diff --git a/config.cfg b/config.cfg
index 4daa91a..cb161ee 100644
--- a/config.cfg
+++ b/config.cfg
@@ -10,6 +10,7 @@ easyrsa_reinit_existent: False
vpn_network: 10.19.48.0/24
vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64'
server_name: "{{ ansible_ssh_host }}"
+IP_subject_alt_name: "{{ ansible_ssh_host }}"
# Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
service_dns: True
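Review bot: The new `IP_subject_alt_name` line has no explanatory comment, while the neighbouring `service_dns` does, and this value is the one that ends up as the server certificate CN and IP SAN, the strongSwan `leftid`, and the client profile's RemoteAddress, so a wrong value silently breaks certificate verification for every client. I would add above it `# Public IP address that clients connect to. It is baked into the server certificate (CN and IP SAN) and used as the IKEv2 identity, so it must be the address clients actually reach, not an internal/SSH address.` The default of `{{ ansible_ssh_host }}` keeps the previous behaviour for cloud installs, which is worth saying in the comment too.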
diff --git a/non-cloud.yml b/non-cloud.yml
index 40842b2..a68b014 100644
--- a/non-cloud.yml
+++ b/non-cloud.yml
@@ -6,6 +6,7 @@
- name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n"
+ default: localhost
private: no
- name: "server_user"
@@ -26,7 +27,11 @@
- name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n"
default: "vpn"
- private: yes
+ private: yes
+
+ - name: "IP_subject_alt_name"
+ prompt: "Enter public IP address of your server: (IMPORTANT! This IP is using to verify the certificate)\n"
+ private: no
tasks:
- name: Add the server to the vpn-host group
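Review bot: The new `IP_subject_alt_name` prompt has no default and no validation, yet its value is interpolated unquoted into a shell command (`./easyrsa --subject-alt-name='DNS:...,IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }}` in roles/vpn/tasks/main.yml) and into the cert/key file names under `pki/`; an empty answer yields a certificate with an empty CN and `IP:` SAN, and a quote or `../` in the answer breaks out of the shell quoting or the PKI path. Since this is interactive input rather than inventory, I would reject anything that is not a plain IPv4 address with an `assert` as the first task of the play, before the `add_host`. The prompt text also has a grammar slip: `This IP is using to verify the certificate` should read `This IP is used to verify the certificate`. The play's `tasks:` list continues outside the hunk.
```yaml
tasks:
  - name: Validate the public IP used for the server certificate
    assert:
      that:
        - "IP_subject_alt_name is match('^[0-9]{1,3}(\\.[0-9]{1,3}){3}$')"
      msg: "IP_subject_alt_name must be a plain IPv4 address; it goes into the certificate SAN and a shell command"
  # … unchanged: Add the server to the vpn-host group …
```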
@@ -38,6 +43,7 @@
dns_enabled: "{{ dns_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+ IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Post-provisioning tasks
hosts: vpn-host
@@ -53,9 +59,9 @@
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- - common
- - security
- - proxy
+ #- common
+ #- security
+ #- proxy
- vpn
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
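Review bot: Commenting out `common`, `security` and `proxy` drops those roles from every non-cloud deployment, which looks like a debugging leftover rather than an intended change, and the commit message visible here gives no reason for it. Judging by its name, `security` is presumably the host-hardening role, so shipping this means self-hosted servers no longer get whatever firewall/sysctl/SSH hardening it applies while cloud installs still do. I would restore the three lines (`- common`, `- security`, `- proxy`) or, if skipping them on localhost installs is deliberate, gate them with a `when:` like the `dns_adblocking` entry below and say so in a comment.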
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 8bbbcb5..3751ea2 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -67,7 +67,7 @@
- name: Build the server pair
shell: >
- ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&&
+ ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass&&
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
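Review bot: `IP_subject_alt_name` is now spliced into a `shell:` command inside a single-quoted argument and again as a bare word, and it now comes from an interactive prompt (non-cloud.yml) instead of inventory, so a value containing `'`, whitespace or shell metacharacters breaks out of the quoting. If the value is not validated upstream, the argument should at least be built with Ansible's `quote` filter, e.g. `./easyrsa --subject-alt-name={{ ('DNS:' ~ server_name ~ ',IP:' ~ IP_subject_alt_name) | quote }} build-server-full {{ IP_subject_alt_name | quote }} nopass&&`. Separately, `server_name` still defaults to `{{ ansible_ssh_host }}` in config.cfg, so a `localhost` install appears to produce a `DNS:localhost` SAN alongside the public IP; that is harmless for verification but worth a comment so nobody mistakes it for the client-facing name.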
@@ -99,12 +99,12 @@
- restart strongswan
- name: Copy the server cert to the strongswan directory
- copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600
+ copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=root group=root mode=0600
notify:
- restart strongswan
- name: Copy the server key to the strongswan directory
- copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600
+ copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=root group=root mode=0600
notify:
- restart strongswan
diff --git a/roles/vpn/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2
index f46993f..50159aa 100644
--- a/roles/vpn/templates/easy-rsa.vars.j2
+++ b/roles/vpn/templates/easy-rsa.vars.j2
@@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
-set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
+set_var EASYRSA_REQ_CN "{{ IP_subject_alt_name }}"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
@@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
-set_var EASYRSA_BATCH "{{ ansible_ssh_host }}"
+set_var EASYRSA_BATCH "{{ IP_subject_alt_name }}"
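Review bot: `EASYRSA_BATCH` is a flag whose only meaning is non-blank versus blank, per the comment two lines above, so assigning the server IP to it ties batch mode to an unrelated variable: if `IP_subject_alt_name` is ever empty (the non-cloud prompt has no default), easyrsa leaves batch mode, starts prompting for confirmation, and the `shell:` task that drives it hangs or fails. I would set it to a constant instead, `set_var EASYRSA_BATCH "yes"`, and leave the IP in `EASYRSA_REQ_CN` only.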
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 8bb6181..cd00596 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -15,8 +15,8 @@ conn %default
left=%any
leftauth=pubkey
- leftid={{ ansible_ssh_host }}
- leftcert={{ ansible_ssh_host }}.crt
+ leftid={{ IP_subject_alt_name }}
+ leftcert={{ IP_subject_alt_name }}.crt
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
diff --git a/roles/vpn/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2
index cc208a5..d5793ae 100644
--- a/roles/vpn/templates/ipsec.secrets.j2
+++ b/roles/vpn/templates/ipsec.secrets.j2
@@ -1,2 +1,2 @@
-: ECDSA {{ ansible_ssh_host }}.key
+: ECDSA {{ IP_subject_alt_name }}.key
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index d1a235c..3fc3668 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -48,11 +48,11 @@
CertificateType
ECDSA256
ServerCertificateIssuerCommonName
- {{ ansible_ssh_host }}
+ {{ IP_subject_alt_name }}
RemoteAddress
- {{ ansible_ssh_host }}
+ {{ IP_subject_alt_name }}
RemoteIdentifier
- {{ ansible_ssh_host }}
+ {{ IP_subject_alt_name }}
UseConfigurationAttributeInternalIPSubnet
0
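Review bot: `ServerCertificateIssuerCommonName` names the CN of the certificate that *issued* the server certificate, i.e. the CA, not the server cert's own CN, so pointing it at `IP_subject_alt_name` is only correct if the CA was built with the same `EASYRSA_REQ_CN`; the `build-ca` step is not in this diff, so I cannot confirm that. In particular, with `easyrsa_reinit_existent: False` an existing CA keeps whatever CN it was created with (previously `ansible_ssh_host`), so re-running after this change would ship a profile whose issuer CN no longer matches and iOS would reject the server certificate. Consider rendering the CA CN from a dedicated variable or reading it from the generated CA cert, and add a comment above the key, e.g. `<!-- must equal the CN of the CA certificate that signed the server cert -->`.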
@@ -81,7 +81,7 @@
0
UserDefinedName
- {{ ansible_ssh_host }} IKEv2
+ {{ IP_subject_alt_name }} IKEv2
VPNType
IKEv2
@@ -117,7 +117,7 @@
PayloadDescription
Adds a CA root certificate
PayloadDisplayName
- {{ ansible_ssh_host }}
+ {{ IP_subject_alt_name }}
PayloadIdentifier
com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38
PayloadType
@@ -129,7 +129,7 @@
PayloadDisplayName
- {{ ansible_ssh_host }} IKEv2
+ {{ IP_subject_alt_name }} IKEv2
PayloadIdentifier
donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE
PayloadRemovalDisallowed