WARNING: This role is still in development. DO NOT TRY TO USE IN PRODUCTION!

Role to deploy OpenVPN Client-to-Site VPN setups.

Molecule Logs: Short, Full

This role uses the OpenSource OpenVPN Community edition.

Why use the community edition?

• Pros:

  • No license fees - one server can scale up to thousands of clients without any major costs
  • All major functionalities are covered by the opensource edition
  • Manageable using Ansible

• Cons

  • This edition has no graphical (web-) user-interface!

    If you are searching for a pretty web-ui to click at => check out the OpenVPN Access Server

Tested:

• Debian 11
• Debian 12

# latest
ansible-galaxy role install git+https://github.com/ansibleguy/infra_openvpn

# from galaxy
ansible-galaxy install ansibleguy.infra_openvpn

# or to custom role-path
ansible-galaxy install ansibleguy.infra_openvpn --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml

You want a simple Ansible GUI? Check-out my Ansible WebUI

Define the config as needed:

openvpn:

You might want to use 'ansible-vault' to encrypt your passwords:

ansible-vault encrypt_string

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml

There are also some useful tags available: * *

To debug errors - you can set the 'debug' variable at runtime:

# WARNING: Will log passwords!
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes

To let OpenVPN services be automatically restarted (without interactive prompts):

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e auto_restart=yes

• Package installation

  • Ansible dependencies (minimal)

• Configuration *

  • Default config: *

  • Default opt-ins: *

  • Default opt-outs: *

• Info: If you want to know more about configuring OpenVPN-community - check out their comprehensive documentation

  Interesting pages:

  • Security overview

  • Hardening, Hardening (older Version)

• Info: ChromeOS uses the Open-Network-Configuration (ONC) format.

  It is formatted in JSON and pretty hard to debug as you do not get any useful error messages.

  The profile-template provided by this role might not work for every edge-case.

  If you need to troubleshoot it - look into the ONC documentation. But be aware: not every option might work practically as documented..

• Warning: If a OpenVPN instance should support connections to ChromeOS clients - you will need to set the 'openvpn.instances.[name].security.tls_crypt' option to 'false' as this is not (currently) supported by the ChromeOS implementation.

• Note: this role currently only supports debian-based systems

• Note: Most of the role's functionality can be opted in or out.

  For all available options - see the default-config located in the main defaults-file!

• Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!

• Info: If you want to user openvpn.unprivileged: true for gained system-security the installed OpenVPN binary needs to support iproute2!

  The role will check if the binary is compatible and fail is that is not the case!

  Options how to gain support for iproute2:

  • You will have to use a binary that was compiled with that option enabled
    • Re-Compile OpenVPN yourself as seen in this example script (without the 'uninstall')
    • Or configure the role to download a re-compiled binary from my ansibleguy/openvpn-recompiled repository!
  • Uninstall existing OpenVPN packages/binaries
  • Copy/link the openvpn binary to /usr/local/bin

• Info: If you are using multi-factor-authentication you might run into issues when some clients (like ChromeOS) do not support a second input field for the second secret!

  You might need to set openvpn.server.auth.mfa_separator to any unusual characters you like. (per example: <<<)

  This enables you to input both secret1 (password) and secret2 (totp pin) in the same input field! Like so: p4ssW0rd<<<001122

  The default separator : will always be supported - even if you set a custom one. This allows both ways to be supported.