From 3ab62d9034c86b2d4d0f2357c8434ddb038f8f9c Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Fri, 1 Aug 2014 11:11:53 +0200 Subject: [PATCH 1/8] bugfix failure handling of revoke * openssl version 1.0.1-4 (precise) shows 'error 23' but exits with 0 * openssl version 1.0.1f (trusty) shows 'error 23' but exits with 2 --- manifests/revoke.pp | 2 +- spec/defines/openvpn_revoke_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/revoke.pp b/manifests/revoke.pp index 81d78705..f104033b 100644 --- a/manifests/revoke.pp +++ b/manifests/revoke.pp @@ -58,7 +58,7 @@ Openvpn::Revoke[$name] exec { "revoke certificate for ${name} in context of ${server}": - command => ". ./vars && ./revoke-full ${name} ; test $? -eq 2 && touch revoked/${name}", + command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}", cwd => "/etc/openvpn/${server}/easy-rsa", creates => "/etc/openvpn/${server}/easy-rsa/revoked/${name}", provider => 'shell', diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb index 04b65918..d2a05fdf 100644 --- a/spec/defines/openvpn_revoke_spec.rb +++ b/spec/defines/openvpn_revoke_spec.rb @@ -26,6 +26,6 @@ end it { should contain_exec('revoke certificate for test_client in context of test_server').with( - 'command' => '. ./vars && ./revoke-full test_client ; test $? -eq 2 && touch revoked/test_client' + 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client" )} end From ac61e09ee4bd640ab749de287aaa33dce1eb5356 Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Tue, 5 Aug 2014 17:07:13 +0200 Subject: [PATCH 2/8] client: escape email address to fix regexp matching and backtick behaviour --- manifests/client.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index 5943ef3f..e45f4237 100644 
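Review bot: The `error 23` alternative in the new grep can never match, because revoke-full's output goes to the exec's stdout/stderr and only the literal `exit $?` string reaches grep's stdin, so the marker is touched purely on an exit status of 0 or 2. Accepting 0 without looking at the result is the risky half: the commit message itself says the precise build exits 0 regardless, so a revocation that failed (wrong name, locked index) is still recorded in `revoked/${name}`, `creates` then suppresses every further run, and Puppet keeps reporting a certificate as revoked that never was. Capturing the script's output makes the `error 23` marker (the `openssl verify` result that proves the certificate is revoked) the single success criterion, independent of the exit code, e.g. `. ./vars && out=$(./revoke-full ${name} 2>&1); printf '%s\n' "$out"; printf '%s\n' "$out" | grep -q 'error 23' && touch revoked/${name}` (with the inner quotes `\"`-escaped in the Puppet string). `${name}` is also still unquoted inside the shell command, which only works because easy-rsa names contain no whitespace or metacharacters. The rest of the exec resource continues outside the hunk.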
--- a/manifests/client.pp +++ b/manifests/client.pp @@ -264,9 +264,10 @@ notify => Exec["generate ${name}.ovpn in ${server}"], } + $name_escaped = regsubst(regsubst($name, '\.', '\\.', 'G'), '@', '\\@', 'G') exec { "generate ${name}.ovpn in ${server}": cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name}/ca.crt|){ chomp(\$ca=`cat ${name}/keys/${name}/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name}/${name}.crt|) { chomp(\$crt=`cat ${name}/keys/${name}/${name}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name}/${name}.key|){ chomp(\$key=`cat ${name}/keys/${name}/${name}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", + command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name_escaped}/ca.crt|){ chomp(\$ca=`cat ${name_escaped}/keys/${name_escaped}/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name_escaped}/${name_escaped}.crt|) { chomp(\$crt=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name_escaped}/${name_escaped}.key|){ chomp(\$key=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", refreshonly => true, require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], From 8da17914f867945df82047e3248cb1c139944710 Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Tue, 14 Jul 2015 16:36:36 +0200 Subject: [PATCH 3/8] client: include tls-auth key also in .ovpn file --- manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index e45f4237..febc5690 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
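Review bot: `$name_escaped` only neutralises `.` and `@`, which fixes the regexp but does not make the interpolation safe: `$name` is still spliced verbatim into a single-quoted perl program, into `m|...|` patterns (a `|` in the name ends the pattern) and into backtick `cat` commands, so a `'`, `` ` ``, `$` or `;` in a client name breaks out into the shell under the Puppet agent (normally root). The output redirection at the end still uses the unescaped `${name}` as well. Since easy-rsa names are only ever letters, digits, `.`, `-`, `_` and `@`, a whitelist check at the top of the define is the simpler and complete fix, e.g. `validate_re($name, '^[A-Za-z0-9._@-]+$', "openvpn::client name '${name}' contains unsupported characters")` (stdlib, which this module appears to depend on already). The exec's `require` list continues outside the hunk.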
@@ -267,7 +267,7 @@ $name_escaped = regsubst(regsubst($name, '\.', '\\.', 'G'), '@', '\\@', 'G') exec { "generate ${name}.ovpn in ${server}": cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name_escaped}/ca.crt|){ chomp(\$ca=`cat ${name_escaped}/keys/${name_escaped}/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name_escaped}/${name_escaped}.crt|) { chomp(\$crt=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name_escaped}/${name_escaped}.key|){ chomp(\$key=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.key`); print \"\n\$key\n\"} else { print} ' > ${name}.ovpn", + command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name_escaped}/ca.crt|){ chomp(\$ca=`cat ${name_escaped}/keys/${name_escaped}/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name_escaped}/${name_escaped}.crt|) { chomp(\$crt=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name_escaped}/${name_escaped}.key|){ chomp(\$key=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.key`); print \"\n\$key\n\"} elsif(m|^(tls-auth) (keys/${name_escaped}/ta.key)( .+)?|){ chomp(\$tlsauth=`cat ${name_escaped}/keys/${name_escaped}/ta.key`); print \"\n\$tlsauth\n\nkey-direction 1\"} else { print} ' > ${name}.ovpn", refreshonly => true, require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], From f999323665b28d2cb0cd7caf61b2861025807909 Mon Sep 17 00:00:00 2001 From: Dominik Schulz Date: Fri, 9 Jan 2015 20:37:17 +0100 Subject: [PATCH 4/8] Add tls-cipher options for client and server --- manifests/client.pp | 5 +++++ manifests/server.pp | 5 +++++ spec/defines/openvpn_client_spec.rb | 2 ++ spec/defines/openvpn_server_spec.rb | 2 ++ templates/client.erb | 3 +++ templates/server.erb | 3 +++ 6 files changed, 20 insertions(+) 
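Review bot: The new tls-auth branch captures the key direction from the original line as `$3` and then discards it, writing a hard-coded `key-direction 1`, so a client config that declares direction 0 or no direction at all (bidirectional mode) is silently rewritten to direction 1 and the handshake fails against such a server. Emitting the captured value keeps the `.conf` and the `.ovpn` in sync, e.g. `print \"\n\$tlsauth\n\" . (defined \$3 ? \"\nkey-direction\$3\" : \"\")` in place of the fixed string (`$3` already carries its leading space). Whether the inline block needs `<tls-auth>`…`</tls-auth>` tags depends on how the other inline sections are wrapped, which is outside this hunk. It is worth a comment on the line that the generated `.ovpn` now bundles the shared `ta.key` together with the client's private key, so the file and the archive need the same protection as key material.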
diff --git a/manifests/client.pp b/manifests/client.pp index febc5690..31658ce8 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -59,6 +59,10 @@ # String, Cipher to use for packet encryption # Default: None # +# [*tls_cipher*] +# String, TLS Ciphers to use +# Default: None +# # [*resolv_retry*] # Integer/String. How many seconds should the openvpn client try to resolve # the server's hostname @@ -178,6 +182,7 @@ $verb = '3', $pam = false, $cipher = undef, + $tls_cipher = undef, $authuserpass = false, $setenv = {}, $setenv_safe = {}, diff --git a/manifests/server.pp b/manifests/server.pp index cfbcbd5d..2da0f749 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -237,6 +237,10 @@ # String, Cipher to use for packet encryption # Default: None # +# [*tls_cipher*] +# String, TLS Ciphers to use +# Default: None +# # [*persist_key*] # Boolean. Try to retain access to resources that may be unavailable # because of privilege downgrades @@ -418,6 +422,7 @@ $key_ou = '', $verb = '', $cipher = '', + $tls_cipher = undef, $persist_key = false, $persist_tun = false, $tls_auth = false, diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index b7e3770b..31f2f8b7 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb @@ -75,6 +75,7 @@ 'persist_key' => false, 'persist_tun' => false, 'cipher' => 'BF-CBC', + 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', 'port' => '123', 'proto' => 'udp', 'remote_host' => 'somewhere', 
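Review bot: `$tls_cipher` is interpolated straight into the client config with no validation, so a value containing a newline injects arbitrary directives into the generated `.conf` and `.ovpn` (the existing `$cipher` has the same gap, but this hunk is where the new parameter is declared). OpenVPN's `tls-cipher` takes a colon-separated list of names as printed by `openvpn --show-tls`, so a whitelist is cheap: `if $tls_cipher { validate_re($tls_cipher, '^[A-Za-z0-9:_-]+$') }` next to the existing `$pam` check. The parameter doc should also say what the value is, e.g. `# String, colon-separated list of TLS control-channel ciphers to allow (names from 'openvpn --show-tls'); must overlap the server's list or the handshake fails`. The `server.pp` hunk of the same patch needs the identical check and wording.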
@@ -111,6 +112,7 @@ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^setenv\s+CLIENT_CERT\s+0$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^setenv_safe\s+FORWARD_COMPATIBLE\s+1$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cipher\s+BF-CBC$/)} + it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^tls-client$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verify-x509-name\s+"test_server"\s+name$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^sndbuf\s+393216$/)} diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb index 746c1977..f53d4ab4 100644 --- a/spec/defines/openvpn_server_spec.rb +++ b/spec/defines/openvpn_server_spec.rb @@ -142,6 +142,7 @@ 'key_ou' => 'NSA', 'verb' => 'mute', 'cipher' => 'DES-CBC', + 'tls_cipher' => 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA', 'persist_key' => true, 'persist_tun' => true, 'duplicate_cn' => true, 
@@ -190,6 +191,7 @@ it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^management\s+1.3.3.7 1337$/) } it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^verb mute$/) } it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^cipher DES-CBC$/) } + it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^tls-cipher\s+TLS-DHE-RSA-WITH-AES-256-CBC-SHA$/)} it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^persist-key$/) } it { should contain_file('/etc/openvpn/test_server.conf').with_content(/^persist-tun$/) } diff --git a/templates/client.erb b/templates/client.erb index ee5aa882..f3035989 100644 --- a/templates/client.erb +++ b/templates/client.erb @@ -22,6 +22,9 @@ persist-tun <% if @cipher -%> cipher <%= @cipher %> <% end -%> +<% if @tls_cipher -%> +tls-cipher <%= @tls_cipher %> +<% end -%> <% if @mute_replay_warnings -%> mute-replay-warnings <% end -%> diff --git a/templates/server.erb b/templates/server.erb index 9682c411..8a8201d4 100644 --- a/templates/server.erb +++ b/templates/server.erb @@ -93,6 +93,9 @@ verb <%= @verb %> <% if @cipher != '' -%> cipher <%= @cipher %> <% end -%> +<% if @tls_cipher -%> +tls-cipher <%= @tls_cipher %> +<% end -%> <% if @c2c -%> client-to-client <% end -%> From 335e7c54096ac69c2d80891bdee4541b6c0c4c11 Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Tue, 14 Jul 2015 16:35:23 +0200 Subject: [PATCH 5/8] client: allow to define custom expiry time --- manifests/client.pp | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/manifests/client.pp b/manifests/client.pp index 31658ce8..c2f8995b 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -131,6 +131,11 @@ # [*custom_options*] # Hash of additional options that you want to append to the configuration file. # +# [*expire*] +# Integer. Set a custom expiry time to pass to script. Value is the number of +# days the certificate is valid for. +# Default: undef +# # === Examples # # openvpn::client { @@ -194,6 +199,7 @@ $rcvbuf = undef, $shared_ca = undef, $custom_options = {}, + $expire = undef, ) { if $pam { @@ -207,8 +213,18 @@ Openvpn::Ca[$ca_name] -> Openvpn::Client[$name] + if $expire { + if is_integer($expire){ + $env_expire = "KEY_EXPIRE=${expire}" + } else { + warning("Custom expiry time ignored: only integer is accepted but ${expire} is given.") + } + } else { + $env_expire = '' + } + exec { "generate certificate for ${name} in context of ${ca_name}": - command => ". ./vars && ./pkitool ${name}", + command => ". ./vars && ${env_expire} ./pkitool ${name}", cwd => "/etc/openvpn/${ca_name}/easy-rsa", creates => "/etc/openvpn/${ca_name}/easy-rsa/keys/${name}.crt", provider => 'shell'; From 955d601251d5525444e9683bef1a055c468ce208 Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Tue, 14 Jul 2015 17:14:24 +0200 Subject: [PATCH 6/8] client: allow to define README text to be included in client config archive --- manifests/client.pp | 17 +++++++++++++++++ spec/defines/openvpn_client_spec.rb | 2 ++ 2 files changed, 19 insertions(+) diff --git a/manifests/client.pp b/manifests/client.pp index c2f8995b..0b56095f 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -136,6 +136,11 @@ # days the certificate is valid for. # Default: undef # +# [*readme*] +# String. Text to place in a README file which is included in download-configs +# archive. +# Default: undef +# # === Examples # # openvpn::client { @@ -200,6 +205,7 @@ $shared_ca = undef, $custom_options = {}, $expire = undef, + $readme = undef, ) { if $pam { 
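Review bot: When `$expire` is set but `is_integer` rejects it, `$env_expire` is never assigned: only the warning fires, and the exec then interpolates an undefined variable, which expands to nothing on older Puppet and aborts the catalog under `strict_variables`. Adding `$env_expire = ''` directly after the `warning(...)` call closes that path and makes the command identical to the no-expiry case. A `fail()` is arguably the better choice, since a typo in the expiry otherwise silently issues a certificate with the default lifetime from `vars`. Note that `${expire}` only reaches the shell command after passing `is_integer`, which is what keeps `KEY_EXPIRE=${expire}` free of injection; that should stay the only path into the command. The define continues outside the hunk.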
@@ -264,6 +270,17 @@ } } + if $readme { + file {"/etc/openvpn/${server}/download-configs/${name}/README": + ensure => file, + owner => root, + group => root, + mode => '0444', + content => $readme, + notify => Exec["tar the thing ${server} with ${name}"]; + } + } + file { "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": owner => root, group => root, diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index 31f2f8b7..39c8b230 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb @@ -88,6 +88,7 @@ 'x509_name' => 'test_server', 'sndbuf' => 393216, 'rcvbuf' => 393215, + 'readme' => 'readme text', } } let(:facts) { { :fqdn => 'somehost', @@ -117,6 +118,7 @@ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verify-x509-name\s+"test_server"\s+name$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^sndbuf\s+393216$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^rcvbuf\s+393215$/)} + it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/README').with_content(/^readme text$/)} end context "omitting the cipher key" do From 0f6f5789a351f9b3bd6f7aa273d409b9cdd72be1 Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Wed, 12 Aug 2015 16:54:27 +0200 Subject: [PATCH 7/8] client: add tunnelblick configs to config tarball --- manifests/client.pp | 33 +++++++++++++++++++++++------ spec/defines/openvpn_client_spec.rb | 2 +- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 0b56095f..027b9504 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
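Review bot: The README is only ever created: once `$readme` is unset again the `file` resource drops out of the catalog but the file stays in `download-configs/${name}/` and keeps being shipped in the tarball, so outdated instructions cannot be retired by removing the parameter. Managing both states avoids that, roughly `ensure => $readme ? { undef => absent, default => file }` with the `file { ... }` moved outside the `if`, or an explicit `else` branch declaring the same path with `ensure => absent` on Puppet versions where selecting on undef is awkward. The parameter doc should also state that the text is written verbatim, mode 0444, into the per-client archive. The rest of the define continues outside the hunk.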
@@ -265,7 +265,10 @@ ensure => link, target => "/etc/openvpn/${server}/easy-rsa/keys/ta.key", require => Exec["generate certificate for ${name} in context of ${server}"], - before => Exec["tar the thing ${server} with ${name}"], + before => [ + Exec["tar the thing ${server} with ${name}"], + Exec["generate ${name}.ovpn in ${server}"], + ], notify => Exec["tar the thing ${server} with ${name}"], } } 
@@ -281,31 +284,47 @@ } } + file { + "/etc/openvpn/${server}/download-configs/${name}.tblk": + ensure => directory; + + "/etc/openvpn/${server}/download-configs/${name}.tblk/${name}.ovpn": + ensure => link, + target => "/etc/openvpn/${server}/download-configs/${name}.ovpn", + require => [ + Exec["generate ${name}.ovpn in ${server}"], + File["/etc/openvpn/${server}/download-configs/${name}.tblk"], + ], + before => Exec["tar the thing ${server} with ${name}"]; + } + file { "/etc/openvpn/${server}/download-configs/${name}/${name}.conf": owner => root, group => root, mode => '0444', content => template('openvpn/client.erb'), - notify => Exec["tar the thing ${server} with ${name}"], + notify => Exec["generate ${name}.ovpn in ${server}"], } exec { "tar the thing ${server} with ${name}": cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name}", + command => "/bin/rm ${name}.tar.gz; tar --exclude=\\*.conf.d -chzvf ${name}.tar.gz ${name} ${name}.tblk", refreshonly => true, require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/ca.crt"], File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.key"], - File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt"] + File["/etc/openvpn/${server}/download-configs/${name}/keys/${name}/${name}.crt"], + File["/etc/openvpn/${server}/download-configs/${name}.ovpn"], + File["/etc/openvpn/${server}/download-configs/${name}.tblk"], + File["/etc/openvpn/${server}/download-configs/${name}.tblk/${name}.ovpn"], ], - notify => Exec["generate ${name}.ovpn in ${server}"], } $name_escaped = regsubst(regsubst($name, '\.', '\\.', 'G'), '@', '\\@', 'G') exec { "generate ${name}.ovpn in ${server}": cwd => "/etc/openvpn/${server}/download-configs/", - command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca 
keys/${name_escaped}/ca.crt|){ chomp(\$ca=`cat ${name_escaped}/keys/${name_escaped}/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name_escaped}/${name_escaped}.crt|) { chomp(\$crt=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name_escaped}/${name_escaped}.key|){ chomp(\$key=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.key`); print \"\n\$key\n\"} elsif(m|^(tls-auth) (keys/${name_escaped}/ta.key)( .+)?|){ chomp(\$tlsauth=`cat ${name_escaped}/keys/${name_escaped}/ta.key`); print \"\n\$tlsauth\n\nkey-direction 1\"} else { print} ' > ${name}.ovpn", + command => "/bin/rm ${name}.ovpn; cat ${name}/${name}.conf | perl -lne 'if(m|^ca keys/${name_escaped}/ca.crt|){ chomp(\$ca=`cat ${name_escaped}/keys/${name_escaped}/ca.crt`); print \"\n\$ca\n\"} elsif(m|^cert keys/${name_escaped}/${name_escaped}.crt|) { chomp(\$crt=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.crt`); print \"\n\$crt\n\"} elsif(m|^key keys/${name_escaped}/${name_escaped}.key|){ chomp(\$key=`cat ${name_escaped}/keys/${name_escaped}/${name_escaped}.key`); print \"\n\$key\n\"} elsif(m|^(tls-auth) (keys/${name_escaped}/ta.key)( .+)?|){ chomp(\$tlsauth=`cat ${name_escaped}/keys/${name_escaped}/ta.key`); print \"\n\$tlsauth\n\nkey-direction 1\"} elsif(m/^(up|down) /){ next; } else { print} ' > ${name}.ovpn", refreshonly => true, require => [ File["/etc/openvpn/${server}/download-configs/${name}/${name}.conf"], @@ -318,5 +337,7 @@ file { "/etc/openvpn/${server}/download-configs/${name}.ovpn": mode => '0400', require => Exec["generate ${name}.ovpn in ${server}"], + notify => Exec["tar the thing ${server} with ${name}"], } + } diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index 39c8b230..24afc7c6 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb 
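Review bot: The rewritten `generate ${name}.ovpn` command still creates the file with `> ${name}.ovpn` under the shell's default umask, and that file now concatenates the client's private key, the shared `ta.key` and the certificates; the `file` resource only tightens it to 0400 afterwards, so with a 022 umask the key material is world-readable between the exec and that resource. Prefixing the command closes the window: `command => "umask 077; /bin/rm -f ${name}.ovpn; cat ${name}/${name}.conf | perl ..."` (`-f` also stops `rm` from complaining on the first run). The same applies to `tar ... -chzvf ${name}.tar.gz`, which writes an archive holding the same keys with default permissions and has no `file` resource fixing its mode, and to the new `${name}.tblk` directory, which is declared without `owner`/`mode`. The new `elsif(m/^(up|down) /){ next; }` silently drops script hooks from the `.ovpn`, presumably for Tunnelblick's benefit; that deserves a comment on the line, e.g. `# up/down scripts are host-specific and must not end up in the portable .ovpn`.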
@@ -35,7 +35,7 @@ it { should contain_exec('tar the thing test_server with test_client').with( 'cwd' => '/etc/openvpn/test_server/download-configs/', - 'command' => '/bin/rm test_client.tar.gz; tar --exclude=\*.conf.d -chzvf test_client.tar.gz test_client' + 'command' => '/bin/rm test_client.tar.gz; tar --exclude=\*.conf.d -chzvf test_client.tar.gz test_client test_client.tblk' ) } context "setting the minimum parameters" do From 268de481c074280eca2ed615cffad9118f337c18 Mon Sep 17 00:00:00 2001 From: Mathias Klette Date: Mon, 14 Sep 2015 14:18:14 +0200 Subject: [PATCH 8/8] server: fix arrow alignment --- manifests/server.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index 2da0f749..7310e6cf 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -571,10 +571,10 @@ if $::openvpn::params::systemd { if $::openvpn::manage_service { service { "openvpn@${name}": - ensure => running, - enable => true, + ensure => running, + enable => true, provider => 'systemd', - require => [ File["/etc/openvpn/${name}.conf"], Openvpn::Ca[$ca_name] ] + require => [ File["/etc/openvpn/${name}.conf"], Openvpn::Ca[$ca_name] ] } } }