An Ansible Role that installs and configures OpenVPN server on Debian.

Available variables are listed below, along with default values (see defaults/main.yml):

openvpn_etcdir: /etc/openvpn

OpenVPN server configuration location

openvpn_datadir: "{{ openvpn_etcdir }}/data"

openvpn_pki_dir: "{{ openvpn_etcdir }}/pki"

Directory for our internal PKI

openvpn_configure_forwarding: true

Enable IP fowarding

openvpn_host: "{{ inventory_hostname }}"

Hostname used for the OpenVPN server

openvpn_port: 1194
openvpn_proto: udp

Protocol and port to use for the OpenVPN server

openvpn_dev: tun
openvpn_server: 10.8.0.0 255.255.255.0
openvpn_bridge: {}
openvpn_max_clients: 100
openvpn_log: /var/log/openvpn.log
openvpn_keepalive: "10 120"
openvpn_ifconfig_pool_persist: ipp.txt

openvpn_comp_lzo: true

Enable or disable LZO compression

openvpn_cipher: BF-CBC
openvpn_status: openvpn-status.log

Status log file name

openvpn_verb: 3

Verbosity level of our VPN server

openvpn_tls_key: "{{ openvpn_pki_dir }}/ta.key"

openvpn_user: nobody
openvpn_group: nogroup

User and group running the OpenVPN server (we recommand to use non privileged user)

openvpn_resolv_retry: infinite
openvpn_client_to_client: true

openvpn_route_ranges: []

Network ranges that the connecting clients should try to reach using the VPN connection.

openvpn_dns_servers: []

DNS servers to push to the connecting client to avoid leaks via DNS queries

openvpn_client_options: []

Allows to define additional client options

openvpn_server_options: []

Allows to define additional server options

openvpn_key_country: US
openvpn_key_province: CA
openvpn_key_city: SanFrancisco
openvpn_key_org: Fort-Funston
openvpn_key_email: [email protected]
openvpn_key_size: 2048

Variables to manages server keys and certificates

openvpn_clients_revoke: []

List of clients certificates to revoke

openvpn_unified_client_profiles: false

Allows to generate unified ovpn file for clients (one file containing config, certificates and keys)

openvpn_clients: []

List of known clients (this variable is used to generate keys, certificates, config,... related to the known clients)

List of variables available to configure OpenVPN

openvpn_use_ldap: false

Enable or disable LDAP authentication

openvpn_ldap_tlsenable: false

Enable or disable TLS when using LDAP authentication

openvpn_ldap_follow_referrals: false

Enable or disable to follow referrals when using LDAP authentication

openvpn_use_pam: true
openvpn_use_pam_users: []

openvpn_simple_auth: false
openvpn_simple_auth_password: ""

Allow to download the created client credentials to a specified local (relative to control host) directory openvpn_download_clients: false openvpn_download_dir: "{{ playbook_dir }}/client_credentials/"

A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

- hosts: vpn-user.user.dalibo.net
  become: true
  vars:
    openvpn_key_size: 2048
    openvpn_key_country: FR
    openvpn_key_province: Paris
    openvpn_key_city: Paris
    openvpn_key_org: MyCompany
    openvpn_key_email: [email protected]
    openvpn_unified_client_profiles: true
    openvpn_clients:
        - john
        - doe
        - smith
  roles:
    - {hanxhx.openvpn}

BSD

An optional section for the role authors to include contact information, or a website (HTML is not allowed).