Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Making it work with Amazon EC2 instances #44

Closed
corby opened this issue Feb 22, 2014 · 13 comments
Closed

Making it work with Amazon EC2 instances #44

corby opened this issue Feb 22, 2014 · 13 comments

Comments

@corby
Copy link

corby commented Feb 22, 2014

Great module. But it's missing support for the standard Amazon EC2 AMI.

The following changes were needed to get it to work with Amazon:

  1. Had to install easy-rpm from epel repo which is disabled by default
    yumrepo { "epel": enabled => 1 }
    package { "easy-rsa": require => Yumrepo["epel"] }
  2. Had to make local changes to params.pp
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,9 +16,13 @@
 #
 class openvpn::params {

-  $group = $::osfamily ? {
-    'RedHat' => 'nobody',
-    default  => 'nogroup'
+  if ($::operatingsystem == 'Amazon') {
+    $group = 'nobody'
+  } else {
+    $group = $::osfamily ? {
+      'RedHat' => 'nobody',
+      default  => 'nogroup',
+    }
   }

   case $::osfamily {
@@ -39,6 +43,8 @@ class openvpn::params {
       if($::operatingsystemmajrelease == 'jessie/sid' or $::lsbdistdescription == 'Ubuntu 13.10'){
         $additional_packages = ['easy-rsa']
         $easyrsa_source = '/usr/share/easy-rsa/'
+      } elsif ($::operatingsystem == 'Amazon') {
+        $easyrsa_source = '/usr/share/easy-rsa/2.0'
       } else {
         $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
       }
@luxflux
Copy link
Contributor

luxflux commented Feb 26, 2014

To implement this... Could you tell me which facts the AMI has set? Especially the facts operatingsystem, osfamily, operatingsystemmajrelease, operatingsystemrelease and lsbdistdescription.

@luxflux
Copy link
Contributor

luxflux commented Mar 13, 2014

@corby any news?

@luxflux
Copy link
Contributor

luxflux commented May 10, 2014

Closed because of inactivity.

@luxflux luxflux closed this as completed May 10, 2014
@gbarton
Copy link

gbarton commented Feb 7, 2015

I could really use this as currently I run a RHEL instance within AWS when a regular AWS version would do me just fine. Not many of the variables you requested report, here is a full dump of factor:

[ec2-user@ip-10-1-3-194 ~]$ facter -p
architecture => x86_64
augeasversion => 1.0.0
domain => ec2.internal
ec2_ami_id => ami-146e2a7c
ec2_ami_launch_index => 0
ec2_ami_manifest_path => (unknown)
ec2_block_device_mapping_ami => /dev/xvda
ec2_block_device_mapping_root => /dev/xvda
ec2_hostname => ip-10-1-3-194.ec2.internal
ec2_instance_id => i-b4a06a4e
ec2_instance_type => t2.micro
ec2_local_hostname => ip-10-1-3-194.ec2.internal
ec2_local_ipv4 => 10.1.3.194
ec2_placement_availability_zone => us-east-1d
ec2_profile => default-hvm
ec2_public_hostname => xxxx.amazonaws.com
ec2_public_ipv4 => xxx.xxx.xxx.xxx
ec2_public_keys_0_openssh_key => xxxxxx
ec2_reservation_id => r-9499cb7f
ec2_security_groups => bastion
facterversion => 1.6.18
fqdn => ip-10-1-3-194.ec2.internal
hardwareisa => x86_64
hardwaremodel => x86_64
hostname => ip-10-1-3-194
id => ec2-user
interfaces => eth0,lo
ipaddress => 10.1.3.194
ipaddress_eth0 => 10.1.3.194
ipaddress_lo => 127.0.0.1
is_virtual => true
kernel => Linux
kernelmajversion => 3.14
kernelrelease => 3.14.27-25.47.amzn1.x86_64
kernelversion => 3.14.27
macaddress => 0A:40:99:F5:A6:51
macaddress_eth0 => 0A:40:99:F5:A6:51
memoryfree => 913.47 MB
memorysize => 996.29 MB
memorytotal => 996.29 MB
mtu_eth0 => 9001
mtu_lo => 65536
netmask => 255.255.255.0
netmask_eth0 => 255.255.255.0
netmask_lo => 255.0.0.0
network_eth0 => 10.1.3.0
network_lo => 127.0.0.0
operatingsystem => Amazon
operatingsystemrelease => 3.14.27-25.47.amzn1.x86_64
osfamily => Linux

path => /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
physicalprocessorcount => 1
processor0 => Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
processorcount => 1
ps => ps -ef
puppetversion => 2.7.25
rubysitedir => /usr/lib/ruby/site_ruby/1.8
rubyversion => 1.8.7
selinux => false
sshdsakey => xxxx
sshecdsakey => xxxx
sshrsakey => xxxx
swapfree => 0.00 kB
swapsize => 0.00 kB
timezone => UTC
uniqueid => 010ac203
uptime => 0:31 hours
uptime_days => 0
uptime_hours => 0
uptime_seconds => 1872
virtual => xenhvm

Does this help? What OP said about epel not existing is true, that has to be manually added.

