From ca47bb136c891d6783c4a69ea1ed0bc49b586f57 Mon Sep 17 00:00:00 2001
From: jack
Date: Mon, 1 Aug 2016 21:10:19 +0300
Subject: [PATCH] moved to use an IP instead of a domain

---
 config.cfg                 | 8 ++------
 digiocean.yml              | 6 +++---
 inventory_users            | 1 +
 templates/easy-rsa.vars.j2 | 4 ++--
 templates/ipsec.conf.j2    | 6 +++---
 templates/ipsec.secrets.j2 | 2 +-
 templates/mobileconfig.j2  | 12 ++++++------
 vpn.yml                    | 8 ++++----
 8 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/config.cfg b/config.cfg
index a017cd7..0fe1206 100644
--- a/config.cfg
+++ b/config.cfg
@@ -5,13 +5,9 @@ easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
 easyrsa_p12_export_password: vpn
 
-# if True re-init all existing certificates. Boolean
-easyrsa_reinit_existent: False
+# if True re-init all existing certificates.
+easyrsa_reinit_existent: True
 
-# Domain or ip
-# server_name: - this domain or ip that you will use in your VPN client
-server_name: example.com
-server_ip: "{{ ansible_ssh_host }}"
 dns_servers:
   - 8.8.8.8
   - 8.8.4.4
diff --git a/digiocean.yml b/digiocean.yml
index a100dd0..7e731b2 100644
--- a/digiocean.yml
+++ b/digiocean.yml
@@ -42,8 +42,8 @@
       default: "7"
       private: no
 
-    - name: "do_server_name"
-      prompt: "Name the vpn server:\n"
+    - name: "server_name"
+      prompt: "Name the vpn server:\nMaybe a valid DNS name"
       default: "strongswan.local"
       private: no
 
@@ -65,7 +65,7 @@
     digital_ocean:
       state: present
       command: droplet
-      name: "{{ do_server_name }}"
+      name: "{{ server_name }}"
       region_id: "{{ regions[do_region] }}"
       size_id: "512mb"
       image_id: "ubuntu-16-04-x64"
diff --git a/inventory_users b/inventory_users
index 9d134a5..0793813 100644
--- a/inventory_users
+++ b/inventory_users
@@ -1,2 +1,3 @@
 [user-management]
+146.185.161.17
 37.139.11.102
diff --git a/templates/easy-rsa.vars.j2 b/templates/easy-rsa.vars.j2
index 19447c6..f46993f 100644
--- a/templates/easy-rsa.vars.j2
+++ b/templates/easy-rsa.vars.j2
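Review bot: The new default `easyrsa_reinit_existent: True` turns what was an opt-in into the normal behaviour: going by its name and the old comment (the task that reads it is not in this diff), every subsequent run re-initialises the existing certificates, which would reissue the server certificate and, if the CA is included, invalidate every client profile already handed out. Ship `False` and let operators opt in, and keep the type in the comment: `# If True, re-initialise (wipe and re-issue) all existing certificates on the next run; every client profile must then be redistributed. Boolean; keep False on a server that is already in use.` This hunk also deletes `server_name`, while vpn.yml in the same commit still expands `{{ server_name }}` into the certificate's `DNS:` SAN, so a run that does not go through the digiocean.yml prompt fails on an undefined variable unless the value is defined elsewhere.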
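Review bot: The value of the renamed `server_name` prompt is, after this commit, baked into the server certificate as a `DNS:` subjectAltName and interpolated inside single quotes on a `shell:` command line in vpn.yml, but the prompt text `Maybe a valid DNS name` does not tell the operator either fact, and the default `strongswan.local` produces a SAN for a name clients will never resolve. Reword the prompt so the constraint is explicit, e.g. `prompt: "Public DNS name of the VPN server (also used as the certificate's DNS SAN; letters, digits, dots and hyphens only):\n"`, and have the play reject anything else before the certificate is built. The `private: no` and default lines are unchanged context.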
@@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
 # This is best left alone. Interactively you will set this manually, and BATCH
 # callers are expected to set this themselves.
 
-set_var EASYRSA_REQ_CN "{{ server_name }}"
+set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
 
 # Cryptographic digest to use.
 # Do not change this default unless you understand the security implications.
@@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN "{{ server_name }}"
 # in batch mode without any user input, confirmation on dangerous operations,
 # or most output. Setting this to any non-blank string enables batch mode.
 
-set_var EASYRSA_BATCH "{{ server_name }}"
\ No newline at end of file
+set_var EASYRSA_BATCH "{{ ansible_ssh_host }}"
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index ab1b56e..aadccda 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -15,14 +15,14 @@ conn %default
   left=%any
   leftauth=pubkey
-  leftid={{ server_name }}
-  leftcert={{ server_name }}.crt
+  leftid={{ ansible_ssh_host }}
+  leftcert={{ ansible_ssh_host }}.crt
   leftsendcert=always
   leftsubnet=0.0.0.0/0,::/0
   right=%any
   rightauth=pubkey
-  rightsourceip="{{ vpn_network }""
+  rightsourceip="{{ vpn_network }}"
 {% if service_dns is defined and service_dns == "N" %}
   rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
 {% else %}
diff --git a/templates/ipsec.secrets.j2 b/templates/ipsec.secrets.j2
index 4cae96e..cc208a5 100644
--- a/templates/ipsec.secrets.j2
+++ b/templates/ipsec.secrets.j2
@@ -1,2 +1,2 @@
-: ECDSA {{ server_name }}.key
+: ECDSA {{ ansible_ssh_host }}.key
 
diff --git a/templates/mobileconfig.j2 b/templates/mobileconfig.j2
index 1fd2816..d1a235c 100644
--- a/templates/mobileconfig.j2
+++ b/templates/mobileconfig.j2
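Review bot: `EASYRSA_REQ_CN` becomes the bare server IP, which is also the name vpn.yml now passes to `build-server-full` for the server certificate, and mobileconfig.j2 in this commit pins `ServerCertificateIssuerCommonName` to the same value, so the CA is evidently expected to carry this CN as well (the comment above says BATCH callers set the CN themselves, and the next hunk keeps the play in batch mode). A CA and its leaf with an identical subject is permitted, but it makes the two certificates indistinguishable by subject in logs and certificate listings; a distinct CA name such as `set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }} CA"`, with the profile's issuer CN changed to match, is clearer. Whether build-ca really takes its CN from this variable depends on the easy-rsa version the play checks out, which the diff does not show.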
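Review bot: `EASYRSA_BATCH` only has to be non-blank (the comment two lines up says so), so storing the server IP in it suggests the value is consumed when it is not; `set_var EASYRSA_BATCH "yes"` states the intent and spares the next reader a search for where the IP is used. Restoring the trailing newline is a welcome fix.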
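Review bot: With `leftid` now a bare IP, strongSwan treats the identity as an IP address rather than an FQDN and selects the server certificate only if it carries a matching `IP:` subjectAltName — this commit adds that SAN in vpn.yml, but nothing in this template records the coupling. Add `# leftid must match an IP: subjectAltName of leftcert (see the "Build the server pair" task in vpn.yml)` above the line so the dependency survives the next edit. The `rightsourceip` change is a genuine fix: the old `}""` left an unbalanced quote in the rendered ipsec.conf.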
@@ -48,11 +48,11 @@
 CertificateType
 ECDSA256
 ServerCertificateIssuerCommonName
-{{ server_name }}
+{{ ansible_ssh_host }}
 RemoteAddress
-{{ server_name }}
+{{ ansible_ssh_host }}
 RemoteIdentifier
-{{ server_name }}
+{{ ansible_ssh_host }}
 UseConfigurationAttributeInternalIPSubnet
 0
@@ -81,7 +81,7 @@
 0
 UserDefinedName
-{{ server_name }} IKEv2
+{{ ansible_ssh_host }} IKEv2
 VPNType
 IKEv2
@@ -117,7 +117,7 @@
 PayloadDescription
 Adds a CA root certificate
 PayloadDisplayName
-{{ server_name }}
+{{ ansible_ssh_host }}
 PayloadIdentifier
 com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38
 PayloadType
@@ -129,7 +129,7 @@
 PayloadDisplayName
-{{ server_name }} IKEv2
+{{ ansible_ssh_host }} IKEv2
 PayloadIdentifier
 donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE
 PayloadRemovalDisallowed
diff --git a/vpn.yml b/vpn.yml
index 50b1ed8..6cab1da 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -70,9 +70,9 @@
     notify:
       - restart strongswan
 
-  - name: Build the server pair # TODO: IP and DNS for certificate
+  - name: Build the server pair
     shell: >
-      ./easyrsa build-server-full {{ server_name }} nopass &&
+      ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&&
       touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
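Review bot: `ServerCertificateIssuerCommonName` now pins the profile to a CA whose CN is literally the server IP, and `RemoteIdentifier` has to match an `IP:` SAN in the server certificate; both hold only as long as the CA is built with the `EASYRSA_REQ_CN` set in easy-rsa.vars.j2 and the SAN added in vpn.yml by this same commit, so a later change to either file silently breaks every installed profile. Record the dependency next to the key, e.g. `<!-- must equal the CN easy-rsa gives the CA (EASYRSA_REQ_CN in templates/easy-rsa.vars.j2) -->`, and likewise note beside RemoteIdentifier that it must appear as an IP: SAN in the server certificate. The plist element tags are not visible in this page's extraction, so the exact placement is inferred.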
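Review bot: `server_name` is interpolated unescaped into the single-quoted `--subject-alt-name='DNS:…'` argument of a `shell:` task, and since this commit it comes from an interactive prompt (digiocean.yml) rather than config.cfg, so a value containing `'`, `;` or whitespace breaks out of the quoting, and a run that skips the prompt fails on an undefined variable. `IP:{{ ansible_ssh_host }}` likewise assumes the inventory address is an IPv4 literal; an inventory that names the host by DNS yields an invalid SAN and easyrsa aborts. Shell-quote the whole SAN with `| quote`, make the DNS part conditional, and assert the address shape before building:

```yaml
  - name: Check that the inventory address is an IPv4 literal
    assert:
      that:
        - ansible_ssh_host is match('^[0-9]{1,3}(\.[0-9]{1,3}){3}$')

  - name: Build the server pair
    shell: >
      ./easyrsa --subject-alt-name={{ ((("DNS:" ~ server_name ~ ",") if server_name is defined else "") ~ "IP:" ~ ansible_ssh_host) | quote }}
      build-server-full {{ ansible_ssh_host | quote }} nopass &&
      touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
    # … unchanged: args/chdir …
```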
@@ -104,12 +104,12 @@
       - restart strongswan
 
   - name: Copy the server cert to the strongswan directory
-    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ server_name }}.crt' dest=/etc/ipsec.d/certs/{{ server_name }}.crt owner=root group=root mode=0600
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600
     notify:
       - restart strongswan
 
   - name: Copy the server key to the strongswan directory
-    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600
     notify:
       - restart strongswan