REFERENCE.md

File metadata and controls

1600 lines (839 loc) · 28.3 KB

Reference

Table of Contents

Classes

Defined types

Classes

openvpn

This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files

Examples

class { 'openvpn':
  autostart_all => true,
}

Parameters

The following parameters are available in the openvpn class.

autostart_all

Data type: Boolean

Whether openvpn instances should be started automatically on boot.

manage_service

Data type: Boolean

Whether the openvpn service should be managed by puppet.

etc_directory

Data type: Stdlib::Absolutepath

Path of the configuration directory.

group

Data type: String[1]

File group of the generated config files.

link_openssl_cnf

Data type: Boolean

Link easy-rsa/openssl.cnf to easy-rsa/openssl-1.0.0.cnf

pam_module_path

Data type: Optional[Stdlib::Absolutepath]

Path to openvpn-auth-pam.so

namespecific_rclink

Data type: Boolean

Enable name-specific rc links (BSD-style).

default_easyrsa_ver

Data type: Pattern[/^[23]\.0$/]

Expected version of easyrsa.

easyrsa_source

Data type: Stdlib::Unixpath

Location of easyrsa.

additional_packages

Data type: Variant[String[1], Array[String[1]]]

Additional packages to install.

ldap_auth_plugin_location

Data type: Optional[Stdlib::Absolutepath]

Path to the LDAP authentication plugin module.

client_defaults

Data type: Hash

Hash of defaults for clients passed to openvpn::client defined type.

Default value: {}

clients

Data type: Hash

Hash of clients passed to openvpn::client defined type.

Default value: {}

client_specific_config_defaults

Data type: Hash

Hash of defaults for client specific configurations passed to openvpn::client_specific_config defined type.

Default value: {}

client_specific_configs

Data type: Hash

Hash of client specific configurations passed to openvpn::client_specific_config defined type.

Default value: {}

revoke_defaults

Data type: Hash

Hash of defaults for revokes passed to openvpn::revoke defined type.

Default value: {}

revokes

Data type: Hash

Hash of revokes passed to openvpn::revoke defined type.

Default value: {}

server_defaults

Data type: Hash

Hash of defaults for servers passed to openvpn::server defined type.

Default value: {}

servers

Data type: Hash

Hash of servers passed to openvpn::server defined type.

Default value: {}

openvpn::config

This class sets up the openvpn environment as well as the default config file.

openvpn::deploy::install

Installs the Openvpn profile

openvpn::deploy::prepare

Base profile

Examples

include openvpn::deploy::prepare

Parameters

The following parameters are available in the openvpn::deploy::prepare class.

etc_directory

Data type: Stdlib::Absolutepath

Path of the configuration directory.

openvpn::deploy::service

Base profile

openvpn::install

This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files

openvpn::service

This class maintains the openvpn service.

Defined types

openvpn::ca

This define creates the OpenVPN CA and SSL certificates.

Examples

openvpn::ca { 'contractors':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
}

Parameters

The following parameters are available in the openvpn::ca defined type.

country

Data type: String

Country to be used for the SSL certificate

province

Data type: String

Province to be used for the SSL certificate

city

Data type: String

City to be used for the SSL certificate

organization

Data type: String

Organization to be used for the SSL certificate

email

Data type: String

Email address to be used for the SSL certificate

common_name

Data type: String

Common name to be used for the SSL certificate

Default value: 'server'

group

Data type: Optional[String]

Group to drop privileges to after startup

Default value: undef

ssl_key_size

Data type: Integer

Length of SSL keys (in bits) generated by this module.

Default value: 2048

key_expire

Data type: Integer

The number of days to certify the server certificate for

Default value: 3650

ca_expire

Data type: Integer

The number of days to certify the CA certificate for

Default value: 3650

key_name

Data type: String

Value for name_default variable in openssl.cnf and KEY_NAME in vars

Default value: ''

key_ou

Data type: String

Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars

Default value: ''

key_cn

Data type: String

Value for commonName_default variable in openssl.cnf and KEY_CN in vars

Default value: ''

tls_auth

Data type: Boolean

Determines whether a tls-auth key is generated.

Default value: false

crl_days

Data type: Integer

Number of days the generated CRL is valid for.

Default value: 30

openvpn::client

This define creates client certs for a specified server as well as a tarball that can be directly imported into clients

Examples

openvpn::client { 'my_user':
  server      => 'contractors',
  remote_host => 'vpn.mycompany.com',
}

Parameters

The following parameters are available in the openvpn::client defined type.

server

Data type: String

Name of the corresponding openvpn endpoint

compression

Data type: Enum['comp-lzo', '']

Which compression algorithm to use

Default value: 'comp-lzo'

dev

Data type: Enum['tap', 'tun']

Device type (tun or tap)

Default value: 'tun'

mute

Data type: Integer

Set log mute level

Default value: 20

mute_replay_warnings

Data type: Boolean

Silence duplicate packet warnings (common on wireless networks)

Default value: true

nobind

Data type: Boolean

Whether or not to bind to a specific port number

Default value: true

persist_key

Data type: Boolean

Try to retain access to resources that may be unavailable because of privilege downgrades

Default value: true

persist_tun

Data type: Boolean

Try to retain access to resources that may be unavailable because of privilege downgrades

Default value: true

port

Data type: String

The port the openvpn server service is running on

Default value: '1194'

proto

Data type: Enum['tcp','udp']

What IP protocol is being used.

Default value: 'tcp'

remote_host

Data type: Variant[String, Array[String]]

The IP or hostname of the openvpn server service.

Default value: $::fqdn

cipher

Data type: String

Cipher to use for packet encryption

Default value: 'AES-256-CBC'

tls_cipher

Data type: String

TLS Ciphers to use

Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'

resolv_retry

Data type: String

How many seconds the openvpn client should keep trying to resolve the server's hostname ('infinite' retries indefinitely).

Default value: 'infinite'

auth_retry

Data type: Enum['none', 'nointeract', 'interact']

Controls how OpenVPN responds to username/password verification errors such as the client-side response to an AUTH_FAILED message from the server or verification failure of the private key password.

Default value: 'none'

verb

Data type: String

Level of logging verbosity

Default value: '3'

pam

Data type: Boolean

DEPRECATED: Boolean, Enable/Disable.

Default value: false

authuserpass

Data type: Boolean

Set if a username and password are required.

Default value: false

tls_auth

Data type: Boolean

Activates tls-auth to add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. This has to be set to the same value as on the server.

Default value: false

x509_name

Data type: Optional[String]

Common name of openvpn server to make an x509-name verification

Default value: undef

setenv

Data type: Hash

Set a custom environment variable name=value to pass to scripts.

Default value: {}

setenv_safe

Data type: Hash

Set a custom environment variable OPENVPN_name=value to pass to scripts. This directive is designed to be pushed by the server to clients, and the prepending of "OPENVPN_" to the environment variable name is a safety precaution to prevent an LD_PRELOAD-style attack from a malicious or compromised server.

Default value: {}

up

Data type: String

Script to run when the openvpn client is connecting

Default value: ''

down

Data type: String

Script to run when the openvpn client is disconnecting

Default value: ''

sndbuf

Data type: Optional[Integer]

Set the TCP/UDP socket send buffer size.

Default value: undef

rcvbuf

Data type: Optional[Integer]

Set the TCP/UDP socket receive buffer size.

Default value: undef

shared_ca

Data type: Optional[String]

The name of an openvpn::ca resource to use.

Default value: undef

custom_options

Data type: Hash

Hash of additional options that you want to append to the configuration file.

Default value: {}

expire

Data type: Optional[Integer]

Set a custom expiry time to pass to script. Value is the number of days the certificate is valid for.

Default value: undef

readme

Data type: Optional[String]

Text to place in a README file which is included in download-configs archive.

Default value: undef

pull

Data type: Boolean

Allow the server to push options such as DNS servers or routes

Default value: false

server_extca_enabled

Data type: Boolean

Turn this on if you are using an external CA solution, like FreeIPA. Use this in combination with exported resources, since they do not have access to the server config.

Default value: false

ns_cert_type

Data type: Boolean

Enable or disable use of ns-cert-type. Deprecated in OpenVPN 2.4 and replaced by remote-cert-tls.

Default value: true

remote_cert_tls

Data type: Boolean

Enable or disable use of remote-cert-tls used with client configuration

Default value: false

openvpn::client_specific_config

This feature is explained in the OpenVPN HOWTO: http://openvpn.net/index.php/open-source/documentation/howto.html#policy All the parameters are explained in that section of the OpenVPN documentation.

Examples

openvpn::client_specific_config { 'vpn_client':
  server       => 'contractors',
  iroute       => ['10.0.1.0 255.255.255.0'],
  ifconfig     => '10.10.10.1 10.10.10.2',
  dhcp_options => ['DNS 8.8.8.8'],
}

Parameters

The following parameters are available in the openvpn::client_specific_config defined type.

server

Data type: String

Name of the corresponding openvpn endpoint

iroute

Data type: Array[String]

Array of iroute combinations.

Default value: []

iroute_ipv6

Data type: Array[String]

Array of IPv6 iroute combinations.

Default value: []

route

Data type: Array[String]

Array of route combinations pushed to client.

Default value: []

ifconfig

Data type: Variant[Boolean, String]

IP configuration to push to the client.

Default value: false

dhcp_options

Data type: Array[String]

DHCP options to push to the client.

Default value: []

redirect_gateway

Data type: Boolean

Redirect all traffic to gateway

Default value: false

ensure

Data type: Enum[present, absent]

Sets the client specific configuration file status (present or absent)

Default value: present

openvpn::deploy::client

Collect the exported configs for a host and ensure a running OpenVPN service.

Examples

openvpn::deploy::client { 'test-client':
  server => 'test_server',
}

Parameters

The following parameters are available in the openvpn::deploy::client defined type.

server

Data type: String

Which Openvpn::Server[$server] does the config belong to?

manage_etc

Data type: Boolean

Should the /etc/openvpn directory be managed? (Warning: all unmanaged files will be purged!)

Default value: true

openvpn::deploy::export

Prepare all OpenVPN client configs to be exported.

Examples

openvpn::deploy::export { 'test-client':
  server => 'test_server',
}

Parameters

The following parameters are available in the openvpn::deploy::export defined type.

server

Data type: String

Which Openvpn::Server[$server] does the config belong to?

tls_auth

Data type: Boolean

Should the ta* (tls-auth key) files be exported too?

Default value: false

openvpn::revoke

This define creates a revocation on a certificate for a specified server.

Examples

openvpn::client { 'my_user':
  server => 'contractors',
}
openvpn::revoke { 'my_user':
  server => 'contractors',
}

Parameters

The following parameters are available in the openvpn::revoke defined type.

server

Data type: String

Name of the corresponding openvpn endpoint

openvpn::server

This define creates the openvpn server instance which can run in server or client mode.

Examples

Example: install

openvpn::server { 'winterthur':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
  server       => '10.200.200.0 255.255.255.0',
}

Example: a server in client mode

file {
  '/etc/openvpn/zurich/keys/ca.crt':
    source => 'puppet:///path/to/ca.crt';
  '/etc/openvpn/zurich/keys/zurich.crt':
    source => 'puppet:///path/to/zurich.crt';
  '/etc/openvpn/zurich/keys/zurich.key':
    source => 'puppet:///path/to/zurich.key';
}
openvpn::server { 'zurich':
  remote  => [ 'mgmtnet3.nine.ch 1197', 'mgmtnet2.nine.ch 1197' ],
  require => [ File['/etc/openvpn/zurich/keys/ca.crt'],
               File['/etc/openvpn/zurich/keys/zurich.crt'],
               File['/etc/openvpn/zurich/keys/zurich.key'] ],
}

Parameters

The following parameters are available in the openvpn::server defined type.

country

Data type: Optional[String]

Country to be used for the SSL certificate, mandatory for server mode.

Default value: undef

province

Data type: Optional[String]

Province to be used for the SSL certificate, mandatory for server mode.

Default value: undef

city

Data type: Optional[String]

City to be used for the SSL certificate, mandatory for server mode.

Default value: undef

organization

Data type: Optional[String]

Organization to be used for the SSL certificate, mandatory for server mode.

Default value: undef

email

Data type: Optional[String]

Email address to be used for the SSL certificate, mandatory for server mode.

Default value: undef

remote

Data type: Optional[Array]

List of OpenVPN endpoints to connect to.

Default value: undef

common_name

Data type: String

Common name to be used for the SSL certificate

Default value: 'server'

compression

Data type: String

Which compression algorithm to use

Default value: 'comp-lzo'

dev

Data type: String

TUN/TAP virtual network device

Default value: 'tun0'

user

Data type: String

User to drop privileges to after startup

Default value: 'nobody'

group

Data type: Optional[String]

Group to drop privileges to after startup

Default value: undef

ipp

Data type: Boolean

Persist ifconfig information to a file to retain client IP addresses between sessions

Default value: false

duplicate_cn

Data type: Boolean

Allow multiple simultaneous connections using the same CN

Default value: false

local

Data type: String

Interface for openvpn to bind to.

Default value: $facts['ipaddress_eth0']

logfile

Data type: Variant[Boolean, String]

Logfile for this openvpn server

Default value: false

port

Data type: String

The port the openvpn server service is running on

Default value: '1194'

portshare

Data type: Optional[String]

The address and port to which non-OpenVPN requests shall be forwarded, e.g. 127.0.0.1 8443

Default value: undef

proto

Data type: Enum['tcp', 'udp']

What IP protocol is being used.

Default value: 'tcp'

status_log

Data type: String

Logfile for periodic dumps of the vpn service status

Default value: "/var/log/openvpn/${name}-status.log"

status_version

Data type: Enum['1', '2', '3', '']

Choose the status file format version number.

Default value: ''

server

Data type: String

Network to assign client addresses out of. Required in tun mode, not in tap mode

Default value: ''

server_ipv6

Data type: String

IPv6 network to assign client addresses out of

Default value: ''

server_bridge

Data type: String

Server configuration to comply with existing DHCP server

Default value: ''

push

Data type: Array

Options to push out to the client. This can include routes, DNS servers, DNS search domains, and many other options.

Default value: []

route

Data type: Array

Add route to routing table after connection is established. Multiple routes can be specified.

Default value: []

route_ipv6

Data type: Array

Add IPv6 route to routing table after connection is established. Multiple routes can be specified.

Default value: []

keepalive

Data type: String

Add keepalive directive (ping and ping-restart) to server. Should match the form "n m".

Default value: ''

ssl_key_size

Data type: Integer

Length of SSL keys (in bits) generated by this module.

Default value: 2048

topology

Data type: String

Define the network topology type

Default value: 'net30'

c2c

Data type: Boolean

Enable client to client visibility

Default value: false

tcp_nodelay

Data type: Boolean

Enable/disable the tcp-nodelay directive.

Default value: false

ccd_exclusive

Data type: Boolean

Enable/disable the ccd-exclusive directive.

Default value: false

pam

Data type: Boolean

Enable/disable PAM authentication.

Default value: false

pam_module_arguments

Data type: String

Arguments to pass to the PAM module. For FreeIPA, set this to "openvpn login USERNAME password PASSWORD" and create HBAC Service "openvpn".

Default value: 'login'

management

Data type: Boolean

Enable management interface

Default value: false

management_ip

Data type: String

IP address where the management interface will listen

Default value: 'localhost'

management_port

Data type: Variant[Stdlib::Port::Unprivileged,Enum['unix']]

Port where the management interface will listen

Default value: 7505

up

Data type: String

Script which we want to run when openvpn server starts

Default value: ''

down

Data type: String

Script which we want to run when openvpn server stops

Default value: ''

username_as_common_name

Data type: Boolean

If true then set username-as-common-name

Default value: false

client_cert_not_required

Data type: Boolean

If true then set client-cert-not-required

Default value: false

ldap_enabled

Data type: Boolean

Enable LDAP authentication; when true, the ldap_* parameters below are used to generate the ldap.conf.

Default value: false

ldap_server

Data type: String

URL of the LDAP server, e.g. ldap://URL:PORT

Default value: ''

ldap_binddn

Data type: String

LDAP DN to bind as

Default value: ''

ldap_bindpass

Data type: String

LDAP password for ldap_binddn

Default value: ''

ldap_u_basedn

Data type: String

Place in the LDAP tree to look for users

Default value: ''

ldap_u_filter

Data type: String

User SearchFilter for LDAP accounts

Default value: ''

ldap_g_basedn

Data type: String

Place in the LDAP tree to look for groups

Default value: ''

ldap_gmember

Data type: Boolean

If defined use group block in ldap.conf

Default value: false

ldap_g_filter

Data type: String

Group SearchFilter for LDAP accounts

Default value: ''

ldap_memberatr

Data type: String

Attribute for MemberAttribute. Used with the LDAP group filter.

Default value: ''

ldap_tls_enable

Data type: Boolean

Enable TLS for the LDAP authentication

Default value: false

ldap_tls_ca_cert_file

Data type: String

LDAP TLS authentication: path to the CA certificate.

Default value: ''

ldap_tls_ca_cert_dir

Data type: String

LDAP TLS authentication: path to the directory containing CA certificates.

Default value: ''

ldap_tls_client_cert_file

Data type: String

LDAP TLS authentication: path to the tls client certificate

Default value: ''

ldap_tls_client_key_file

Data type: String

LDAP TLS authentication: path to the tls client key

Default value: ''

verb

Data type: String

Level of logging verbosity

Default value: ''

cipher

Data type: String

Cipher to use for packet encryption

Default value: 'AES-256-CBC'

tls_cipher

Data type: String

TLS Ciphers to use

Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'

persist_key

Data type: Boolean

Try to retain access to resources that may be unavailable because of privilege downgrades

Default value: false

persist_tun

Data type: Boolean

Try to retain access to resources that may be unavailable because of privilege downgrades

Default value: false

key_expire

Data type: Integer

The number of days to certify the server certificate for

Default value: 3650

ca_expire

Data type: Integer

The number of days to certify the CA certificate for

Default value: 3650

key_name

Data type: String

Value for name_default variable in openssl.cnf and KEY_NAME in vars

Default value: ''

key_ou

Data type: String

Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars

Default value: ''

key_cn

Data type: String

Value for commonName_default variable in openssl.cnf and KEY_CN in vars

Default value: ''

tls_auth

Data type: Boolean

Activates tls-auth to Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.

Default value: false

tls_server

Data type: Boolean

If proto is not tcp, lets you choose whether the tls-server directive is set.

Default value: false

tls_client

Data type: Boolean

Allows you to set this server up as a tls-client connection.

Default value: false

server_poll_timeout

Data type: Optional[Integer]

Value for timeout before trying the next server.

Default value: undef

ping_timer_rem

Data type: Boolean

Do not start clocking timeouts until a remote peer connects.

Default value: false

sndbuf

Data type: Optional[Integer]

Set the TCP/UDP socket send buffer size.

Default value: undef

rcvbuf

Data type: Optional[Integer]

Set the TCP/UDP socket receive buffer size.

Default value: undef

shared_ca

Data type: Optional[String]

Name of an openvpn::ca resource whose CA and certificates this server should use.

Default value: undef

crl_verify

Data type: Boolean

Enable CRL checking. Disabling this is not recommended.

Default value: true

crl_auto_renew

Data type: Boolean

Enables automatic renewing of crl.pem.

Default value: false

crl_renew_schedule_period

Data type: String

Sets the "period" parameter of the schedule for renewing the CRL. Since changing the 30-day expiry is not possible with easy-rsa2, twice a month should be good.

Default value: 'monthly'

crl_renew_schedule_repeat

Data type: Integer

Sets the "repeat" parameter of the schedule for renewing the CRL. Since changing the 30-day expiry is not possible with easy-rsa2, twice a month should be good.

Default value: 2

extca_enabled

Data type: Boolean

Turn this on if you are using an external CA solution, like FreeIPA. Once enabled, you must configure the remaining extca_* parameters.

Default value: false

extca_ca_cert_file

Data type: Optional[String]

External CA: Path to the CA certificate.

Default value: undef

extca_ca_crl_file

Data type: Optional[String]

External CA: Path to the CA's CRL file. For FreeIPA-based CAs, CRLs expire every four hours, which means you may need your own solution for maintaining a local copy of your CA's CRL. Otherwise, you can set crl_verify to false (not recommended).

Default value: undef

extca_server_cert_file

Data type: Optional[String]

External CA: Path to the external CA issued OpenVPN server certificate.

Default value: undef

extca_server_key_file

Data type: Optional[String]

External CA: Path to the key file that corresponds to $extca_server_cert_file

Default value: undef

extca_dh_file

Data type: Optional[String]

External CA: Path to your Diffie-Hellman parameter file. You will need to create one yourself. Make sure the key size matches the public key size of your CA-issued server certificate, like this: openssl dhparam -out /path/to/dh.pem 2048. Note: this is only required if you are enabling $tls_server.

Default value: undef

extca_tls_auth_key_file

Data type: Optional[String]

External CA: If you are enabling $extca_enabled and $tls_auth, you will also need to create the tls-auth key file and specify its location here. The file can be created like this: openvpn --genkey --secret /path/to/ta.key. Note: you will need to distribute this file to your clients as well.

Default value: undef

autostart

Data type: Optional[Boolean]

Enable autostart for server if openvpn::autostart_all is false.

Default value: undef

ns_cert_type

Data type: Boolean

Enable or disable use of ns-cert-type for the session. Generally used with client configuration. Deprecated in OpenVPN 2.4 and replaced by remote-cert-tls.

Default value: true

remote_cert_tls

Data type: Boolean

Enable or disable use of remote-cert-tls for the session. Generally used with client configuration

Default value: false

nobind

Data type: Boolean

Whether or not to bind to a specific port number.

Default value: false

secret

Data type: Optional[String]

A pre-shared static key.

Default value: undef

custom_options

Data type: Hash

Hash of additional options to append to the configuration file.

Default value: {}

fragment

Data type: Variant[Boolean, Integer]

Enable internal datagram fragmentation (the fragment directive): the maximum UDP datagram size in bytes, or false to leave fragmentation disabled.

Default value: false
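Putting the server and client parameters above together, here is an added example (not part of the module's own reference) of a server using the module-managed CA with the control-channel and revocation protections enabled, plus a client whose TLS settings mirror it. The server name 'office', the client names, the hostname vpn.example.org and the organisation values are assumptions; the 10.200.200.0/24 range is taken from the install example above.

```puppet
# Added example, not from the module's own documentation.
class { 'openvpn':
  autostart_all => true,
}

openvpn::server { 'office':
  country         => 'CH',
  province        => 'ZH',
  city            => 'Winterthur',
  organization    => 'example.org',        # placeholder values
  email           => 'root@example.org',
  server          => '10.200.200.0 255.255.255.0',
  proto           => 'udp',
  port            => '1194',
  dev             => 'tun0',
  ssl_key_size    => 2048,
  tls_auth        => true,   # HMAC on the control channel; the client must match
  crl_verify      => true,   # reject revoked client certificates (default, kept explicit)
  crl_auto_renew  => true,   # keep crl.pem fresh, easy-rsa2 CRLs expire after 30 days
  remote_cert_tls => true,   # require peer certs issued for client use
  ns_cert_type    => false,  # deprecated in OpenVPN 2.4, superseded by remote_cert_tls
  duplicate_cn    => false,  # one session per certificate
  user            => 'nobody',
  group           => 'nogroup',
  persist_key     => true,   # needed after the privilege drop above
  persist_tun     => true,
  keepalive       => '10 120',
  management      => true,
  management_ip   => 'localhost',  # never expose the management socket
  management_port => 7505,
  logfile         => '/var/log/openvpn/office.log',
  verb            => '3',
  push            => ['dhcp-option DNS 10.200.200.1'],
}

# Client profile: tls_auth, proto and port must agree with the server,
# and x509_name pins the server's certificate common_name (default 'server').
openvpn::client { 'alice':
  server          => 'office',
  remote_host     => 'vpn.example.org',
  proto           => 'udp',
  port            => '1194',
  tls_auth        => true,
  remote_cert_tls => true,
  ns_cert_type    => false,
  x509_name       => 'server',
  pull            => true,   # accept pushed DNS/routes from the server
  expire          => 365,    # client certificate lifetime in days
}

# Revoking a previously issued client certificate (assumes an earlier
# openvpn::client { 'bob': server => 'office' } declaration).
openvpn::revoke { 'bob':
  server => 'office',
}
```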