First, thank you luxflux and all contributors for this wonderful module!

I'm trying to configure an openvpn server using puppet CA as per: https://community.openvpn.net/openvpn/wiki/PuppetCA

How do I specify ca, cert, and key directives? I have tried without hiera and with, but I can't get the config generating correctly.

has no parameter named 'ca'
has no parameter named 'cert'
has no parameter named 'key'

Happens to be that I do not have perl installed on the machine I am using and execution fails because of this:

https://github.com/luxflux/puppet-openvpn/blob/master/manifests/client.pp#L224

I'm thinking of some suggested fixes.

Hi there,
I have to add "include concat::setup" to server.pp, otherwise I'll get an concat error:

Could not evaluate: Could not find command '/bin/concatfragments.sh'

I have already set pluginsync=true in puppet.conf.
Is this just happening on my machine ?
Regards
Peter

I am running a server instance as a client with certificates only.
when starting openvpn, there is following log warning:

WARNING: No server certificate verification method has been enabled.  
See http://openvpn.net/howto.html#mitm

in the documentation it's recommended to use the "ns-cert-type server" option in the client configuration which is already implemented in the client-template.
But when running a server as a client, there is no such option available.
Would it be possible to add this parameter as soon as the "remote" parameter isn't empty (which means the server is a client in my opinion ?) or are there any reasons against ?

Regards
Peter

If 'pam => true' is set for the server, then the client configuration needs to contain 'auth-user-pass', otherwise the following error is encountered:

TLS Error: Auth Username/Password was not provided by peer
TLS Error: TLS handshake failed

According to the puppet forge this module supports CentOS 6 but when I run it on CentOS 6.4 I get this:

Notice: /Stage[main]/Openvpn::Install/Package[openvpn]/ensure: created
Notice: /File[/etc/openvpn/keys]/ensure: created
Notice: /File[/etc/openvpn/site]/ensure: created
Notice: /Stage[main]/Ctrlc::Role::Openvpn/Openvpn::Server[site]/Exec[copy easy-rsa to openvpn config folder site]/returns: /bin/cp: cannot stat `/usr/share/openvpn/easy-rsa/2.0': No such file or directory
Error: /bin/cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/site/easy-rsa returned 1 instead of one of [0]

A quick check confirms that the easy-rsa scripts have either been renamed or removed from the openvpn package. The following command returns nothing.

rpm -ql openvpn | grep easy

Maybe you should include the easy-rsa scripts in the module? I'm not sure how often they change but I can't imagine it's often enough to worry.

When using a small (reduced) debian wheezy installation, openvpn::server is unable to identify it
via openvpn::params.

This is due the lack of the lsb-release package (in a minimal/reduced installation the dependency chain for lsb-release can be huge):
Without the lsb package installed $::lsbdistid and $::lsbdistrelease facts are empty and eval will fail with the message: Not supported OS / Distribution: Debian

When is that planned? There are already 30 commits diff :)

By the way: ❤️ your work!

Hi folks,

as suggested from guys on #puppet, to best way to fix that missing package dependency is to use the ensure_packages function from stdlib, I know it seems overkill but it will avoid explicitly adding package definition+dependency

With openvpn, you can run a web server on the same port as openvpn.
I wrote a small extension to support this feature.

Setting it to true does not change the AUTOSTART variable in /etc/default/openvpn.

There is no way to specify custom options for the client config, but there should be one.

E.x. there is reneg-sec (reneg-* in fact) value that should be the same on both client and server, but I can't pass it to the client using puppet.

This is my configuration:

openvpn::server { "leonard":
    country      => 'DE',
    province     => 'NRW',
    city         => 'City',
    organization => 'my.de',
    email        => '[email protected]',
    server       => "192.168.100.0 255.255.255.0",
  }

Note that i turned on the Future Parser feature and Puppet is updated to the latest version.

puppet agent --test --debug gives the following output:

[..]
Debug: Exec[generate dh param leonard](provider=shell): Executing '["/bin/sh", "-c", ". ./vars && ./clean-all && ./build-dh"]'
Debug: Executing '/bin/sh -c . ./vars && ./clean-all && ./build-dh'
: not found/sh: 2: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
/whichopensslcnf: not foundenvpn/leonard/easy-rsa
: not found: ./vars:
: not found: ./vars:
/keys If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/leonard/easy-rsa
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:

: not foundge[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[generate dh param leonard]/returns: change from notrun to 0 failed: /bin/sh: 2: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
/whichopensslcnf: not foundenvpn/leonard/easy-rsa
: not found: ./vars:
: not found: ./vars:
/keys If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/leonard/easy-rsa
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:
: not found: ./vars:

