forked from BastiPaeltz/ansible-openvpn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
all.yml
84 lines (74 loc) · 3.57 KB
/
all.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# By default the DN is randomly generated and organizational mode is used.
openvpn_key_country: "US"
openvpn_key_province: "California"
openvpn_key_city: "Beverly Hills"
openvpn_key_org: "ACME CORPORATION"
openvpn_key_ou: "Anvil Department"
openvpn_key_email: "[email protected]"
# Set this to true to use cn_only DN mode instead.
# Consider uncommenting and setting openvpn_server_common_name_manual as well then.
easyrsa_dn_mode_cn_only: false
# openvpn_server_common_name_manual: "Company FooBar Ltd."
# `proto` and `port` where OpenVPN will listen at.
# `mask` and `cidr` refer to the subnets used for tunneling.
# `server_extra_options` defines config options added to the OpenVPN server config,
# e.g. `push ...` or `client-to-client`.
# `client_extra_options` defines config options added to the OpenVPN client config.
openvpn_instances:
- {
proto: udp,
port: 1194,
mask: "10.9.0.0 255.255.255.0",
cidr: "10.9.0.0/24",
server_extra_options: ['push "redirect-gateway def1"'],
client_extra_options: [],
}
# Uncomment below to listen on TCP 443. This will look like normal SSL/TLS traffic
# and will be more likely to get through restrictive firewalls.
# - {
# proto: tcp,
# port: 443,
# mask: "10.8.0.0 255.255.255.0",
# cidr: "10.8.0.0/24",
# server_extra_options: ['push "redirect-gateway def1"'],
# client_extra_options: [],
# }
# Whether sync_clients.yml playbook wil show a prompt displaying which clients to add
# and revoke before actually doing it and will only continue execution after confirmation input
# Set this to false to disable this prompt.
prompt_before_syncing_clients: true
# maintain a list of your valid_clients here, used by the `sync_clients.yml` playbook
valid_clients:
- laptop
- phone
# Whether the install.yml playbook will load iptables rules.
# If set to false you have to apply them yourself. See README section "Firewall".
load_iptables_rules: false
iptables_path: "/sbin/iptables"
openvpn_path_iptables_rules: "{{ openvpn_path }}/openvpn_iptables_rules.sh"
# path where fetched credentials are stored
local_creds_folder: "{{ playbook_dir }}/../fetched_creds/{{ openvpn_server_remote_host }}"
# This variable will be used as the `remote` directive in the OpenVPN configuration.
# So make sure this is resolvable by the clients.
# If this is not the case with `inventory_hostname`, one could use `ansible_default_ipv4.address`.
openvpn_server_remote_host: "{{ inventory_hostname }}"
openvpn_path: "/etc/openvpn"
openvpn_path_pki: "{{ openvpn_path }}/pki"
openvpn_path_keys: "{{ openvpn_path_pki }}/private"
openvpn_path_certs: "{{ openvpn_path_pki }}/issued"
openvpn_path_reqs: "{{ openvpn_path_pki }}/reqs"
openvpn_hmac_firewall: "{{ openvpn_path_pki }}/ta.key"
openvpn_ca_cert: "{{ openvpn_path_pki }}/ca.crt"
openvpn_path_easyrsa: "{{ openvpn_path }}/easyrsa/easyrsa3"
dhparams_size: "{{ openvpn_key_size }}"
dhparams_location: "{{ openvpn_path_pki }}/dh.pem"
openvpn_crl: "{{ openvpn_path_pki }}/crl.pem"
openvpn_server_common_name_file: "{{ openvpn_path }}/openvpn_server_common_name"
openvpn_key_size: "2048"
openvpn_cipher: "AES-256-CBC"
openvpn_auth_digest: "SHA256"
# For all available ciphers use: openvpn --show-tls
# For all available PFS ciphers (without eliptic curve cryptography) use: openvpn --show-tls | grep -e "-DHE-"
# Configuration here just uses PFS ciphers leveraging AES256 and at least SHA256
openvpn_tls_cipher: "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"
openvpn_easyrsa_version: v3.0.3