Google auth

README.md

@@ -24,12 +24,14 @@ Version History
 |**13 January 2020** | v.1.0.0 | Updated for AMAZON | Sudipt Sharma |
 |**11 February 2020** | v.1.0.0 | Added tags for client create & revoke  | Sudipt Sharma |
 |**18th April 2020** | v.1.0.0 | Integrated circle-ci | Sudipt Sharma |
+|**03rd July 2021** | v.1.1.0 | Added Password authentication | Pankaj Kumar |
+|**23rd May 2023** | v.1.1.0 | Integrated Private hosted Zone  | Pankaj Kumar |
 
 Salient Features
 ----------------
 - This Role automates the VPN setup using OpenVPN.
 The role consist of two meta files
-- clientlist: Enter the namer of the client you want to add.
+- clientlist: Enter the namer of the client you want to add. (Along with password if password is enabled in variables)
 - revokelist: Enter the names of the client you want to revoke.
 
 ### Note:  
@@ -39,13 +41,20 @@ The role consist of two meta files
      > Check from the drop down menu. Then click Yes, Disable. This is needed as otherwise, your VPN  
      > server will not be able to connect to your other EC2 instances.
 
+  - To enable Private hosted zone or pass custom DNS resolver. 
+
+     > Add your DNS IP under /defaults/main.yaml at DNS_IP variable. [ Port 53 should be allowed from your machine].  
+     > For AWS Private hosted zone:- IP address of the Amazon-provided DNS servers for your VPC, which is the IP address at the base of the VPC network range "plus two." For example, if the CIDR range for your VPC is 10.0.0.0/16, the IP address of the DNS server is 10.0.0.2  
+
+
 Supported OS
 ------------
   * CentOS:7
   * CentOS:6
   * Ubuntu:bionic
   * Ubuntu:xenial
   * Amazon AMI
+  * Amazon Linux 2 AMI
 
 Dependencies
 ------------
@@ -91,14 +100,15 @@ osm_openvpn
 │   ├── easy-rsa.yaml
 │   ├── firewall.yaml
 │   ├── install.yaml
+│   ├── client_passwd_keys.yaml
+│   ├── password_dependency.yaml
 │   ├── main.yaml
 │   ├── revoke.yaml
 │   └── server_keys.yaml
 └── templates
     ├── before.rules.j2
     ├── client.conf.j2
     └── server.conf.j2
-10 directories, 31 files
 
 ```
 
@@ -113,8 +123,10 @@ Role Variables
 | openvpn_server_network | 10.8.0.0 | CIDR range given to vpn network | Optional |
 | base_directory | /etc/openvpn | Configuration path of openvpn server | Optional |
 | easy_rsa_url | url | URL to download Easy RSA | Optional |
+| password_enable | false | Enable password authentication along with file | Optional |
 | block_all_connection | false | Block all communication for openvpn client | Optional |
 | port_list | [80,443] | Allow specific ports for openvpn client & only applicable if block_all_connection == true | Optional |
+| DNS_IP | 8.8.4.4 | To enable Private hosted zone or pass custom DNS resolver | Optional |
 
 
 Example Playbook
@@ -131,6 +143,14 @@ Example Playbook
 $  ansible-playbook site.yml -i inventory
 
