Installs OpenVPN.

Configured to authenticate using LDAP.
Desarrollo-CeSPI · Jun 22, 2015 · 1ea129a · 1ea129a
1 parent c035719
commit 1ea129a
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 90 deletions.
diff --git a/Vagrantfile b/Vagrantfile
@@ -2,89 +2,26 @@
 # vi: set ft=ruby :
 
 # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = '2'
+VAGRANTFILE_API_VERSION = "2"
 
-Vagrant.require_version '>= 1.5.0'
+Vagrant.require_version ">= 1.5.0"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  # All Vagrant configuration is done here. The most common configuration
-  # options are documented and commented below. For a complete reference,
-  # please see the online documentation at vagrantup.com.
 
-  config.vm.hostname = 'mo-openvpn-berkshelf'
-
-  # Set the version of chef to install using the vagrant-omnibus plugin
-  # NOTE: You will need to install the vagrant-omnibus plugin:
-  #
-  #   $ vagrant plugin install vagrant-omnibus
-  #
-  if Vagrant.has_plugin?("vagrant-omnibus")
-    config.omnibus.chef_version = 'latest'
-  end
-
-  # Every Vagrant virtual environment requires a box to build off of.
-  # If this value is a shorthand to a box in Vagrant Cloud then
-  # config.vm.box_url doesn't need to be specified.
-  config.vm.box = 'chef/ubuntu-14.04'
-
-
-  # Assign this VM to a host-only network IP, allowing you to access it
-  # via the IP. Host-only networks can talk to the host machine as well as
-  # any other machines on the same network, but cannot be accessed (through this
-  # network interface) by any external networks.
-  config.vm.network :private_network, type: 'dhcp'
-
-  # Create a forwarded port mapping which allows access to a specific port
-  # within the machine from a port on the host machine. In the example below,
-  # accessing "localhost:8080" will access port 80 on the guest machine.
-
-  # Share an additional folder to the guest VM. The first argument is
-  # the path on the host to the actual folder. The second argument is
-  # the path on the guest to mount the folder. And the optional third
-  # argument is a set of non-required options.
-  # config.vm.synced_folder "../data", "/vagrant_data"
-
-  # Provider-specific configuration so you can fine-tune various
-  # backing providers for Vagrant. These expose provider-specific options.
-  # Example for VirtualBox:
-  #
-  # config.vm.provider :virtualbox do |vb|
-  #   # Don't boot with headless mode
-  #   vb.gui = true
-  #
-  #   # Use VBoxManage to customize the VM. For example to change memory:
-  #   vb.customize ["modifyvm", :id, "--memory", "1024"]
-  # end
-  #
-  # View the documentation for the provider you're using for more
-  # information on available options.
-
-  # The path to the Berksfile to use with Vagrant Berkshelf
-  # config.berkshelf.berksfile_path = "./Berksfile"
-
-  # Enabling the Berkshelf plugin. To enable this globally, add this configuration
-  # option to your ~/.vagrant.d/Vagrantfile file
-  config.berkshelf.enabled = true
-
-  # An array of symbols representing groups of cookbook described in the Vagrantfile
-  # to exclusively install and copy to Vagrant's shelf.
-  # config.berkshelf.only = []
-
-  # An array of symbols representing groups of cookbook described in the Vagrantfile
-  # to skip installing and copying to Vagrant's shelf.
-  # config.berkshelf.except = []
-
-  config.vm.provision :chef_solo do |chef|
-    chef.json = {
-      mysql: {
-        server_root_password: 'rootpass',
-        server_debian_password: 'debpass',
-        server_repl_password: 'replpass'
+  config.vm.define 'app', primary: true do |app|
+    app.vm.hostname = "mo-openvpn.domain"
+    app.omnibus.chef_version = "11.16.4"
+    app.vm.box = "chef/ubuntu-14.04"
