Add support for OpenVPN bridged mode

README.md

@@ -82,6 +82,20 @@ openvpn_ldap_group_search_filter: '"cn=OpenVPNUsers"'
 openvpn_simple_auth: yes
 openvpn_simple_auth_password: password
 
+# Use bridged mode (default is routed)
+# WARNING: this may cause the playbook to fail the first time
+# the network configuration is changed;
+# if this happens just run the playbook again
+openvpn_bridge:
+    address: 10.0.0.1
+    netmask: 255.255.255.0
+    network: 10.0.0.0
+    broadcast: 10.0.0.255
+    dhcp_start: 10.0.0.2
+    dhcp_end: 10.0.0.254
+openvpn_server_options:
+    - "dev-type tap"
+    - "tls-server"
 ```
 
 #### Usage

defaults/main.yml

@@ -11,6 +11,7 @@ openvpn_port: 1194
 openvpn_proto: udp
 openvpn_dev: tun
 openvpn_server: 10.8.0.0 255.255.255.0              # Set empty for skip
+openvpn_bridge: {}
 openvpn_max_clients: 100
 openvpn_log: /var/log/openvpn.log                   # Log's directory
 openvpn_keepalive: "10 120"

tasks/install.deb.yml

@@ -12,3 +12,8 @@
 - name: Install LDAP dependencies (Debian)
   apt: name=openvpn-auth-ldap force=yes
   when: openvpn_use_ldap
+
+- name: Install bridge dependencies (Debian)
+  apt: name={{item}}
+  when: openvpn_bridge
+  with_items: [bridge-utils]

tasks/openvpn.yml

@@ -10,5 +10,7 @@
 
 - include: configure.yml
 
+- include: setup-bridge.yml
+
 - name: Ensure OpenVPN is started
   service: name=openvpn state=started enabled=yes

tasks/setup-bridge.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Setup bridge
+  when: openvpn_bridge
+  template:
+    src: bridge-interface.j2
+    dest: "/etc/network/interfaces.d/{{ openvpn_dev }}"
+  register: bridge
+  tags: [bridge]
+
+- name: Restart networking
+  service: name=networking state=restarted
+  when: openvpn_bridge and bridge|changed
+  tags: [bridge]
+
+- file:
+    path: "/etc/network/interfaces.d/{{ openvpn_dev }}"
+    state: absent
+  when: not openvpn_bridge
+  tags: [bridge]

templates/bridge-interface.j2

@@ -0,0 +1,19 @@
+# DO NOT EDIT THIS FILE BECAUSE IT IS AUTOMATICALLY GENERATED FROM ANSIBLE
+
+# OpenVPN interface
+auto {{ openvpn_dev }}
+iface {{ openvpn_dev }} inet manual
+       pre-up openvpn --mktun --dev {{ openvpn_dev }} --dev-type tap
+       post-down openvpn --rmtun --dev {{ openvpn_dev }} --dev-type tap
+       up ifconfig $IFACE 0.0.0.0 up
+       down ifconfig $IFACE down
+
+# Bridge
+auto br-{{ openvpn_dev }}
+iface br-{{ openvpn_dev }} inet static
+       bridge_ports {{ openvpn_dev }}
+       bridge_stp off
+       address 10.27.253.1
+       netmask 255.255.255.0
+       network 10.27.253.0
+       broadcast 10.27.253.255

templates/server.conf.j2

@@ -56,15 +56,26 @@ client-config-dir {{ openvpn_client_config_dir }}
 topology {{ openvpn_topology }}
 {% endif %}
 
+{% if openvpn_server and not openvpn_bridge %}
 # Configure server mode and supply a VPN subnet for OpenVPN to draw client
 # addresses from. The server will take 10.8.0.1 for itself, the rest will be
 # made available to clients. Each client will be able to reach the server on
 # 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
 # page for more info.
-{% if openvpn_server %}
 server {{ openvpn_server }}
-{% else %}
-;server 10.8.0.0
+{% endif %}
+{% if openvpn_bridge %}
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface.  Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0.  Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients.  Leave this line commented
+# out unless you are ethernet bridging.
+server-bridge {{ openvpn_bridge.address }} {{ openvpn_bridge.netmask }} {{ openvpn_bridge.dhcp_start }} {{ openvpn_bridge.dhcp_end }}
 {% endif %}
 
 # Maintain a record of client <-> virtual IP address associations in this file.