Notice: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[initca leonard]: Dependency Exec[generate dh param leonard] has failures: true
Warning: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[initca leonard]: Skipping because of failed dependencies
Notice: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[generate server cert leonard]: Dependency Exec[generate dh param leonard] has failures: true
Warning: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[generate server cert leonard]: Skipping because of failed dependencies
Notice: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[create crl.pem on leonard]: Dependency Exec[generate dh param leonard] has failures: true
Warning: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/Exec[create crl.pem on leonard]: Skipping because of failed dependencies
Notice: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/File[/etc/openvpn/leonard/easy-rsa/keys/crl.pem]: Dependency Exec[generate dh param leonard] has failures: true
Warning: /Stage[main]/Server::Setup::Vpn/Openvpn::Server[leonard]/File[/etc/openvpn/leonard/easy-rsa/keys/crl.pem]: Skipping because of failed dependencies

When I set ssl_key_size to 2048, the "generate dh param ${name}" rule is re-executed on every single apply, instead of just the first time.

It seems that Exec["generate dh param ${name}"] in server.pp expects the command to create dh1024.pem (hardcoded), when the command now creates dh2048.pem.

I think it wants dh${ssl_key_size}.pem instead of dh1024.pem.

Currently 41 commits behind master

Thanks

Hello,
There is a contradiction between documentation and code for dev parameter in server.pp: the documentation says that default is tun, but in the code the default is tun0, which prevents setting up multiple VPN server on the same host using the default dev value.
Using tun instead of tun0 would allow dynamic device naming.
From the openvpn manpage:

--dev tunX | tapX | null
    TUN/TAP virtual network device ( X can be omitted for a dynamic device.) 

If needed I can provide a PR for updating the doc or the code.

Thanks!

Is it possible to use this module with an existing PKI with deployed server certificates?

Here is a log:

2016-08-12 23:22:58,830 WARN  [qtp90253819-63] [puppetserver] Puppet Unknown variable: '::openvpn::params::systemd'. at /etc/puppetlabs/code/environments/production/modules/openvpn/manifests/init.pp:98:8
2016-08-12 23:22:58,838 WARN  [qtp90253819-63] [puppetserver] Puppet Unknown variable: '::openvpn::params::systemd'. at /etc/puppetlabs/code/environments/production/modules/openvpn/manifests/server.pp:447:8
2016-08-12 23:22:58,841 WARN  [qtp90253819-63] [puppetserver] Puppet Unknown variable: '::openvpn::params::pam_module_path'. at /etc/puppetlabs/code/environments/production/modules/openvpn/manifests/server.pp:471:22
2016-08-12 23:22:58,848 WARN  [qtp90253819-63] [puppetserver] Puppet Unknown variable: 'openvpn::params::group'. at /etc/puppetlabs/code/environments/production/modules/openvpn/manifests/server.pp:474:16
2016-08-12 23:22:58,857 WARN  [qtp90253819-63] [puppetserver] Puppet Unknown variable: '::openvpn::params::systemd'. at /etc/puppetlabs/code/environments/production/modules/openvpn/manifests/server.pp:571:6

Also, openvpn service will be stop work, because the group key in the opvn server config file has no value.

group 
user nobody

Cheers,
Jan

For systemd, the OpenVPN service is generally named based on the configuration file, e.g. running systemctl start openvpn@${name} would start up OpenVPN and use the file /etc/openvpn/${name}.conf as the configuration file.

The overall OpenVPN service is a template, which systemd substitutes in for based on what's given in @${name}. This is handy, but it also means that running systemctl start openvpn doesn't do anything and in fact fails.

In short, when the machine is using systemd, the service name shouldn't just be "openvpn", it should be "openvpn@${name}", where "name" is the basename of the configuration file in use, without the ".conf". This makes the puppet task fails to execute, while it otherwise it works perfectly.

I suggest one of the following solutions; on systemd systems (Fedora, Arch, etc.)

• Make the service name configurable manually
• Automatically make the service name based on the name of the configuration file
• Make it possible to disable the checks for the OpenVPN service, the user can do it themselves

I think the second option is obviously superior, but that's just me. I am working on tweaking this myself, but I'm not that great with Puppet.

Do you use Hiera? If so, I'd like to refactor this so the default config options specified in the manifests are instead located in hiera.

Changes needed:

• The service description must check for systemd and use openvpn.$servername as servicename.
• RHEL7 does not have the openvpn-ldap-auth package

Hi!
I am about to start coding a little path when I noticed that I could not checkout the latest tag.
maybe it needs to be pushed?
will start working on 2.8.0
R.

