CHANGELOG.md
Version 3.0 (2024-12-26)

Updated to latest Ansible recommendations

ansible-lint isn't complaining anymore. It's also added to the CI system so the role shouldn't regress.

I've also added truthy/falsy to clauses to make sure a value is always coerced to a bool.

Changed Supported OS Versions

Actually supported - I make sure an OpenVPN connection works before putting up an Ansible Galaxy release:

Kind of supported - CI does sanity checks:

Community contributions - no automated checks, they might work:

  • FreeBSD
  • Solaris

Older OSes might work - there's no explicit blocking, but workarounds will be removed with EOLed OSes to simplify the role.

Removed Workarounds

  • CentOS 6 - no longer ignore errors when setting sysctls
  • CentOS 7 - Potentially affected by defaulting service name to the systemd style
  • Fedora <33 - no longer installing python2-dnf and python2-firewalld for Ansible to run on Python 2.

RHEL-alike 8 notes

Known issue: RHEL-alike 8 can't manage packages using ansible-core >=2.17.0 (2.17 dropped support for the Python 3.6 that RHEL 8 ships as its system interpreter, which the dnf bindings need), so you will need to use an earlier version of Ansible.

Other notes on RHEL-alike 8 variants:

  • AlmaLinux 8 and Rocky Linux 8 need an out-of-band python upgrade with dnf install python3.9 and setting the ansible_python_interpreter value to /usr/bin/python3.9
  • CentOS 8 and CentOS Stream 8 packages were vaulted (CentOS 8 announcement, Stream 8 announcement), which breaks Yum downloading packages

Assuming OpenVPN 2.5+

Biggest change (as far as I can tell) is that OpenVPN 2.5 deprecated cipher in favour of data-ciphers, a negotiated list rather than a single fixed cipher. All the supported OSes ship OpenVPN 2.5+, so I've updated the server config to emit data-ciphers when openvpn_cipher is set.

In the event you need fallback support on the server for older clients that can't negotiate a cipher, set data-ciphers-fallback through the playbook option openvpn_addl_server_options.

If you're forced to use OpenVPN 2.4 or earlier, this should work:

  • Unset openvpn_cipher in your vars file, e.g. openvpn_cipher: ~
  • Include cipher in openvpn_addl_server_options, e.g. openvpn_addl_server_options: ["cipher AES-256-CBC"]

Similarly on the client, you can use openvpn_addl_client_options to set cipher if needed.
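A worked model of the 2.5+ versus 2.4 cipher handling above, added here as an example; it is not the role's template. The function names, the assumed mapping of openvpn_cipher to a single data-ciphers line, and the version banner string are all assumptions for illustration.

```python
import re

# --data-ciphers and --data-ciphers-fallback exist from OpenVPN 2.5 onwards.
DATA_CIPHERS_MIN = (2, 5)


def parse_openvpn_version(banner):
    """Extract (major, minor, patch) from the first line of `openvpn --version`."""
    match = re.match(r"OpenVPN (\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return tuple(int(part) for part in match.groups())


def render_cipher_lines(openvpn_cipher=None, addl_server_options=()):
    """Assumed model of the 3.0 template (not the role's own code): a set
    openvpn_cipher becomes a data-ciphers line, and openvpn_addl_server_options
    are appended verbatim."""
    lines = []
    if openvpn_cipher:
        lines.append(f"data-ciphers {openvpn_cipher}")
    lines.extend(addl_server_options)
    return lines


def check_cipher_lines(lines, version):
    """Return a list of problems with the cipher lines for a target OpenVPN
    `version` tuple; an empty list means the server should load the config."""
    opts = {}
    for line in lines:
        key, _, value = line.strip().partition(" ")
        opts.setdefault(key, []).append(value.strip())

    problems = []
    if version < DATA_CIPHERS_MIN:
        for key in ("data-ciphers", "data-ciphers-fallback"):
            if key in opts:
                problems.append(f"{key} needs OpenVPN 2.5+, target is {version}")
        if "cipher" not in opts:
            problems.append("no cipher line: OpenVPN before 2.5 defaults to BF-CBC")
    else:
        if "data-ciphers" not in opts:
            problems.append("no data-ciphers line: set openvpn_cipher")
        if "cipher" in opts and "data-ciphers-fallback" not in opts:
            problems.append("cipher is deprecated on 2.5+: use data-ciphers-fallback "
                            "for clients that cannot negotiate")
    for key in ("cipher", "data-ciphers", "data-ciphers-fallback"):
        if len(opts.get(key, [])) > 1:
            problems.append(f"{key} appears {len(opts[key])} times")
    return problems


if __name__ == "__main__":
    # Constructed banner, as `openvpn --version` prints it on a 2.5 host.
    banner = "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"
    cases = [
        ("2.5 server with fallback",
         render_cipher_lines("AES-256-GCM", ["data-ciphers-fallback AES-256-CBC"]),
         parse_openvpn_version(banner)),
        ("2.4 server, cipher via addl options",
         render_cipher_lines(None, ["cipher AES-256-CBC"]), (2, 4, 12)),
        ("2.4 server given the 3.0 defaults",
         render_cipher_lines("AES-256-GCM"), (2, 4, 12)),
    ]
    for name, lines, version in cases:
        print(f"{name}: {lines} -> {check_cipher_lines(lines, version) or 'OK'}")
```

The third case is the failure mode worth catching before a deploy: leaving openvpn_cipher set while targeting a 2.4 host produces a data-ciphers line that 2.4 rejects, and with no cipher line at all the pre-2.5 default of BF-CBC would apply if the option were simply dropped.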

Discussion in this issue.

LDAP plugin no longer built by default

This thing has honestly made me nervous since merging it because I don't have anything that uses LDAP. I trust that it functions, but a compilation issue was reported.

Turns out Fedora/EPEL, Debian, and Ubuntu all provide packages for openvpn-auth-ldap so I'm dropping the compilation step to simplify the role.

If you need it and there's no prebuilt package, manually build & configure it yourself and set the variable openvpn_use_prebuilt_ldap_plugin to False to skip the failing package install.

systemd by default

CentOS 8+, Ubuntu 22.04 and Debian 12 are all using systemd service units, so I've updated the default openvpn_service_name to be systemd style. I've kept the existing openvpn value for Solaris and FreeBSD, hopefully it works there.

The CRL crontab is also replaced by a systemd timer.

Future changes

Dropping iptables in a future release

Fedora/CentOS use firewalld and Debian recommends firewalld. Ubuntu is alone in using ufw.

nftables is the replacement for iptables, firewalld uses nftables as the default backend. Unfortunately there is no nftables support in Ansible yet, so I'm choosing to drop iptables and suggest firewalld as the replacement.

This will realistically be done when iptables starts requiring more maintenance than it does right now.

Help wanted: Develop end to end testing

The Fedora & CentOS connection testing is currently manual. (This is also blocking the better testing of the Debian & Ubuntu distros).

Switch to testing against multiple ansible-core releases

The CI currently tests the role on AlmaLinux/Rocky Linux 8 using the highest supported Ansible version for CentOS 8 as a control node - ansible-8.7.0/ansible-core-2.15.13, but this is limited to running the playbook without attempting an OpenVPN connection.

This is partly because the minimum ansible-core version for this role is 2.11 - if this run starts failing, I'll know the minimum ansible-core version will need to be bumped.

At some point in the future I'll switch to testing different ansible-core versions explicitly, and drop the RHEL-alike 8 CI builds at that time.

Version 2.0 (2016-04-11)

Improving TLS Security

  1. Added auth SHA256 so the HMACs on individual packets use SHA256 instead of SHA1 (OpenVPN's default).

  2. Added tls-version-min 1.2 to drop SSLv3 and TLS 1.0 support. This breaks clients older than 2.3.2 (the option needs 2.3.2+), but those versions have been out for a while.

  3. Restricted the tls-ciphers allowed to a subset of Mozilla's modern cipher list + DHE for older clients. ECDSA support is included for when ECDSA keys can be used.

  4. New keys are 2048 bit by default, downgraded from 4096 bit. This is based on Mozilla's SSL guidance, combined with the expectation of being able to use ECDSA keys in a later revision of this playbook.

  5. As part of the move to 2048 bit keys, the 4096 bit DH parameters are no longer distributed. It was originally distributed since generating it took ~75 minutes, but the new 2048 bit parameters take considerably less time.

Points 2 & 3 are gated by the openvpn_use_modern_tls variable, which defaults to true.
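An audit of a server config against points 1 to 3 above, added here as an example rather than code from the role. Both sample configs are constructed for the demonstration, the tls-cipher lists are illustrative rather than the role's list, and the weak-suite markers are a general TLS heuristic, not something the role defines.

```python
# Substrings that mark a control-channel suite as not belonging in a modern list.
WEAK_SUITE_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON", "PSK")


def parse_config(text):
    """Map each option name to its argument string; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts


def audit_tls(config_text):
    """Return findings against the 2.0 hardening points; [] means all present."""
    opts = parse_config(config_text)
    findings = []

    auth = opts.get("auth", "SHA1")  # SHA1 is OpenVPN's default packet HMAC digest
    if auth.upper() in ("SHA1", "MD5", "NONE"):
        findings.append(f"auth {auth}: packet HMAC uses a weak digest, use auth SHA256")

    minver = opts.get("tls-version-min")
    if minver is None or float(minver.split()[0]) < 1.2:
        findings.append("tls-version-min absent or below 1.2: SSLv3/TLS 1.0 handshakes accepted")

    suites = opts.get("tls-cipher")
    if not suites:
        findings.append("tls-cipher absent: control channel accepts the library default list")
    else:
        for suite in suites.split(":"):
            if any(marker in suite.upper() for marker in WEAK_SUITE_MARKERS):
                findings.append(f"weak control-channel suite: {suite}")
    return findings


# Constructed sample: what a 2.0-style server config looks like.
HARDENED_CONF = """\
port 1194
proto udp6
dh dh2048.pem
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

# Constructed sample: a pre-2.0 config that relies on defaults.
LEGACY_CONF = """\
port 1194
proto udp
dh dh4096.pem
# no auth line: OpenVPN defaults to SHA1
tls-cipher TLS-RSA-WITH-RC4-128-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(name, audit_tls(conf) or "OK")
```

Point 4 (key size) and point 5 (DH parameters) are not visible in the config text, only in the files it references, so they are outside what a text audit can check.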

Adding Cert Validations

OpenVPN has at least two kinds of certificate validation available: (Extended) Key Usage checks, and certificate content validation.

EKU

Previously only the client was verifying that the server cert had the correct usage, now the verification is bi-directional.

Certificate content

Added the ability to verify the common name that is part of each certificate. This required changing the common names that each certificate is generated with, which means that the ability to wipe out the existing keys was added as well.

Again, both these changes are gated by a variable (openvpn_verify_cn). Because this requires rather large client changes, it is off by default.

Wiping out & reinstalling

Added the ability to wipe out & reinstall OpenVPN. Currently it leaves firewall rules behind, but other than that everything is removed.

Use ansible-playbook -v openvpn.yml --extra-vars="openvpn_uninstall=true" --tags uninstall to just run the uninstall portion.

Connect over IPv6

Previously, you had to explicitly use udp6 or tcp6 to use IPv6. OpenVPN isn't dual-stacked with plain udp/tcp, so if the server has an AAAA record and your device has a functional IPv6 connection, you can end up unable to connect: with plain udp/tcp the client chooses which stack to use, and it may pick the one the server isn't listening on.

Since this playbook is only on Linux, which supports IPv4 connections on IPv6 sockets, the server config is now IPv6 by default (https://github.com/OpenVPN/openvpn/blob/master/README.IPv6#L50), by means of using {{ openvpn_proto }}6 in the server template. Specifying a *6 protocol for openvpn_proto is now an error, and will cause OpenVPN to fail to start.
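The proto handling just described, as an added example rather than the role's template: the server side appends 6 to openvpn_proto, the client side keeps the plain value so it can pick a stack, and a value that already ends in 6 is rejected up front instead of producing a proto that makes OpenVPN fail to start. Function names and the migration helper are assumptions for illustration.

```python
BASE_PROTOS = ("udp", "tcp")


def server_proto_line(openvpn_proto):
    """Render the server proto line as the template does: openvpn_proto + '6'.
    A value that already ends in 6 would produce e.g. 'udp66', so reject it here
    rather than letting OpenVPN fail at start-up."""
    proto = openvpn_proto.strip().lower()
    if proto.endswith("6"):
        raise ValueError(
            f"openvpn_proto={openvpn_proto!r}: the server template adds the 6 itself, "
            f"use {proto[:-1]!r} instead")
    if proto not in BASE_PROTOS:
        raise ValueError(f"openvpn_proto={openvpn_proto!r}: expected one of {BASE_PROTOS}")
    return f"proto {proto}6"


def client_remote_line(host, port, openvpn_proto):
    """The client keeps the plain proto so it can choose IPv4 or IPv6 per
    connection; the same validation applies to the variable."""
    proto = openvpn_proto.strip().lower()
    if proto not in BASE_PROTOS:
        raise ValueError(f"openvpn_proto={openvpn_proto!r}: expected one of {BASE_PROTOS}")
    return f"remote {host} {port} {proto}"


def migrate_proto_value(openvpn_proto):
    """Convert a pre-2.0 value such as 'udp6' to what 2.0 expects ('udp')."""
    proto = openvpn_proto.strip().lower()
    base = proto[:-1] if proto.endswith("6") else proto
    if base not in BASE_PROTOS:
        raise ValueError(f"cannot migrate openvpn_proto={openvpn_proto!r}")
    return base


if __name__ == "__main__":
    # 'udp6' is the pre-2.0 style value that is now an error.
    for value in ("udp", "tcp", "udp6"):
        try:
            print(f"{value!r} -> {server_proto_line(value)} / "
                  f"{client_remote_line('vpn.example.invalid', 1194, value)}")
        except ValueError as err:
            fixed = migrate_proto_value(value)
            print(f"{value!r} rejected ({err}); migrated to {fixed!r} -> "
                  f"{server_proto_line(fixed)}")
```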