The OpenVPN Server Role install and configure OpenVPN with help of Ansible. The Server role should be run in combination with the OpenVPN Client Role.
The OpenVPN module requires that an Ubuntu machine is running with a public IP-address.
For AWS there is an OpenVPN terraform module that provision an Ubuntu machine in the public subnet of the VPC.
- Ansible is requred in order to use the OpenVPN roles
- SSH key pair
Ansible automatically install OpenVPN with all dependencies and configurations.
Run the following commands in order to install the server role and the client role
ansible-galaxy install git+https://github.com/tieto-cem/openvpn-server-role.git,v1.2.0
ansible-galaxy install git+https://github.com/tieto-cem/openvpn-client-role.git,v1.1.0Create the playbook, e.g. with this example. The project structure for the example look like this:
.
├── inventory
| └── project_inventory
├── group_vars
| └── project_vars
├── install-openvpn.yml
├── install.sh
└── obtain-keys.shRedefine the inventory file, project_inventory, use the public IP address of the Ubuntu machine. Also modify the location to the projects private SSH key.
[example-project]
34.100.10.1
[all:vars]
ansible_connection=ssh
ansible_ssh_private_key_file=~/.ssh/example-project.pem
ansible_ssh_user=ubuntu
ansible_python_interpreter=/usr/bin/python3.5Redefine the group variables in the group_vars file, project_vars.
| Variable | Description |
|---|---|
| VpnClients | List of VPN keys that should be generated |
| ServerName | Name of the server, will be part of keys etc |
| RedrirectTraffic | If true all traffic will get routed trough the VPN server. Normally this can be false |
| ServerNetwork | Network reserved for the server |
| LocalNetworks | Clients will route all traffic trough the VPN server within these IP-ranges |
| DhcpOptions | Optional - Allows server to push DHCP options (like nameserver) to client |
| NetworkInterface | Network interface for the public IP |
Run the playbook in order to install OpenVPN and create user keys (you can also use the install.sh in the example directory).
ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook install-openvpn.yml -i inventoryThe client keys exist on the server and can only be obtain with sudo rights.
Run the following command to obtain client keys (obtain-keys.sh is located in the example directory)
./obtain-keys.sh -i /location/to/private/example-project.pem -s ubuntu@IP_ADDRESS -c usernameInstall stable version of Tunnelblick.
Extract your key file (your-name.tar.gz) into an empty directory e.g. vpn. Run the commands in a terminal window
mkdir ~/Documents/vpn && cd ~/Documents/vpn
tar zxf /location/to/your-name.tar.gzOpen Finder and locate the folder ~/Documents/vpn.
Double click on the the conf file e.g. cem-openvpn-your-name.conf and choose to install for "Only Me".
Click on the small Tunnelblick icon in the top menu bar and choose "Connect cem-openvpn-your-name".
Install OpenVPN
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
echo "deb http:https://build.openvpn.net/debian/openvpn/release/2.4 xenial main" | sudo tee /etc/apt/sources.list.d/openvpn-aptrepo.list
sudo apt update && sudo apt install openvpnExtract your key file (your-name.tar.gz) into /etc/openvpn.
cd /etc/openvpn/
sudo tar zxf /location/to/your-name.tar.gzStart OpenVPN client
sudo systemctl status openvpn@cem-openvpn-your-nameStop OpenVPN client
sudo systemctl stop openvpn@cem-openvpn-your-nameInstall latest version of OpenVPN for Windows.
Extract Extract your key file (your-name.tar.gz) into C:\Program Files\OpenVPN\config. WinZip can be used for extracting .tar.gz files.
Right click on the small OpenVPN icon in the windows taskbar on the right hand bottom corner and select connect.
MIT © Tieto CEM