For those who wish to use custom scripts for user authentication instead of PAM it would be useful to be able to specify "auth-user-pass-verify" in the server config.

It looks like the openvpn::server does not have the ensure parameter.

Hi

after upgrading the openvpn module, puppet runs into an error

puppet agent -t 
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, cannot currently create client configs when corresponding openvpn::server is extca_enabled at /etc/puppetlabs/code/environments/production/modules/openvpn/manifests/client.pp:224:23 at /etc/puppetlabs/code/environments/production/site/profile/manifests/openvpn/server.pp:48 on node hostname

puppet --version
4.5.0

I do not defined the param extca_enabled on my resources. Settings extca_enabled to false will throw the error, too.

It's been a while after 2.5.0. Maybe it's time to release the new version?

The generated client .ovpn files have the following options set:

ca keys/<client-name>/ca.crt
cert keys/<client-name>/<client-name>.crt
key keys/<client-name>/<client-name>.key

Because the directives are present in the file, the mobile client will not import the .ovpn file due to the files not being present. Simply removing those three lines from the generated .ovpn file allows it to import successfully since those keys are also contained inline in the .ovpn file itself. If having those directives is necessary for some other reason, perhaps an option could be introduced to control the generation of those directives.

I am not sure whether this is a bug or a feature, but it would be nice to be able to use this module like so in my manifest/site.pp:

node 'openvpnserver' {
openvpn::server { 'perftestserver':
country => 'CH',
province => 'ZH',
city => 'Winterthur',
organization => 'example.org',
email => '[email protected]',
server => '10.200.200.0 255.255.255.0'
}
}
node 'default' {
openvpn::client { 'perftestclient':
server => 'perftestserver',
}
}

When I try to use it like this, the client's complain that there is no Openvpn::server[perftestserver] available. As a workaround, I have had to generate all the configs on the server, and serve them as a file to the clients. Is this something that can be fixed?

Hey,
Doesn't affect me, but it looks like openvpn-auth-ldap is available in the EPEL 6 repos for redhat/centos 6.x machines.
Cheers

Hi,

Is possible to use this module with signed certificates? If yes, how?
Would be possible to add those information to the module readme? It would be awesome :).

Thanks a lot

Hi, I'm a bit confused as to how I setup a client using this module. If I have generated a client config, is there a way to use that config in another host using a define? If I use the openvpn::server { remote=> ...} method it doesn't seem to create the correct configuration.

kind regards,
Tarjei

Hi,

I have enable tls-auth on my openvpn server. I would be nice, if the tls-auth key can be included to the ovpn file.

It is required, if i want to enable ovpn on my mobile phone.

Check: https://community.openvpn.net/openvpn/wiki/IOSinline

If the port is changed with:

openvpn::server { 'name':
port => '443',
}

it will be used for the server but not for the clients, so the config of the clients will have to be manually fixed before it works

Great module. But it's missing support for the standard Amazon EC2 AMI.

The following changes were needed to get it to work with Amazon:

1. Had to install easy-rpm from epel repo which is disabled by default
   yumrepo { "epel": enabled => 1 }
   package { "easy-rsa": require => Yumrepo["epel"] }
2. Had to make local changes to params.pp

--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,9 +16,13 @@
 #
 class openvpn::params {

-  $group = $::osfamily ? {
-    'RedHat' => 'nobody',
-    default  => 'nogroup'
+  if ($::operatingsystem == 'Amazon') {
+    $group = 'nobody'
+  } else {
+    $group = $::osfamily ? {
+      'RedHat' => 'nobody',
+      default  => 'nogroup',
+    }
   }

   case $::osfamily {
@@ -39,6 +43,8 @@ class openvpn::params {
       if($::operatingsystemmajrelease == 'jessie/sid' or $::lsbdistdescription == 'Ubuntu 13.10'){
         $additional_packages = ['easy-rsa']
         $easyrsa_source = '/usr/share/easy-rsa/'
+      } elsif ($::operatingsystem == 'Amazon') {
+        $easyrsa_source = '/usr/share/easy-rsa/2.0'
       } else {
         $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
       }

Hey there - I'm trying to get the openvpn module working on CentOS 5.7 with Puppet 2.7.9. I've run into 2 issues so far:

The module tries to copy files form /usr/share/doc/openvpn/examples/easy-rsa/2.0, when on CentOS the directory is /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0. I can push a patch for this one, if ya want...I can test it across a few different linux distros.

