added password auto-generation & sharing credential to client on mail…

openvpn/Jenkinsfile

@@ -0,0 +1,27 @@
+#!/usr/bin/env groovy
+
+pipeline {
+    agent any
+    parameters {
+        string(name: 'CLIENT_NAME')
+        string(name: 'mail_id_of_client')
+        string(name: 'mail_id_of_administrator')
+        string(name: 'app_password_of_mail_id_of_administrator')
+    }
+    stages {
+        stage('name_parameter') {
+            steps {
+                echo "Hello ${CLIENT_NAME}"
+                echo "Hello ${mail_id_of_client}"
+                echo "Hello ${mail_id_of_administrator}"
+                echo "Hello ${app_password_of_mail_id_of_administrator}"
+            }
+        }
+
+        stage('running-playbook') {
+            steps {
+                sh 'ansible-playbook ~/workspace/$JOB_NAME/site.yml -e "username="${CLIENT_NAME}"" -e "mail="${mail_id_of_client}"" -e "mail_id_of_administrator="${mail_id_of_administrator}"" -e "app_password_of_mail_id_of_administrator="${app_password_of_mail_id_of_administrator}""'
+            }
+        }
+    }
+}

README.md → openvpn/README.md

@@ -1,35 +1,15 @@
 Ansible Role: OpenVPN
 =========
 
-[![CircleCI](https://circleci.com/gh/OT-OSM/openvpn/tree/master.svg?style=svg)](https://app.circleci.com/pipelines/github/OT-OSM/openvpn?branch=master)
 
 
-[![Opstree Solutions][opstree_avatar]][opstree_homepage]<br/>[Opstree Solutions][opstree_homepage] 
 
-  [opstree_homepage]: https://opstree.github.io/
-  [opstree_avatar]: https://img.cloudposse.com/150x150/https://github.com/opstree.png
-An ansible role to install and configure OpenVPN server.
-
-Version History
----------------
-
-|**Date**| **Version**| **Description**| **Changed By** |
-|----------|---------|---------------|-----------------|
-|**16 August 2018** | v.1.0.0 | Initial Draft | Yashvinder Hooda |
-|**8 September 2018** | v.1.0.0 | Added Role for Debian | Sudipt Sharma |
-|**9 October 2018** | v.1.0.0 | Updated Readme | Sudipt Sharma |
-|**13 November 2018** | v.1.0.0 | Updated for RHEL | Sudipt Sharma |
-|**28 February 2019** | v.1.0.0 | Added Gitlab-CI | Mahesh Kumar |
-|**31 May 2019** | v.1.0.0 | Added molecule Test-cases | Ekansh Jain |
-|**13 January 2020** | v.1.0.0 | Updated for AMAZON | Sudipt Sharma |
-|**11 February 2020** | v.1.0.0 | Added tags for client create & revoke  | Sudipt Sharma |
-|**18th April 2020** | v.1.0.0 | Integrated circle-ci | Sudipt Sharma |
 
 Salient Features
 ----------------
 - This Role automates the VPN setup using OpenVPN.
 The role consist of two meta files
-- clientlist: Enter the namer of the client you want to add.
+- clientlist: Enter the namer of the client you want to add. (Along with password if password is enabled in variables)
 - revokelist: Enter the names of the client you want to revoke.
 
 ### Note:  
@@ -38,6 +18,8 @@ The role consist of two meta files
      > From the list of instances, select the VPN instance and then Networking->Change Source/Dest. 
      > Check from the drop down menu. Then click Yes, Disable. This is needed as otherwise, your VPN  
      > server will not be able to connect to your other EC2 instances.
+
+     > Write your mail id and password in /tasks/append_clientlist.yaml
 
 Supported OS
 ------------
@@ -46,6 +28,7 @@ Supported OS
   * Ubuntu:bionic
   * Ubuntu:xenial
   * Amazon AMI
+  * Amazon Linux 2 AMI
 
 Dependencies
 ------------
@@ -86,19 +69,21 @@ osm_openvpn
 ├── README.md
 ├── revokelist
 ├── tasks
+│   ├── append_clientlist.yaml
 │   ├── client_keys.yaml
 │   ├── config.yaml
 │   ├── easy-rsa.yaml
 │   ├── firewall.yaml
 │   ├── install.yaml
+│   ├── client_passwd_keys.yaml
+│   ├── password_dependency.yaml
 │   ├── main.yaml
 │   ├── revoke.yaml
 │   └── server_keys.yaml
 └── templates
     ├── before.rules.j2
     ├── client.conf.j2
     └── server.conf.j2
-10 directories, 31 files
 
 ```
 
@@ -113,6 +98,7 @@ Role Variables
 | openvpn_server_network | 10.8.0.0 | CIDR range given to vpn network | Optional |
 | base_directory | /etc/openvpn | Configuration path of openvpn server | Optional |
 | easy_rsa_url | url | URL to download Easy RSA | Optional |
+| password_enable | false | Enable password authentication along with file | Optional |
 | block_all_connection | false | Block all communication for openvpn client | Optional |
 | port_list | [80,443] | Allow specific ports for openvpn client & only applicable if block_all_connection == true | Optional |
 
@@ -124,17 +110,28 @@ Example Playbook
 - name: It will automate OpenVPN setup
   hosts: server
   become: true
+  no_log: true
   roles:
     - role: osm_openvpn
 ...
 
 $  ansible-playbook site.yml -i inventory
 
+
+```
+Example clientlist file for password authentication
+----------------
+```
+opstree Opstree@1234
+
 ```
+
+- 
+
 - For generating client keys
 
 ```sh
-$  ansible-playbook site.yml -i inventory --tags "generate_client_keys"
+$  ansible-playbook site.yml -i inventory --tags "append_clientlist" -e "username=username_of_client" -e "mail=mail_id_of_client" --tags "generate_client_keys"
 