 ```
+Example clientlist file for password authentication
+----------------
+```
+opstree TyH76$th9I
+pankaj Abgf$56Gt
+
+```
+
 - For generating client keys
 
 ```sh
@@ -178,15 +198,15 @@ Install Openvpn GUI for ubuntu 18.04 bionic beaver
 
 After installing go to network settings
 
-<img src="https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/vpn.jpg" height="350" width="700">
+<img src="media/vpn.jpg" height="350" width="700">
 
 Add VPN to your network settings
 
-<img src="https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/addvpn.jpg" height="450" width="700">
+<img src="media/addvpn.jpg" height="350" width="700">
 
 Then VPN settings and add browse your client.ovpn
 
-![client](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/client.png)
+<img src="media/client.png" height="350" width="700">
 
 Install Openvpn GUI for ubuntu 16.04 xenial
 
@@ -196,19 +216,19 @@ Install Openvpn GUI for ubuntu 16.04 xenial
 
 After installing go to network settings
 
-![add_connection](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/add_connection.png)
+<img src="media/add_connection.png" height="350" width="700">
 
 Add .ovpn file to your network settings
 
-![import_file](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/import_file.png)
+<img src="media/import_file.png" height="350" width="700">
 
 Then select the .client.ovpn file.
 
-![select_file](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/select_file.png)
+<img src="media/select_file.png" height="350" width="700">
 
 Then save the client.ovpn file.
 
-![save_key](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/save_key.png)
+<img src="media/save_key.png" height="350" width="700">
 
 
 Future Proposed Changes
@@ -227,7 +247,13 @@ References
 
 ### Contributors
 
-[![Sudipt Sharma][sudipt_avatar]][sudipt_homepage]<br/>[Sudipt Sharma][sudipt_homepage] 
+<a href = "https://github.com/iamsudipt">
+  <img src = "https://img.cloudposse.com/75x75/https://github.com/iamsudipt.png"/>
+</a>&nbsp;
+
+<a href = "https://www.linkedin.com/in/pankaj-kumar-33bb65170">
+  <img src = "https://ca.slack-edge.com/T2AGPFQ9X-USNEVM1CN-b9585c51a347-80" height="75" width="75"/>
+</a>
 
-  [sudipt_homepage]: https://github.com/iamsudipt
-  [sudipt_avatar]: https://img.cloudposse.com/75x75/https://github.com/iamsudipt.png
+<a href = "https://github.com/iamsudipt"><span style="font-size:12px;">Sudipt Sharma</span></a>&nbsp;
+<a href = "https://www.linkedin.com/in/pankaj-kumar-33bb65170"><span style="font-size:12px;">Pankaj Kumar</span></a>

clientlist

@@ -1 +0,0 @@
-

defaults/main.yml

@@ -11,11 +11,18 @@ base_directory: "etc/openvpn"
 epel_repo: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
 easy_rsa_url: "https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz"
 easy_rsa_pkg: "EasyRSA-3.0.4"
+yum_pip:
+  - "{{ 'python3-devel' if ansible_facts['python'].version.major == 3 else 'python-devel' }}"
+  - "{{ 'python3-pip' if ansible_facts['python'].version.major == 3 else 'python-pip' }}"
 openvpn_monitor_giturl: "https://github.com/furlongm/openvpn-monitor.git"
 apache_dir_ubuntu: "/etc/apache2/conf-available/openvpn-monitor.conf"
 apache_dir_centos: "/etc/httpd/conf.d/openvpn-monitor.conf"
 client_list: clientlist
 revoke_list: revokelist
 block_all_connection: false
+password_enable: false
+out_interface: "eth0"
+in_interface: "tun0"
 port_list: [80, 443]
+DNS_IP: "8.8.4.4"
 ...

tasks/client_passwd_keys.yaml

@@ -0,0 +1,67 @@
+---
+- name: Creating OpenVPN Client certificate and key pair
+  expect:
+    command: ./easyrsa build-client-full "{{ item.split(' ')[0] | trim }}"
+    chdir: /etc/openvpn/easy-rsa/
+    creates: "/etc/openvpn/easy-rsa/pki/issued/{{ item.split(' ')[0] | trim }}.crt"
+    responses:
+      Enter PEM pass phrase: "{{ item.split(' ')[1] | trim }}"
+      Verifying - Enter PEM pass phrase: "{{ item.split(' ')[1] | trim }}"
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+
+- name: Creating certificate revocation list
+  command: ./easyrsa gen-crl
+  environment:
+    EASYRSA_CRL_DAYS: 3650
+  args:
+    chdir: //{{ base_directory }}/easy-rsa/
+    creates: /{{ base_directory }}/easy-rsa/pki/crl.pem
+
+- name: Copying certificate revocation list
+  copy:
+    src: /{{ base_directory }}/easy-rsa/pki/crl.pem
+    dest: /{{ base_directory }}
+    owner: nobody
+    group: nogroup
+    remote_src: yes
+
+- name: Copying client keys to openvpn directory
+  copy:
+    src: "/{{ base_directory }}/easy-rsa/pki/private/{{ item.split(' ')[0] | trim }}.key"
+    dest: /{{ base_directory }}
+    remote_src: yes
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() | trim }}"
+  ignore_errors: true
+
+- name: Copying client certificate to openvpn directory
+  copy:
+    src: "/{{ base_directory }}/easy-rsa/pki/issued/{{ item.split(' ')[0] | trim }}.crt"
+    dest: /{{ base_directory }}
+    remote_src: yes
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+
+- name: Copying the sample script to generate client keys
+  copy:
+  args:
+    src: make_config.sh
+    dest: /{{ base_directory }}/
+    mode: 0700
+
+- name: Creating client certificate and key
+  command: ./make_config.sh "{{ item.split(' ')[0] | trim }}"
+  args:
+    chdir: /{{ base_directory }}/
+    creates: /{{ base_directory }}/"{{ item.split(' ')[0] | trim }}".ovpn
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+
