kyl191 · Seb44800 · Dec 23, 2021 · Dec 23, 2021 · Dec 23, 2021 · Dec 23, 2021
diff --git a/README.md b/README.md
@@ -13,13 +13,14 @@ OSes in CI build:
 Note: I am providing code in the repository to you under an open source license. Because this is my personal repository, the license you receive to my code is from me and not my employer.
 
 # Requirements
-OpenVPN must be available as a package in yum/dnf/apt! For CentOS users, this role will run `yum install epel-release` to ensure openvpn is available.
+OpenVPN must be available as a package in yum/dnf/apt! 
+For CentOS/Rocky linux users, epel repository should be available (prerequisite).
 
 Ubuntu precise has a [weird bug](https://bugs.launchpad.net/ubuntu/+source/iptables-persistent/+bug/1002078) that might make the iptables-persistent install fail. There is a [workaround](https://forum.linode.com/viewtopic.php?p=58233#p58233).
 
 # Support Notes/Expectations
 I personally use this role to manage OpenVPN on CentOS 8. I try to keep the role on that platform fully functional with the default config.
-Please recognise that I am a single person, and I have a full time job and other commitments.
+Please recognise that I am a single person, and I have a full time job and other commitments. This initial role was extended to support Rocky Linux 8.
 
 Responses to any issues will be on a best effort basis on my part, including the possibility that I don't respond at all.
 Issues arising from use of the non-defaults (including any of the major community contributions) will be deprioritized.
@@ -87,8 +88,9 @@ These options change how OpenVPN itself works.
 | Variable                           | Type    | Choices     | Default     | Comment                                                                                                                                                         |
 |------------------------------------|---------|-------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | openvpn_auth_alg                   | string  |             | SHA256      | Set `auth` authentication algoritm.                                                                                                                             |
+| ca_chain                           | string  |             | `unset`     | Configure the Root CA Chain (openvpn CA should be an sub CA)                        |
 | openvpn_ca_key                     | dict    |             | `unset`     | Contain "crt" and "key". If not set, CA cert and key will be automatically generated on the target system.                                                      |
-| openvpn_cipher                     | string  |             | AES-256-CBC | Set `cipher` option for server and client.                                                                                                                      |
+| openvpn_cipher                     | string  |             | AES-256-GCM | Set `cipher` option for server and client. AES-256-GCM is more secure than AES-256-CBC. So it is set by default.                                                                                                                      |
 | openvpn_crl_path                   | string  |             | `unset`     | Define a path to the CRL file for server revocation check.                                                                                                      |
 | openvpn_duplicate_cn               | boolean | true, false | false       | Add `duplicate-cn` option to server config - this allows clients to connect multiple times with the one key. NOTE: client ip addresses won't be static anymore! |
 | openvpn_rsa_bits                   | int     |             | 2048        | Number of bits used to protect generated certificates                                                                                                           |
@@ -105,7 +107,7 @@ These options change how OpenVPN itself works.
 |------------------------------------|---------|-------------|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | openvpn_addl_client_options        | list    |             | empty                                            | List of user-defined client options that are not already present in the client template. (e.g. `- mssfix 1400`)                                                               |
 | openvpn_addl_server_options        | list    |             | empty                                            | List of user-defined server options that are not already present in the server template. (e.g. `- ping-timer-rem`)                                                            |
-| openvpn_compression                | string  |             | lzo                                              | Set `compress` compression option. Empty for no compression.                                                                                                                  |
+| openvpn_compression                | string  |             | empty                                            | Set `compress` compression option. Empty for no compression. Because of compression security vulnerabilities (see VORACLE), it desabled by default                                                                                                                |
 | openvpn_config_file                | string  |             | openvpn_{{ openvpn\_proto }}\_{{ openvpn_port }} | The config file name you want to use (set in vars/main.yml)                                                                                                                   |
 | openvpn_enable_management          | boolean | true, false | false                                            |                                                                                                                                                                               |
 | openvpn_ifconfig_pool_persist_file | string  |             | ipp.txt                                          |                                                                                                                                                                               |

