Merge branch 'master' into docs

config.cfg

@@ -54,5 +54,15 @@ strongswan_enabled_plugins:
   - stroke
   - x509
 
+ipsec_config:
+  dpdaction: 'clear'
+  dpddelay: '35s'
+  rekey: 'no'
+  keyexchange: 'ikev2'
+  ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
+  esp: 'aes128gcm16-sha2_256-ecp256!'
+  compress: 'yes'
+  fragmentation: 'yes'
+
 # IP address for the proxy and the local dns resolver
 local_service_ip: 172.16.0.1

roles/proxy/tasks/main.yml

@@ -84,3 +84,29 @@
     - restart apache2
 
 - meta: flush_handlers
+
+- name: Set facts for mobileconfigs
+  set_fact:
+    proxy_enabled: true
+
+- name: Register p12 PayloadContent
+  shell: >
+    cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+  register:  PayloadContent
+  with_items: "{{ users }}"
+
+- name: Register CA PayloadContent
+  shell: >
+    cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
+  register:  PayloadContentCA
+
+- name: Build the mobileconfigs
+  template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}_proxy.mobileconfig mode=0600
+  with_together:
+    - "{{ users }}"
+    - "{{ PayloadContent.results }}"
+  no_log: True
+
+- name: Fetch users mobileconfig
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}_proxy.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}_proxy.mobileconfig flat=yes
+  with_items: "{{ users }}"

roles/vpn/tasks/main.yml

@@ -167,6 +167,10 @@
     cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
   register:  PayloadContentCA
 
+- name: Set facts for mobileconfigs
+  set_fact:
+    proxy_enabled: false
+
 - name: Build the mobileconfigs
   template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
   with_together:
@@ -174,6 +178,16 @@
     - "{{ PayloadContent.results }}"
   no_log: True
 
+- name: Build the client ipsec config file
+  template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
+  with_items:
+    - "{{ users }}"
+
+- name: Build the client ipsec secret file
+  template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
+  with_items:
+    - "{{ users }}"
+
 - name: Fetch users P12
   fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
   with_items: "{{ users }}"
@@ -182,6 +196,22 @@
   fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
   with_items: "{{ users }}"
 
+- name: Fetch users certificates
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
+  with_items: "{{ users }}"
+
+- name: Fetch users keys
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
+  with_items: "{{ users }}"
+
+- name: Fetch users ipsec configs
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
+  with_items: "{{ users }}"
+
+- name: Fetch users ipsec secrets
+  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
+  with_items: "{{ users }}"
+
 - name: Restrict permissions
   file: path="{{ item }}" state=directory mode=0700  owner=strongswan group=root
   with_items:

roles/vpn/templates/client_ipsec.conf.j2

@@ -0,0 +1,17 @@
+conn ikev2-{{ IP_subject_alt_name }}
+{% for key, value in ipsec_config.iteritems() %}
+    {{ key }}={{ value }}
+{% endfor %}
+
+    right={{ IP_subject_alt_name }}
+    rightid={{ IP_subject_alt_name }}
+    rightsubnet=0.0.0.0/0
+    rightauth=pubkey
+
+    leftsourceip=%config
+    leftauth=pubkey
+    leftcert={{ IP_subject_alt_name }}_{{ item }}.crt
+    leftfirewall=yes
+    left=%defaultroute
+
+    auto=add

roles/vpn/templates/client_ipsec.secrets.j2

@@ -0,0 +1,2 @@
+{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
+

roles/vpn/templates/ipsec.conf.j2

@@ -3,14 +3,9 @@ config setup
     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
 
 conn %default
-    dpdaction=clear
-    dpddelay=35s
-    rekey=no
-    keyexchange=ikev2
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-    esp=aes128gcm16-sha2_256-ecp256!
-    compress=yes
-    fragmentation=yes
+{% for key, value in ipsec_config.iteritems() %}
+    {{ key }}={{ value }}
+{% endfor %}
 
     left=%any
     leftauth=pubkey

roles/vpn/templates/mobileconfig.j2

@@ -76,12 +76,24 @@
             <key>Proxies</key>
             <dict>
                 <key>HTTPEnable</key>
+{% if proxy_enabled is defined and proxy_enabled == true %}
+                <integer>1</integer>
+                <key>HTTPPort</key>
+                <integer>8118</integer>
+                <key>HTTPProxy</key>
+                <string>{{ local_service_ip }}</string>
+  {% else %}
                 <integer>0</integer>
+{% endif %}
                 <key>HTTPSEnable</key>
                 <integer>0</integer>
             </dict>
             <key>UserDefinedName</key>
+{% if proxy_enabled is defined and proxy_enabled == true %}
+            <string>{{ IP_subject_alt_name }} IKEv2 with proxy</string>
+  {% else %}
             <string>{{ IP_subject_alt_name }} IKEv2</string>
+{% endif %}
             <key>VPNType</key>
             <string>IKEv2</string>
         </dict>
@@ -129,9 +141,17 @@
         </dict>
     </array>
     <key>PayloadDisplayName</key>
+{% if proxy_enabled is defined and proxy_enabled == true %}
+    <string>{{ IP_subject_alt_name }} IKEv2 with proxy</string>
+  {% else %}
     <string>{{ IP_subject_alt_name }} IKEv2</string>
+{% endif %}
     <key>PayloadIdentifier</key>
+{% if proxy_enabled is defined and proxy_enabled == true %}
+    <string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BA</string>
+  {% else %}
     <string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
+{% endif %}
     <key>PayloadRemovalDisallowed</key>
     <false/>
     <key>PayloadType</key>