diff --git a/config.cfg b/config.cfg
index a017cd7..0fe1206 100644
--- a/config.cfg
+++ b/config.cfg
@@ -5,13 +5,9 @@ easyrsa_ca_expire: 3650
easyrsa_cert_expire: 3650
easyrsa_p12_export_password: vpn
-# if True re-init all existing certificates. Boolean
-easyrsa_reinit_existent: False
+# if True re-init all existing certificates.
+easyrsa_reinit_existent: True
-# Domain or ip
-# server_name: - this domain or ip that you will use in your VPN client
-server_name: example.com
-server_ip: "{{ ansible_ssh_host }}"
dns_servers:
- 8.8.8.8
- 8.8.4.4
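Review bot: The new default `easyrsa_reinit_existent: True` means, by the setting's own comment, that every run of the playbook re-initialises all existing certificates, so a routine re-run against a host that is already serving clients discards the issued certificates and invalidates every deployed profile; this reads like a debugging value that should ship as `false`. The rewritten comment also dropped the type hint, and the canonical YAML boolean is lowercase, so I would write `# If true, wipe and re-initialise all existing certificates on every run. Boolean.` followed by `easyrsa_reinit_existent: false`. Deleting `server_name` from this file also leaves vpn.yml's new `DNS:{{ server_name }}` SAN entry defined only when the digiocean.yml prompt ran first; a run of vpn.yml on its own will fail on an undefined variable unless a default is kept here.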
diff --git a/digiocean.yml b/digiocean.yml
index a100dd0..7e731b2 100644
--- a/digiocean.yml
+++ b/digiocean.yml
@@ -42,8 +42,8 @@
default: "7"
private: no
- - name: "do_server_name"
- prompt: "Name the vpn server:\n"
+ - name: "server_name"
+ prompt: "Name the vpn server:\nMaybe a valid DNS name"
default: "strongswan.local"
private: no
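Review bot: The new prompt text `Name the vpn server:\nMaybe a valid DNS name` does not tell the operator what the value is used for, and it now matters: `server_name` ends up in the server certificate's `DNS:` SAN entry (vpn.yml), so it should be a name that resolves to this host, and the default `strongswan.local` would otherwise be baked into the certificate. I would word it `Name the vpn server (a DNS name that resolves to this host; it is written into the server certificate):\n`. The rename in the second hunk is consistent with the droplet's `name: "{{ server_name }}"` field.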
@@ -65,7 +65,7 @@
digital_ocean:
state: present
command: droplet
- name: "{{ do_server_name }}"
+ name: "{{ server_name }}"
region_id: "{{ regions[do_region] }}"
size_id: "512mb"
image_id: "ubuntu-16-04-x64"
diff --git a/inventory_users b/inventory_users
index 9d134a5..0793813 100644
--- a/inventory_users
+++ b/inventory_users
@@ -1,2 +1,3 @@
[user-management]
+146.185.161.17
37.139.11.102
diff --git a/templates/easy-rsa.vars.j2 b/templates/easy-rsa.vars.j2
index 19447c6..f46993f 100644
--- a/templates/easy-rsa.vars.j2
+++ b/templates/easy-rsa.vars.j2
@@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
-set_var EASYRSA_REQ_CN "{{ server_name }}"
+set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
@@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN "{{ server_name }}"
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
-set_var EASYRSA_BATCH "{{ server_name }}"
\ No newline at end of file
+set_var EASYRSA_BATCH "{{ ansible_ssh_host }}"
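Review bot: `set_var EASYRSA_BATCH "{{ ansible_ssh_host }}"` uses a host address as a flag whose only meaning, per the comment two lines above, is non-blank = batch mode; if `ansible_ssh_host` is undefined or empty for a host the template renders `EASYRSA_BATCH ""`, easyrsa falls back to interactive prompts and the build task in vpn.yml hangs waiting for input. Write the flag as a literal: `set_var EASYRSA_BATCH "yes"`. The `EASYRSA_REQ_CN` change in the first hunk now puts the bare IP in the CN; since vpn.yml passes the same value as the name argument to `build-server-full`, which in easy-rsa 3 appears to set the CN itself, the variable is probably redundant — worth confirming rather than maintaining two copies of the identity.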
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index ab1b56e..aadccda 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -15,14 +15,14 @@ conn %default
left=%any
leftauth=pubkey
- leftid={{ server_name }}
- leftcert={{ server_name }}.crt
+ leftid={{ ansible_ssh_host }}
+ leftcert={{ ansible_ssh_host }}.crt
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
right=%any
rightauth=pubkey
- rightsourceip="{{ vpn_network }""
+ rightsourceip="{{ vpn_network }}"
{% if service_dns is defined and service_dns == "N" %}
rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
{% else %}
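Review bot: `leftid={{ ansible_ssh_host }}` and `leftcert={{ ansible_ssh_host }}.crt` tie the server's IKE identity to an inventory connection variable, and the same expression is now repeated across easy-rsa.vars.j2, ipsec.secrets.j2, mobileconfig.j2 and vpn.yml, so a host without `ansible_ssh_host` set (one addressed by a resolvable hostname, say) renders `leftid=` and `leftcert=.crt`, and a later change of the droplet's IP silently breaks authentication until the server pair is rebuilt because the IP is baked into the certificate. Consider defining the identity once, e.g. `vpn_server_id: "{{ ansible_ssh_host }}"` in config.cfg, and referencing that in every template so the coupling is visible in one place; Ansible 2.x also prefers `ansible_host` over the older `ansible_ssh_host` alias. The `rightsourceip` quoting fix is correct. The `conn %default` block continues past the end of the hunk.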
diff --git a/templates/ipsec.secrets.j2 b/templates/ipsec.secrets.j2
index 4cae96e..cc208a5 100644
--- a/templates/ipsec.secrets.j2
+++ b/templates/ipsec.secrets.j2
@@ -1,2 +1,2 @@
-: ECDSA {{ server_name }}.key
+: ECDSA {{ ansible_ssh_host }}.key
diff --git a/templates/mobileconfig.j2 b/templates/mobileconfig.j2
index 1fd2816..d1a235c 100644
--- a/templates/mobileconfig.j2
+++ b/templates/mobileconfig.j2
@@ -48,11 +48,11 @@
CertificateType
ECDSA256
ServerCertificateIssuerCommonName
- {{ server_name }}
+ {{ ansible_ssh_host }}
RemoteAddress
- {{ server_name }}
+ {{ ansible_ssh_host }}
RemoteIdentifier
- {{ server_name }}
+ {{ ansible_ssh_host }}
UseConfigurationAttributeInternalIPSubnet
0
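Review bot: `ServerCertificateIssuerCommonName` in the first hunk is filled with `{{ ansible_ssh_host }}`, but in Apple's IKEv2 payload that key names the CN of the certificate's issuer (the CA), not of the server; the server certificate is signed by whatever CA `build-ca` produced, so unless that CA's CN is also the host IP the client's issuer check will not match. Either fill it with the CA's CN or use `ServerCertificateCommonName` for the server identity — confirm against the CA build task, which is outside this diff. `RemoteAddress` and `RemoteIdentifier` set to the IP are consistent with `leftid` in ipsec.conf.j2 and the `IP:` SAN added in vpn.yml.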
@@ -81,7 +81,7 @@
0
UserDefinedName
- {{ server_name }} IKEv2
+ {{ ansible_ssh_host }} IKEv2
VPNType
IKEv2
@@ -117,7 +117,7 @@
PayloadDescription
Adds a CA root certificate
PayloadDisplayName
- {{ server_name }}
+ {{ ansible_ssh_host }}
PayloadIdentifier
com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38
PayloadType
@@ -129,7 +129,7 @@
PayloadDisplayName
- {{ server_name }} IKEv2
+ {{ ansible_ssh_host }} IKEv2
PayloadIdentifier
donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE
PayloadRemovalDisallowed
diff --git a/vpn.yml b/vpn.yml
index 50b1ed8..6cab1da 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -70,9 +70,9 @@
notify:
- restart strongswan
- - name: Build the server pair # TODO: IP and DNS for certificate
+ - name: Build the server pair
shell: >
- ./easyrsa build-server-full {{ server_name }} nopass &&
+ ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&&
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
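Review bot: The rewritten `build-server-full` line relies on `server_name` for the `DNS:` SAN entry, but this same commit deletes `server_name` from config.cfg, so the variable is only defined when the digiocean.yml prompt supplied it; running vpn.yml on its own against an existing host fails on an undefined variable at render time. Either restore a default in config.cfg or guard the entry, e.g. `--subject-alt-name='{% if server_name is defined %}DNS:{{ server_name }},{% endif %}IP:{{ ansible_ssh_host }}'`. Minor: `nopass&&` works because `&&` is a shell operator, but `nopass &&` reads as intended. The task list continues outside the hunk, and the `copy:` lines in the second hunk still use the key=value argument form rather than native YAML module args (`src:`, `dest:`, `mode: "0600"`).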
@@ -104,12 +104,12 @@
- restart strongswan
- name: Copy the server cert to the strongswan directory
- copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ server_name }}.crt' dest=/etc/ipsec.d/certs/{{ server_name }}.crt owner=root group=root mode=0600
+ copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600
notify:
- restart strongswan
- name: Copy the server key to the strongswan directory
- copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
+ copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600
notify:
- restart strongswan