@luxflux luxflux reopened this Feb 7, 2015
@luxflux
Copy link
Contributor

luxflux commented Feb 7, 2015

I added this now in a branch called amazon-wheezy-small-support and opened a pull request #134. @gbarton, could you test it?

@gbarton
Copy link

gbarton commented Feb 7, 2015

Closer!! I gave it a shot, this was the first few lines, everything else is spewing errors due to dependencies so I skipped dumping it here.

err: /Stage[main]/Openvpn::Install/File[/etc/openvpn]: Could not evaluate: Could not find group nogroup
notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]: Dependency File[/etc/openvpn] has failures: true
warning: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]: Skipping because of failed dependencies
notice: /Stage[main]/Openvpn::Install/Package[easy-rsa]/ensure: created
n

@luxflux
Copy link
Contributor

luxflux commented Feb 9, 2015

Thanks, @gbarton. I assume that it's nobody as for RedHat and updated the branch. Could you check again?

@gbarton
Copy link

gbarton commented Feb 10, 2015

Were getting closer. Tried on a fresh instance, now it hangs indefinitely here until I hit ctrl-C any ideas?

notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn]/group: group changed 'root' to 'nobody'
notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver.conf]/ensure: defined content as '{md5}a136ee503bfe031280347c24d4c22352'
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver/download-configs]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver/auth]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/Exec[copy easy-rsa to openvpn config folder testvpnserver]/returns: executed successfully
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/revoked]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/openssl.cnf]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/Exec[fix_easyrsa_file_permissions_testvpnserver]: Triggered 'refresh' from 1 events
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/vars]/content: content changed '{md5}74cc9626a611540b882ea1d43ab2e9e0' to '{md5}463948c55be7bfa73ec6d89a8673063b'
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/vars]/group: group changed 'root' to 'nobody'
^CExiting
err: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/Exec[generate dh param testvpnserver]: Could not evaluate: Puppet::Util::Log requires a message

@luxflux
Copy link
Contributor

luxflux commented Feb 25, 2015

@gbarton, my assumption would be that it's generating the dh params and waits for more entropy... Either you wait until it has enough or you try could install an entropy generator (e.g. havaged) to generate more available entropy.

Could you test again?

@gbarton
Copy link

gbarton commented Mar 1, 2015

It built! Thank you for suggesting to try one more time. For some reason a fresh yum update pushed things through, wasnt smart enough to pay attention to what came down. Does take a little while but it generates. I am unable to verify now though because I think I am running into an openvpn server change where I'm getting self signed cert errors:

Sun Mar 01 12:53:39 2015 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=XX, L=xxx, O=xxx, CN=xx CA, emailAddress=[email protected]
Sun Mar 01 12:53:39 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Mar 01 12:53:39 2015 TLS Error: TLS object -> incoming plaintext read error
Sun Mar 01 12:53:39 2015 TLS Error: TLS handshake failed

Googling says that MD5 is no longer supported (centos 7 openvpn forums), is there a way to configure it to do something else?

@gbarton
Copy link

gbarton commented Mar 2, 2015

I'm not sure whats going on. Verified my openvpn configs on another RHEL 6.6 vm and it worked great. I tried manually adding auth SHA256, and setting cypher to a few different things. None seemed to help. I also copied every single client file down to no avail. (When it works normally I just need the .ovpn file)

@luxflux
Copy link
Contributor

luxflux commented Mar 3, 2015

I just tested this on a ec2 instance (thanks @gbarton for the machine).

I tried to connect from the server itself and from my local computer with tunnelblick. It worked for both. The output can be found in this gist.

@gbarton do you have a proxy in between or something? Did you try with tcp and udp?

@luxflux
Copy link
Contributor

luxflux commented Mar 5, 2015

As the current implementation seems to work, I am going to merge it.

@luxflux luxflux closed this as completed in e708143 Mar 5, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants