From 0fbee3f86b0f92f55193556945b82d51cde6d5a7 Mon Sep 17 00:00:00 2001 From: Niklas Yann Wettengel Date: Sat, 18 Mar 2017 15:13:27 +0100 Subject: updated setup_fastd.yml added features: - configure_sysctl - install_openvpn --- roles/install_openvpn/files/ca.crt | 109 ++++++++++++++++++++++++ roles/install_openvpn/files/crl.pem | 31 +++++++ roles/install_openvpn/files/mullvad-up.sh | 8 ++ roles/install_openvpn/files/override.conf | 3 + roles/install_openvpn/tasks/main.yml | 53 ++++++++++++ roles/install_openvpn/templates/mullvad.conf.j2 | 59 +++++++++++++ roles/install_openvpn/templates/mullvad.crt.j2 | 1 + roles/install_openvpn/templates/mullvad.key.j2 | 1 + 8 files changed, 265 insertions(+) create mode 100644 roles/install_openvpn/files/ca.crt create mode 100644 roles/install_openvpn/files/crl.pem create mode 100755 roles/install_openvpn/files/mullvad-up.sh create mode 100644 roles/install_openvpn/files/override.conf create mode 100644 roles/install_openvpn/tasks/main.yml create mode 100644 roles/install_openvpn/templates/mullvad.conf.j2 create mode 100644 roles/install_openvpn/templates/mullvad.crt.j2 create mode 100644 roles/install_openvpn/templates/mullvad.key.j2 (limited to 'roles/install_openvpn') diff --git a/roles/install_openvpn/files/ca.crt b/roles/install_openvpn/files/ca.crt new file mode 100644 index 0000000..b795d91 --- /dev/null +++ b/roles/install_openvpn/files/ca.crt 
@@ -0,0 +1,109 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA/emailAddress=info@mullvad.net + Validity + Not Before: Mar 24 16:19:48 2009 GMT + Not After : Mar 22 16:19:48 2019 GMT + Subject: C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net/emailAddress=info@mullvad.net + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c5:00:39:5d:fe:9b:0c:b7:ff:76:a4:93:bf:26: + 1b:d6:c8:4a:e5:3c:ce:1c:2c:16:80:a2:61:a6:e9: + 63:4b:70:a1:80:6f:0e:0c:bb:a9:b6:d1:bd:f5:a0: + 78:82:09:4d:94:22:aa:77:7c:09:36:42:cd:a5:a6: + 90:73:27:42:00:31:e4:d4:8b:49:36:65:a3:25:82: + b8:26:d7:d1:f5:b5:a9:be:57:93:9d:7c:d6:1c:df: + 9a:87:81:53:0b:17:81:d1:0d:ca:dc:4d:19:13:fa: + 11:e6:da:68:eb:81:05:39:e3:1e:3a:3f:fc:e2:64: + 3c:98:3c:89:a9:42:b3:30:70:57:56:a1:f5:08:b2: + 75:12:a0:36:93:9d:69:e9:7e:11:71:d9:1c:e8:7d: + ec:03:21:11:7a:0a:7a:03:35:ba:b8:b2:0c:3a:6f: + 57:88:62:45:3d:0c:6c:18:ff:21:49:37:ae:40:78: + 6d:45:52:29:ac:21:ad:4a:01:61:67:0b:01:c4:ac: + b0:88:97:52:ff:cb:3a:21:f0:14:2b:c1:79:8d:79: + 35:14:fc:9c:3f:6c:c9:62:fc:8c:c7:a8:51:34:75: + 1c:23:d5:db:b9:44:08:1c:0c:17:2c:21:2a:b4:29: + db:15:59:e7:a9:1c:d6:19:19:ef:e4:6b:ea:78:6d: + 76:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 75:8A:14:92:0D:F3:6E:B7:36:4F:8B:4F:15:6C:3F:18:15:90:64:DE + X509v3 Authority Key Identifier: + keyid:E1:63:B4:3E:55:A3:D2:37:5F:DE:3A:91:48:51:4B:20:1A:F2:9B:C5 + DirName:/C=NA/ST=None/L=None/O=Mullvad/CN=Mullvad CA/emailAddress=info@mullvad.net + serial:84:68:2E:A0:51:2A:BB:D4 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + a4:b4:62:3d:cb:7e:57:b3:bd:2a:41:e0:3b:94:d0:4c:08:69: + 8a:b1:73:15:13:20:c9:d7:b0:b6:5d:65:4a:4d:1d:27:cc:ca: + 11:0e:86:fa:65:61:26:39:c2:54:8e:da:eb:78:21:37:0e:c7: + 
a4:d2:17:8a:4b:ad:17:84:25:5e:24:0e:9a:81:ff:d1:1b:0e: + 32:9b:f4:81:e0:07:e9:8f:9d:c1:43:7f:40:30:01:07:7c:02: + c7:c4:9c:05:48:4c:bf:41:69:57:c1:d3:bb:a3:5a:01:17:96: + b0:c9:00:22:57:2f:84:da:45:33:6e:6c:2b:13:c5:af:75:a7: + b2:6b:71:6e:13:2c:97:0e:d9:93:da:6d:d9:34:c6:06:7d:0e: + e2:b8:d2:78:13:79:0f:ac:ac:a8:68:a9:72:73:7a:d8:ab:7b: + 0a:b0:54:b5:f3:ce:29:0d:47:82:0c:b4:d9:20:64:ff:ef:17: + 46:92:de:65:e8:67:ce:3a:92:de:e4:3e:99:73:9f:7a:7c:00: + 72:07:39:78:77:37:62:89:a2:db:24:fd:60:2a:e0:82:57:f6: + 55:94:f6:79:47:19:c9:13:3b:5d:b7:6b:66:14:d4:7d:3c:76: + 75:e9:a3:55:ba:b4:92:30:3b:ad:66:72:0c:39:4b:cc:95:a9: + bc:06:ef:2b +-----BEGIN CERTIFICATE----- +MIIEQjCCAyqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJOQTEN +MAsGA1UECBMETm9uZTENMAsGA1UEBxMETm9uZTEQMA4GA1UEChMHTXVsbHZhZDET +MBEGA1UEAxMKTXVsbHZhZCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0BtdWxsdmFk +Lm5ldDAeFw0wOTAzMjQxNjE5NDhaFw0xOTAzMjIxNjE5NDhaMHsxCzAJBgNVBAYT +Ak5BMQ0wCwYDVQQIEwROb25lMQ0wCwYDVQQHEwROb25lMRAwDgYDVQQKEwdNdWxs +dmFkMRswGQYDVQQDExJtYXN0ZXIubXVsbHZhZC5uZXQxHzAdBgkqhkiG9w0BCQEW +EGluZm9AbXVsbHZhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDFADld/psMt/92pJO/JhvWyErlPM4cLBaAomGm6WNLcKGAbw4Mu6m20b31oHiC +CU2UIqp3fAk2Qs2lppBzJ0IAMeTUi0k2ZaMlgrgm19H1tam+V5OdfNYc35qHgVML +F4HRDcrcTRkT+hHm2mjrgQU54x46P/ziZDyYPImpQrMwcFdWofUIsnUSoDaTnWnp +fhFx2RzofewDIRF6CnoDNbq4sgw6b1eIYkU9DGwY/yFJN65AeG1FUimsIa1KAWFn +CwHErLCIl1L/yzoh8BQrwXmNeTUU/Jw/bMli/IzHqFE0dRwj1du5RAgcDBcsISq0 +KdsVWeepHNYZGe/ka+p4bXaNAgMBAAGjgdgwgdUwHQYDVR0OBBYEFHWKFJIN8263 +Nk+LTxVsPxgVkGTeMIGlBgNVHSMEgZ0wgZqAFOFjtD5Vo9I3X946kUhRSyAa8pvF +oXekdTBzMQswCQYDVQQGEwJOQTENMAsGA1UECBMETm9uZTENMAsGA1UEBxMETm9u +ZTEQMA4GA1UEChMHTXVsbHZhZDETMBEGA1UEAxMKTXVsbHZhZCBDQTEfMB0GCSqG +SIb3DQEJARYQaW5mb0BtdWxsdmFkLm5ldIIJAIRoLqBRKrvUMAwGA1UdEwQFMAMB +Af8wDQYJKoZIhvcNAQEFBQADggEBAKS0Yj3LflezvSpB4DuU0EwIaYqxcxUTIMnX +sLZdZUpNHSfMyhEOhvplYSY5wlSO2ut4ITcOx6TSF4pLrReEJV4kDpqB/9EbDjKb +9IHgB+mPncFDf0AwAQd8AsfEnAVITL9BaVfB07ujWgEXlrDJACJXL4TaRTNubCsT 
+xa91p7JrcW4TLJcO2ZPabdk0xgZ9DuK40ngTeQ+srKhoqXJzetirewqwVLXzzikN +R4IMtNkgZP/vF0aS3mXoZ846kt7kPplzn3p8AHIHOXh3N2KJotsk/WAq4IJX9lWU +9nlHGckTO123a2YU1H08dnXpo1W6tJIwO61mcgw5S8yVqbwG7ys= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEQjCCAyqgAwIBAgIJAIRoLqBRKrvUMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV +BAYTAk5BMQ0wCwYDVQQIEwROb25lMQ0wCwYDVQQHEwROb25lMRAwDgYDVQQKEwdN +dWxsdmFkMRMwEQYDVQQDEwpNdWxsdmFkIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QG11bGx2YWQubmV0MB4XDTA5MDMyNDA2NDcyNVoXDTE5MDMyMjA2NDcyNVowczEL +MAkGA1UEBhMCTkExDTALBgNVBAgTBE5vbmUxDTALBgNVBAcTBE5vbmUxEDAOBgNV +BAoTB011bGx2YWQxEzARBgNVBAMTCk11bGx2YWQgQ0ExHzAdBgkqhkiG9w0BCQEW +EGluZm9AbXVsbHZhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDNNzZOrq+gMaA6wfyWdNFmxlM2OB1czwFgtPiDd9f6F8m6CGYBQog3Q2Wx3yAv +hxt/uchFBCKtYz6Yh59BCxXKfNAQT2uaMC6KAvKFgz0wppi4S8YbWg2KDelNO/Zv +Rb1QT4CBWMbtYzCQZvlJpHr2ZwuXG2OiT477oMyX5Hmf+iT0drmqi+wylRr7CRBs +LBu+fxLZ2LFD5g6MATuL3ql5JLIoVjlSqIgbld74pD4WUnM61HRwFsKoCEjq409Y +QNP1xO7BeaJu3uQvg/HJhXnGZxTatXhqvdCuAPQRppQ4UnkUzxdSTrfgM3hqMony +vX1vy0dX1S8iTQCIeyzAYNObAgMBAAGjgdgwgdUwHQYDVR0OBBYEFOFjtD5Vo9I3 +X946kUhRSyAa8pvFMIGlBgNVHSMEgZ0wgZqAFOFjtD5Vo9I3X946kUhRSyAa8pvF +oXekdTBzMQswCQYDVQQGEwJOQTENMAsGA1UECBMETm9uZTENMAsGA1UEBxMETm9u +ZTEQMA4GA1UEChMHTXVsbHZhZDETMBEGA1UEAxMKTXVsbHZhZCBDQTEfMB0GCSqG +SIb3DQEJARYQaW5mb0BtdWxsdmFkLm5ldIIJAIRoLqBRKrvUMAwGA1UdEwQFMAMB +Af8wDQYJKoZIhvcNAQEFBQADggEBAMjMAFPDeFOrQsvMXD/x+CuARwegS2PDZuB5 +f1Svw3YDF6cB1jlc0F12nh9SZxaYRwKIlpYoolLCOLoUCLwQJ0gsokxLV7G4gVb8 +dzETnNq4HG/QOPwPisjoOCaEmcd0tx1EkyNY0KLqFZTS0VdmDHCn89dDFA/6yuYI +5u04uJs7c/K4qaW7X6ajOOdneqjbtPeVOvx9DWXHxA0xz4Y+/w4laX/OTRD7jySq +K9fLfRliE5zsxzpUr5EWxAnqiABoWL71SiItk5fG8k3MJJ9SVr+YnTHmE7S4KNqu +4wTksvkb0Tmjae1lRSlMd6u2AulAxVcVKAod2QVffhj+hdkYM94= +-----END CERTIFICATE----- diff --git a/roles/install_openvpn/files/crl.pem b/roles/install_openvpn/files/crl.pem new file mode 100644 index 0000000..f2ed04a --- /dev/null +++ b/roles/install_openvpn/files/crl.pem 
@@ -0,0 +1,31 @@ +-----BEGIN X509 CRL----- +MIIFVTCCBD0wDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCTkExDTALBgNVBAgT +BE5vbmUxDTALBgNVBAcTBE5vbmUxEDAOBgNVBAoTB011bGx2YWQxGzAZBgNVBAMT +Em1hc3Rlci5tdWxsdmFkLm5ldDEfMB0GCSqGSIb3DQEJARYQaW5mb0BtdWxsdmFk +Lm5ldBcNMTQwNDA4MjE1MjI2WhcNMjQwNDA1MjE1MjI2WjCCA48wEgIBARcNMTQw +NDA4MjEzNTAyWjASAgEDFw0xNDA0MDgyMTM1MDlaMBICASkXDTE0MDQwODIxMzUx +MFowEwICDasXDTE0MDQwODIxMzUxNFowEwICDawXDTE0MDQwODIxMzUxNVowEwIC +Da0XDTE0MDQwODIxMzUxOVowEwICDx4XDTE0MDQwODIxMzUyMFowEwICGxsXDTE0 +MDQwODIxMzUyNFowEwICPf4XDTE0MDQwODIxMzUyNVowEwICSrUXDTE0MDQwODIx +MzUzMFowFAIDAbbXFw0xNDA0MDgyMTM1MzJaMBQCAwaeUBcNMTQwNDA4MjEzNTM1 +WjAUAgMGnlUXDTE0MDQwODIxMzUzOVowFAIDCheTFw0xNDA0MDgxNjA4NDFaMBQC +AwpvDBcNMTQwNDA4MTYwOTQzWjAUAgML2jcXDTE0MDQwODIxMzU0MlowFAIDDCfI +Fw0xNDA0MDgxNzU1MzRaMBQCAwwrKhcNMTQwNDA4MTc1NzI2WjAUAgMMNWEXDTE0 +MDQwODIxMzU1MVowFAIDDDViFw0xNDA0MDgxNzU4MzZaMBQCAwyXhRcNMTQwNDA4 +MTgwMDMzWjAUAgMM99UXDTE0MDQwODIxMzU1N1owFAIDDPfWFw0xNDA0MDgxNzU3 +NDRaMBQCAwz31xcNMTQwNDA4MjEzNTU4WjAUAgMM9+MXDTE0MDQwODE3NTgyMVow +FAIDDPfkFw0xNDA0MDgxNzU4NThaMBQCAwz35RcNMTQwNDA4MTgwMjE5WjAUAgMN +FHEXDTE0MDQwODIxMzU0MVowFAIDDRSLFw0xNDA0MDgxNzU5MDhaMBQCAw1FfBcN +MTQwNDA4MjEzNjA1WjAUAgMNUWcXDTE0MDQwODIxMzYwNlowFAIDDVFoFw0xNDA0 +MDgyMTM2MDhaMBQCAw1RbBcNMTQwNDA4MjEzNjEyWjAUAgMN2AoXDTE0MDQwODIx +MzU1MFowFAIDDdgLFw0xNDA0MDgxODAxMDdaMBQCAw6G3xcNMTQwNDA4MjEzNjE2 +WjAUAgMOkpwXDTE0MDQwODE1MTY1OFowFAIDDpKdFw0xNDA0MDgxNjA5NTFaMBQC +Aw7DWhcNMTQwNDA4MTgwMDQ2WjAUAgMPFEEXDTE0MDQwODIxMzYxN1owFAIDDyaP +Fw0xNDA0MDgyMDQwNTZaMBQCAw9D1xcNMTQwNDA4MTgwMjMyWjANBgkqhkiG9w0B +AQUFAAOCAQEAvb0Y/nuHADGFRV1XG1BZNSENb7xsTrCd8n011j1i/Rpca97ivhdm +4gVZ4Fjm4aU7Hjy9dQDuwtQNcFxb0sZDY8xR2iNrBy4rMCHS0vied0QQI3e7xkYf +eIPHTcDI1IXMo7D1wbmyr5MbTnAyx2u5XrAfR1C+57NpQGrdOK2xTwRcO0ZTYan6 +iMnHMFgASHX900q9oWQL3TC9ZuhS/UQT4fcfwalK+c/0a+72i2ZECN+qQnyBbgJQ +MSN19u3Kso6hFw+AaCAFvKgcM39oNdQxKAPXl3V/P+qlflAF3W39Gyavq4z1ABln +RvHGDUXlOF/EwrWR1av036ITZQZrHiCEEw== +-----END X509 CRL----- 
diff --git a/roles/install_openvpn/files/mullvad-up.sh b/roles/install_openvpn/files/mullvad-up.sh
new file mode 100755
index 0000000..441f857
--- /dev/null
+++ b/roles/install_openvpn/files/mullvad-up.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#/sbin/ip route replace default via $4 table ffmyk
+sleep 3
+echo Reroute via $4
+ip route replace 0.0.0.0/1 via $4 table ffmyk
+ip route replace 128.0.0.0/1 via $4 table ffmyk
+
+exit 0
diff --git a/roles/install_openvpn/files/override.conf b/roles/install_openvpn/files/override.conf
new file mode 100644
index 0000000..e072e86
--- /dev/null
+++ b/roles/install_openvpn/files/override.conf
@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RestartSec=5
diff --git a/roles/install_openvpn/tasks/main.yml b/roles/install_openvpn/tasks/main.yml
new file mode 100644
index 0000000..9d35547
--- /dev/null
+++ b/roles/install_openvpn/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+- name: install openvpn
+  pacman:
+    name: openvpn
+    state: present
+
+- name: install ca.crt
+  copy:
+    src: ca.crt
+    dest: /etc/openvpn/client/ca.crt
+
+- name: install crl.pem
+  copy:
+    src: crl.pem
+    dest: /etc/openvpn/client/crl.pem
+
+- name: install mullvad-up.sh
+  copy:
+    src: mullvad-up.sh
+    dest: /etc/openvpn/client/mullvad-up.sh
+    mode: 0744
+
+- name: install mullvad.conf
+  template:
+    src: mullvad.conf.j2
+    dest: /etc/openvpn/client/mullvad.conf
+
+- name: install mullvad.key
+  template:
+    src: mullvad.key.j2
+    dest: /etc/openvpn/client/mullvad.key
+
+- name: install mullvad.crt
+  template:
+    src: mullvad.crt.j2
+    dest: /etc/openvpn/client/mullvad.crt
+
+- name: create sysetmd openvpn folder
+  file:
+    path: /etc/systemd/system/openvpn-client@mullvad.service.d
+    state: directory
+
+- name: always restart openvpn
+  copy:
+    src: override.conf
+    dest: /etc/systemd/system/openvpn-client@mullvad.service.d/override.conf
+
+- name: start and enable openvpn-client@mullvad.service
+  systemd:
+    name: openvpn-client@mullvad.service
+    daemon_reload: yes
+    enabled: yes
+    state: started
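Review bot: The two `ip route replace` lines can fail silently — there is no `set -e`, and the unconditional `exit 0` at the end reports success to OpenVPN even when table `ffmyk` is missing or the replace fails, so the tunnel comes up with nothing actually routed through it and nobody is told. `$4` (the gateway OpenVPN hands to `up` scripts) is also unquoted. I would put `set -eu` at the top, change the route lines to `ip route replace 0.0.0.0/1 via "$4" table ffmyk` and `ip route replace 128.0.0.0/1 via "$4" table ffmyk`, and drop the `exit 0` so a failed route insert makes OpenVPN abort the connection instead of pretending it is up. The `sleep 3` and the commented-out `/sbin/ip route replace default ...` line deserve a comment saying what the wait is for and why the default-route variant was abandoned, since nothing in the script depends on either.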
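Review bot: The `install mullvad.key` task writes the client private key with the `template` module's default mode, which on a root-run play is normally 0644, so the key lands world-readable in /etc/openvpn/client; set `mode: 0600` (plus `owner: root` and `group: root`) on that task, and add `no_log: true` so a `--diff` or verbose run does not print the key material. None of the copy/template tasks notify a handler, so on a later run a changed mullvad.conf, certificate or CA is written to disk but the already-running `openvpn-client@mullvad.service` keeps using the old one until something restarts it; add `notify: restart openvpn-client@mullvad` to those tasks with a matching handler. Minor: the task name `create sysetmd openvpn folder` has a typo.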
diff --git a/roles/install_openvpn/templates/mullvad.conf.j2 b/roles/install_openvpn/templates/mullvad.conf.j2
new file mode 100644
index 0000000..718ad4c
--- /dev/null
+++ b/roles/install_openvpn/templates/mullvad.conf.j2
@@ -0,0 +1,59 @@
+client
+
+dev mullvad
+dev-type tun
+
+proto udp
+
+remote {{ mullvad_country }}.mullvad.net 1300
+cipher AES-256-CBC
+
+# Tunnel IPv6 traffic as well as IPv4
+tun-ipv6
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server. Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# Enable compression on the VPN link.
+comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+remote-cert-tls server
+
+ping-restart 60
+
+# Allow calling of built-in executables and user-defined scripts.
+script-security 2
+
+# Parses DHCP options from openvpn to update resolv.conf
+#up /etc/openvpn/update-resolv-conf
+#down /etc/openvpn/update-resolv-conf
+
+ping 10
+
+ca /etc/openvpn/client/ca.crt
+cert /etc/openvpn/client/mullvad.crt
+key /etc/openvpn/client/mullvad.key
+
+crl-verify /etc/openvpn/client/crl.pem
+
+# Limit range of possible TLS cipher-suites
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-SEED-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
+
+# Update routing information.
+# Do not use standard configuration pushed via DHCP!
+route-noexec
+up /etc/openvpn/client/mullvad-up.sh
diff --git a/roles/install_openvpn/templates/mullvad.crt.j2 b/roles/install_openvpn/templates/mullvad.crt.j2
new file mode 100644
index 0000000..b6e95f8
--- /dev/null
+++ b/roles/install_openvpn/templates/mullvad.crt.j2
@@ -0,0 +1 @@
+{{ mullvad_crt }}
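Review bot: The `ca` line points at the bundled ca.crt whose openssl dump earlier in this commit shows `Not After : Mar 22 16:19:48 2019 GMT` and `sha1WithRSAEncryption`; once it expires every handshake fails verification and the `Restart=always` override just loops, so add a comment next to `ca /etc/openvpn/client/ca.crt` recording that expiry and where a replacement bundle comes from. Likewise `crl-verify` against a CRL committed to the repo only reflects revocations as of the commit — say so in a comment rather than letting readers take it for live revocation checking. The `tls-cipher` list still admits `TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA` and `TLS-DHE-RSA-WITH-SEED-CBC-SHA`; unless the Mullvad side requires them, trimming the list to the AES/Camellia suites is cheap hardening. `comp-lzo` compresses plaintext before encryption, a well-known side-channel class for tunnelled traffic, so the existing comment should state that it is kept only because the server expects it (if that is the case).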
diff --git a/roles/install_openvpn/templates/mullvad.key.j2 b/roles/install_openvpn/templates/mullvad.key.j2
new file mode 100644
index 0000000..b90d5f5
--- /dev/null
+++ b/roles/install_openvpn/templates/mullvad.key.j2
@@ -0,0 +1 @@
+{{ mullvad_key }}
-- cgit v1.2.3-54-g00ecf
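Review bot: `{{ mullvad_key }}` renders the client private key from an Ansible variable whose definition is not in this diff; if it lives in plain group_vars/host_vars it is committed in clear and should be moved into an ansible-vault file. A comment cannot go into a PEM template, so document the variable's expected source (vault) in the role's defaults or README instead.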