Classes

openvpn: This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
openvpn::config: This class sets up the openvpn environment as well as the default config file
openvpn::deploy::install: Installs the Openvpn profile
openvpn::deploy::prepare: Base profile
openvpn::deploy::service: Base profile
openvpn::install: This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
openvpn::service: This class maintains the openvpn service.

Defined types

openvpn::ca: This define creates the openvpn ca and ssl certificates
openvpn::client: This define creates client certs for a specified server as well as a tarball that can be directly imported into clients
openvpn::client_specific_config: This feature is explained here: http://openvpn.net/index.php/open-source/documentation/howto.html#policy All the parameters are explained in
openvpn::deploy::client: Collect the exported configs for a host and ensure a running Openvpn service
openvpn::deploy::export: Prepare all Openvpn client configs to be exported
openvpn::revoke: This define creates a revocation on a certificate for a specified server.
openvpn::server: This define creates the openvpn server instance which can run in server or client mode.
openvpn

This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files

class { 'openvpn':
  autostart_all => true,
}

The following parameters are available in the openvpn class.
Data type: Boolean
Whether openvpn instances should be started automatically on boot.
Data type: Boolean
Whether the openvpn service should be managed by puppet.
Data type: Stdlib::Absolutepath
Path of the configuration directory.
Data type: String[1]
File group of the generated config files.
Data type: Boolean
Link easy-rsa/openssl.cnf to easy-rsa/openssl-1.0.0.cnf
Data type: Optional[Stdlib::Absolutepath]
Path to openvpn-auth-pam.so
Data type: Boolean
Enable name-specific rc links (BSD-style)
Data type: Pattern[/^[23]\.0$/]
Expected version of easyrsa.
Data type: Stdlib::Unixpath
Location of easyrsa.
Data type: Variant[String[1], Array[String[1]]]
Additional packages
Data type: Optional[Stdlib::Absolutepath]
Path to the ldap auth pam module
Data type: Hash
Hash of defaults for clients passed to openvpn::client defined type.
Default value: {}
Data type: Hash
Hash of clients passed to openvpn::client defined type.
Default value: {}
Data type: Hash
Hash of defaults for client specific configurations passed to openvpn::client_specific_config defined type.
Default value: {}
Data type: Hash
Hash of client specific configurations passed to openvpn::client_specific_config defined type.
Default value: {}
Data type: Hash
Hash of defaults for revokes passed to openvpn::revoke defined type.
Default value: {}
Data type: Hash
Hash of revokes passed to openvpn::revoke defined type.
Default value: {}
Data type: Hash
Hash of defaults for servers passed to openvpn::server defined type.
Default value: {}
Data type: Hash
Hash of servers passed to openvpn::server defined type.
Default value: {}
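The hash parameters above let one class declaration (or the equivalent Hiera data) create every openvpn::server and openvpn::client resource on a node. The following is an added example, not taken from the module's own documentation; the parameter names servers, server_defaults, clients and client_defaults are assumed from the descriptions above, and the hostnames and network are constructed.

```puppet
# Added example. The hash parameter names are assumed from the descriptions
# in this reference; hostnames and the VPN network are constructed values.
class { 'openvpn':
  autostart_all   => true,
  # Defaults merged into every openvpn::server entry below.
  server_defaults => {
    'proto'      => 'udp',
    'tls_auth'   => true,   # extra HMAC on the TLS control channel
    'crl_verify' => true,   # keep revocation checking on (the documented default)
  },
  servers         => {
    'winterthur' => {
      'country'      => 'CH',
      'province'     => 'ZH',
      'city'         => 'Winterthur',
      'organization' => 'example.org',
      'email'        => 'root@example.org',
      'server'       => '10.200.200.0 255.255.255.0',
    },
  },
  # Defaults merged into every openvpn::client entry below.
  client_defaults => {
    'server'      => 'winterthur',
    'remote_host' => 'vpn.example.org',
    'proto'       => 'udp',
    'tls_auth'    => true,   # must match the server's tls_auth setting
  },
  clients         => {
    'alice' => {},
    'bob'   => { 'remote_host' => 'vpn-backup.example.org' },
  },
}
```

Because tls_auth has to be the same on both sides, putting it in both default hashes keeps a newly added client from silently being generated without the HMAC key the server expects.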
openvpn::config

This class sets up the openvpn environment as well as the default config file.

openvpn::deploy::install

Installs the Openvpn profile.

openvpn::deploy::prepare

Base profile.

include openvpn::deploy::prepare

The following parameters are available in the openvpn::deploy::prepare class.

Data type: Stdlib::Absolutepath
Path of the configuration directory.

openvpn::deploy::service

Base profile.

openvpn::install

This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files.

openvpn::service

This class maintains the openvpn service.
openvpn::ca

This define creates the openvpn ca and ssl certificates

openvpn::ca { 'winterthur':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
}

The following parameters are available in the openvpn::ca defined type.
Data type: String
Country to be used for the SSL certificate
Data type: String
Province to be used for the SSL certificate
Data type: String
City to be used for the SSL certificate
Data type: String
Organization to be used for the SSL certificate
Data type: String
Email address to be used for the SSL certificate
Data type: String
Common name to be used for the SSL certificate
Default value: 'server'
Data type: Optional[String]
User to drop privileges to after startup
Default value: undef
Data type: Integer
Length of SSL keys (in bits) generated by this module.
Default value: 2048
Data type: Integer
The number of days to certify the server certificate for
Default value: 3650
Data type: Integer
The number of days to certify the CA certificate for
Default value: 3650
Data type: String
Value for name_default variable in openssl.cnf and KEY_NAME in vars
Default value: ''
Data type: String
Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
Default value: ''
Data type: String
Value for commonName_default variable in openssl.cnf and KEY_CN in vars
Default value: ''
Data type: Boolean
Determines whether a tls key is generated
Default value: false
Data type: Integer
Default value: 30
openvpn::client

This define creates client certs for a specified server as well as a tarball that can be directly imported into clients

openvpn::client { 'my_user':
  server      => 'contractors',
  remote_host => 'vpn.mycompany.com',
}

The following parameters are available in the openvpn::client defined type.
Data type: String
Name of the corresponding openvpn endpoint
Data type: Enum['comp-lzo', '']
Which compression algorithm to use
Default value: 'comp-lzo'
Data type: Enum['tap', 'tun']
Device method
Default value: 'tun'
Data type: Integer
Set log mute level
Default value: 20
Data type: Boolean
Silence duplicate packet warnings (common on wireless networks)
Default value: true
Data type: Boolean
Whether or not to bind to a specific port number
Default value: true
Data type: Boolean
Try to retain access to resources that may be unavailable because of privilege downgrades
Default value: true
Data type: Boolean
Try to retain access to resources that may be unavailable because of privilege downgrades
Default value: true
Data type: String
The port the openvpn server service is running on
Default value: '1194'
Data type: Enum['tcp','udp']
What IP protocol is being used.
Default value: 'tcp'
Data type: Variant[String, Array[String]]
The IP or hostname of the openvpn server service.
Default value: $::fqdn
Data type: String
Cipher to use for packet encryption
Default value: 'AES-256-CBC'
Data type: String
TLS Ciphers to use
Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
Data type: String
How many seconds should the openvpn client try to resolve the server's hostname
Default value: 'infinite'
Data type: Enum['none', 'nointeract', 'interact']
Controls how OpenVPN responds to username/password verification errors such as the client-side response to an AUTH_FAILED message from the server or verification failure of the private key password.
Default value: 'none'
Data type: String
Level of logging verbosity
Default value: '3'
Data type: Boolean
DEPRECATED: Boolean, Enable/Disable.
Default value: false
Data type: Boolean
Set if username and password required
Default value: false
Data type: Boolean
Activates tls-auth to add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. This has to be set to the same value as on the server.
Default value: false
Data type: Optional[String]
Common name of openvpn server to make an x509-name verification
Default value: undef
Data type: Hash
Set a custom environmental variable name=value to pass to script.
Default value: {}
Data type: Hash
Set a custom environmental variable OPENVPN_name=value to pass to script. This directive is designed to be pushed by the server to clients, and the prepending of "OPENVPN_" to the environmental variable is a safety precaution to prevent a LD_PRELOAD style attack from a malicious or compromised server.
Default value: {}
Data type: String
Script which we want to run when openvpn client is connecting
Default value: ''
Data type: String
Script which we want to run when openvpn client is disconnecting
Default value: ''
Data type: Optional[Integer]
Set the TCP/UDP socket send buffer size.
Default value: undef
Data type: Optional[Integer]
Set the TCP/UDP socket receive buffer size.
Default value: undef
Data type: Optional[String]
The name of an openssl::ca resource to use.
Default value: undef
Data type: Hash
Hash of additional options that you want to append to the configuration file.
Default value: {}
Data type: Optional[Integer]
Set a custom expiry time to pass to script. Value is the number of days the certificate is valid for.
Default value: undef
Data type: Optional[String]
Text to place in a README file which is included in download-configs archive.
Default value: undef
Data type: Boolean
Allow server to push options like dns or routes
Default value: false
Data type: Boolean
Turn this on if you are using an external CA solution, like FreeIPA. Use this in combination with exported resources, since they don't have access to the server config.
Default value: false
Data type: Boolean
Enable or disable use of ns-cert-type. Deprecated in OpenVPN 2.4 and replaced with remote-cert-tls
Default value: true
Data type: Boolean
Enable or disable use of remote-cert-tls used with client configuration
Default value: false
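A client declaration that uses the verification-related parameters described above (server name check, remote-cert-tls in place of the deprecated ns-cert-type, and tls-auth matching the server). This is an added example, not the module's own; every parameter name other than server and remote_host (proto, tls_auth, x509_name, ns_cert_type, remote_cert_tls, pull, cipher, readme, custom_options) is assumed from the descriptions in this reference, and the hostnames are constructed.

```puppet
# Added example. Parameter names beyond 'server' and 'remote_host' are assumed
# from the descriptions in this reference; hostnames are constructed.
openvpn::client { 'alice':
  server          => 'winterthur',
  remote_host     => 'vpn.example.org',
  proto           => 'udp',
  # Same value as on the server: extra HMAC on the TLS control channel.
  tls_auth        => true,
  # Only accept a peer whose certificate carries this common name
  # ('server' is the documented default common_name of openvpn::server) ...
  x509_name       => 'server',
  # ... and whose certificate was issued for server use. ns-cert-type is
  # deprecated in OpenVPN 2.4, so it is turned off in favour of remote-cert-tls.
  ns_cert_type    => false,
  remote_cert_tls => true,
  # Accept routes and DNS servers pushed by the server.
  pull            => true,
  # AEAD data-channel cipher instead of the documented AES-256-CBC default.
  cipher          => 'AES-256-GCM',
  # Text shipped inside the download-configs archive.
  readme          => 'Import alice.ovpn as-is; the bundled private key is personal.',
  # Extra directives appended verbatim to the client config.
  custom_options  => {
    'auth' => 'SHA256',
  },
}
```

Without x509_name or remote_cert_tls, any certificate signed by the same CA, including another client's, would be accepted as the server; the two checks together are what prevent a client certificate from being replayed as a server.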
openvpn::client_specific_config

This feature is explained here: http://openvpn.net/index.php/open-source/documentation/howto.html#policy All the parameters are explained in the openvpn documentation http://openvpn.net/index.php/open-source/documentation/howto.html#policy

openvpn::client_specific_config { 'vpn_client':
  server       => 'contractors',
  iroute       => ['10.0.1.0 255.255.255.0'],
  ifconfig     => '10.10.10.1 10.10.10.2',
  dhcp_options => ['DNS 8.8.8.8'],
}

The following parameters are available in the openvpn::client_specific_config defined type.
Data type: String
Name of the corresponding openvpn endpoint
Data type: Array[String]
Array of iroute combinations.
Default value: []
Data type: Array[String]
Array of IPv6 iroute combinations.
Default value: []
Data type: Array[String]
Array of route combinations pushed to client.
Default value: []
Data type: Variant[Boolean, String]
IP configuration to push to the client.
Default value: false
Data type: Array[String]
DHCP options to push to the client.
Default value: []
Data type: Boolean
Redirect all traffic to gateway
Default value: false
Data type: Enum[present, absent]
Sets the client specific configuration file status (present or absent)
Default value: present
openvpn::deploy::client

Collect the exported configs for a host and ensure a running Openvpn service

openvpn::deploy::client { 'test-client':
  server => 'test_server',
}

The following parameters are available in the openvpn::deploy::client defined type.
Data type: String
which Openvpn::Server[$server] does the config belong to?
Data type: Boolean
should the /etc/openvpn directory be managed? (warning, all unmanaged files will be purged!)
Default value: true
openvpn::deploy::export

Prepare all Openvpn client configs to be exported

openvpn::deploy::export { 'test-client':
  server => 'test_server',
}

The following parameters are available in the openvpn::deploy::export defined type.
Data type: String
which Openvpn::Server[$server] does the config belong to?
Data type: Boolean
should the ta* files be exported too?
Default value: false
openvpn::revoke

This define creates a revocation on a certificate for a specified server.

openvpn::client { 'my_user':
  server => 'contractors',
}

openvpn::revoke { 'my_user':
  server => 'contractors',
}

The following parameters are available in the openvpn::revoke defined type.
Data type: String
Name of the corresponding openvpn endpoint
openvpn::server

This define creates the openvpn server instance which can run in server or client mode.

openvpn::server { 'winterthur':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
  server       => '10.200.200.0 255.255.255.0',
}

file {
  '/etc/openvpn/zurich/keys/ca.crt':
    source => 'puppet:///path/to/ca.crt';
  '/etc/openvpn/zurich/keys/zurich.crt':
    source => 'puppet:///path/to/zurich.crt';
  '/etc/openvpn/zurich/keys/zurich.key':
    source => 'puppet:///path/to/zurich.key';
}

openvpn::server { 'zurich':
  remote  => [ 'mgmtnet3.nine.ch 1197', 'mgmtnet2.nine.ch 1197' ],
  require => [ File['/etc/openvpn/zurich/keys/ca.crt'],
               File['/etc/openvpn/zurich/keys/zurich.crt'],
               File['/etc/openvpn/zurich/keys/zurich.key'] ],
}

The following parameters are available in the openvpn::server defined type.
Data type: Optional[String]
Country to be used for the SSL certificate, mandatory for server mode.
Default value: undef
Data type: Optional[String]
Province to be used for the SSL certificate, mandatory for server mode.
Default value: undef
Data type: Optional[String]
City to be used for the SSL certificate, mandatory for server mode.
Default value: undef
Data type: Optional[String]
Organization to be used for the SSL certificate, mandatory for server mode.
Default value: undef
Data type: Optional[String]
Email address to be used for the SSL certificate, mandatory for server mode.
Default value: undef
Data type: Optional[Array]
List of OpenVPN endpoints to connect to.
Default value: undef
Data type: String
Common name to be used for the SSL certificate
Default value: 'server'
Data type: String
Which compression algorithm to use
Default value: 'comp-lzo'
Data type: String
TUN/TAP virtual network device
Default value: 'tun0'
Data type: String
Group to drop privileges to after startup
Default value: 'nobody'
Data type: Optional[String]
User to drop privileges to after startup
Default value: undef
Data type: Boolean
Persist ifconfig information to a file to retain client IP addresses between sessions
Default value: false
Data type: Boolean
Allow multiple connections on one cn
Default value: false
Data type: String
Interface for openvpn to bind to.
Default value: $facts['ipaddress_eth0']
Data type: Variant[Boolean, String]
Logfile for this openvpn server
Default value: false
Data type: String
The port the openvpn server service is running on
Default value: '1194'
Data type: Optional[String]
The address and port to which non-OpenVPN requests shall be forwarded, e.g. 127.0.0.1 8443
Default value: undef
Data type: Enum['tcp', 'udp']
What IP protocol is being used.
Default value: 'tcp'
Data type: String
Logfile for periodic dumps of the vpn service status
Default value: "/var/log/openvpn/${name}-status.log"
Data type: Enum['1', '2', '3', '']
Choose the status file format version number.
Default value: ''
Data type: String
Network to assign client addresses out of. Required in tun mode, not in tap mode
Default value: ''
Data type: String
IPv6 network to assign client addresses out of
Default value: ''
Data type: String
Server configuration to comply with existing DHCP server
Default value: ''
Data type: Array
Options to push out to the client. This can include routes, DNS servers, DNS search domains, and many other options.
Default value: []
Data type: Array
Add route to routing table after connection is established. Multiple routes can be specified.
Default value: []
Data type: Array
Add IPv6 route to routing table after connection is established. Multiple routes can be specified.
Default value: []
Data type: String
Add keepalive directive (ping and ping-restart) to server. Should match the form "n m".
Default value: ''
Data type: Integer
Length of SSL keys (in bits) generated by this module.
Default value: 2048
Data type: String
Define the network topology type
Default value: 'net30'
Data type: Boolean
Enable client to client visibility
Default value: false
Data type: Boolean
Enable/Disable.
Default value: false
Data type: Boolean
Enable/Disable.
Default value: false
Data type: Boolean
Enable/Disable.
Default value: false
Data type: String
Arguments to pass to the PAM module. For FreeIPA, set this to "openvpn login USERNAME password PASSWORD" and create HBAC Service "openvpn".
Default value: 'login'
Data type: Boolean
Enable management interface
Default value: false
Data type: String
IP address where the management interface will listen
Default value: 'localhost'
Data type: Variant[Stdlib::Port::Unprivileged,Enum['unix']]
Port where the management interface will listen
Default value: 7505
Data type: String
Script which we want to run when openvpn server starts
Default value: ''
Data type: String
Script which we want to run when openvpn server stops
Default value: ''
Data type: Boolean
If true then set username-as-common-name
Default value: false
Data type: Boolean
If true then set client-cert-not-required
Default value: false
Data type: Boolean
If true, enable LDAP authentication using the LDAP settings below
Default value: false
Data type: String
URL of LDAP server. ie. ldap://URL:PORT
Default value: ''
Data type: String
LDAP DN to bind as
Default value: ''
Data type: String
LDAP password for ldapbinddn
Default value: ''
Data type: String
Place in the LDAP tree to look for users
Default value: ''
Data type: String
User SearchFilter for LDAP accounts
Default value: ''
Data type: String
Place in the LDAP tree to look for groups
Default value: ''
Data type: Boolean
If defined use group block in ldap.conf
Default value: false
Data type: String
Group SearchFilter for LDAP accounts
Default value: ''
Data type: String
Attribute for MemberAttribute. Used with ldapfilter
Default value: ''
Data type: Boolean
Enable TLS for the LDAP authentication
Default value: false
Data type: String
LDAP TLS authentication: path to the CA certificate.
Default value: ''
Data type: String
LDAP TLS authentication: path to the CA certificates.
Default value: ''
Data type: String
LDAP TLS authentication: path to the tls client certificate
Default value: ''
Data type: String
LDAP TLS authentication: path to the tls client key
Default value: ''
Data type: String
Level of logging verbosity
Default value: ''
Data type: String
Cipher to use for packet encryption
Default value: 'AES-256-CBC'
Data type: String
TLS Ciphers to use
Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
Data type: Boolean
Try to retain access to resources that may be unavailable because of privilege downgrades
Default value: false
Data type: Boolean
Try to retain access to resources that may be unavailable because of privilege downgrades
Default value: false
Data type: Integer
The number of days to certify the server certificate for
Default value: 3650
Data type: Integer
The number of days to certify the CA certificate for
Default value: 3650
Data type: String
Value for name_default variable in openssl.cnf and KEY_NAME in vars
Default value: ''
Data type: String
Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
Default value: ''
Data type: String
Value for commonName_default variable in openssl.cnf and KEY_CN in vars
Default value: ''
Data type: Boolean
Activates tls-auth to add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.
Default value: false
Data type: Boolean
If proto is not tcp, lets you choose whether the tls-server parameter is set.
Default value: false
Data type: Boolean
Allows you to set this server up as a tls-client connection.
Default value: false
Data type: Optional[Integer]
Value for timeout before trying the next server.
Default value: undef
Data type: Boolean
Do not start clocking timeouts until a remote peer connects.
Default value: false
Data type: Optional[Integer]
Set the TCP/UDP socket send buffer size.
Default value: undef
Data type: Optional[Integer]
Set the TCP/UDP socket receive buffer size.
Default value: undef
Data type: Optional[String]
Name of a openssl::ca resource to use config with
Default value: undef
Data type: Boolean
Enable CRL checking. Disabling this is not recommended.
Default value: true
Data type: Boolean
Enables automatic renewing of crl.pem.
Default value: false
Data type: String
Sets the "period" parameter of the schedule for renewing the CRL. Since the 30-day expiry cannot be changed with easy-rsa 2, twice a month should be good.
Default value: 'monthly'
Data type: Integer
Sets the "repeat" parameter of the schedule for renewing the CRL. Since the 30-day expiry cannot be changed with easy-rsa 2, twice a month should be good.
Default value: 2
Data type: Boolean
Turn this on if you are using an external CA solution, like FreeIPA. Once enabled, you must configure the remaining extca_* parameters.
Default value: false
Data type: Optional[String]
External CA: Path to the CA certificate.
Default value: undef
Data type: Optional[String]
External CA: Path to the CA's CRL file. For FreeIPA-based CAs, CRLs expire every four hours, which means you may need your own solution for maintaining a local copy of your CA's CRL. Otherwise, you can set crl_verify to false (not recommended).
Default value: undef
Data type: Optional[String]
External CA: Path to the external CA issued OpenVPN server certificate.
Default value: undef
Data type: Optional[String]
External CA: Path to the key file that corresponds to $extca_server_cert_file
Default value: undef
Data type: Optional[String]
External CA: Path to your Diffie-Hellman parameter file. You will need to create one yourself. Make sure the key size matches the public key size of your CA-issued server certificate, like this: openssl dhparam -out /path/to/dh.pem 2048. Note: This is only required if you are enabling $tls_server.
Default value: undef
Data type: Optional[String]
External CA: If you are enabling $extca_enabled and $tls_auth, you will also need to create the tls-auth key file and specify its location here. The file can be created like this: openvpn --genkey --secret /path/to/ta.key. Note: you will need to distribute this file to your clients as well.
Default value: undef
Data type: Optional[Boolean]
Enable autostart for server if openvpn::autostart_all is false.
Default value: undef
Data type: Boolean
Enable or disable use of ns-cert-type for the session. Generally used with client configuration Deprecated in OpenVPN 2.4 and replaced with remote-cert-tls
Default value: true
Data type: Boolean
Enable or disable use of remote-cert-tls for the session. Generally used with client configuration
Default value: false
Data type: Boolean
Whether or not to bind to a specific port number.
Default value: false
Data type: Optional[String]
A pre-shared static key.
Default value: undef
Data type: Hash
Hash of additional options to append to the configuration file.
Default value: {}
Data type: Variant[Boolean, Integer]
Default value: false
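The extca_* parameters above describe a server whose certificates come from an external CA rather than the module's easy-rsa CA. The following is an added example, not the module's own; apart from server, proto, extca_enabled, extca_server_cert_file, tls_auth, tls_server and crl_verify, which this reference names, the parameter names (extca_ca_cert_file, extca_ca_crl_file, extca_server_key_file, extca_dh_file, extca_tls_auth_key_file, user, group, persist_key, persist_tun, management, management_ip, management_port) are assumed from the descriptions above, and all paths and the network are constructed. The key files are expected to be placed by other means, as the zurich example above does with file resources.

```puppet
# Added example. Parameter names not spelled out in this reference are assumed
# from its descriptions; paths and the VPN network are constructed values.
openvpn::server { 'winterthur':
  proto                   => 'udp',
  server                  => '10.200.200.0 255.255.255.0',
  # With udp, tls-server is only emitted when asked for explicitly.
  tls_server              => true,
  # Certificates are issued by an external CA (e.g. FreeIPA), so no local
  # easy-rsa CA is created for this instance.
  extca_enabled           => true,
  extca_ca_cert_file      => '/etc/openvpn/winterthur/keys/ca.crt',
  extca_server_cert_file  => '/etc/openvpn/winterthur/keys/server.crt',
  extca_server_key_file   => '/etc/openvpn/winterthur/keys/server.key',
  # Created with: openssl dhparam -out dh.pem 2048 (size of the server key).
  extca_dh_file           => '/etc/openvpn/winterthur/keys/dh.pem',
  # Created with: openvpn --genkey --secret ta.key; the same file goes to clients.
  tls_auth                => true,
  extca_tls_auth_key_file => '/etc/openvpn/winterthur/keys/ta.key',
  # Keep revocation checking on. The external CA's CRL is short-lived
  # (four hours for FreeIPA), so a job outside this module must refresh it.
  crl_verify              => true,
  extca_ca_crl_file       => '/etc/openvpn/winterthur/keys/ca.crl',
  # Drop privileges after startup; persist the key and tun device so the
  # daemon can still restart a session without the privileges it gave up.
  user                    => 'nobody',
  group                   => 'nogroup',
  persist_key             => true,
  persist_tun             => true,
  # Management interface reachable from loopback only.
  management              => true,
  management_ip           => '127.0.0.1',
  management_port         => 7505,
}
```

The one thing this declaration cannot do is keep the CRL fresh: if the file at extca_ca_crl_file expires, OpenVPN rejects every connection rather than skipping the check, which is why the reference warns against answering that problem by setting crl_verify to false.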