Diffstat (limited to 'roles/ocserv')
-rw-r--r--roles/ocserv/handlers/main.yml11
-rw-r--r--roles/ocserv/tasks/check_ocserv_exists.yaml16
-rw-r--r--roles/ocserv/tasks/configure_ocserv.yaml40
-rw-r--r--roles/ocserv/tasks/create_users_ocserv.yaml18
-rw-r--r--roles/ocserv/tasks/install_ocserv.yaml63
-rw-r--r--roles/ocserv/tasks/main.yaml3
-rw-r--r--roles/ocserv/tasks/setup_ocserv.yaml8
-rw-r--r--roles/ocserv/templates/ca.tmpl.j28
-rw-r--r--roles/ocserv/templates/crl.tmpl.j22
-rw-r--r--roles/ocserv/templates/ocserv.conf.j248
-rw-r--r--roles/ocserv/templates/ocserv.rc.j214
-rw-r--r--roles/ocserv/templates/server.tmpl.j27
12 files changed, 238 insertions, 0 deletions
diff --git a/roles/ocserv/handlers/main.yml b/roles/ocserv/handlers/main.yml
new file mode 100644
index 00000000..dcc18f2c
--- /dev/null
+++ b/roles/ocserv/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart_ocserv
+ ansible.builtin.service:
+ name: ocserv
+ state: restarted
+ enabled: true
+
+- name: remove_ocserv_tempdir
+ ansible.builtin.file:
+ path: "{{ ocserv_tempdir.path }}"
+ state: absent
diff --git a/roles/ocserv/tasks/check_ocserv_exists.yaml b/roles/ocserv/tasks/check_ocserv_exists.yaml
new file mode 100644
index 00000000..bb4734ce
--- /dev/null
+++ b/roles/ocserv/tasks/check_ocserv_exists.yaml
@@ -0,0 +1,16 @@
+---
+- name: "Check if ocserv is already installed"
+ ansible.builtin.stat:
+ path: /var/reactance/ocserv
+ register: ocserv_directory
+
+- name: "Install ocserv if directory doesn't exist"
+ ansible.builtin.include_tasks: install_ocserv.yaml
+ when: ocserv_directory.stat.exists == false
+
+- name: "Configure ocserv"
+ ansible.builtin.include_tasks: configure_ocserv.yaml
+ when: ocserv_directory.stat.exists == false
+
+- name: "Create ocserv users"
+ ansible.builtin.include_tasks: create_users_ocserv.yaml
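Review bot: The two `when: ocserv_directory.stat.exists == false` conditions compare against a literal boolean; the idiomatic (and ansible-lint clean) form is `when: not ocserv_directory.stat.exists`. Note also that the existence of `/var/reactance/ocserv` is used as the sole "already installed and configured" signal, so a run that fails after the directory is created but before `configure_ocserv.yaml` finishes will skip configuration on every later run; a short comment stating that assumption, or a stat on the generated `ocserv.conf` instead of the directory, would make the gating more robust.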
diff --git a/roles/ocserv/tasks/configure_ocserv.yaml b/roles/ocserv/tasks/configure_ocserv.yaml
new file mode 100644
index 00000000..53e771c0
--- /dev/null
+++ b/roles/ocserv/tasks/configure_ocserv.yaml
@@ -0,0 +1,40 @@
+---
+- name: "template out config"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+ - src: ca.tmpl.j2
+ dest: /var/reactance/ocserv/certs/ca.tmpl
+ - src: server.tmpl.j2
+ dest: /var/reactance/ocserv/certs/server.tmpl
+ - src: crl.tmpl.j2
+ dest: /var/reactance/ocserv/certs/crl.tmpl
+
+# generate ca, server certs, crl file
+- name: "generate ca, server certs"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/ca-key.pem"
+ - "certtool --generate-self-signed --load-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/ca.tmpl --outfile /var/reactance/ocserv/certs/ca-cert.pem"
+ - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/server-key.pem"
+ - "certtool --generate-certificate --load-privkey /var/reactance/ocserv/certs/server-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/server.tmpl --outfile /var/reactance/ocserv/certs/server-cert.pem"
+ - "certtool --generate-crl --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --template /var/reactance/ocserv/certs/crl.tmpl --outfile /var/reactance/ocserv/certs/crl.pem"
+ no_log: true
+
+- name: "template out nat rules in pf.conf"
+ ansible.builtin.blockinfile:
+ path: /etc/pf.conf
+ create: true
+ backup: true
+ marker: "### REACTANCE - Ocserv NAT - {mark} ###"
+ insertafter: "EOF"
+ block: |
+ match out on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from {{ ocserv_network | default("172.16.16.0/24") }} to any nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
+ match in on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from any to {{ ocserv_network | default("172.16.16.0/24") }} nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
+# default(ansible_all_ipv4_addresses[0]) is added, in case a default route doesn't exist
+
+- name: "generate public, private key pair"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/ocserv/certs/server-key.pem -out /var/reactance/ocserv/certs/server-cert.pem -sha256 -days 3650 -nodes -subj /CN=example &>/dev/null"
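Review bot: The final "generate public, private key pair" task overwrites `server-key.pem` and `server-cert.pem` that the certtool loop just produced and signed with the CA, replacing them with a self-signed `/CN=example` certificate that no longer chains to the `ca-cert` referenced in `ocserv.conf.j2`; either this task or the certtool loop appears redundant, and the survivor should say which trust model is intended. The `&>/dev/null` redirection is bash syntax — on OpenBSD's `/bin/sh` it backgrounds `openssl` and redirects nothing, so the task returns before the key exists. None of the shell tasks declare `creates:`, so any rerun regenerates every private key; `args: { creates: /var/reactance/ocserv/certs/server-cert.pem }` (block style in the file) would make them idempotent. The generated key files inherit the umask and the template task sets no `mode`; a follow-up `ansible.builtin.file` with `mode: "0600"` on the `*-key.pem` files would pin their permissions.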
diff --git a/roles/ocserv/tasks/create_users_ocserv.yaml b/roles/ocserv/tasks/create_users_ocserv.yaml
new file mode 100644
index 00000000..12748e7a
--- /dev/null
+++ b/roles/ocserv/tasks/create_users_ocserv.yaml
@@ -0,0 +1,18 @@
+---
+- name: "ocserv user management"
+ ocserv:
+ users: "{{ all_users|default([]) + ocserv_users|default([]) }}"
+ notify:
+ - restart_ocserv
+# no_log: true
+ register: ocserv_user_pass_dict
+
+- name: "make temp dir"
+ ansible.builtin.file:
+ path: /var/reactance/.temp/
+ state: directory
+
+- name: "add ocserv user password pair to dict"
+ ansible.builtin.copy:
+ content: "{{ ocserv_user_pass_dict['msg']|default({}) | to_json }}"
+ dest: /var/reactance/.temp/ocserv_user_pass_dict
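Review bot: `no_log: true` is commented out on the "ocserv user management" task, so whatever the custom `ocserv` module returns in `msg` — which the last task serialises as a user/password mapping — is printed in play output and any log collector. The `copy` writing that JSON to `/var/reactance/.temp/ocserv_user_pass_dict` sets no `mode`, and the `file` task creating `/var/reactance/.temp/` sets none either, so both default to the remote umask; add `mode: "0600"` to the copy and `mode: "0700"` to the directory, and restore `no_log: true` (or document why it is off). If the temp file is only needed transiently, a handler removing it, as `remove_ocserv_tempdir` does for the install tempdir, would be consistent with the rest of the role.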
diff --git a/roles/ocserv/tasks/install_ocserv.yaml b/roles/ocserv/tasks/install_ocserv.yaml
new file mode 100644
index 00000000..a31a2ee5
--- /dev/null
+++ b/roles/ocserv/tasks/install_ocserv.yaml
@@ -0,0 +1,63 @@
+---
+# ocserv has built-in chroot functionality
+
+# it's fine here, other roles won't be running any pkg_add
+- name: "install ocserv"
+ community.general.openbsd_pkg:
+ name: ocserv--
+ state: present
+
+- name: "create directory"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: _vpn
+ group: _vpn
+ mode: 0700
+ loop:
+ - /var/reactance/ocserv
+ - /var/reactance/ocserv/run
+ - /var/reactance/ocserv/certs
+
+- name: "create log file"
+ ansible.builtin.file:
+ path: /var/log/ocserv.log
+ state: touch
+ mode: "0600"
+ changed_when: false
+
+- name: "create temporary directory"
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: temp
+ register: ocserv_tempdir
+ notify:
+ - remove_ocserv_tempdir
+
+- name: "template out config"
+ ansible.builtin.template:
+ src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+
+- name: "template out init script"
+ ansible.builtin.template:
+ src: ocserv.rc.j2
+ dest: "{{ ocserv_tempdir.path }}/ocserv.rc"
+
+# will fail without it
+- name: "copy ocserv-worker"
+ ansible.builtin.copy:
+ owner: _vpn
+ group: _vpn
+ remote_src: true
+ src: /usr/local/sbin/ocserv-worker
+ dest: /var/reactance/ocserv/ocserv-worker
+ mode: 0770
+
+- name: "install init script"
+ ansible.builtin.shell: "install -m 755 -g bin {{ ocserv_tempdir.path }}/ocserv.rc /etc/rc.d/ocserv && rm -rf /var/reactance/ocserv/ocserv.rc"
+
+- name: "remove /etc/ocserv (we are using /var/reactance/ocserv)"
+ ansible.builtin.file:
+ path: /etc/ocserv
+ state: absent
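Review bot: `mode: 0700` on the "create directory" task and `mode: 0770` on "copy ocserv-worker" are unquoted octal literals, while "create log file" uses the quoted `mode: "0600"`; the file module happens to accept the integer form but ansible-lint flags it (risky-octal) and the inconsistency invites a mis-typed value later, so quote all three as `mode: "0700"` / `mode: "0770"`. In "install init script", `rm -rf /var/reactance/ocserv/ocserv.rc` removes a path nothing in this file writes (the rc script is templated into `ocserv_tempdir.path`), so it is a no-op; `args: creates: /etc/rc.d/ocserv` would make the shell step idempotent. The templated `ocserv.conf` and `ocserv.rc` get no `owner`/`mode`, which may be intentional since the rc install sets `-m 755`, but the config file containing the CA/cert paths probably deserves an explicit mode.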
diff --git a/roles/ocserv/tasks/main.yaml b/roles/ocserv/tasks/main.yaml
new file mode 100644
index 00000000..4ed25a48
--- /dev/null
+++ b/roles/ocserv/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: "setup ocserv"
+ include_tasks: check_ocserv_exists.yaml
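Review bot: `include_tasks` is the only unqualified module name in the role; every other task file uses the FQCN, so for consistency make this `ansible.builtin.include_tasks: check_ocserv_exists.yaml`.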
diff --git a/roles/ocserv/tasks/setup_ocserv.yaml b/roles/ocserv/tasks/setup_ocserv.yaml
new file mode 100644
index 00000000..d2a9bb59
--- /dev/null
+++ b/roles/ocserv/tasks/setup_ocserv.yaml
@@ -0,0 +1,8 @@
+---
+- name: "generate server cert and key"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/ocserv/certs/server-key.pem -out /var/reactance/ocserv/certs/server-cert.pem -sha256 -days 3650 -nodes -subj '/CN=JohnDane'"
+
+- name: "template out ocserv config"
+ ansible.builtin.template:
+ src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
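Review bot: `setup_ocserv.yaml` does not appear to be included by `main.yaml` or `check_ocserv_exists.yaml` in this commit, so as far as is visible it is dead, and it duplicates both the "template out config" task from `install_ocserv.yaml` and the self-signed `openssl req` generation from `configure_ocserv.yaml` with a different hard-coded subject (`/CN=JohnDane`). If it is a leftover, drop it; if it is meant as an alternative entry point, add a header comment saying when it is used and which certificate path (CA-signed via certtool versus self-signed) it implements, since `ocserv.conf.j2` configures a `ca-cert` that a self-signed server certificate will not chain to.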
diff --git a/roles/ocserv/templates/ca.tmpl.j2 b/roles/ocserv/templates/ca.tmpl.j2
new file mode 100644
index 00000000..c595f0c3
--- /dev/null
+++ b/roles/ocserv/templates/ca.tmpl.j2
@@ -0,0 +1,8 @@
+cn = "VPN CA"
+organization = "Big Corp"
+serial = 1
+expiration_days = -1
+ca
+signing_key
+cert_signing_key
+crl_signing_key
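Review bot: The CA template hard-codes `organization = "Big Corp"` while `server.tmpl.j2` uses `"MyCompany"`, and `expiration_days = -1` produces a CA that never expires; neither value is templated even though the file is a `.j2`. A comment such as `# -1 = no expiry; private CA for this host's VPN clients only` would document the intent, and feeding `organization` from a role variable would keep the two templates consistent.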
diff --git a/roles/ocserv/templates/crl.tmpl.j2 b/roles/ocserv/templates/crl.tmpl.j2
new file mode 100644
index 00000000..b70745fd
--- /dev/null
+++ b/roles/ocserv/templates/crl.tmpl.j2
@@ -0,0 +1,2 @@
+crl_next_update = 365
+crl_number = 1
diff --git a/roles/ocserv/templates/ocserv.conf.j2 b/roles/ocserv/templates/ocserv.conf.j2
new file mode 100644
index 00000000..4f722487
--- /dev/null
+++ b/roles/ocserv/templates/ocserv.conf.j2
@@ -0,0 +1,48 @@
+chroot-dir = /var/reactance/ocserv
+auth = "certificate"
+tcp-port = {{ ocserv_port | default("4430") }}
+run-as-user = _vpn
+run-as-group = _vpn
+
+socket-file = run/ocserv-socket
+server-cert = /var/reactance/ocserv/certs/server-cert.pem
+server-key = /var/reactance/ocserv/certs/server-key.pem
+ca-cert = /var/reactance/ocserv/certs/ca-cert.pem
+crl = /var/reactance/ocserv/certs/crl.pem
+
+max-clients = 10000
+max-same-clients = 2
+rate-limit-ms = 100
+server-stats-reset-time = 604800
+keepalive = 32400
+dpd = 90
+mobile-dpd = 1800
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+cert-user-oid = 0.9.2342.19200300.100.1.1
+compression = true
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
+auth-timeout = 240
+min-reauth-time = 300
+max-ban-score = 80
+ban-reset-time = 1200
+cookie-timeout = 300
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+use-occtl = true
+pid-file = /var/reactance/ocserv/run/ocserv.pid
+log-level = 3
+device = vpns
+predictable-ips = true
+ipv4-network = {{ ocserv_network | default("172.16.16.0/24") }}
+tunnel-all-dns = true
+{% if not lookup('vars', 'disable_dns', default=false) %}
+dns = {{ (ocserv_network|default("172.16.16.0/24"))|ansible.utils.nthhost(2) }}
+{% else %}
+dns = 9.9.9.9
+{% endif %}
+ping-leases = false
+route = default
+cisco-client-compat = true
+max-ban-score = 20
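Review bot: `max-ban-score` is set twice — `80` near the top and `20` on the last line; which one ocserv honours depends on its parser, and a reader will assume the first, so keep a single line with the intended value. `compression = true` enables data compression on the VPN tunnel, which ocserv's documentation treats as a security/performance trade-off; a comment stating why it is wanted (or `compression = false` if not deliberately chosen) would help. With `auth = "certificate"` only, if the custom `ocserv` module in `create_users_ocserv.yaml` provisions password users, those credentials presumably cannot be used to log in — confirm the intended authentication mode and document it at the top of the template.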
diff --git a/roles/ocserv/templates/ocserv.rc.j2 b/roles/ocserv/templates/ocserv.rc.j2
new file mode 100644
index 00000000..f68a06ff
--- /dev/null
+++ b/roles/ocserv/templates/ocserv.rc.j2
@@ -0,0 +1,14 @@
+#!/bin/ksh
+# $OpenBSD: ocserv
+daemon="/usr/local/sbin/ocserv"
+daemon_flags="-c /var/reactance/ocserv/ocserv.conf"
+
+. /etc/rc.d/rc.subr
+
+pexp="ocserv: ocserv-main"
+
+rc_pre() {
+ /usr/bin/install -d -o _vpn /var/reactance/ocserv/run/
+}
+
+rc_cmd $1
diff --git a/roles/ocserv/templates/server.tmpl.j2 b/roles/ocserv/templates/server.tmpl.j2
new file mode 100644
index 00000000..f5eb7b66
--- /dev/null
+++ b/roles/ocserv/templates/server.tmpl.j2
@@ -0,0 +1,7 @@
+cn = "VPN server"
+ip_address = "{{ ansible_default_ipv4.address|default(ansible_all_ipv4_addresses[0]) }}"
+organization = "MyCompany"
+expiration_days = -1
+signing_key
+encryption_key
+tls_www_server
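Review bot: The server certificate carries only an `ip_address` SAN taken from `ansible_default_ipv4.address` (falling back to the first address), so if clients reach the VPN through a hostname or a public address that differs from the interface address — common behind NAT — they will get a name mismatch; consider adding a `dns_name = "{{ ... }}"` line from a role variable alongside the IP. `expiration_days = -1` also means the server certificate never expires and is never rotated by this role, which deserves a comment since the `crl.tmpl.j2` sets `crl_next_update = 365` and implies periodic re-generation.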