OpenVPN Server - ghomem/legacy_puppet_infrastructure GitHub Wiki

OpenVPN Server

An OpenVPN server can be deployed with puppet_infrastructure in an easy and reproducible way. This is particularly useful for building multiple VPNs, for redundancy, that authenticate users who are already managed with Puppet.

Creating the necessary SSL material

First, we need to create the SSL-related files:

MYDIR=openvpn-ssl
CADIR=$MYDIR/demoCA
mkdir $MYDIR
# 'openssl ca' expects the default demoCA layout: a newcerts directory, an index and a serial counter
mkdir -p $CADIR/newcerts
touch $CADIR/index.txt
echo 01 > $CADIR/serial
cd $MYDIR
# self-signed CA certificate and key (the key is left unencrypted, hence -nodes)
openssl req -new -x509 -nodes -keyout ca.key -out ca.crt -days 18250
# server key and certificate signing request
openssl req -new -nodes -keyout server.key -out server.csr
# sign the server CSR with the CA (demoCA/ is resolved relative to the current directory)
openssl ca -cert ca.crt -keyfile ca.key -in server.csr -batch -out server.crt -days 18250
# Diffie-Hellman parameters used by the TLS handshake
openssl dhparam -out dh2048.pem 2048

and store them at:

/etc/puppetlabs/puppet/extra_files/openvpn/keys/ca.crt
/etc/puppetlabs/puppet/extra_files/openvpn/keys/server.crt
/etc/puppetlabs/puppet/extra_files/openvpn/keys/server.key
/etc/puppetlabs/puppet/extra_files/openvpn/keys/dh2048.pem

We need to ensure that the puppet user can read those files by running:

sudo chown puppet:puppet /etc/puppetlabs/puppet/extra_files/openvpn/keys/*

Creating the node declaration

The typical node declaration for an instance that receives its IP via DHCP looks like this:

node 'vpn' {

  $client_dns_server = '8.8.8.8'

  include puppet_infrastructure::node_base
  include passwd_common

  $public_interface = $::networking['primary']

  class { 'puppet_infrastructure::network_dhcp': iface     => $public_interface }
  class { 'puppet_infrastructure::network_vpn' : wan_iface => $public_interface, openvpn_client_dns => $client_dns_server }

  firewall { '200 accept openvpn': proto => 'udp', dport => 1194, action => 'accept' }

}

The openvpn_client_dns parameter is optional. If it is not passed to the network_vpn class, name resolution is done by an internal caching nameserver running on the puppet node.

Configuring a client

In order to connect to the above described server an OpenVPN client will need:

  • the ca.crt file
  • one user+password combination that matches an entry of passwd_common (i.e. an existing ops user)
  • network access to the node machine at port 1194 UDP

The configuration can usually be done with the OS's built-in tools, such as the Network Manager applet on Linux. Nevertheless, here is a reference configuration file:

client
remote vpn.xyz.abc
ca "/path/to/ca.crt"
auth-user-pass
comp-lzo yes
dev tap
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody

This file might need fine tuning depending on the OS and version.
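As an added example (not part of this wiki or of the puppet_infrastructure module), the following Python script parses a client file like the one above and checks that it matches what this server expects: the ca file, user/password authentication, and the UDP/1194 endpoint opened by the firewall rule in the node declaration. The set of directives treated as required is this example's own assumption, taken from the client requirements listed above; the defaults it falls back on (port 1194, proto udp, script-security 1) are OpenVPN's own.

```python
"""Parse an OpenVPN client config and check it against the server described above."""
import shlex
from collections import defaultdict
DEFAULT_PORT, DEFAULT_PROTO = 1194, "udp"  # OpenVPN's own defaults for port/proto

# Constructed input: the reference client configuration from this page.
REFERENCE_CLIENT_CONFIG = """\
client
remote vpn.xyz.abc
ca "/path/to/ca.crt"
auth-user-pass
comp-lzo yes
dev tap
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
"""

def parse_openvpn_config(text):
    """Return {directive: [args, ...]}; directives may repeat, so values are lists.
    Comment lines start with '#' or ';'; quoted arguments are honoured via shlex."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives[parts[0]].append(parts[1:])
    return directives

def check_client_config(text, server_port=1194, server_proto="udp"):
    """Return findings (empty when the client config matches the server's requirements)."""
    cfg = parse_openvpn_config(text)
    # Assumed required set: from the client requirements listed on this page plus auth-nocache.
    findings = [f"missing directive: {d}" for d in ("client", "remote", "ca", "auth-user-pass", "auth-nocache") if d not in cfg]
    # 'remote host [port] [proto]' overrides the global 'port'/'proto' directives.
    for args in cfg.get("remote", []):
        port = int(args[1]) if len(args) > 1 else int(cfg.get("port", [[DEFAULT_PORT]])[0][0])
        proto = args[2] if len(args) > 2 else cfg.get("proto", [[DEFAULT_PROTO]])[0][0]
        if port != server_port or not proto.startswith(server_proto):
            findings.append(f"remote {args[0]} uses {proto}/{port}, but the firewall only allows {server_proto}/{server_port}")
    # script-security 3 hands the username/password to external scripts via environment variables.
    level = int(cfg["script-security"][0][0]) if "script-security" in cfg else 1
    if level > 2:
        findings.append(f"script-security {level} exposes the VPN credentials to external scripts")
    return findings
```

Running check_client_config on a file that fails to connect points at the mismatch (for instance a remote line forcing TCP or a port other than 1194) before the server logs are consulted.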