authorNiklas Yann Wettengel <niyawe@niyawe.de>2017-03-18 15:13:27 +0100
committerNiklas Yann Wettengel <niyawe@niyawe.de>2017-03-18 15:13:27 +0100
commit0fbee3f86b0f92f55193556945b82d51cde6d5a7 (patch)
tree2c276aa4f2ecec0bc179340bc501f48173c81453 /roles/install_openvpn
parenteb9f51f61817043d5fb3609fad922c48f84b887d (diff)
updated setup_fastd.yml
added features: - configure_sysctl - install_openvpn
Diffstat (limited to 'roles/install_openvpn')
-rw-r--r--roles/install_openvpn/files/ca.crt109
-rw-r--r--roles/install_openvpn/files/crl.pem31
-rwxr-xr-xroles/install_openvpn/files/mullvad-up.sh8
-rw-r--r--roles/install_openvpn/files/override.conf3
-rw-r--r--roles/install_openvpn/tasks/main.yml53
-rw-r--r--roles/install_openvpn/templates/mullvad.conf.j259
-rw-r--r--roles/install_openvpn/templates/mullvad.crt.j21
-rw-r--r--roles/install_openvpn/templates/mullvad.key.j21
8 files changed, 265 insertions, 0 deletions
diff --git a/roles/install_openvpn/files/ca.crt b/roles/install_openvpn/files/ca.crt
new file mode 100644
index 0000000..b795d91
--- /dev/null
+++ b/roles/install_openvpn/files/ca.crt
@@ -0,0 +1,109 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA/emailAddress=info@mullvad.net
+ Validity
+ Not Before: Mar 24 16:19:48 2009 GMT
+ Not After : Mar 22 16:19:48 2019 GMT
+ Subject: C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net/emailAddress=info@mullvad.net
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c5:00:39:5d:fe:9b:0c:b7:ff:76:a4:93:bf:26:
+ 1b:d6:c8:4a:e5:3c:ce:1c:2c:16:80:a2:61:a6:e9:
+ 63:4b:70:a1:80:6f:0e:0c:bb:a9:b6:d1:bd:f5:a0:
+ 78:82:09:4d:94:22:aa:77:7c:09:36:42:cd:a5:a6:
+ 90:73:27:42:00:31:e4:d4:8b:49:36:65:a3:25:82:
+ b8:26:d7:d1:f5:b5:a9:be:57:93:9d:7c:d6:1c:df:
+ 9a:87:81:53:0b:17:81:d1:0d:ca:dc:4d:19:13:fa:
+ 11:e6:da:68:eb:81:05:39:e3:1e:3a:3f:fc:e2:64:
+ 3c:98:3c:89:a9:42:b3:30:70:57:56:a1:f5:08:b2:
+ 75:12:a0:36:93:9d:69:e9:7e:11:71:d9:1c:e8:7d:
+ ec:03:21:11:7a:0a:7a:03:35:ba:b8:b2:0c:3a:6f:
+ 57:88:62:45:3d:0c:6c:18:ff:21:49:37:ae:40:78:
+ 6d:45:52:29:ac:21:ad:4a:01:61:67:0b:01:c4:ac:
+ b0:88:97:52:ff:cb:3a:21:f0:14:2b:c1:79:8d:79:
+ 35:14:fc:9c:3f:6c:c9:62:fc:8c:c7:a8:51:34:75:
+ 1c:23:d5:db:b9:44:08:1c:0c:17:2c:21:2a:b4:29:
+ db:15:59:e7:a9:1c:d6:19:19:ef:e4:6b:ea:78:6d:
+ 76:8d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 75:8A:14:92:0D:F3:6E:B7:36:4F:8B:4F:15:6C:3F:18:15:90:64:DE
+ X509v3 Authority Key Identifier:
+ keyid:E1:63:B4:3E:55:A3:D2:37:5F:DE:3A:91:48:51:4B:20:1A:F2:9B:C5
+ DirName:/C=NA/ST=None/L=None/O=Mullvad/CN=Mullvad CA/emailAddress=info@mullvad.net
+ serial:84:68:2E:A0:51:2A:BB:D4
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha1WithRSAEncryption
+ a4:b4:62:3d:cb:7e:57:b3:bd:2a:41:e0:3b:94:d0:4c:08:69:
+ 8a:b1:73:15:13:20:c9:d7:b0:b6:5d:65:4a:4d:1d:27:cc:ca:
+ 11:0e:86:fa:65:61:26:39:c2:54:8e:da:eb:78:21:37:0e:c7:
+ a4:d2:17:8a:4b:ad:17:84:25:5e:24:0e:9a:81:ff:d1:1b:0e:
+ 32:9b:f4:81:e0:07:e9:8f:9d:c1:43:7f:40:30:01:07:7c:02:
+ c7:c4:9c:05:48:4c:bf:41:69:57:c1:d3:bb:a3:5a:01:17:96:
+ b0:c9:00:22:57:2f:84:da:45:33:6e:6c:2b:13:c5:af:75:a7:
+ b2:6b:71:6e:13:2c:97:0e:d9:93:da:6d:d9:34:c6:06:7d:0e:
+ e2:b8:d2:78:13:79:0f:ac:ac:a8:68:a9:72:73:7a:d8:ab:7b:
+ 0a:b0:54:b5:f3:ce:29:0d:47:82:0c:b4:d9:20:64:ff:ef:17:
+ 46:92:de:65:e8:67:ce:3a:92:de:e4:3e:99:73:9f:7a:7c:00:
+ 72:07:39:78:77:37:62:89:a2:db:24:fd:60:2a:e0:82:57:f6:
+ 55:94:f6:79:47:19:c9:13:3b:5d:b7:6b:66:14:d4:7d:3c:76:
+ 75:e9:a3:55:ba:b4:92:30:3b:ad:66:72:0c:39:4b:cc:95:a9:
+ bc:06:ef:2b
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
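Review bot: The human-readable dump ahead of the PEM records `Not After : Mar 22 16:19:48 2019 GMT` and a `sha1WithRSAEncryption` signature for the provider CA, and the role copies the file as-is, so nothing will flag the day this CA stops validating the server and the tunnel fails to authenticate. The text block is ignored by OpenVPN, which only parses the PEM, but it does make the committed copy a dated snapshot of a third-party trust anchor that has to be refreshed from the provider rather than maintained locally. A short comment in the task that installs it, or in the role's README, recording the source of the bundle and the expiry to watch would save the next maintainer a diagnosis.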
diff --git a/roles/install_openvpn/files/crl.pem b/roles/install_openvpn/files/crl.pem
new file mode 100644
index 0000000..f2ed04a
--- /dev/null
+++ b/roles/install_openvpn/files/crl.pem
@@ -0,0 +1,31 @@
+-----BEGIN X509 CRL-----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+-----END X509 CRL-----
diff --git a/roles/install_openvpn/files/mullvad-up.sh b/roles/install_openvpn/files/mullvad-up.sh
new file mode 100755
index 0000000..441f857
--- /dev/null
+++ b/roles/install_openvpn/files/mullvad-up.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#/sbin/ip route replace default via $4 table ffmyk
+sleep 3
+echo Reroute via $4
+ip route replace 0.0.0.0/1 via $4 table ffmyk
+ip route replace 128.0.0.0/1 via $4 table ffmyk
+
+exit 0
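Review bot: `$4` is expanded unquoted and unchecked on the echo line and the two `ip route replace` lines, so if OpenVPN ever invokes the script with that argument empty the `via` clause is malformed and the route commands fail, while the unconditional `exit 0` still reports success to OpenVPN and the restart logic never notices. Add a guard before the first route command, `[ -n "$4" ] || { echo "mullvad-up: missing gateway argument" >&2; exit 1; }`, and write the expansions as `"$4"`. The `sleep 3` and the choice of the fourth positional argument are unexplained; a header comment stating which OpenVPN up-script argument `$4` is expected to carry (presumably the tunnel's local ifconfig address, to be confirmed) and why the delay is needed would make the script reviewable.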
diff --git a/roles/install_openvpn/files/override.conf b/roles/install_openvpn/files/override.conf
new file mode 100644
index 0000000..e072e86
--- /dev/null
+++ b/roles/install_openvpn/files/override.conf
@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RestartSec=5
diff --git a/roles/install_openvpn/tasks/main.yml b/roles/install_openvpn/tasks/main.yml
new file mode 100644
index 0000000..9d35547
--- /dev/null
+++ b/roles/install_openvpn/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+- name: install openvpn
+ pacman:
+ name: openvpn
+ state: present
+
+- name: install ca.crt
+ copy:
+ src: ca.crt
+ dest: /etc/openvpn/client/ca.crt
+
+- name: install crl.pem
+ copy:
+ src: crl.pem
+ dest: /etc/openvpn/client/crl.pem
+
+- name: install mullvad-up.sh
+ copy:
+ src: mullvad-up.sh
+ dest: /etc/openvpn/client/mullvad-up.sh
+ mode: 0744
+
+- name: install mullvad.conf
+ template:
+ src: mullvad.conf.j2
+ dest: /etc/openvpn/client/mullvad.conf
+
+- name: install mullvad.key
+ template:
+ src: mullvad.key.j2
+ dest: /etc/openvpn/client/mullvad.key
+
+- name: install mullvad.crt
+ template:
+ src: mullvad.crt.j2
+ dest: /etc/openvpn/client/mullvad.crt
+
+- name: create sysetmd openvpn folder
+ file:
+ path: /etc/systemd/system/openvpn-client@mullvad.service.d
+ state: directory
+
+- name: always restart openvpn
+ copy:
+ src: override.conf
+ dest: /etc/systemd/system/openvpn-client@mullvad.service.d/override.conf
+
+- name: start and enable openvpn-client@mullvad.service
+ systemd:
+ name: openvpn-client@mullvad.service
+ daemon_reload: yes
+ enabled: yes
+ state: started
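Review bot: The `install mullvad.key` task renders the private key without a `mode`, so the file takes the target's default for new files (typically 0644) and the key ends up readable by every local user under /etc/openvpn/client; add `mode: 0600` together with `owner: root` and `group: root` to that task, and apply the same explicit mode to the mullvad.crt and ca.crt tasks for consistency. Separately, none of the copy/template tasks notifies a handler, so a changed mullvad.conf, key or up-script is written to disk but the already-running `openvpn-client@mullvad.service` keeps the old configuration until something else restarts it; a `notify: restart openvpn-client@mullvad` on those tasks with a matching handler closes that gap. The directory task's name reads `sysetmd`, presumably `systemd`.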
diff --git a/roles/install_openvpn/templates/mullvad.conf.j2 b/roles/install_openvpn/templates/mullvad.conf.j2
new file mode 100644
index 0000000..718ad4c
--- /dev/null
+++ b/roles/install_openvpn/templates/mullvad.conf.j2
@@ -0,0 +1,59 @@
+client
+
+dev mullvad
+dev-type tun
+
+proto udp
+
+remote {{ mullvad_country }}.mullvad.net 1300
+cipher AES-256-CBC
+
+# Tunnel IPv6 traffic as well as IPv4
+tun-ipv6
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server. Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Enable compression on the VPN link.
+comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+remote-cert-tls server
+
+ping-restart 60
+
+# Allow calling of built-in executables and user-defined scripts.
+script-security 2
+
+# Parses DHCP options from openvpn to update resolv.conf
+#up /etc/openvpn/update-resolv-conf
+#down /etc/openvpn/update-resolv-conf
+
+ping 10
+
+ca /etc/openvpn/client/ca.crt
+cert /etc/openvpn/client/mullvad.crt
+key /etc/openvpn/client/mullvad.key
+
+crl-verify /etc/openvpn/client/crl.pem
+
+# Limit range of possible TLS cipher-suites
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-SEED-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
+
+# Update routing information.
+# Do not use standard configuration pushed via DHCP!
+route-noexec
+up /etc/openvpn/client/mullvad-up.sh
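Review bot: `comp-lzo` enables compression of the tunnelled traffic; it is deprecated in current OpenVPN, and compressing a stream that mixes secrets with data an outside party can influence is the well-known plaintext-leak pattern, so unless the server side requires it the line should go (or become `comp-lzo no` if the server still pushes the option). The `tls-cipher` list also retains `TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA` and the SEED suite, and nothing sets a minimum TLS version or an `auth` digest, so the HMAC falls back to OpenVPN's SHA1 default; adding `tls-version-min 1.2` and trimming the list to the AES and Camellia DHE suites would tighten this, subject to what the provider endpoint actually offers, which this page does not show. The comment above `route-noexec` would also benefit from one sentence noting that `mullvad-up.sh` installs the two half-default routes into the `ffmyk` table rather than the main table, since that is the only place the routing intent is visible.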
diff --git a/roles/install_openvpn/templates/mullvad.crt.j2 b/roles/install_openvpn/templates/mullvad.crt.j2
new file mode 100644
index 0000000..b6e95f8
--- /dev/null
+++ b/roles/install_openvpn/templates/mullvad.crt.j2
@@ -0,0 +1 @@
+{{ mullvad_crt }}
diff --git a/roles/install_openvpn/templates/mullvad.key.j2 b/roles/install_openvpn/templates/mullvad.key.j2
new file mode 100644
index 0000000..b90d5f5
--- /dev/null
+++ b/roles/install_openvpn/templates/mullvad.key.j2
@@ -0,0 +1 @@
+{{ mullvad_key }}
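Review bot: This template writes the private key verbatim from the `mullvad_key` variable, and the page does not show where that variable is defined; if it lives in plain group_vars or host_vars the key is committed in clear and belongs in an ansible-vault-encrypted file instead. There is nowhere to put a comment inside the rendered key file itself, so record in the role's README or its defaults that `mullvad_key` must be vault-encrypted and that the task installing the rendered file must set a restrictive mode, which the tasks in this commit do not yet do.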