• Stars
    star
    113
  • Rank 310,115 (Top 7 %)
  • Language
    Ruby
  • License
    Apache License 2.0
  • Created over 13 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OpenVPN module for puppet including client config/cert creation

OpenVPN Puppet module

Build Status Release License Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores

Puppet module to manage OpenVPN servers and clients.

Features

  • Client-specific rules and access policies
  • Generated client configurations and SSL-Certificates
  • Downloadable client configurations and SSL-Certificates for easy client configuration
  • Support for multiple server instances
  • Support for LDAP-Authentication
  • Support for server instance in client mode
  • Support for TLS

Supported OS

  • Ubuntu
  • Debian
  • CentOS
  • RedHat
  • Solaris

Dependencies

Puppet

The supported Puppet versions are listed in the metadata.json

REFERENCES

Please see REFERENCE.md for more details.

Example with hiera

---
classes:
  - openvpn

openvpn::servers:
  'winterthur':
    country: 'CH'
    province: 'ZH'
    city: 'Winterthur'
    organization: 'example.org'
    email: '[email protected]'
    server: '10.200.200.0 255.255.255.0'

openvpn::client_defaults:
  server: 'winterthur'

openvpn::clients:
  'client1': {}
  'client2': {}
  'client3': {}

openvpn::client_specific_configs:
  'client1':
    server: 'winterthur'
    ifconfig: '10.200.200.50 10.200.200.51'

openvpn::revokes:
  'client3':
    server: 'winterthur'

Don't forget the sysctl directive net.ipv4.ip_forward!

Encryption Choices

This module provides certain default parameters for the openvpn encryption settings.

These settings have been applied in line with current "best practices" but no guarantee is given for their saftey and they could change in future.

You should double check these settings yourself to make sure they are suitable for your needs and in line with current best practices.

Example for automating client deployment to nodes managed by Puppet

Exporting the configurations for a client in the VPN server manifest:

  openvpn::deploy::export { 'client1':
    server => 'winterthur',
  }

Installation, configuration and starting the OpenVPN client in a configured node manifest:

  openvpn::deploy::client { 'client1':
    server => 'winterthur',
  }

Experimenting and developing in Vagrant

This project includes a Vagrantfile which allows you to easily develop this module or try it out. The prerequisites are Vagrant and VirtualBox.

To bring up the OpenVPN server VM:

vagrant up server_ubuntu

To bring up the OpenVPN client VM:

vagrant up client_ubuntu

Client's OpenVPN configuration is generated on the server, but it needs to be deployed to the client manually as exported resources are not available in Vagrant. To get the client config from server:

vagrant ssh server_ubuntu
sudo -i
cp /etc/openvpn/winterthur/download-configs/client1.ovpn /vagrant/
exit

To copy it to the client:

vagrant ssh client_ubuntu
sudo -i
mv /vagrant/client1.ovpn /etc/openvpn/client/client1.conf

To connect directly with OpenVPN:

openvpn --config /etc/openvpn/client/client1.conf

To connect with systemd:

systemctl start openvpn-client@client1

To test connectivity between client and server:

ping 10.200.200.1
References

ssl_key_size

The default key size is now set to 2048 bits. This setting also affects the size of the dhparam file.

Why

2048 bits is OK, but both NSA and ANSSI recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.

Cipher

The default data channel cipher is now set to AES-256-GCM

Why

OpenVPN was setting its default value to BF-CBC. In newer versions of OpenVPN it warns that this is no longer a secure cipher. The OpenVPN documentation recommends using this setting.

tls_cipher

The default tls_cipher option is now set to: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Why

Details of these ciphers and their uses can be found in the documentation links above.

Contributions

This module is maintained by Vox Pupuli. Voxpupuli welcomes new contributions to this module, especially those that include documentation and rspec tests. We are happy to provide guidance if necessary.

Please see CONTRIBUTING for more details.

