From a9b10baf1deb070d6212947b2d2443daf3a4a4f4 Mon Sep 17 00:00:00 2001 From: Evgeniy Ivanov Date: Thu, 18 Aug 2016 12:17:46 +0300 Subject: [PATCH] Some fixes --- config.cfg | 1 + non-cloud.yml | 14 ++++++++++---- roles/vpn/tasks/main.yml | 6 +++--- roles/vpn/templates/easy-rsa.vars.j2 | 4 ++-- roles/vpn/templates/ipsec.conf.j2 | 4 ++-- roles/vpn/templates/ipsec.secrets.j2 | 2 +- roles/vpn/templates/mobileconfig.j2 | 12 ++++++------ 7 files changed, 25 insertions(+), 18 deletions(-) diff --git a/config.cfg b/config.cfg index 4daa91a..cb161ee 100644 --- a/config.cfg +++ b/config.cfg @@ -10,6 +10,7 @@ easyrsa_reinit_existent: False vpn_network: 10.19.48.0/24 vpn_network_ipv6: 'fd9d:bc11:4021:69ce::/64' server_name: "{{ ansible_ssh_host }}" +IP_subject_alt_name: "{{ ansible_ssh_host }}" # Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False) service_dns: True diff --git a/non-cloud.yml b/non-cloud.yml index 40842b2..a68b014 100644 --- a/non-cloud.yml +++ b/non-cloud.yml @@ -6,6 +6,7 @@ - name: "server_ip" prompt: "Enter IP address of your server: (use localhost for local installation)\n" + default: localhost private: no - name: "server_user" @@ -26,7 +27,11 @@ - name: "easyrsa_p12_export_password" prompt: "Enter the password for p12 certificates:\n" default: "vpn" - private: yes + private: yes + + - name: "IP_subject_alt_name" + prompt: "Enter public IP address of your server: (IMPORTANT! This IP is using to verify the certificate)\n" + private: no tasks: - name: Add the server to the vpn-host group @@ -38,6 +43,7 @@ dns_enabled: "{{ dns_enabled }}" auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" + IP_subject_alt_name: "{{ IP_subject_alt_name }}" - name: Post-provisioning tasks hosts: vpn-host 
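Review bot: The new `IP_subject_alt_name` line in the config.cfg hunk is the one setting in this file that now feeds the server certificate's CN/SAN, strongSwan's `leftid` and the client profile's `RemoteAddress` (per the other hunks in this patch), yet unlike its neighbours it carries no comment saying what it must hold. I would add, above it, `# Address clients will dial (normally the public IP). Used for the server cert IP SAN/CN, strongSwan leftid and the generated client profiles; defaults to the SSH host.` The `{{ ansible_ssh_host }}` default reproduces the previous behaviour for playbooks that do not prompt, so cloud deployments appear unaffected; the non-cloud playbook overrides it from its new prompt.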
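Review bot: The new `IP_subject_alt_name` prompt in non-cloud.yml has no `default` and nothing validates the answer, and the value goes straight into certificate names, `/etc/ipsec.d` file paths and an unquoted `shell:` command in roles/vpn/tasks/main.yml, so an empty or malformed entry (a hostname, a stray `/`) yields a broken PKI rather than a clear error. The cheapest hardening is a `default:` (mirroring `server_ip`, if vars_prompt defaults can reference an earlier prompt here — I have not verified that) plus a guard task before the VPN role, e.g. `- fail: msg="IP_subject_alt_name must be an IPv4 address" when: not (IP_subject_alt_name | match('^[0-9]{1,3}(\.[0-9]{1,3}){3}$'))`. The prompt text also needs a wording fix: `IMPORTANT! This IP is using to verify the certificate` should read `IMPORTANT! This IP is embedded in the server certificate and must be the address clients connect to`. The re-emitted `private: yes` line looks like a whitespace-only change and could be dropped from the patch.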
@@ -53,9 +59,9 @@ raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 roles: - - common - - security - - proxy + #- common + #- security + #- proxy - vpn - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 8bbbcb5..3751ea2 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -67,7 +67,7 @@ - name: Build the server pair shell: > - ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&& + ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass&& touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' @@ -99,12 +99,12 @@ - restart strongswan - name: Copy the server cert to the strongswan directory - copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600 + copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=root group=root mode=0600 notify: - restart strongswan - name: Copy the server key to the strongswan directory - copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600 + copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=root group=root mode=0600 notify: - restart strongswan diff --git a/roles/vpn/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2 index f46993f..50159aa 100644 
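Review bot: Commenting out `common`, `security` and `proxy` in the `roles:` list means a non-cloud install now brings up the VPN without whatever hardening those roles apply, and nothing in the commit message ("Some fixes") says this is intended; if it is a local debugging shortcut it should not ship, and if it is deliberate the skip should be opt-in rather than the default. I would restore the three lines and, if skipping is really needed, gate them the way the neighbouring roles already are, e.g. `- { role: security, when: skip_hardening is not defined }` (variable name is a placeholder). I cannot see from the hunk whether the `roles:` list continues past `logging`.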
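Review bot: `build-server-full {{ IP_subject_alt_name }}` interpolates the prompted value unquoted into a `shell:` command, and `IP:{{ IP_subject_alt_name }}` sits inside a single-quoted argument that a value containing `'` breaks out of; now that this is operator-typed free text rather than an inventory address it should be quoted and validated before it reaches the shell. The minimal change on this line is `build-server-full {{ IP_subject_alt_name | quote }} nopass&&`, with a regex check on the prompt result upstream covering the SAN string as well. Separately, the task still uses `server_initialized` as its completion marker, so on a host whose PKI was built under the old `ansible_ssh_host` name a re-run with a different public IP will presumably not rebuild the server pair, while every other hunk now looks for `{{ IP_subject_alt_name }}.crt`/`.key`; a comment above the task stating that changing the address requires re-initialising the PKI would help. The task's `args:` and any `creates:` handling lie outside the hunk, so I have not verified how the marker is consumed.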
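Review bot: Both `copy` tasks now compose `dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt` and `dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key` from the prompted value, so a path separator or `..` in the answer would place the private key outside `/etc/ipsec.d/private`; this is the same missing validation as in the build task, and a single regex guard on `IP_subject_alt_name` before the role runs closes both. While these lines are being rewritten anyway, the `key=value` argument strings could become block YAML (`copy:` with `remote_src: true`, `src:`, `dest:`, `owner:`, `group:`, `mode: "0600"`), which also lets `mode` be a quoted string instead of relying on how the parser reads the bare `0600`.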
--- a/roles/vpn/templates/easy-rsa.vars.j2 +++ b/roles/vpn/templates/easy-rsa.vars.j2 @@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" # This is best left alone. Interactively you will set this manually, and BATCH # callers are expected to set this themselves. -set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}" +set_var EASYRSA_REQ_CN "{{ IP_subject_alt_name }}" # Cryptographic digest to use. # Do not change this default unless you understand the security implications. @@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}" # in batch mode without any user input, confirmation on dangerous operations, # or most output. Setting this to any non-blank string enables batch mode. -set_var EASYRSA_BATCH "{{ ansible_ssh_host }}" +set_var EASYRSA_BATCH "{{ IP_subject_alt_name }}" diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index 8bb6181..cd00596 100644 --- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 @@ -15,8 +15,8 @@ conn %default left=%any leftauth=pubkey - leftid={{ ansible_ssh_host }} - leftcert={{ ansible_ssh_host }}.crt + leftid={{ IP_subject_alt_name }} + leftcert={{ IP_subject_alt_name }}.crt leftsendcert=always leftsubnet=0.0.0.0/0,::/0 diff --git a/roles/vpn/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2 index cc208a5..d5793ae 100644 --- a/roles/vpn/templates/ipsec.secrets.j2 +++ b/roles/vpn/templates/ipsec.secrets.j2 @@ -1,2 +1,2 @@ -: ECDSA {{ ansible_ssh_host }}.key +: ECDSA {{ IP_subject_alt_name }}.key diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index d1a235c..3fc3668 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 
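Review bot: `set_var EASYRSA_BATCH "{{ IP_subject_alt_name }}"` ties batch mode to a prompted value: the comment directly above says any non-blank string enables batch mode, so an empty answer at the new prompt silently turns batch mode off and the `build-server-full` shell task would then wait for interactive confirmation instead of failing fast. Since the value is only a flag, decouple it from the address: `set_var EASYRSA_BATCH "yes"` (the previous `ansible_ssh_host` had the same coupling, but it came from the inventory rather than free-text input). `EASYRSA_REQ_CN` in the earlier hunk is presumably what the CA's CN comes from in batch mode; if so, the rename only takes effect when the PKI is (re)built, which is worth a note in the comment above it.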
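Review bot: `leftid={{ IP_subject_alt_name }}` must be covered by the server certificate, whose SAN is built in roles/vpn/tasks/main.yml as `DNS:{{ server_name }},IP:{{ IP_subject_alt_name }}`, and must equal the `RemoteIdentifier` the client profile pins; if an operator answers the "public IP" prompt with a hostname, the IP SAN is wrong and the DNS SAN still carries `server_name` (which config.cfg sets to `ansible_ssh_host`), so the peer identity check would presumably fail. A comment above the line would make the coupling visible where people look when clients reject the server: `# Must be the literal address clients dial: it is the cert's IP SAN and the client profile's RemoteIdentifier.`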
@@ -48,11 +48,11 @@ CertificateType ECDSA256 ServerCertificateIssuerCommonName - {{ ansible_ssh_host }} + {{ IP_subject_alt_name }} RemoteAddress - {{ ansible_ssh_host }} + {{ IP_subject_alt_name }} RemoteIdentifier - {{ ansible_ssh_host }} + {{ IP_subject_alt_name }} UseConfigurationAttributeInternalIPSubnet 0 @@ -81,7 +81,7 @@ 0 UserDefinedName - {{ ansible_ssh_host }} IKEv2 + {{ IP_subject_alt_name }} IKEv2 VPNType IKEv2 @@ -117,7 +117,7 @@ PayloadDescription Adds a CA root certificate PayloadDisplayName - {{ ansible_ssh_host }} + {{ IP_subject_alt_name }} PayloadIdentifier com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38 PayloadType @@ -129,7 +129,7 @@ PayloadDisplayName - {{ ansible_ssh_host }} IKEv2 + {{ IP_subject_alt_name }} IKEv2 PayloadIdentifier donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE PayloadRemovalDisallowed
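Review bot: `ServerCertificateIssuerCommonName` is now `{{ IP_subject_alt_name }}`, but that field names the CA's common name, and on a host that keeps its existing PKI (config.cfg has `easyrsa_reinit_existent: False`) the CA still carries the old `ansible_ssh_host` CN, so a regenerated profile would presumably pin an issuer CN that no longer matches and the client would reject the server certificate. If the intent is that the CA CN follows `EASYRSA_REQ_CN`, that only holds for a freshly built PKI; either regenerate the CA when the address changes or populate this field from the actual CA certificate (e.g. a registered `openssl x509 -noout -subject` result) rather than from the prompt. `RemoteAddress` and `RemoteIdentifier` moving to the public IP look correct, since `leftid` in ipsec.conf.j2 now uses the same value.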