Install openvpn & certs also on client nodes #231

Closed
monotek opened this issue Apr 3, 2017 · 6 comments

@monotek

monotek commented Apr 3, 2017

Why is there no option to install the already created client tarball on client nodes, which are already able to get the configuration via puppet?

Did I just miss something?

@monotek monotek changed the title Install openvpn & certs also on nodes Install openvpn & certs also on client nodes Apr 3, 2017
@ajjonesycomau
Contributor

It's probably not as straightforward as it might seem, because the certs are generated not on the puppet node, but on the server.

The only way I've been able to think of doing this would be to use a custom facter plugin to extract the certificates from the vpn servers into puppetdb using exported resources.

The other thing I've seen done is to use the puppet certificates for the openvpn connection.

@monotek
Author

monotek commented Apr 6, 2017 via email

@ajjonesycomau
Contributor

Sure, assuming all relevant nodes are able to be accessed via SSH and have authorised keys set up.

@khaefeli

khaefeli commented May 29, 2017

Copying it over SSH is probably not the best solution and not the "puppet way" :) but yes, it would work.

I would export the client resource from the node and collect it on the openvpn server via puppetdb.
Then export the client configs and "collect" them on the node.

So the clients could "self-join" the openvpn server.

@khaefeli

khaefeli commented Jun 2, 2017

I've started to work on that inside of my fork. Will create a PR when everything is finished.
https://github.com/khaefeli/puppet-openvpn/commits/master

For now, you can only manage a redundant "slave" of the openvpn server.
The master crt, key and ca.crt are copied over puppetdb and applied on the master.

I'll continue with the work after my vacation, to also support the client certificates.
This will include: applying the certs on the x openvpn servers and copying the download-config stuff over puppetdb to the client - so no manual steps are required anymore and the nodes can "self-join" an openvpn server ;)

@Philio
Contributor

Philio commented Dec 3, 2017

Just wondering if this functionality ever made it into a release?

We wrote a module a few years ago to do the same thing - https://bitbucket.org/codacity/puppet-module-openvpn_client

If we can consolidate it into a single module it's always a bonus and less to maintain.

to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Jan 6, 2018
fix linting, add credit
restructure deploy manifests
fixes voxpupuli#231
to-kn added a commit to to-kn/puppet-openvpn that referenced this issue Jan 7, 2018
fix linting, add credit, add tests
fixes voxpupuli#231
TheBigLee added a commit to vshn/puppet-openvpn that referenced this issue Feb 12, 2020
Exporting private keys via facts is unsafe as facts should not contain
sensitive information, as they might be accessible from undesired
systems (e.g. dashboards)

This feature has been added in commit
voxpupuli@d0fd9f3
as a result of voxpupuli#231.

This commit reverts the changes and removes the added feature for
security reasons.
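
The risk named in the commit message above can be checked for on a node: this added example (not code from puppet-openvpn or any fork) walks a facts structure and reports every fact whose value carries PEM private key material. The fact names in the sample are hypothetical and the key bodies are constructed placeholders.

```ruby
require 'json'

# PEM header of any private key type: PKCS#8, RSA, EC, ENCRYPTED, OPENSSH.
PRIVATE_KEY_RE = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/

# Recursively walk a facts structure (hashes, arrays, scalars) and return
# the dotted path of every value that contains private key material.
def private_key_fact_paths(node, path = [])
  case node
  when Hash
    node.flat_map { |k, v| private_key_fact_paths(v, path + [k.to_s]) }
  when Array
    node.each_with_index.flat_map { |v, i| private_key_fact_paths(v, path + [i.to_s]) }
  when String
    node.match?(PRIVATE_KEY_RE) ? [path.join('.')] : []
  else
    [] # numbers, booleans, nil cannot hold a PEM block
  end
end

# Constructed sample in the shape of `facter --json` output. The fact names
# (vpn_export, server_key, clients) are hypothetical, not the module's own.
SAMPLE_FACTS = JSON.parse(<<~'JSON')
  {
    "os": {"family": "Debian"},
    "vpn_export": {
      "ca_crt": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----",
      "server_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----",
      "clients": [
        {"name": "node1",
         "key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----"}
      ]
    }
  }
JSON

# Certificates are public and pass; both key-bearing facts are reported.
puts private_key_fact_paths(SAMPLE_FACTS)
```

To audit a real node, parse the output of `facter --json` and pass the resulting hash to `private_key_fact_paths` in place of the sample.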