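---
# OpenVPN server tasks: install the package, deploy the PKI material
# (CA, DH parameters, CRL, per-host certificate and key) and the server
# config, then enable IP forwarding and NAT through ufw.
# The handlers "restart openvpn" and "restart ufw" are defined outside
# this file. Module arguments use native block YAML rather than
# key=value strings so quoting is explicit and booleans are real booleans.

- name: install openvpn
  apt:
    name: openvpn
    # `latest` re-upgrades the package on every run; switch to `present`
    # if runs must be reproducible and upgrades are managed elsewhere.
    state: latest

- name: copy root certificate
  copy:
    src: ca.crt
    dest: /etc/openvpn/ca.crt
  notify: restart openvpn

- name: copy dh parameters
  copy:
    src: dh4096.pem
    dest: /etc/openvpn/dh4096.pem
  notify: restart openvpn

- name: copy server config
  copy:
    src: server.conf
    dest: /etc/openvpn/server.conf
  notify: restart openvpn

- name: copy crl
  copy:
    src: crl.pem
    dest: /etc/openvpn/crl.pem
  # restart (not reload) so sessions of already-connected clients are
  # terminated and the new CRL is enforced for every connection
  notify: restart openvpn

- name: copy server certificate
  copy:
    src: "host_files/{{ inventory_hostname }}/etc/openvpn/server.crt"
    dest: /etc/openvpn/server.crt
  notify: restart openvpn

- name: copy server key
  copy:
    src: "host_files/{{ inventory_hostname }}/etc/openvpn/server.key"
    dest: /etc/openvpn/server.key
    # private key must not be readable by other users; quoted so YAML
    # keeps the leading zero instead of parsing an integer
    mode: "0600"
  notify: restart openvpn

- name: enable ip forwarding
  sysctl:
    name: net.ipv4.ip_forward
    # quoted: the module compares the string value written to sysctl.conf
    value: "1"
    sysctl_set: true
    state: present
    reload: true

- name: firewall - update default forward policy
  lineinfile:
    dest: /etc/default/ufw
    regexp: '^DEFAULT_FORWARD_POLICY'
    # single-quoted so the inner double quotes reach the file unchanged
    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
  notify: restart ufw

# The VPN subnet and egress interface below are hard-coded; they must
# match the `server` directive in server.conf and the host's uplink.
- name: firewall - add NAT rules
  blockinfile:
    dest: /etc/ufw/before.rules
    # the *nat table has to come before the *filter table ufw writes
    insertbefore: BOF
    block: |
      # NAT table rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      # Allow traffic from OpenVPN client to eth0
      -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
      COMMIT
  notify: restart ufw

- name: firewall - allow openvpn
  ufw:
    rule: allow
    # quoted: the ufw module takes the port as a string
    port: "1194"
    proto: udp
  notify: restart ufw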