diff --git a/defaults/main/openvpn.yml b/defaults/main/openvpn.yml
@@ -5,7 +5,7 @@ openvpn_client_register_dns: true
 openvpn_client_to_client: false
 openvpn_custom_dns: []
 openvpn_dns_servers: []
-openvpn_dualstack: true
+openvpn_dualstack: false
 openvpn_keepalive_ping: 5
 openvpn_keepalive_timeout: 30
 openvpn_port: 1194
@@ -14,13 +14,13 @@ openvpn_redirect_gateway: true
 openvpn_resolv_retry: 5
 openvpn_server_hostname: "{{ inventory_hostname }}"
 openvpn_server_netmask: 255.255.255.0
-openvpn_server_network: 10.9.0.0
+openvpn_server_network: 192.168.254.0
 openvpn_set_dns: true
 openvpn_tun_mtu:
 
 # Security
 openvpn_auth_alg: SHA256
-openvpn_cipher: AES-256-CBC
+openvpn_cipher: AES-256-GCM
 openvpn_duplicate_cn: false
 openvpn_rsa_bits: 2048
 openvpn_use_crl: false
@@ -34,7 +34,7 @@ openvpn_script_security: 1
 # Operations
 openvpn_addl_client_options: []
 openvpn_addl_server_options: []
-openvpn_compression: lzo
+openvpn_compression: ""
 openvpn_enable_management: false
 openvpn_ifconfig_pool_persist_file: ipp.txt
 openvpn_management_bind: /var/run/openvpn/management unix

diff --git a/tasks/config.yml b/tasks/config.yml
@@ -37,6 +37,15 @@
     mode: a+x
   when: openvpn_script_client_disconnect is defined
 
+- name: Ensure LDAP config directory exists
+  file:
+    path: "{{ openvpn_base_dir }}/auth"
+    state: directory
+    owner: root
+    group: root
+    mode: "0644"
+  when: openvpn_use_ldap
+
 - name: Install LDAP config
   template:
     src: ldap.conf.j2

diff --git a/tasks/firewall.yml b/tasks/firewall.yml
@@ -25,11 +25,19 @@
     msg: "Both FirewallD and UFW are detected, firewall situation is unknown"
   when: openvpn_firewall == 'auto' and firewalld.rc == 0 and ufw.rc == 0
 
-- name: Fail on no firewall detected
-  fail:
-    msg: "No firewall detected, install one before proceeding (firewalld||ufw||iptables)"
+- name: Install firewalld if no firewall detected
+  package:
+    name: firewalld
+    state: present
   when: firewalld.rc != 0 and ufw.rc != 0 and iptables.rc != 0
 
+- name: Check for firewalld
+  shell: command -v firewall-cmd
+  register: firewalld
+  check_mode: no
+  changed_when: false  # Never report as changed
+  failed_when: false
+
 - name: Add port rules (iptables)
   include: iptables.yml
   when: >-

diff --git a/tasks/install.yml b/tasks/install.yml
@@ -28,13 +28,13 @@
     state: present
   when:
     - openvpn_use_ldap
-    - ansible_distribution == "CentOS" and ansible_distribution_major_version != "8"
+#     - ansible_distribution == "CentOS" and ansible_distribution_major_version != "8"
 
-- name: Compile LDAP plugin
-  include_tasks: compile_ldap_plugin.yml
-  when:
-    - openvpn_use_ldap
-    - ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
+# - name: Compile LDAP plugin
+#   include_tasks: compile_ldap_plugin.yml
+#   when:
+#     - openvpn_use_ldap
+#     - ansible_distribution == "CentOS" and ansible_distribution_major_version == "8"
 
 # RHEL has the group 'nobody', 'Debian/Ubuntu' have 'nogroup'
 # standardize on 'nogroup'

diff --git a/tasks/server_keys.yml b/tasks/server_keys.yml
@@ -16,6 +16,13 @@
     - openssl-server.ext
     - openssl-ca.ext
 
+- name: Copy CA Chain
+  copy:
+    content: "{{ ca_chain }}"
+    dest: "{{ openvpn_key_dir }}/ca-chain.crt"
+    mode: 0444
+  when: ca_chain is defined
+
 - name: Copy CA key
   copy:
     content: "{{ openvpn_ca_key.key }}"
@@ -66,10 +73,12 @@
     mode: 0400
 