 ```
 
@@ -178,56 +175,13 @@ Install Openvpn GUI for ubuntu 18.04 bionic beaver
 
 After installing go to network settings
 
-<img src="https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/vpn.jpg" height="350" width="700">
 
 Add VPN to your network settings
 
-<img src="https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/addvpn.jpg" height="450" width="700">
-
-Then VPN settings and add browse your client.ovpn
-
-![client](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/client.png)
 
 Install Openvpn GUI for ubuntu 16.04 xenial
 
 ```sh
    apt install network-manager-openvpn-gnome -y
 ```
 
-After installing go to network settings
-
-![add_connection](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/add_connection.png)
-
-Add .ovpn file to your network settings
-
-![import_file](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/import_file.png)
-
-Then select the .client.ovpn file.
-
-![select_file](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/select_file.png)
-
-Then save the client.ovpn file.
-
-![save_key](https://raw.githubusercontent.com/OT-OSM/openvpn/master/media/save_key.png)
-
-
-Future Proposed Changes
------------------------
-- Fix the role to run on bare metal
-
-References
-----------
-- **[Source Code](https://openvpn.net/)**
-- **[Guide Followed](https://www.cyberciti.biz/faq/ubuntu-18-04-lts-set-up-openvpn-server-in-5-minutes/)**
-
-## License
-* MIT / BSD
-
-## Author Information
-
-### Contributors
-
-[![Sudipt Sharma][sudipt_avatar]][sudipt_homepage]<br/>[Sudipt Sharma][sudipt_homepage] 
-
-  [sudipt_homepage]: https://github.com/iamsudipt
-  [sudipt_avatar]: https://img.cloudposse.com/75x75/https://github.com/iamsudipt.png

defaults/main.yml → openvpn/defaults/main.yml

@@ -11,11 +11,17 @@ base_directory: "etc/openvpn"
 epel_repo: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
 easy_rsa_url: "https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz"
 easy_rsa_pkg: "EasyRSA-3.0.4"
+yum_pip:
+  - "{{ 'python3-devel' if ansible_facts['python'].version.major == 3 else 'python-devel' }}"
+  - "{{ 'python3-pip' if ansible_facts['python'].version.major == 3 else 'python-pip' }}"
 openvpn_monitor_giturl: "https://github.com/furlongm/openvpn-monitor.git"
 apache_dir_ubuntu: "/etc/apache2/conf-available/openvpn-monitor.conf"
 apache_dir_centos: "/etc/httpd/conf.d/openvpn-monitor.conf"
 client_list: clientlist
 revoke_list: revokelist
 block_all_connection: false
+password_enable: true
+out_interface: "eth0"
+in_interface: "tun0"
 port_list: [80, 443]
 ...

openvpn/tasks/append_clientlist.yaml

@@ -0,0 +1,19 @@
+---
+- set_fact:
+    my_pass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
+
+- name: append credentials in clientlist
+  lineinfile:
+    line: "{{ username }} {{ my_pass }}"
+    path: openvpn/clientlist
+
+- mail:
+    host: smtp.gmail.com
+    port: 587
+    username: "{{ mail_id_of_administrator }}"
+    password: "{{ app_password_of_mail_id_of_administrator }}"
+    to: "{{ mail }}"
+    subject: Credentials for connecting OPENVPN
+    body: Username= {{ username }}
+          Password= {{ my_pass }}
+  delegate_to: localhost

