Forge Home

openvpn

OpenVPN server puppet module

107,513 downloads

3,649 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 10.3.0 (latest)
  • 10.2.1
  • 10.2.0
  • 10.1.0
  • 10.0.0
  • 9.1.0
  • 9.0.0
  • 8.3.0
  • 8.2.0
  • 8.1.0
  • 8.0.0
  • 7.4.0
  • 7.3.0
  • 7.2.0
  • 7.1.0
  • 7.0.0
  • 6.0.0
  • 5.0.0
  • 4.1.1
  • 4.1.0
released Aug 24th 2022
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
  • Puppet >= 6.1.0 < 8.0.0
  • , , , , Archlinux, FreeBSD, Solaris

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppet-openvpn', '10.3.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppet-openvpn
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppet-openvpn --version 10.3.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: vpn, openvpn

Documentation

puppet/openvpn — version 10.3.0 Aug 24th 2022

OpenVPN Puppet module

Build Status Release License Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores

Puppet module to manage OpenVPN servers and clients.

Features

  • Client-specific rules and access policies
  • Generated client configurations and SSL-Certificates
  • Downloadable client configurations and SSL-Certificates for easy client configuration
  • Support for multiple server instances
  • Support for LDAP-Authentication
  • Support for server instance in client mode
  • Support for TLS

Supported OS

  • Ubuntu
  • Debian
  • CentOS
  • RedHat
  • Solaris

Dependencies

Puppet

The supported Puppet versions are listed in the metadata.json

REFERENCES

Please see REFERENCE.md for more details.

Example with hiera

---
classes:
  - openvpn

openvpn::servers:
  'winterthur':
    country: 'CH'
    province: 'ZH'
    city: 'Winterthur'
    organization: 'example.org'
    email: 'root@example.org'
    server: '10.200.200.0 255.255.255.0'

openvpn::client_defaults:
  server: 'winterthur'

openvpn::clients:
  'client1': {}
  'client2': {}
  'client3': {}

openvpn::client_specific_configs:
  'client1':
    server: 'winterthur'
    ifconfig: '10.200.200.50 10.200.200.51'

openvpn::revokes:
  'client3':
    server: 'winterthur'

Don't forget the sysctl directive net.ipv4.ip_forward!

Encryption Choices

This module provides certain default parameters for the openvpn encryption settings.

These settings have been applied in line with current "best practices" but no guarantee is given for their saftey and they could change in future.

You should double check these settings yourself to make sure they are suitable for your needs and in line with current best practices.

Example for automating client deployment to nodes managed by Puppet

Exporting the configurations for a client in the VPN server manifest:

  openvpn::deploy::export { 'client1':
    server => 'winterthur',
  }

Installation, configuration and starting the OpenVPN client in a configured node manifest:

  openvpn::deploy::client { 'client1':
    server => 'winterthur',
  }

Experimenting and developing in Vagrant

This project includes a Vagrantfile which allows you to easily develop this module or try it out. The prerequisites are Vagrant and VirtualBox.

To bring up the OpenVPN server VM:

vagrant up server_ubuntu

To bring up the OpenVPN client VM:

vagrant up client_ubuntu

Client's OpenVPN configuration is generated on the server, but it needs to be deployed to the client manually as exported resources are not available in Vagrant. To get the client config from server:

vagrant ssh server_ubuntu
sudo -i
cp /etc/openvpn/winterthur/download-configs/client1.ovpn /vagrant/
exit

To copy it to the client:

vagrant ssh client_ubuntu
sudo -i
mv /vagrant/client1.ovpn /etc/openvpn/client/client1.conf

To connect directly with OpenVPN:

openvpn --config /etc/openvpn/client/client1.conf

To connect with systemd:

systemctl start openvpn-client@client1

To test connectivity between client and server:

ping 10.200.200.1
References

ssl_key_size

The default key size is now set to 2048 bits. This setting also affects the size of the dhparam file.

Why

2048 bits is OK, but both NSA and ANSSI recommend at least a 3072 bits for a future-proof key. As the size of the key will have an impact on speed, I leave the choice to use 2048, 3072 or 4096 bits RSA key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.

Cipher

The default data channel cipher is now set to AES-256-GCM

Why

OpenVPN was setting its default value to BF-CBC. In newer versions of OpenVPN it warns that this is no longer a secure cipher. The OpenVPN documentation recommends using this setting.

tls_cipher

The default tls_cipher option is now set to: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Why

Details of these ciphers and their uses can be found in the documentation links above.

Contributions

This module is maintained by Vox Pupuli. Voxpupuli welcomes new contributions to this module, especially those that include documentation and rspec tests. We are happy to provide guidance if necessary.

Please see CONTRIBUTING for more details.

Authors