cipher | string | | AES-256-GCM | Set `cipher` option for server and client. AES-256-GCM is more secure than AES-256-CBC. So it is set by default. | |
There was a problem hiding this comment.
+1 on changing the default to GCM, but you can drop the comment change.
| @@ -14,13 +14,13 @@ openvpn_redirect_gateway: true | |||
| openvpn_resolv_retry: 5 | |||
| openvpn_server_hostname: "{{ inventory_hostname }}" | |||
| openvpn_server_netmask: 255.255.255.0 | |||
| openvpn_server_network: 10.9.0.0 | |||
| openvpn_server_network: 192.168.254.0 | |||
| - name: Fail on no firewall detected | ||
| fail: | ||
| msg: "No firewall detected, install one before proceeding (firewalld||ufw||iptables)" | ||
| - name: Install firewalld if no firewall detected |
There was a problem hiding this comment.
Remove this - firewall has impact on other parts of the system beyond OpenVPN, it's more appropriate to have this as a task in the ansible file that includes the playbook.
| when: firewalld.rc != 0 and ufw.rc != 0 and iptables.rc != 0 | ||
|
|
||
| - name: Check for firewalld | ||
| shell: command -v firewall-cmd |
There was a problem hiding this comment.
just an fyi - which is used earlier because it's an external binary, it doesn't require shell
| {% endif %} | ||
| dev tun | ||
|
|
||
| {% if ca_chain is defined %} |
| @@ -7,11 +7,16 @@ port {{ openvpn_port }} | |||
| {% if openvpn_dualstack %} | |||
| proto {{ openvpn_proto }}6 | |||
| {% else %} | |||
| proto {{ openvpn_proto }} | |||
| proto {{ openvpn_proto }}4 | |||
There was a problem hiding this comment.
Why add 4 here? Set openvpn_proto to 4 instead?
| @@ -110,6 +115,8 @@ management-client-user {{ openvpn_management_client_user }} | |||
| ### LDAP AUTH ### | |||
| {% if ansible_os_family == 'Debian' %} | |||
| plugin /usr/lib/openvpn/openvpn-auth-ldap.so "{{ openvpn_base_dir }}/auth/ldap.conf" | |||
| {% elif ansible_machine == "x86_64" and ansible_distribution == "Rocky" %} | |||
| @@ -118,7 +125,7 @@ plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so "{{ openvpn_base_dir }}/ | |||
| {% if ldap.verify_client_cert is defined %} | |||
| verify-client-cert {{ ldap.verify_client_cert }} | |||
| {% else %} | |||
| client-cert-not-required | |||
There was a problem hiding this comment.
Can't you set ldap.verify_client_cert to require?
| @@ -5,7 +5,7 @@ openvpn_client_register_dns: true | |||
| openvpn_client_to_client: false | |||
| openvpn_custom_dns: [] | |||
| openvpn_dns_servers: [] | |||
| openvpn_dualstack: true | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi all,
It is my first contribution. So be cool :-)