diff --git a/README.md b/README.md
index 094f8e2..1ebf40f 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,19 @@ openvpn_ldap_group_search_filter: '"cn=OpenVPNUsers"'
 openvpn_simple_auth: yes
 openvpn_simple_auth_password: password
+# Use bridged mode (default is routed)
+# WARNING: this may need cause the playbook to fail the first time
+# the network configuration is changed; if this happens just run the playbook again
+openvpn_bridge:
+ address: 10.0.0.1
+ netmask: 255.255.255.0
+ network: 10.0.0.0
+ broadcast: 10.0.0.255
+ dhcp_start: 10.0.0.2
+ dhcp_end: 10.0.0.254
+openvpn_server_options:
+ - "dev-type tap"
+ - "tls-server"
 ```
 #### Usage
diff --git a/defaults/main.yml b/defaults/main.yml
index c7a48ab..9225e60 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,6 +11,7 @@ openvpn_port: 1194
 openvpn_proto: udp
 openvpn_dev: tun
 openvpn_server: 10.8.0.0 255.255.255.0 # Set empty for skip
+openvpn_bridge: {}
 openvpn_max_clients: 100
 openvpn_log: /var/log/openvpn.log # Log's directory
 openvpn_keepalive: "10 120"
diff --git a/tasks/install.deb.yml b/tasks/install.deb.yml
index 4299d1f..a2a576a 100644
--- a/tasks/install.deb.yml
+++ b/tasks/install.deb.yml
@@ -12,3 +12,8 @@
 - name: Install LDAP dependencies (Debian)
 apt: name=openvpn-auth-ldap force=yes
 when: openvpn_use_ldap
+
+- name: Install bridge dependencies (Debian)
+ apt: name={{item}}
+ when: openvpn_bridge
+ with_items: [bridge-utils]
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml
index e5531dd..fd8d3ad 100644
--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
@@ -10,5 +10,7 @@
 - include: configure.yml
+- include: setup-bridge.yml
+
 - name: Ensure OpenVPN is started
 service: name=openvpn state=started enabled=yes
diff --git a/tasks/setup-bridge.yml b/tasks/setup-bridge.yml
new file mode 100644
index 0000000..77918c2
--- /dev/null
+++ b/tasks/setup-bridge.yml
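Review bot: `with_items: [bridge-utils]` loops `apt: name={{item}}` over a single fixed package, so the loop adds nothing; `apt: name=bridge-utils` (the same key=value form the LDAP task above uses) is simpler, and if the loop is kept, `{{ item }}` with inner spaces matches the rest of the role. The `when: openvpn_bridge` guard depends on the new `openvpn_bridge: {}` default in defaults/main.yml being falsy, which an empty mapping is; a short comment next to it, `# empty mapping (the default) disables bridging`, makes that dependency visible. This hunk covers only the Debian install file; if the role also has install files for other OS families, those hosts would reach setup-bridge.yml without bridge-utils present.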
@@ -0,0 +1,21 @@
+---
+
+- name: Setup bridge
+ when: openvpn_bridge
+ template:
+ src: bridge-interface.j2
+ dest: "/etc/network/interfaces.d/{{ openvpn_dev }}"
+ register: bridge
+ notify: [networking restart]
+ tags: [bridge]
+
+- name: Restart networking
+ service: name=networking state=restarted
+ when: openvpn_bridge and bridge|changed
+ tags: [bridge]
+
+- file:
+ path: "/etc/network/interfaces.d/{{ openvpn_dev }}"
+ state: absent
+ when: not openvpn_bridge
+ tags: [bridge]
diff --git a/templates/bridge-interface.j2 b/templates/bridge-interface.j2
new file mode 100644
index 0000000..9068c7f
--- /dev/null
+++ b/templates/bridge-interface.j2
@@ -0,0 +1,19 @@
+# DO NOT EDIT THIS FILE BECAUSE IT IS AUTOMATICALLY GENERATED FROM ANSIBLE
+
+# OpenVPN interface
+auto {{ openvpn_dev }}
+iface {{ openvpn_dev }} inet manual
+ pre-up openvpn --mktun --dev {{ openvpn_dev }} --dev-type tap
+ post-down openvpn --rmtun --dev {{ openvpn_dev }} --dev-type tap
+ up ifconfig $IFACE 0.0.0.0 up
+ down ifconfig $IFACE down
+
+# Bridge
+auto br-{{ openvpn_dev }}
+iface br-{{ openvpn_dev }} inet static
+ bridge_ports {{ openvpn_dev }}
+ bridge_stp off
+ address 10.27.253.1
+ netmask 255.255.255.0
+ network 10.27.253.0
+ broadcast 10.27.253.255
diff --git a/templates/server.conf.j2 b/templates/server.conf.j2
index ed91c87..e76e42a 100644
--- a/templates/server.conf.j2
+++ b/templates/server.conf.j2
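Review bot: "Setup bridge" both registers `bridge` and notifies `networking restart`, and the next task restarts networking inline on `bridge|changed`, so a single change can restart networking twice (inline now, and again via the handler at the end of the play); keep one mechanism. No handler named `networking restart` is added in this commit, so unless it already exists in the role's handlers the `notify:` is dead or, on newer Ansible releases, an error. The inline `service: name=networking state=restarted` runs over the SSH session it may tear down, which looks like the first-run failure the README hunk warns about; a comment such as `# restarting networking can drop the SSH session; re-run the play if it does` would record that expectation next to the task. The `file:` task has no `name:`; `- name: Remove bridge interface file` keeps play output readable. `/etc/network/interfaces.d/` is Debian-specific while openvpn.yml includes this file unconditionally, so if the role targets other OS families these tasks need an `ansible_os_family == "Debian"` condition.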
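Review bot: The `br-{{ openvpn_dev }}` stanza hard-codes `address 10.27.253.1`, `netmask 255.255.255.0`, `network 10.27.253.0` and `broadcast 10.27.253.255`, while server.conf.j2 in this same commit hands clients `openvpn_bridge.address` and `openvpn_bridge.netmask` through `server-bridge`; with the README's example values the bridge interface sits on 10.27.253.0/24 and clients are told their gateway is 10.0.0.1, so the two never agree unless the user happens to choose 10.27.253.x. Render the four values from `openvpn_bridge` instead — the README example already defines `network` and `broadcast`, which nothing else in the diff consumes. Separately, `bridge_ports {{ openvpn_dev }}` puts only the TAP device in the bridge, so clients get layer-2 adjacency to the server's bridge and not to a physical NIC; that is a reasonable design, but it differs from what the copied comment in server.conf.j2 describes and is worth stating in this file's header comment.

```jinja
iface br-{{ openvpn_dev }} inet static
  {# … unchanged: bridge_ports / bridge_stp … #}
  address {{ openvpn_bridge.address }}
  netmask {{ openvpn_bridge.netmask }}
  network {{ openvpn_bridge.network }}
  broadcast {{ openvpn_bridge.broadcast }}
```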
@@ -56,15 +56,26 @@ client-config-dir {{ openvpn_client_config_dir }}
 topology {{ openvpn_topology }}
 {% endif %}
+{% if openvpn_server and not openvpn_bridge %}
 # Configure server mode and supply a VPN subnet for OpenVPN to draw client
 # addresses from. The server will take 10.8.0.1 for itself, the rest will be
 # made available to clients. Each client will be able to reach the server on
 # 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
 # page for more info.
-{% if openvpn_server %}
 server {{ openvpn_server }}
-{% else %}
-;server 10.8.0.0
+{% endif %}
+{% if openvpn_bridge %}
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+server-bridge {{ openvpn_bridge.address }} {{ openvpn_bridge.netmask }} {{ openvpn_bridge.dhcp_start }} {{ openvpn_bridge.dhcp_end }}
 {% endif %}
 # Maintain a record of client <-> virtual IP address associations in this file.
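Review bot: The ten-line comment above `server-bridge` is the OpenVPN sample's text and still quotes sample values ("assume 10.8.0.4/255.255.255.0", "start=10.8.0.50 end=10.8.0.100", "Leave this line commented out"), none of which describe what the templated directive renders; replace it with a short comment tied to the variables, e.g. `# Ethernet bridging: address/netmask must match the br-{{ openvpn_dev }} interface; dhcp_start..dhcp_end is the pool handed to clients.` The directive dereferences `.address`, `.netmask`, `.dhcp_start` and `.dhcp_end`, but the default is `{}` and nothing checks the keys, so a mapping missing one of them fails at template time with an undefined-attribute error rather than a clear message; an `assert` task listing the four required keys before the template is applied would give a usable failure. The new `{% if openvpn_server and not openvpn_bridge %}` guard also drops the old `;server 10.8.0.0` fallback, so with both variables empty no server-mode directive is emitted at all; that agrees with the "Set empty for skip" comment in defaults/main.yml, but it is worth saying so here. The rest of server.conf.j2 before and after this hunk is outside the diff.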