A playbook to manage a PKI for OpenVPN
```sh
ansible-playbook \
  -i inventory.yml \
  playbook.yml \
  --extra-vars="variable_host=<host-ip> variable_user=<host-user> variable_private_key=<ssh-private-key-location>"
```
NOTE: for convenience, this playbook creates the whole PKI on the same server. In a real deployment you should keep the CA (which validates requests and signs certificates) on a dedicated, preferably offline, host and run OpenVPN on a separate server: with both on one machine, anyone who compromises the VPN server also holds `ca.key` and can issue certificates for arbitrary clients.
This playbook creates the PKI allowing clients to tunnel their traffic to an OpenVPN server (reached through `variable_host`, `variable_user` and `variable_private_key`). When a client referenced in the `clients` list is not yet registered on the VPN server, it is created automatically.
- install easyrsa `3.0.8` in a dedicated `easyrsa` home dir
- init the PKI
- generate `ca.crt` and `ca.key`
- generate `server.key` and `server.req`
- sign `server.req` and create `server.crt`
- generate the pre-shared `ta.key` (tls-auth)
- template `server.conf` and `client.base.conf`
- (optional) if ufw is installed, allow traffic through `openvpn_port`, set `DEFAULT_FORWARD_POLICY` and IP masquerading
- start the openvpn server systemd service
- generate `<client>.req` and `<client>.key` for clients that do not exist yet
- sign `<client>.req` and create `<client>.cert` for clients that do not exist yet
- generate client config files
- copy client config files to `openvpn_client_configs_dest` on localhost
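The steps above, carried out end to end as an added example that is not part of the playbook: it builds the same layout (CA, server cert, `ta.key`, per-client cert and inlined client config, only for clients that do not exist yet) with plain `openssl` in place of Easy-RSA 3, so it runs wherever `openssl` is installed, and finishes with the checks a practitioner should run on the output. The directory names, the `pki.cnf` extension profiles and the `OPENVPN_HOST`/`OPENVPN_PORT` placeholders are assumptions of this script, not names used by the playbook.

```shell
#!/bin/sh
# Added example (not the playbook's code): rebuilds the PKI the steps above
# describe with plain openssl instead of Easy-RSA 3. Directory layout, the
# "pki.cnf" profiles and OPENVPN_HOST/OPENVPN_PORT are assumptions of this script.
set -e

write_config() {   # extension profiles: CA, server (serverAuth) and client (clientAuth)
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

gen_key_req() {   # gen_key_req DIR NAME: key + CSR, like "easyrsa gen-req NAME nopass"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$1/pki.cnf" -subj "/CN=$2" \
    -keyout "$1/private/$2.key" -out "$1/reqs/$2.req" 2>/dev/null
}

sign_req() {   # sign_req DIR NAME PROFILE: like "easyrsa sign-req server|client NAME"
  openssl x509 -req -in "$1/reqs/$2.req" -CA "$1/ca.crt" -CAkey "$1/private/ca.key" \
    -CAcreateserial -days 825 -extfile "$1/pki.cnf" -extensions "$3" \
    -out "$1/issued/$2.crt" 2>/dev/null
}

render_client() {   # render_client DIR NAME: a client.base.conf with the material inlined
  cat <<EOF
client
dev tun
proto udp
remote ${OPENVPN_HOST:-vpn.example.com} ${OPENVPN_PORT:-1194}
remote-cert-tls server
key-direction 1
<ca>
$(cat "$1/ca.crt")
</ca>
<cert>
$(cat "$1/issued/$2.crt")
</cert>
<key>
$(cat "$1/private/$2.key")
</key>
<tls-auth>
$(cat "$1/ta.key")
</tls-auth>
EOF
}

build_pki() {   # build_pki DIR CLIENT...: idempotent, only missing pieces are created
  pki="$1"; shift
  mkdir -p "$pki/private" "$pki/reqs" "$pki/issued" "$pki/clients"
  write_config "$pki"
  [ -f "$pki/ca.crt" ] || openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -days 3650 -config "$pki/pki.cnf" -subj "/CN=OpenVPN CA" \
    -keyout "$pki/private/ca.key" -out "$pki/ca.crt" 2>/dev/null
  [ -f "$pki/issued/server.crt" ] || { gen_key_req "$pki" server; sign_req "$pki" server v3_server; }
  [ -f "$pki/ta.key" ] || {   # 2048-bit tls-auth key in the "OpenVPN Static key V1" file format
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' > "$pki/ta.key"
    openssl rand -hex 256 | fold -w 32 >> "$pki/ta.key"
    printf '%s\n' '-----END OpenVPN Static key V1-----' >> "$pki/ta.key"
  }
  for c in "$@"; do
    [ -f "$pki/issued/$c.crt" ] && continue
    gen_key_req "$pki" "$c"; sign_req "$pki" "$c" v3_client
    render_client "$pki" "$c" > "$pki/clients/$c.ovpn"
  done
}

check_pki() {   # check_pki DIR: checks worth running before handing out client configs
  d="$1"
  for crt in "$d"/issued/*.crt; do   # every issued cert must chain to our CA
    openssl verify -CAfile "$d/ca.crt" "$crt" >/dev/null || return 1
  done
  # the server cert carries serverAuth, which "remote-cert-tls server" on the client relies on
  openssl x509 -in "$d/issued/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
  # a cert from any other CA, even one issued for the same name, must be rejected
  rogue=$(mktemp -d); build_pki "$rogue" server
  [ -f "$rogue/issued/server.crt" ] || return 1
  if openssl verify -CAfile "$d/ca.crt" "$rogue/issued/server.crt" >/dev/null 2>&1; then return 1; fi
  rm -rf "$rogue"
}

# Usage: sh pki-demo.sh [DIR] [CLIENT...]   (defaults to a temp dir with no clients)
PKI_DIR="${1:-$(mktemp -d)}"; [ $# -gt 0 ] && shift
build_pki "$PKI_DIR" "$@"
check_pki "$PKI_DIR" && echo "PKI built and verified in $PKI_DIR"
```

Running it twice with an overlapping client list reissues nothing for clients that already have a certificate, which is the behaviour the playbook's "for clients that do not exist yet" steps describe. The `serverAuth` check matters because a client config with `remote-cert-tls server` refuses any peer whose certificate lacks that extended key usage, so a stolen client certificate cannot be used to impersonate the server. Note that `private/ca.key` sits next to everything else here, exactly the convenience the note above warns about.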