From e1608b4aeca07f5e085f88377834add658a1bb4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?= Date: Mon, 24 Jan 2022 05:47:18 +0200 Subject: [PATCH 1/5] Vagrant: fix host-only network IP ranges On recent VirtualBox (e.g. 6.1.30) host-only networks can only be in the 192.168.56.0/21 range without having local config changes on the Vagrant host. URL: https://www.virtualbox.org/manual/ch06.html#network_hostonly --- Vagrantfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 318bad07..c89d9d4f 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -27,13 +27,13 @@ Vagrant::Config.run(2) do |config| c.vm.hostname = 'server' c.vm.box = 'ubuntu/trusty64' server_config c - c.vm.network :private_network, ip: '10.255.255.10' + c.vm.network :private_network, ip: '192.168.61.10' end config.vm.define :client_ubuntu do |c| c.vm.hostname = 'client' c.vm.box = 'ubuntu/trusty64' client_config c - c.vm.network :private_network, ip: '10.255.255.20' + c.vm.network :private_network, ip: '192.168.61.20' end end From e438e4fcc99c38ec91732152a27937ecba89112e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?= Date: Mon, 24 Jan 2022 07:15:54 +0200 Subject: [PATCH 2/5] Vagrant: explicitly define IP address of the VPN server for clients Remote endpoint setup fails fails when $::fqdn fact has incorrect domain suffix (e.g. mycorp.com). That can happen, for example, when systemd-resolved has configured per-interface DNS domains. --- vagrant/server.pp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/vagrant/server.pp b/vagrant/server.pp index edf0b369..e6149823 100644 --- a/vagrant/server.pp +++ b/vagrant/server.pp @@ -9,7 +9,8 @@ } openvpn::client { 'client1': - server => 'winterthur'; + server => 'winterthur', + remote_host => '192.168.61.10', } openvpn::client_specific_config { 'client1': 
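Review bot: The new addresses `192.168.61.10` and `192.168.61.20` carry no hint of why this particular subnet was chosen, so the next person who edits them is likely to pick something outside 192.168.56.0/21 and hit the same VirtualBox host-only restriction the commit message describes. Add a comment above the first `c.vm.network :private_network` line, e.g. `# Recent VirtualBox only allows host-only networks inside 192.168.56.0/21 by default; keep these addresses in that range (VirtualBox manual, host-only networking).` The server address is also written literally into vagrant/server.pp in the following patches of this series, so the comment should say that the two files must be kept in sync.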
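Review bot: `remote_host => '192.168.61.10'` is hard-coded here and twice more in the `@@ -18,14 +19,16 @@` hunk of this patch, the same literal is added again as `local =>` in PATCH 3/5, and all of them must match the `private_network` IP in the Vagrantfile. A single `$server_ip = '192.168.61.10'` near the top of vagrant/server.pp, used as `remote_host => $server_ip,` and `local => $server_ip,`, would keep the copies from drifting apart the next time the Vagrant subnet has to change. The `openvpn::client_specific_config { 'client1':` resource at the end of this hunk continues beyond it.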
@@ -18,14 +19,16 @@ } openvpn::client { 'client2': - server => 'winterthur'; + server => 'winterthur', + remote_host => '192.168.61.10', } openvpn::client { 'client3': - server => 'winterthur'; + server => 'winterthur', + remote_host => '192.168.61.10', } openvpn::revoke { 'client3': - server => 'winterthur'; + server => 'winterthur', } } From d5ec567094633d2ac1962606a2bac1bfb3235517 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?= Date: Mon, 24 Jan 2022 07:16:15 +0200 Subject: [PATCH 3/5] Vagrant: define server listen address explicitly This ensures that even if the primary network interface as seen by facter is wrong the server is still be able to listen to requests from clients. --- vagrant/server.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/vagrant/server.pp b/vagrant/server.pp index e6149823..29112b17 100644 --- a/vagrant/server.pp +++ b/vagrant/server.pp @@ -5,6 +5,7 @@ city => 'Winterthur', organization => 'example.org', email => 'root@example.org', + local => '192.168.61.10', server => '10.200.200.0 255.255.255.0', } From 54286ecee89361a8a7b50ff0ccf57000dbc48204 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?= Date: Mon, 24 Jan 2022 07:18:21 +0200 Subject: [PATCH 4/5] Vagrant: update server and client to Ubuntu 20.04 Bringing up Ubuntu 16.04 VMs failed because librarian-puppet depended on Ruby 2.0+. Instead of attempting to fix that problem upgrade the VMs to a non-EOL operating system. --- Vagrantfile | 4 ++-- vagrant/provision_module.sh | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index c89d9d4f..332019c9 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -25,14 +25,14 @@ Vagrant::Config.run(2) do |config| config.vm.define :server_ubuntu do |c| c.vm.hostname = 'server' - c.vm.box = 'ubuntu/trusty64' + c.vm.box = 'ubuntu/focal64' server_config c c.vm.network :private_network, ip: '192.168.61.10' end config.vm.define :client_ubuntu do |c| c.vm.hostname = 'client' - c.vm.box = 'ubuntu/trusty64' + c.vm.box = 'ubuntu/focal64' client_config c c.vm.network :private_network, ip: '192.168.61.20' end diff --git a/vagrant/provision_module.sh b/vagrant/provision_module.sh index b56b4a4b..d9cb057d 100644 --- a/vagrant/provision_module.sh +++ b/vagrant/provision_module.sh @@ -3,10 +3,15 @@ set -e if [ ! -f /module-installed ]; then + wget https://apt.puppet.com/puppet7-release-focal.deb + dpkg -i puppet7-release-focal.deb + apt-get update - apt-get install -y ruby-dev git + apt-get install -y ruby-dev git puppet-agent + + export PATH=$PATH:/opt/puppetlabs/puppet/bin:/opt/puppetlabs/bin - gem install librarian-puppet --no-rdoc --no-ri + gem install librarian-puppet --no-document cp /vagrant/vagrant/Puppetfile /tmp cd /tmp && librarian-puppet install --verbose From e6aadfcf4856dedc3e5f8ab8fa0577cf1be74780 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?= Date: Mon, 24 Jan 2022 07:45:40 +0200 Subject: [PATCH 5/5] Vagrant: add missing documentation --- README.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/README.md b/README.md index c1f0cc03..80625895 100644 --- a/README.md +++ b/README.md 
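Review bot: The `puppet7-release-focal.deb` fetched by the new `wget` line is installed with `dpkg -i` without any checksum or signature verification, and that package is what configures the apt repository and its signing key for everything installed afterwards, so a tampered or mis-served download would compromise the whole provisioned VM; HTTPS protects the transfer but not the origin. Download to a fixed path and verify a pinned digest before installing: `wget -O /tmp/puppet7-release-focal.deb https://apt.puppet.com/puppet7-release-focal.deb`, `echo '<SHA256_OF_RELEASE_DEB>  /tmp/puppet7-release-focal.deb' | sha256sum -c -`, `dpkg -i /tmp/puppet7-release-focal.deb` (the digest is a placeholder to fill in from the published value). Because `set -e` is in effect a failed check aborts provisioning instead of continuing with an unverified repository. The enclosing `if [ ! -f /module-installed ]` block runs past the end of the hunk.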
@@ -99,6 +99,47 @@ Installation, configuration and starting the OpenVPN client in a configured node } ``` +## Experimenting and developing in Vagrant + +This project includes a Vagrantfile which allows you to easily develop this +module or try it out. The prerequisites are [Vagrant](https://www.vagrantup.com/) +and [VirtualBox](https://www.virtualbox.org/). + +To bring up the OpenVPN server VM: + + vagrant up server_ubuntu + +To bring up the OpenVPN client VM: + + vagrant up client_ubuntu + +Client's OpenVPN configuration is generated on the server, but it needs to be +deployed to the client manually as exported resources are not available in +Vagrant. To get the client config from server: + + vagrant ssh server_ubuntu + sudo -i + cp /etc/openvpn/winterthur/download-configs/client1.ovpn /vagrant/ + exit + +To copy it to the client: + + vagrant ssh client_ubuntu + sudo -i + mv /vagrant/client1.ovpn /etc/openvpn/client/client1.conf + +To connect directly with OpenVPN: + + openvpn --config /etc/openvpn/client/client1.conf + +To connect with systemd: + + systemctl start openvpn-client@client1 + +To test connectivity between client and server: + + ping 10.200.200.1 + ##### References * The readme file of [github.com/Angristan/OpenVPN-install](https://github.com/Angristan/OpenVPN-install/tree/f47fc795d5e2d53f74431aadc58ef9de5784103a) outlines some of reasoning behind