forked from bau-sec/ansible-openvpn-hardened
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
96 lines (85 loc) · 2.75 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
---
ssh_on_vpn_only: true
openvpn_key_country: "US"
openvpn_key_province: "California"
openvpn_key_city: "Beverly Hills"
openvpn_key_org: "ACME CORPORATION"
openvpn_key_ou: "Anvil Department"
openvpn_key_email: "user@box.com"
openvpn_clients:
- laptop
- phone
openvpn_key_size: "2048"
openvpn_cipher: "AES-256-CBC"
openvpn_auth_digest: "SHA256"
# For all available ciphers use: openvpn --show-tls
# For all available PFS ciphers (without eliptic curve cryptography) use: openvpn --show-tls | grep -e "-DHE-"
# Configuration here just uses PFS ciphers leveraging AES256 and at least SHA256
openvpn_tls_cipher: "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"
## lock easyrsa git checkout to pull in openssl fix
## https://github.com/OpenVPN/easy-rsa/issues/132
openvpn_easyrsa_version: a138c0d83b0ff1feed385c5d2d7a1c25422fe04d
openvpn_instances:
- {
proto: udp,
port: 1194,
mask: "10.9.0.0 255.255.255.0",
cidr: "10.9.0.0/24",
gateway: "10.9.0.1",
}
# Uncomment below to listen on TCP 443. This will look like normal SSL/TLS traffic
# and will be more likely to get through restrictive firewalls.
# - {
# proto: tcp,
# port: 443,
# mask: "10.8.0.0 255.255.255.0",
# cidr: "10.8.0.0/24",
# gateway: "10.8.0.1",
# }
dns_user: dns
dns_group: dns
upstream_dns_servers:
- 8.8.8.8
- 8.8.4.4
openvpn_path: "/etc/openvpn"
openvpn_path_pki: "{{ openvpn_path }}/pki"
openvpn_path_keys: "{{ openvpn_path_pki }}/private"
openvpn_path_certs: "{{ openvpn_path_pki }}/issued"
openvpn_path_reqs: "{{ openvpn_path_pki }}/reqs"
openvpn_hmac_firewall: "{{ openvpn_path_pki }}/ta.key"
openvpn_ca_cert: "{{ openvpn_path_pki }}/ca.crt"
openvpn_path_easyrsa: "{{ openvpn_path }}/easyrsa/easyrsa3"
dhparams_size: "{{ openvpn_key_size }}"
dhparams_location: "{{ openvpn_path_pki }}/dh.pem"
openvpn_crl: "{{ openvpn_path_pki }}/crl.pem"
openvpn_server_common_name_file: "{{ openvpn_path }}/openvpn_server_common_name"
openvpn_server: "{{ inventory_hostname }}"
local_creds_folder: "{{ playbook_dir }}/../fetched_creds/{{ openvpn_server }}"
required_packages:
- sudo
# Required for ansible 'expect' module
#- python-pexpect
- python-pip
- python-virtualenv
# Required for easy-rsa install in PKI tasks and audit tasks
- git
# Used to verify GPG signatures for mirrored packages
- gnupg
# Used to configure firewall rules
- iptables
# Word List dictionary used by several roles to generate random data
- "{{ package_name_words }}"
- "{{ package_name_auditd }}"
- aide
- openssl
- openvpn
- dnsmasq
- rsyslog
- logrotate
unwanted_packages:
- bind9-host
- libbind9-140
- at
- lxcfs
- rpcbind
- nfs-common