Authors

More Repositories

1

json-schema

Ruby JSON Schema Validator
Ruby
1,447
star
2

puppetboard

Web frontend for PuppetDB
Python
698
star
3

hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
Ruby
528
star
4

puppet-nginx

Puppet Module to manage NGINX on various UNIXes
Ruby
468
star
5

puppet-elasticsearch

Elasticsearch Puppet module
Ruby
406
star
6

beaker

Puppet Acceptance Testing Harness
Ruby
368
star
7

puppet-jenkins

Puppet module for Jenkins
Ruby
276
star
8

puppet-python

Puppet module for installing and managing Python, pip, virtualenvs and Gunicorn virtual hosts.
Ruby
197
star
9

puppet-logstash

Puppet module to manage Logstash
Puppet
192
star
10

puppet-rabbitmq

RabbitMQ Puppet Module
Ruby
174
star
11

onceover

Your gateway drug to automated infrastructure testing with Puppet
Ruby
142
star
12

puppet-mcollective

MCollective Server and Client Puppet Module
Ruby
122
star
13

puppet-consul

A Puppet Module to Manage Consul
Ruby
120
star
14

puppet-nodejs

Puppet module to install nodejs and global npm packages
Ruby
112
star
15

modulesync

Synchronize common files across your Git repositories.
Ruby
101
star
16

vagrant-librarian-puppet

A Vagrant plugin to install Puppet modules using Librarian-Puppet.
Ruby
101
star
17

puppet-r10k

Setup and configure r10k for use with git based environments in puppet
Ruby
98
star
18

pypuppetdb

Python library for working with the PuppetDB API
Python
93
star
19

puppet-mongodb

mongodb installation
Ruby
92
star
20

puppet-ghostbuster

👻 Dead code detector for Puppet
Ruby
89
star
21

puppet-letsencrypt

A Puppet module to install the Letsencrypt client and request certificates.
Ruby
86
star
22

puppet-php

Generic Puppet module to manage PHP on many platforms
Puppet
85
star
23

puppet-mode

Edit Puppet manifests with GNU Emacs 24
Emacs Lisp
77
star
24

puppet-gitlab

Puppet module to manage Gitlab (Omnibus)
Puppet
74
star
25

puppet-postfix

Puppet postfix module
HTML
72
star
26

puppet-collectd

Collectd module for Puppet
Ruby
70
star
27

puppet-syntax

Syntax checks for Puppet manifests and templates
Ruby
68
star
28

puppet-blacksmith

Ruby Gem with Puppet Module utilities
Ruby
68
star
29

puppet-network

Types and providers to manage network interfaces
Ruby
68
star
30

puppet-augeasproviders

Alternative Augeas-based providers for Puppet
Ruby
65
star
31

puppet-system

Manage Linux system resources and services from hiera configuration
Puppet
64
star
32

puppet-jira

Atlassian JIRA Puppet Module
Ruby
61
star
33

puppet-prometheus

Puppet module for prometheus
Puppet
60
star
34

puppet-archive

Compressed archive file download and extraction with native types/providers for Windows and Unix
Ruby
59
star
35

beaker-rspec

beaker-rspec is a bridge between the puppet acceptance test harness
Ruby
58
star
36

rspec-puppet-facts

Simplify your unit tests by looping on every supported Operating System and populating facts.
Ruby
58
star
37

puppet-puppetboard

Puppet module to install and manage puppetboard
Puppet
53
star
38

puppet-staging

⛔️ Deprecated in favor of puppet-archive
Ruby
51
star
39

puppet-pxe

Puppet module for deploying a PXE boot server
Puppet
49
star
40

hiera-eyaml-gpg

GPG encryption backend for the hiera-eyaml module
Ruby
49
star
41

puppet-systemd

Puppet module to manage systemd
Ruby
49
star
42

puppet-selinux

Puppet Module to manage SELinux on RHEL machines
Ruby
49
star
43

puppet-keepalived

Puppet Module to manage Keepalived
Ruby
48
star
44

puppet-prometheus_reporter

A prometheus Puppet reports exporter for Puppet
Ruby
48
star
45

puppet-iis

Module to mange IIS with Puppet
Ruby
46
star
46

puppet-corosync

Sets up and manages Corosync.
Ruby
45
star
47

puppet-dhcp

Puppet module for deploying dhcp
Ruby
42
star
48

puppet-epel

Setup/configure EPEL (extra repository for enterprise linux) with Puppet
Ruby
41
star
49

puppet-redis

Puppet Module to manage Redis
Ruby
40
star
50

puppet-openssl

Puppet OpenSSL module
Ruby
39
star
51

puppet-pkgng

A Puppet package provider for FreeBSD's PkgNG package manager.
Ruby
39
star
52

puppet-firewalld

Puppet module for managing firewalld
Ruby
39
star
53

puppet-splunk

Manage Splunk servers and forwarders using Puppet
Ruby
39
star
54

puppet-rundeck

Module for managing the installatation and configuration of the rundeck orchestration tool
Ruby
38
star
55

puppet-openldap

Manage OpenLDAP with Puppet
Ruby
35
star
56

puppet-vmwaretools

Puppet module to manage VMware Operating System Specific Packages for VMware tools installation.
Puppet
35
star
57