+- name: Copying the client.ovpn to localhost
+  fetch:
+    src: "/{{ base_directory }}/{{ item.split(' ')[0] | trim }}.ovpn"
+    dest: /tmp/
+    flat: yes
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+...

tasks/firewall.yaml

@@ -24,7 +24,7 @@
     action: append
     chain: POSTROUTING
     source: "{{ openvpn_server_network }}/24"
-    out_interface: eth0
+    out_interface: "{{ out_interface }}"
     jump: MASQUERADE
     comment: "Perform NAT readdressing"
 
@@ -36,7 +36,7 @@
     source: "{{ openvpn_server_network }}/24"
     jump: ACCEPT
     destination_port: "{{ item }}"
-    in_interface: tun0
+    in_interface: "{{ in_interface }}"
     comment: "Perform Ports Allow for openvpn client"
   when: block_all_connection
   with_items:
@@ -49,7 +49,7 @@
     chain: FORWARD
     source: "{{ openvpn_server_network }}/24"
     jump: DROP
-    in_interface: tun0
+    in_interface: "{{ in_interface }}"
     comment: "Perform all communication blocking for openvpn client"
   when: block_all_connection
 

tasks/main.yaml

@@ -17,8 +17,19 @@
 - name: Including config.yaml for OpenVPN setup
   include: config.yaml
 
+- name: Dependecies for password authentication
+  include: password_dependency.yaml
+  when: password_enable
+
 - name: Including client_keys.yaml for OpenVPN setup
   include: client_keys.yaml
+  when: not password_enable
+  tags:
+    - generate_client_keys
+
+- name: Including client_keys.yaml for OpenVPN setup with password
+  include: client_passwd_keys.yaml
+  when: password_enable
   tags:
     - generate_client_keys
 

tasks/password_dependency.yaml

@@ -0,0 +1,16 @@
+---
+- name: Install pip
+  apt:
+    update_cache: yes
+    name: pip
+  when: ansible_distribution == "Ubuntu" or ansible_distribution=="Debian"
+
+- name: Install pip
+  yum:
+    update_cache: yes
+    name: "{{ yum_pip }}"
+  when: ansible_distribution == "CentOS" or ansible_distribution=="RedHat" or ansible_distribution == "Amazon"
+
+- name: Install pexpect
+  pip:
+    name: pexpect

tasks/server_keys.yaml

@@ -59,4 +59,4 @@
     - /{{ base_directory }}/easy-rsa/pki/issued/{{ server_name }}.crt
     - /{{ base_directory }}/easy-rsa/pki/private/{{ server_name }}.key
     - /{{ base_directory }}/easy-rsa/pki/dh.pem
-...
+...

templates/before.rules.j2

@@ -12,32 +12,32 @@
 -A OUTPUT -p icmp -j ACCEPT
 
 # Allow SSH.
--A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
--A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
+-A INPUT -i {{ out_interface }} -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
+-A OUTPUT -o {{ out_interface }} -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
 
 # Allow UDP traffic on port 1194.
--A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
--A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
+-A INPUT -i {{ out_interface }} -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
+-A OUTPUT -o {{ out_interface }} -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
 
-# Allow DNS resolution and limited HTTP/S on eth0.
+# Allow DNS resolution and limited HTTP/S on {{ out_interface }}.
 # Necessary for updating the server and keeping time.
--A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
--A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
--A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
--A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
+-A INPUT -i {{ out_interface }} -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
+-A OUTPUT -o {{ out_interface }} -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
+-A INPUT -i {{ out_interface }} -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
+-A OUTPUT -o {{ out_interface }} -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
 
--A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
--A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
--A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
--A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
+-A INPUT -i {{ out_interface }} -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
+-A OUTPUT -o {{ out_interface }} -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
+-A INPUT -i {{ out_interface }} -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
+-A OUTPUT -o {{ out_interface }} -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
 
 # Allow traffic on the TUN interface.
--A INPUT -i tun0 -j ACCEPT
--A FORWARD -i tun0 -j ACCEPT
--A OUTPUT -o tun0 -j ACCEPT
+-A INPUT -i {{ in_interface }} -j ACCEPT
+-A FORWARD -i {{ in_interface }} -j ACCEPT
+-A OUTPUT -o {{ in_interface }} -j ACCEPT
 
 # Allow forwarding traffic only from the VPN.
--A FORWARD -i tun0 -o eth0 -s {{ openvpn_server_network }}/24 -j ACCEPT
+-A FORWARD -i {{ in_interface }} -o {{ out_interface }} -s {{ openvpn_server_network }}/24 -j ACCEPT
 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Log any packets which don't fit the rules above...

templates/client.conf.j2

@@ -4,6 +4,7 @@ proto udp
 sndbuf 0
 rcvbuf 0
 remote my-server-1 1194
+dhcp-option DNS {{DNS_IP}}
 resolv-retry infinite
 nobind
 persist-key

templates/server.conf.j2

@@ -10,11 +10,11 @@ dh dh.pem
 auth SHA512
 tls-auth ta.key 0
 topology subnet
-server 10.8.0.0 255.255.255.0
+server {{openvpn_server_network}} 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS {{DNS_IP}}"
 push "dhcp-option DNS 8.8.8.8"
-push "dhcp-option DNS 8.8.4.4"
 keepalive 10 120
 cipher AES-256-CBC
 comp-lzo