Home

Awesome

openvpn Cookbook

Cookbook Version Build Status OpenCollective OpenCollective License

Installs OpenVPN and sets up a fairly basic configuration. Since OpenVPN is very complex, we provide a baseline only (see Customizing Server Configuration below).

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

Note: we currently only test the latest minor release for the last 2 major releases of each OS/distribution using Test Kitchen.

Cookbooks

Not Supported

This cookbook is designed to set up a basic installation of OpenVPN that will work for many common use cases. The following configurations are not supported by default with this cookbook:

For further modification of the cookbook see Usage below.

For more information about OpenVPN, see the official site.

Attributes

These attributes are set by the cookbook by default.

The following attributes are used to populate the easy-rsa vars file. Defaults are the same as the vars file that ships with OpenVPN.

The following are for the default values for fields place in the certificate from the vars file. Do not leave these blank.

The following lets you specify the message digest used for generating certificates by OpenVPN

The CRL will be generated, and refreshed automatically, allowing you to revoke certificates

Recipes

openvpn::default

Installs the OpenVPN package only.

openvpn::install

Installs the OpenVPN package only.

openvpn::server

Installs and configures OpenVPN as a server.

openvpn::client

Installs and configures OpenVPN as a client.

openvpn::service

Manages the OpenVPN system service (there is no need to use this recipe directly in your run_list).

openvpn::users

Utilizes a data bag called users to generate OpenVPN keys for each user.

openvpn::easy_rsa

Installs the easy-rsa package (a CLI utility to build and manage a PKI CA).

Usage

Create a role for the OpenVPN server. See above for attributes that can be entered here.

name "openvpn"
description "The server that runs OpenVPN"
run_list("recipe[openvpn::server]")
override_attributes(
  "openvpn" => {
    "gateway" => "vpn.example.com",
    "subnet" => "10.8.0.0",
    "netmask" => "255.255.0.0",
    "key" => {
      "country" => "US",
      "province" => "CA",
      "city" => "SanFrancisco",
      "org" => "Fort-Funston",
      "email" => "me@example.com"
    }
  }
)

Note: If you are using a Red Hat EL distribution, the EPEL repository is automatically enabled by Chef's recipe[yum::epel] to install the openvpn package.

To push routes to clients, add node['openvpn']['push_routes] as an array attribute, e.g. if the internal network is 192.168.100.0/24:

override_attributes(
  "openvpn" => {
    "push_routes" => [
      "192.168.100.0 255.255.255.0"
    ]
  }
)

To push other options to clients, use the node['openvpn']['push_options'] attribute and set an array of hashes or strings. For example:

override_attributes(
  "openvpn" => {
    "push_options" => {
      "dhcp-option" => [
        "DOMAIN domain.local",
        "DOMAIN-SEARCH domain.local"
      ],
      "string-option" => "string value"
    }
  }
)

This will render a config file that looks like:

push "dhcp-option DOMAIN domain.local"
push "dhcp-option DOMAIN-SEARCH domain.local"
push "string-option string value"

To automatically create new certificates and configurations for users, create data bags for each user. The only content required is the id, but this can be used in conjunction with other cookbooks by Chef Software such as users or samba. See SSL Certificates below for more about generating client certificate sets.

{
  "id": "jtimberman"
}

This cookbook also provides an 'up' script that runs when OpenVPN is started. This script is for setting up firewall rules and kernel networking parameters as needed for your environment. Modify to suit your needs, upload the cookbook and re-run chef on the openvpn server. For example, you'll probably want to enable IP forwarding (sample Linux setting is commented out). The attribute node['openvpn']["script_security"] must be set to 2 or higher to use this otherwise openvpn server startup will fail.

Resources

openvpn_user

Implements a resource for creation of users and bundles.

openvpn_config

Given a hash of config options it writes out individual openvpn config files.

If you don't want to use the default "server.conf" from the default recipe, set node['openvpn']["configure_default_server"] to false, then use this resource to configure things as you like.

Example

.pem files should be provided before (e.g.: cookbook_file)

openvpn_conf 'myvpn' do
  config({
    'client' => '',
    'dev' => 'tun',
    'proto' => 'tcp',
    'remote' => '1.2.3.4 443',
    'cipher' => 'AES-128-CBC',
    'tls-cipher' => 'DHE-RSA-AES256-SHA',
    'auth' => 'SHA1',
    'nobind' => '',
    'resolv-retry' => 'infinite',
    'persist-key' => '',
    'persist-tun' => '',
    'ca' => "/etc/openvpn/myvpn/ca.pem",
    'cert' => "/etc/openvpn/myvpn/cert.pem",
    'key' => "/etc/openvpn/myvpn/key.pem",
    'comp-lzo' => '',
    'verb' => false,
    'auth-user-pass' => "/etc/openvpn/myvpn/login.conf",
  })
end

# for systemd based systems
service 'openvpn@myvpn' do
  action [:start, :enable]
end

Customizing Server Configuration

To further customize the server configuration, there are two templates that can be modified in this cookbook.

The first is the OpenVPN server configuration file. Modify to suit your needs for more advanced features of OpenVPN. The second is an up script run when OpenVPN starts. This is where you can add firewall rules, enable IP forwarding and other OS network settings required for OpenVPN. Attributes in the cookbook are provided as defaults, you can add more via the openvpn role if you need them.

SSL Certificates

Some of the easy-rsa tools are copied to /etc/openvpn/easy-rsa to provide the minimum to generate the certificates using the default and users recipes. We provide a Rakefile to make it easier to generate client certificate sets if you're not using the data bags above. To generate new client certificates you will need rake installed (either as a gem or a package), then run:

cd /etc/openvpn/easy-rsa
source ./vars
rake client name="CLIENT_NAME" gateway="vpn.example.com"

Replace CLIENT_NAME and vpn.example.com with your desired values. The rake task will generate a tar.gz file with the configuration and certificates for the client.

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

https://opencollective.com/sous-chefs#backers

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.

https://opencollective.com/sous-chefs/sponsor/0/website https://opencollective.com/sous-chefs/sponsor/1/website https://opencollective.com/sous-chefs/sponsor/2/website https://opencollective.com/sous-chefs/sponsor/3/website https://opencollective.com/sous-chefs/sponsor/4/website https://opencollective.com/sous-chefs/sponsor/5/website https://opencollective.com/sous-chefs/sponsor/6/website https://opencollective.com/sous-chefs/sponsor/7/website https://opencollective.com/sous-chefs/sponsor/8/website https://opencollective.com/sous-chefs/sponsor/9/website