puppet-snmp

Puppet module to manage Net-SNMP.
Ruby
34
star
58

puppet-unattended_upgrades

Unattended-upgrades for APT
Ruby
33
star
59

puppet-dnsquery

DNS query functions for Puppet
Ruby
32
star
60

puppet-hiera

Hiera hierarchy module for templating `hiera.yaml`
Ruby
32
star
61

puppet-kafka

The kafka module for managing the installation and configuration of Apache Kafka
Puppet
30
star
62

puppet-fail2ban

This module installs, configures and manages the Fail2ban service.
Ruby
30
star
63

ra10ke

Rake tasks related to R10K and Puppetfile
Ruby
29
star
64

puppet-wildfly

Puppet module to install, configure and manage Wildfly (8/9/10+), JBoss EAP (6.1+/7.0+) and some Wildfly based products like apiman, Keycloak and Infinispan.
Ruby
29
star
65

puppet-windowsfeature

Library that uses ServerAdministration api that comes with Windows Server 2008 and Windows Server 2012 to add / remove windows features
Ruby
29
star
66

puppet-catalog-diff-viewer

A viewer for the puppet-catalog-diff tool
JavaScript
28
star
67

puppet-unbound

Puppet module for deploying the swiss-army of DNS, Unbound
Ruby
28
star
68

metadata-json-lint

Tool to check the validity of Puppet metadata.json files
Ruby
27
star
69

hiera-file

File backend for Hiera
Ruby
26
star
70

puppet-vault_lookup

Ruby
25
star
71

puppetdb-ruby

Ruby client library for interacting with PuppetDB API
Ruby
24
star
72

puppet-alternatives

Manage Debian alternatives links
Ruby
24
star
73

puppet-telegraf

A Puppet module for installing and configuring InfluxData's Telegraf
Ruby
24
star
74

puppet-healthcheck

Puppet resources to evaluate the health and status of things.
Ruby
22
star
75

puppet-puppetserver

Puppet module for puppetserver
Ruby
21
star
76

puppet-confluence

A puppet module to install confluence
Ruby
20
star
77

puppet-drbd

Basic module for configuring active-passive drbd resources
Puppet
20
star
78

puppet-stash

A puppet module to install atlassian stash
Ruby
19
star
79

puppet-kmod

manage kernel module with puppet
Ruby
18
star
80

puppet-mrepo

Puppet module for creating and managing RPM based repository mirrors.
Puppet
17
star
81

puppet-ssh_keygen

Generation of ssh keys with ssh-keygen
Ruby
17
star
82

puppet-windows_firewall

puppet module for configuring the windows firewall
Ruby
17
star
83

puppet-nomad

Puppet module for managing Nomad
Ruby
16
star
84

puppet-gluster

Create and manage Gluster pools, volumes, and mounts
Ruby
16
star
85

puppet-kibana

Kibana Puppet module by Elastic.
Ruby
16
star
86

puppet-filemapper

Map files to puppet resources and back
Ruby
15
star
87

puppet-proxysql

Puppet module to configure ProxySQL
Ruby
15
star
88

puppet-cron

Puppet module to manage cron jobs via /etc/cron.d
Ruby
14
star
89

puppet-tea

Puppet 4.6 Types: Abstracted & Extracted
Ruby
14
star
90

puppet-ca_cert

A puppet module for managing (non-system) CA certificates.
Ruby
14
star
91

puppet-minecraft

Puppet - Minecraft: Separately maintained fork of brannan's puppet-module-minecraft
Ruby
14
star
92

puppet-chrony

Puppet module for Chrony with Systemd
Ruby
13
star
93

puppet-smokeping

Puppet module to install and configure smokeping. Including target and slave definition
Puppet
13
star
94

puppet-cassandra

Installs Cassandra & DataStax Agent on RHEL/Ubuntu/Debian.
Ruby
13
star
95

puppet-googleauthenticator

Google-authenticator module for Puppet
Puppet
13
star
96

puppet-bareos

Puppet Module to manage bareos
Puppet
13
star
97

puppet-misp

This module installs and configures MISP (Malware Information Sharing Platform)
HTML
13
star
98

puppet_webhook

Sinatra-based application that triggers puppet-related commands from VCS Webhook calls
Ruby
13
star
99

puppet-extlib

This module provides functions that are out of scope for stdlib.
Ruby
13
star
100

puppet-gitlab_ci_runner

Module to mange gitlab CI runners. Extracted from https://github.com/voxpupuli/puppet-gitlab
Ruby
13
star