
openvpn: Add configuration for OPS VPNs

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 2 years ago
parent
commit
df8977fb36
4 changed files with 100 additions and 5 deletions
  1. 36 0
      openvpn/init.sls
  2. 0 5
      openvpn/ldap-auth/ldap.conf.tmpl
  3. 13 0
      openvpn/ldap-auth/pam_ldap.conf.tmpl
  4. 51 0
      openvpn/ops.conf.tmpl

+ 36 - 0
openvpn/init.sls

@@ -148,6 +148,9 @@ Cleanup /etc/openvpn/{{ netname }}:
 # OPS VPN?
 #
 {% if 'ops-vpn' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', [])  %}
+libpam-ldap:
+  pkg.installed
+
 /etc/pam.d/openvpn:
   file.managed:
     - source: salt://openvpn/ldap-auth/openvpn.pam.d
@@ -159,8 +162,38 @@ Cleanup /etc/openvpn/{{ netname }}:
     - context:
       server_uri: {{ salt['pillar.get']('ldap:global:server_uri') }}
       base_dn: {{ salt['pillar.get']('ldap:global:base_dn') }}
+
+/etc/pam_ldap.conf:
+  file.managed:
+    - source: salt://openvpn/ldap-auth/pam_ldap.conf.tmpl
+    - template: jinja
+    - context:
+      server_uri: {{ salt['pillar.get']('ldap:global:server_uri') }}
+      base_dn: {{ salt['pillar.get']('ldap:global:base_dn') }}
       bind_dn: {{ salt['pillar.get']('ldap:openvpn:bind_dn') }}
       bind_pw: {{ salt['pillar.get']('ldap:openvpn:bind_pw') }}
+
+/etc/openvpn/ops.conf:
+  file.managed:
+    - source: salt://openvpn/ops.conf.tmpl
+    - template: jinja
+    - context:
+      config: {{ salt['pillar.get']('ops:openvpn') }}
+    - require:
+      - pkg: libpam-ldap
+      - file: /etc/pam.d/openvpn
+      - file: /etc/pam_ldap.conf
+      - file: /etc/ldap/ldap.conf
+    - watch_in:
+      - service: openvpn@ops
+
+openvpn@ops:
+  service.running:
+    - enable: True
+    - reload: True
+    - require:
+      - file: /etc/systemd/system/openvpn@.service
+      - file: /etc/openvpn/ops.conf
 {% else %}
 
 /etc/pam.d/openvpn:
@@ -168,4 +201,7 @@ Cleanup /etc/openvpn/{{ netname }}:
 
 /etc/ldap/ldap.conf:
   file.absent
+
+/etc/pam_ldap.conf:
+  file.absent
 {% endif %}
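Review bot: The new `/etc/pam_ldap.conf` state in the second hunk renders `bind_pw` from pillar (`ldap:openvpn:bind_pw`) into the file but sets no `user`/`group`/`mode`, so the file most likely lands with default permissions and the LDAP bind password is readable by every local account on the host. Add `- user: root`, `- group: root` and `- mode: '0600'` under `- template: jinja`; the PAM module is driven by OpenVPN's auth-pam helper, which should still be able to open a root-owned 0600 file if it runs as root, but that depends on `/etc/systemd/system/openvpn@.service`, which is outside this diff and worth confirming. For consistency with the `/etc/openvpn/ops.conf` state, a `- require:` on `- pkg: libpam-ldap` would also order the file after the package that ships its own copy of it.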

+ 0 - 5
openvpn/ldap-auth/ldap.conf.tmpl

@@ -8,11 +8,6 @@
 URI	{{ server_uri }}
 BASE	{{ base_dn }}
 
-{% if bind_dn and bind_pw %}
-BINDDN {{ bind_dn }}
-BINDPW {{ bind_pw }}
-{% endif %}
-
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never

+ 13 - 0
openvpn/ldap-auth/pam_ldap.conf.tmpl

@@ -0,0 +1,13 @@
+#
+# PAM LDAP configuration (Salt managed)
+#
+
+uri {{ server_uri }}
+base {{ base_dn }}
+
+ldap_version 3
+
+{% if bind_dn and bind_pw %}
+binddn {{ bind_dn }}
+bindpw {{ bind_pw }}
+{% endif %}
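Review bot: Nothing in the new template enables transport security for the LDAP connection, so if `server_uri` is a plain `ldap://` URI the bind password and every VPN user's password submitted through PAM cross the network in cleartext; the URI scheme comes from pillar and is not visible here, so this is inferred. If the server supports it, add `ssl start_tls` together with `tls_checkpeer yes` and `tls_cacertfile <LDAP_CA_BUNDLE_PATH>` (placeholder path) after `ldap_version 3`; with an `ldaps://` URI only the two `tls_*` lines are needed. A short header comment stating which scheme the pillar is expected to provide would make the assumption explicit for the next editor.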

+ 51 - 0
openvpn/ops.conf.tmpl

@@ -0,0 +1,51 @@
+#
+# FFHO OPS VPN
+#
+
+proto {{ config['proto'] }}
+port {{ config['port'] }}
+{%- if "bind-dev" in config %}
+bind-dev        {{ config['bind-dev'] }}
+{% endif %}
+
+tls-server
+
+dev-type tun
+dev tun-ops
+tun-mtu 1400
+
+ca	/etc/ssl/certs/ffho-cacert.pem
+cert	/etc/ssl/certs/{{ config['fqdn'] }}.cert.pem
+key	/etc/ssl/private/{{ config['fqdn'] }}.key.pem
+dh	/etc/ssl/dhparam.pem
+
+# Auth via LDAP
+plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
+verify-client-cert none
+username-as-common-name
+
+# Server mode and client subnets
+server {{ config['servers'][grains.id]['prefix_v4'] }}
+server-ipv6 {{ config['servers'][grains.id]['prefix_v6'] }}
+topology subnet
+
+# Push route for aggregates
+{%- for prefix in config['routes'] %}
+  {%- set kw = 'route-ipv6' if ':' in prefix else 'route' %}
+push "{{ kw }} {{ prefix }}"
+{%- endfor %}
+
+# push "dhcp-option DNS 10.132.251.53"
+
+persist-key
+persist-tun
+
+keepalive 10 120
+
+data-ciphers {{ config.get ('data-ciphers', 'AES-256-GCM:AES-128-GCM') }}
+data-ciphers-fallback {{ config.get ('data-ciphers-fallback', 'AES-256-CBC') }}
+
+# Log a short status
+status /var/log/openvpn/openvpn-status-ops.log
+
+verb 1
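Review bot: With `verify-client-cert none` and no `tls-auth`/`tls-crypt` line, any host that can reach the listening port completes the TLS handshake and gets to submit username/password attempts against LDAP through PAM, so the LDAP password is the sole credential and the PAM/LDAP path is exposed to unauthenticated load; the `# Auth via LDAP` comment should say so, e.g. `# Auth via LDAP only: no client certificate is required, the LDAP password is the sole factor`. If the client configs can be updated, a `tls-crypt <TLS_CRYPT_KEY_PATH>` line (placeholder path) rejects peers without the shared key before the handshake, and `tls-version-min 1.2` keeps older protocol versions out. `persist-key`/`persist-tun` are set but there is no `user nobody`/`group nogroup`, so the daemon presumably keeps root after startup unless the systemd unit, which is not in this diff, drops privileges — worth adding the two lines or confirming.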