Lighter OpenVPN configuration and firewall rules (closes #30)

sebschlicht · Jan 25, 2021 · f6cac7f · f6cac7f
1 parent 30f97bf
commit f6cac7f
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 7 deletions.
diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -41,14 +41,15 @@ mailing:
   sender_name: "Pi4 (Koblenz)"
 
 openvpn:
+  port: 1194
   ca_passphrase: "{{ vault_openvpn_ca_passphrase }}"
   vars:
     name: server
     country: DE
     province: RLP
     city: Koblenz
     organization: sschlicht.de
-    email_address: pi-ko@sschlicht.de
+    email_address: "{{ mailing.from_address }}"
     organizational_unit: ko
 
 samba:

diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml
@@ -1,5 +1,6 @@
 easyrsa_folder: "{{ openvpn.easyrsa_folder | default('/usr/share/easy-rsa') }}"
 easyrsa_exe: "{{ easyrsa_folder }}/easyrsa"
+openvpn_port: "{{ openvpn.port | default(1194) }}"
 openvpn_ca_force_recreation: no
 openvpn_ca_folder: "{{ openvpn.ca_folder | default('/opt/openvpn-ca') }}"
 openvpn_ca_root_certificate: "{{ openvpn_ca_folder }}/ca.crt"

diff --git a/roles/openvpn/templates/openvpn/client.conf b/roles/openvpn/templates/openvpn/client.conf
@@ -2,7 +2,7 @@ client
 dev tun
 proto udp
 
-remote {{ openvpn_server_name }} 1194
+remote {{ openvpn_server_name }} {{ openvpn_port }}
 
 ca ca.crt
 cert {{ openvpn_client.name }}.crt

diff --git a/roles/openvpn/templates/openvpn/server.conf b/roles/openvpn/templates/openvpn/server.conf
@@ -5,7 +5,7 @@ status-version 3
 verb 3
 
 # Connection
-port 1194
+port {{ openvpn_port }}
 proto udp
 dev tun
 keepalive 1800 3600
@@ -21,10 +21,8 @@ key /etc/openvpn/server/{{ openvpn_server_name }}.key
 server 10.8.0.0 255.255.255.0
 topology subnet
 push "route 192.168.1.0 255.255.255.0"
-push "dhcp-option DNS 192.168.1.1"
+# push "redirect-gateway def1"
 push "block-outside-dns"
-push "redirect-gateway def1"
-# client-to-client
 
 # TLS Security
 cipher AES-256-CBC

diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
@@ -46,9 +46,17 @@
   when: "('cloud' in ansible_run_tags and 'ufw' in ansible_run_tags) or ('all' in ansible_run_tags)"
   register: ufw_http
 
+- name: allow OpenVPN communication
+  ufw:
+    rule: allow
+    proto: udp
+    to_port: '1194'
+  when: "('openvpn' in ansible_run_tags and 'ufw' in ansible_run_tags) or ('all' in ansible_run_tags)"
+  register: ufw_openvpn
+
 - name: enable/reload service
   service:
     name: ufw
-    state: "{{ (ufw_samba.changed or ufw_dlna.changed or ufw_http.changed) | ternary('restarted', omit) }}"
+    state: "{{ (ufw_samba.changed or ufw_dlna.changed or ufw_http.changed or ufw_openvpn.changed) | ternary('restarted', 'started') }}"
     enabled: yes
   when: not running_in_container