 - name: Sign server key
-  command: openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -CAcreateserial -extfile openssl-server.ext
+  command: "openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -CAcreateserial -extfile openssl-server.ext -passin pass:$certkeypass"
   args:
     chdir: "{{ openvpn_key_dir }}"
     creates: server.crt
+  environment: 
+    certkeypass: "{{ openvpn_ca_key.key_pwd }}"
 
 - name: Copy tls-auth key
   copy:
@@ -150,6 +159,8 @@
   args:
     chdir: "{{ openvpn_key_dir }}"
     creates: "{{ openvpn_key_dir }}/ca-crl.pem"
+  environment: 
+    certkeypass: "{{ openvpn_ca_key.key_pwd }}"
 
 - name: Install crl-cron script
   template:

diff --git a/tasks/set_facts.yml b/tasks/set_facts.yml
@@ -18,7 +18,7 @@
     (ansible_distribution == "Fedora" and ansible_distribution_version|int >= 27)
     or
     (
-      ( (ansible_distribution == "CentOS") or (ansible_distribution == "RedHat") )
+      ( ansible_distribution_file_variety | lower == "redhat" )
       and
       (ansible_distribution_version | int) >= 8
     )
@@ -30,7 +30,7 @@
     (ansible_distribution == "Fedora" and ansible_distribution_version|int >= 27)
     or
     (
-      (ansible_distribution == "CentOS" or ansible_distribution == "RedHat")
+      ( ansible_distribution_file_variety | lower == "redhat" )
       and
       (ansible_distribution_version | int) >= 8
     )
diff --git a/templates/ldap.conf.j2 b/templates/ldap.conf.j2
@@ -1,6 +1,6 @@
 <LDAP>
     # LDAP server URL
-    URL {{ ldap.url }}
+    URL ldap://{{ ldap.url }}
 
 {% if not ldap.anonymous_bind %}
     # Bind DN (If your LDAP server doesn't support anonymous binds)
@@ -56,7 +56,7 @@
     <Group>
         BaseDN "{{ ldap.group_base_dn }}"
         SearchFilter "{{ ldap.group_search_filter }}"
-        MemberAttribute uniqueMember
+        MemberAttribute "member"
         # Add group members to a PF table (disabled)
         #PFTable ips_vpn_eng
     </Group>

diff --git a/templates/revoke.sh.j2 b/templates/revoke.sh.j2
@@ -7,7 +7,7 @@ cd ${CADIR}
 
 gen_crl () {
   # regenerate the certificate revocation list
-  openssl ca -gencrl -config ca.conf -out ca-crl.pem
+  openssl ca -gencrl -config ca.conf -out ca-crl.pem -passin pass:$certkeypass
 }
 
 revoke () {

diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
@@ -7,11 +7,16 @@ port {{ openvpn_port }}
 {% if openvpn_dualstack %}
 proto {{ openvpn_proto }}6
 {% else %}
-proto {{ openvpn_proto }}
+proto {{ openvpn_proto }}4
 {% endif %}
 dev tun
 
+{% if ca_chain is defined %}
+ca {{ openvpn_key_dir }}/ca-chain.crt
+{% else %}
 ca {{ openvpn_key_dir }}/ca.crt
+{% endif %}
+
 cert {{ openvpn_key_dir }}/server.crt
 key {{ openvpn_key_dir }}/server.key
 dh {{ openvpn_key_dir }}/dh.pem
@@ -110,6 +115,8 @@ management-client-user {{ openvpn_management_client_user }}
 ### LDAP AUTH ###
 {% if ansible_os_family == 'Debian' %}
 plugin /usr/lib/openvpn/openvpn-auth-ldap.so "{{ openvpn_base_dir }}/auth/ldap.conf"
+{% elif ansible_machine == "x86_64" and ansible_distribution == "Rocky" %}
+plugin /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so "{{ openvpn_base_dir }}/auth/ldap.conf"
 {% elif ansible_machine == "x86_64" %}
 plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "{{ openvpn_base_dir }}/auth/ldap.conf"
 {% else %}
@@ -118,7 +125,7 @@ plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so "{{ openvpn_base_dir }}/
 {% if ldap.verify_client_cert is defined %}
 verify-client-cert {{ ldap.verify_client_cert }}
 {% else %}
-client-cert-not-required
+verify-client-cert require
 {% endif %}
 {% endif %}