+    app.vm.network :private_network, ip: "10.100.22.2"
+    app.berkshelf.enabled = true
+    app.vm.provision :chef_solo do |chef|
+      chef.json = {
       }
-    }
-
-    chef.run_list = [
-      'recipe[mo_openvpn::default]'
-    ]
+      chef.run_list = [
+        "recipe[apt::default]",
+        "recipe[mo_openvpn::default]"
+      ]
+    end
   end
+
 end
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -0,0 +1,20 @@
+# Certificates parameters.
+default['mo_openvpn']['install_dir']                      = '/etc/openvpn'
+
+default['mo_openvpn']['key']['country']                   = 'AR'
+default['mo_openvpn']['key']['province']                  = 'Buenos Aires'
+default['mo_openvpn']['key']['city']                      = 'La Plata'
+default['mo_openvpn']['key']['org']                       = 'My organization'
+default['mo_openvpn']['key']['ou']                        = 'My organizational unit'
+default['mo_openvpn']['key']['email']                     = 'user@domain'
+
+default['mo_openvpn']['ldap']['url']                      = "ldap://ldap.domain"
+default['mo_openvpn']['ldap']['basedn']                   = "ou=Usuarios,ou=myou,o=myorg"
+default['mo_openvpn']['ldap']['search_filter']            = "(uid=%u)"
+
+# Network configuration.
+default['mo_openvpn']['config']['server']                 = '10.8.0.0 255.255.255.0'
+
+# Server specific
+# client 'push routes', attribute is treated as a helper
+default['mo_openvpn']['push_routes']                      = [ "192.168.0.0 255.255.255.0" ]
diff --git a/metadata.rb b/metadata.rb
@@ -1,7 +1,9 @@
 name             'mo_openvpn'
-maintainer       'YOUR_NAME'
-maintainer_email 'YOUR_EMAIL'
-license          'All rights reserved'
+maintainer       'Christian A. Rodriguez & Leandro Di Tommaso'
+maintainer_email '[email protected] [email protected]'
+license          'MIT'
 description      'Installs/Configures mo_openvpn'
 long_description 'Installs/Configures mo_openvpn'
 version          '0.1.0'
+
+depends 'apt',   '~>2.7.0'
diff --git a/recipes/default.rb b/recipes/default.rb
@@ -1,8 +1,25 @@
-#
-# Cookbook Name:: mo_openvpn
-# Recipe:: default
-#
-# Copyright (C) 2015 YOUR_NAME
-#
-# All rights reserved - Do Not Redistribute
-#
+package 'openvpn'
+package 'openvpn-auth-ldap'
+
+template '/etc/openvpn/auth' do
+  source 'auth.erb'
+  owner 'root'
+  group 'root'
+  variables({
+     ldap_url: node['mo_openvpn']['ldap']['url'],
+     ldap_basedn: node['mo_openvpn']['ldap']['basedn'],
+     ldap_search_filter: node['mo_openvpn']['ldap']['search_filter']
+  })
+end
+
+template '/etc/openvpn/server.conf' do
+  source 'server.conf.erb'
+  owner 'root'
+  group 'root'
+  variables({
+    server_network: node['mo_openvpn']['config']['server'],
+    routes: node['mo_openvpn']['push_routes'],
+    cert_filename: "#{node['fqdn']}.crt",
+    key_filename: "#{node['fqdn']}.key"
+  })
+end
diff --git a/templates/default/auth.erb b/templates/default/auth.erb
@@ -0,0 +1,12 @@
+<LDAP>
+  URL       <%= @ldap_url %>
+  Timeout   15
+  TLSEnable no
+  FollowReferrals yes
+</LDAP>
+
+<Authorization>
+  BaseDN        <%= @ldap_base_dn %>
+  SearchFilter  <%= @ldap_search_filter %>
+  RequireGroup  false
+</Authorization>
diff --git a/templates/default/server.conf.erb b/templates/default/server.conf.erb
@@ -0,0 +1,25 @@
+port 1194
+proto udp
+dev tun
+
+ca ca.crt
+cert <%= @cert_filename %>
+key <%= @key_filename %>
+dh dh2048.pem
+
+server <%= @server_network %>
+
+ifconfig-pool-persist ipp.txt
+
+<% @routes.each do |route| %>
+  push "route <%= route %>"
+<% end %>
+
+keepalive 10 120
+comp-lzo
+persist-key
+persist-tun
+verb 3
+status openvpn-status.log
+
+plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth