FreeBSD vpn role #35

trailofbits · Feb 25, 2017 · 0a8c420 · 0a8c420
1 parent 6856000
commit 0a8c420
Show file tree

Hide file tree

Showing 9 changed files with 130 additions and 79 deletions.
diff --git a/docs/FreeBSD.md b/docs/FreeBSD.md
@@ -0,0 +1,22 @@
+# FreeBSD
+
+It is only possible to install Algo on existing systems only in order to avoid recompiling the kernel while deploying
+
+## Pre-paring the system
+
+Ensure that the following kernel options are enabled:
+
+```
+# sysctl kern.conftxt | grep -iE "IPSEC|crypto"
+options	IPSEC
+options IPSEC_NAT_T
+device	crypto
+```
+
+## Available roles
+
+* vpn
+
+## Installation
+
+`ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$server_ip Store_CAKEY=N" --skip-tags cloud`
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
@@ -1,6 +1,9 @@
 - name: restart rsyslog
   service: name=rsyslog state=restarted
 
+- name: restart ipfw
+  service: name=ipfw state=restarted
+
 - name: flush routing cache
   shell: echo 1 > /proc/sys/net/ipv4/route/flush
 

diff --git a/roles/common/tasks/freebsd.yml b/roles/common/tasks/freebsd.yml
@@ -33,7 +33,16 @@
     - { param: firewall_type, value: '"open"' }
     - { param: gateway_enable, value: '"YES"' }
     - { param: natd_enable, value: '"YES"' }
-    - { param: natd_interface, value: '""' }
+    - { param: natd_interface, value: '"{{ ansible_default_ipv4.device }}"' }
     - { param: natd_flags, value: '"-dynamic -m"' }
+  notify:
+    - restart ipfw
   tags:
     - always
+
+- name: FreeBSD | Activate IPFW
+  shell: >
+    kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
+    bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
+
+- meta: flush_handlers
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -7,7 +7,7 @@
 
 - include: ubuntu.yml
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-  
+
 - include: freebsd.yml
   when: ansible_distribution == 'FreeBSD'
 
@@ -24,3 +24,5 @@
     - "{{ sysctl.forwarding }}"
   tags:
     - always
+
+- meta: flush_handlers
diff --git a/roles/vpn/tasks/distribute_keys.yml b/roles/vpn/tasks/distribute_keys.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Copy the keys to the strongswan directory
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/cacerts/ca.crt"
+      owner: strongswan
+      group: "{{ root_group|default('root') }}"
+      mode: "0600"
+    - src: "configs/{{ IP_subject_alt_name }}/pki/certs/{{ IP_subject_alt_name }}.crt"
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt"
+      owner: strongswan
+      group: "{{ root_group|default('root') }}"
+      mode: "0600"
+    - src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ IP_subject_alt_name }}.key"
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.d/private/{{ IP_subject_alt_name }}.key"
+      owner: strongswan
+      group: "{{ root_group|default('root') }}"
+      mode: "0600"
+  notify:
+    - restart strongswan
diff --git a/roles/vpn/tasks/freebsd.yml b/roles/vpn/tasks/freebsd.yml
@@ -3,17 +3,9 @@
 - set_fact:
     config_prefix: "/usr/local/"
     root_group: wheel
-
-- name: Activate IPFW
-  shell: >
-    kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
-    bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
-
-- name: Enable strongswan
-  lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"'
-
-- set_fact:
-    strongswan_enabled_plugins:
-      - "{{ strongswan_enabled_plugins }}"
+    strongswan_additional_plugins:
       - kernel-pfroute
       - kernel-pfkey
+
+- name: FreeBSD | Enable strongswan
+  lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"'
diff --git a/roles/vpn/tasks/ipec_configuration.yml b/roles/vpn/tasks/ipec_configuration.yml
@@ -0,0 +1,46 @@
+---
+
+- name: Setup the config files from our templates
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - src: strongswan.conf.j2
+      dest: "{{ config_prefix|default('/') }}etc/strongswan.conf"
+      owner: root
+      group: "{{ root_group|default('root') }}"
+      mode: "0644"
+    - src: ipsec.conf.j2
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.conf"
+      owner: root
+      group: "{{ root_group|default('root') }}"
+      mode: "0644"
+    - src: ipsec.secrets.j2
+      dest: "{{ config_prefix|default('/') }}etc/ipsec.secrets"
+      owner: strongswan
+      group: "{{ root_group|default('root') }}"
+      mode: "0600"
+  notify:
+    - restart strongswan
+
+- name: Get loaded plugins
+  shell: >
+    find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; | cut -f1 -d.
+  register: strongswan_plugins
+
+- name: Disable unneeded plugins
+  lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present
+  notify:
+    - restart strongswan
+  when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins
+  with_items: "{{ strongswan_plugins.stdout_lines }}"
+
+- name: Ensure that required plugins are enabled
+  lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
+  notify:
+    - restart strongswan
+  when: item in strongswan_enabled_plugins or item in strongswan_additional_plugins
+  with_items: "{{ strongswan_plugins.stdout_lines }}"
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
@@ -16,9 +16,6 @@
     algo_params: "rsa:2048"
   when: Win10_Enabled is defined and Win10_Enabled == "Y"
 
-- name: Install StrongSwan
-  package: name=strongswan state=present
-
 - name: Ensure that the strongswan group exist
   group: name=strongswan state=present
 
@@ -31,62 +28,12 @@
 - include: freebsd.yml
   when: ansible_distribution == 'FreeBSD'
 
-- name: Setup the strongswan.conf file from our template
-  template: src=strongswan.conf.j2 dest={{ config_prefix|default('/') }}etc/strongswan.conf owner=root group="{{ root_group|default('root') }}" mode=0644
-  notify:
-    - restart strongswan
-
-- name: Setup the ipsec.conf file from our template
-  template: src=ipsec.conf.j2 dest={{ config_prefix|default('/') }}etc/ipsec.conf owner=root group="{{ root_group|default('root') }}" mode=0644
-  notify:
-    - restart strongswan
-
-- name: Setup the ipsec.secrets file
-  template: src=ipsec.secrets.j2 dest={{ config_prefix|default('/') }}etc/ipsec.secrets owner=strongswan group="{{ root_group|default('root') }}" mode=0600
-  notify:
-    - restart strongswan
-
-- name: Get loaded plugins
-  shell: >
-    find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; | cut -f1 -d.
-  register: strongswan_plugins
-
-- name: Disable unneeded plugins
-  lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present
-  notify:
-    - restart strongswan
-  when: item not in strongswan_enabled_plugins
-  with_items: "{{ strongswan_plugins.stdout_lines }}"
-
-- name: Ensure that required plugins are enabled
-  lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
-  notify:
-    - restart strongswan
-  when: item in strongswan_enabled_plugins
-  with_items: "{{ strongswan_plugins.stdout_lines }}"
+- name: Install StrongSwan
+  package: name=strongswan state=present
 
+- include: ipec_configuration.yml
 - include: openssl.yml
-
-- name: Copy the CA cert to the strongswan directory
-  copy: src='configs/{{ IP_subject_alt_name }}/pki/cacert.pem' dest={{ config_prefix|default('/') }}etc/ipsec.d/cacerts/ca.crt owner=strongswan group="{{ root_group|default('root') }}" mode=0600
-  notify:
-    - restart strongswan
-
-- name: Copy the server cert to the strongswan directory
-  copy: src='configs/{{ IP_subject_alt_name }}/pki/certs/{{ IP_subject_alt_name }}.crt' dest={{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group="{{ root_group|default('root') }}" mode=0600
-  notify:
-    - restart strongswan
-
-- name: Copy the server key to the strongswan directory
-  copy: src='configs/{{ IP_subject_alt_name }}/pki/private/{{ IP_subject_alt_name }}.key' dest={{ config_prefix|default('/') }}etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group="{{ root_group|default('root') }}" mode=0600
-  notify:
-    - restart strongswan
-
-- name: Restrict permissions for the remote private directories
-  file: path="{{ item }}" state=directory mode=0700 owner=strongswan group="{{ root_group|default('root') }}"
-  with_items:
-    - "{{ config_prefix|default('/') }}etc/ipsec.d/private"
-
+- include: distribute_keys.yml
 - include: client_configs.yml
 
 - meta: flush_handlers

diff --git a/roles/vpn/tasks/ubuntu.yml b/roles/vpn/tasks/ubuntu.yml
@@ -1,9 +1,12 @@
 ---
 
-- name: Update apt cache
-  apt: update_cache=yes
+- set_fact:
+    strongswan_additional_plugins:
 
-- name: Enforcing ipsec with apparmor
+- name: Ubuntu | Install StrongSwan
+  apt: name=strongswan state=latest update_cache=yes install_recommends=yes
+
+- name: Ubuntu | Enforcing ipsec with apparmor
   shell: aa-enforce "{{ item }}"
   when: apparmor_enabled is defined and apparmor_enabled == true
   with_items:
@@ -14,32 +17,32 @@
     - restart apparmor
   tags: ['apparmor']
 
-- name: Enable services
+- name: Ubuntu | Enable services
   service: name={{ item }} enabled=yes
   with_items:
     - apparmor
     - strongswan
     - netfilter-persistent
 
-- name: Configure iptables so IPSec traffic can traverse the tunnel
+- name: Ubuntu | Configure iptables so IPSec traffic can traverse the tunnel
   iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
   when: (security_enabled is not defined) or
         (security_enabled is defined and security_enabled != "y")
   notify:
     - save iptables
 
-- name: Configure ip6tables so IPSec traffic can traverse the tunnel
+- name: Ubuntu | Configure ip6tables so IPSec traffic can traverse the tunnel
   iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
   when: ((security_enabled is not defined) or
         (security_enabled is defined and security_enabled != "y")) and
         ipv6_support is defined and ipv6_support == "yes"
   notify:
     - save iptables
 
-- name: Ensure that the strongswan service directory exist
+- name: Ubuntu | Ensure that the strongswan service directory exist
   file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755  owner=root group=root
 
-- name: Setup the cgroup limitations for the ipsec daemon
+- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon
   template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
   notify:
     - daemon-reload