openvpn/tasks/client_passwd_keys.yaml

@@ -0,0 +1,67 @@
+---
+- name: Creating OpenVPN Client certificate and key pair
+  expect:
+    command: ./easyrsa build-client-full "{{ item.split(' ')[0] | trim }}"
+    chdir: /etc/openvpn/easy-rsa/
+    creates: "/etc/openvpn/easy-rsa/pki/issued/{{ item.split(' ')[0] | trim }}.crt"
+    responses:
+      Enter PEM pass phrase: "{{ item.split(' ')[1] | trim }}"
+      Verifying - Enter PEM pass phrase: "{{ item.split(' ')[1] | trim }}"
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+
+- name: Creating certificate revocation list
+  command: ./easyrsa gen-crl
+  environment:
+    EASYRSA_CRL_DAYS: 3650
+  args:
+    chdir: //{{ base_directory }}/easy-rsa/
+    creates: /{{ base_directory }}/easy-rsa/pki/crl.pem
+
+- name: Copying certificate revocation list
+  copy:
+    src: /{{ base_directory }}/easy-rsa/pki/crl.pem
+    dest: /{{ base_directory }}
+    owner: nobody
+    group: nogroup
+    remote_src: yes
+
+- name: Copying client keys to openvpn directory
+  copy:
+    src: "/{{ base_directory }}/easy-rsa/pki/private/{{ item.split(' ')[0] | trim }}.key"
+    dest: /{{ base_directory }}
+    remote_src: yes
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() | trim }}"
+  ignore_errors: true
+
+- name: Copying client certificate to openvpn directory
+  copy:
+    src: "/{{ base_directory }}/easy-rsa/pki/issued/{{ item.split(' ')[0] | trim }}.crt"
+    dest: /{{ base_directory }}
+    remote_src: yes
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+
+- name: Copying the sample script to generate client keys
+  copy:
+  args:
+    src: make_config.sh
+    dest: /{{ base_directory }}/
+    mode: 0700
+
+- name: Creating client certificate and key
+  command: ./make_config.sh "{{ item.split(' ')[0] | trim }}"
+  args:
+    chdir: /{{ base_directory }}/
+    creates: /{{ base_directory }}/"{{ item.split(' ')[0] | trim }}".ovpn
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+
+- name: Copying the client.ovpn to localhost
+  fetch:
+    src: "/{{ base_directory }}/{{ item.split(' ')[0] | trim }}.ovpn"
+    dest: /tmp/
+    flat: yes
+  with_items: "{{ lookup('file', '{{ client_list }}').splitlines() }}"
+  ignore_errors: true
+...

tasks/firewall.yaml → openvpn/tasks/firewall.yaml

@@ -24,7 +24,7 @@
     action: append
     chain: POSTROUTING
     source: "{{ openvpn_server_network }}/24"
-    out_interface: eth0
+    out_interface: "{{ out_interface }}"
     jump: MASQUERADE
     comment: "Perform NAT readdressing"
 
@@ -36,7 +36,7 @@
     source: "{{ openvpn_server_network }}/24"
     jump: ACCEPT
     destination_port: "{{ item }}"
-    in_interface: tun0
+    in_interface: "{{ in_interface }}"
     comment: "Perform Ports Allow for openvpn client"
   when: block_all_connection
   with_items:
@@ -49,7 +49,7 @@
     chain: FORWARD
     source: "{{ openvpn_server_network }}/24"
     jump: DROP
-    in_interface: tun0
+    in_interface: "{{ in_interface }}"
     comment: "Perform all communication blocking for openvpn client"
   when: block_all_connection
 

tasks/main.yaml → openvpn/tasks/main.yaml

@@ -1,4 +1,9 @@
 ---
+- name: Including append_clientlist.yaml
+  include: append_clientlist.yaml
+  tags:
+    - append_clientlist
+
 - name: Including install.yaml OpenVPN tasks
   include: install.yaml
 
@@ -17,8 +22,19 @@
 - name: Including config.yaml for OpenVPN setup
   include: config.yaml
 
+- name: Dependecies for password authentication
+  include: password_dependency.yaml
+  when: password_enable
+
 - name: Including client_keys.yaml for OpenVPN setup
   include: client_keys.yaml
+  when: not password_enable
+  tags:
+    - generate_client_keys
+
+- name: Including client_keys.yaml for OpenVPN setup with password
+  include: client_passwd_keys.yaml
+  when: password_enable
   tags:
     - generate_client_keys
 

openvpn/tasks/password_dependency.yaml

@@ -0,0 +1,16 @@
+---
+- name: Install pip
+  apt:
+    update_cache: yes
+    name: pip
+  when: ansible_distribution == "Ubuntu" or ansible_distribution=="Debian"
+
+- name: Install pip
+  yum:
+    update_cache: yes
+    name: "{{ yum_pip }}"
+  when: ansible_distribution == "CentOS" or ansible_distribution=="RedHat" or ansible_distribution == "Amazon"
+
+- name: Install pexpect
+  pip:
+    name: pexpect

tasks/server_keys.yaml → openvpn/tasks/server_keys.yaml

@@ -59,4 +59,4 @@
     - /{{ base_directory }}/easy-rsa/pki/issued/{{ server_name }}.crt
     - /{{ base_directory }}/easy-rsa/pki/private/{{ server_name }}.key
     - /{{ base_directory }}/easy-rsa/pki/dh.pem
-...
+...