After tweaking that in server.pp, I'm still getting an error where the require for /etc/openvpn/${name} doesn't seem to be creating the directory. Basically, it looks like puppet isn't running the required mkdir before attempting to copy files:

[root@vpn1 ~]# puppet agent --test --server=puppetserver
info: Retrieving plugin
info: Loading facts in concat_basedir
info: Loading facts in concat_basedir
info: Caching catalog for vpn1
err: Failed to apply catalog: 'cp -r /usr/share/doc/openvpn/easy-rsa/2.0 /etc/openvpn/vpn1/easy-rsa' is not qualified and no path was specified. Please qualify the command or specify a path.

Any thoughts?

John

The server template always appends '-server' to the protocol, which is fine for tcp, but breaks proto udp.

'-server' should only be appended if the proto is tcp

Likewise, how to I change other settings of this module? Where can I find a more detailed documentation?

Thanks.

A stable version of puppetlabs/concat version 2 has been out for a while now and seems to be largely compatible with version 1 while claiming to have much improved performance.

This module pins the dependency to version < 2.

Hi,

if working with exported ressources @@openpvn::client{} the above Error is thrown at the client, exporting the ressource, since at that client there is no openvpn::server at all...

Hello,

I Have an error when I try to deploy Openvpn::server on Debian 8.3 with your code 3.0. (It was OK in my test server Debian 8.1 and your code 2.9)

My puppet conf :

openvpn::server { 'admin_openvpn_server':
                country      => 'FR',
                province     => 'FR',
                city         => 'France',
                organization => 'xxxxxxxxx',
                email        => 'xxxxxxxxx',
                server       => '10.0.0.1 255.255.255.0',
        }

And when I try to deploy :

root@openvpn:~$ puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'Class[Openvpn::Install]' for relationship on 'Openvpn::Server[admin_openvpn_server]' on node openvpn.xxxxxxxx.fr
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

In puppet log, i found :

Jan 28 10:55:44 puppet puppet-master[30539]: (Scope(Openvpn::Server[admin_openvpn_server])) Could not look up qualified variable '::openvpn::params::pam_module_path'; class ::openvpn::params has not been evaluated
Jan 28 10:55:44 puppet puppet-master[30539]: (Scope(Openvpn::Server[admin_openvpn_server])) Could not look up qualified variable 'openvpn::params::group'; class openvpn::params has not been evaluated
Jan 28 10:55:44 puppet puppet-master[30539]: (Scope(Openvpn::Server[admin_openvpn_server])) Could not look up qualified variable '::openvpn::params::systemd'; class ::openvpn::params has not been evaluated
Jan 28 10:55:45 puppet puppet-master[30539]: (Scope(Openvpn::Ca[admin_openvpn_server])) Could not look up qualified variable 'openvpn::params::group'; class openvpn::params has not been evaluated
Jan 28 10:55:45 puppet puppet-master[30539]: (Scope(Openvpn::Ca[admin_openvpn_server])) Could not look up qualified variable 'openvpn::params::easyrsa_source'; class openvpn::params has not been evaluated
Jan 28 10:55:45 puppet puppet-master[30539]: (Scope(Openvpn::Ca[admin_openvpn_server])) Could not look up qualified variable 'openvpn::params::link_openssl_cnf'; class openvpn::params has not been evaluated
Jan 28 10:55:45 puppet puppet-master[30539]: Could not find resource 'Class[Openvpn::Install]' for relationship on 'Openvpn::Server[admin_openvpn_server]' on node openvpn.xxxxxx.fr
Jan 28 10:55:45 puppet puppet-master[30539]: Could not find resource 'Class[Openvpn::Install]' for relationship on 'Openvpn::Server[admin_openvpn_server]' on node openvpn.xxxxxx.fr
Jan 28 10:55:45 puppet puppet-master[30539]: Could not find resource 'Class[Openvpn::Install]' for relationship on 'Openvpn::Server[admin_openvpn_server]' on node openvpn.xxxxxx.fr

Any idea please ?

Regards,

Hi,

my client server gets unconfigured out of the box. The problem seems to be the conflict of settings. Currently the script adds "client" (which is a shorthand of "tls-client") and "tls-server".
The problem seems to lie in server.pp fragment [1]. If I want a default-setting client with tcp I will inevitably get settings conflict.

I am thinking if this code block should be moved under conditional statement block that tackles server-specific values to line 447, before "if !$shared_ca {".

    if $tls_server {
      $real_tls_server = $tls_server
    } else {
    $real_tls_server = $proto ? {
        /tcp/   => true,
        default => false
      }
    }

Cheers,
Gin

If you use openvpn::client & openvpn::server in different classes, Openvpn::Client is unable to create a relationship because it is attempting to chain two top-level resources.

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'Openvpn::Server[vpn.foo.net]' for relationship on 'Openvpn::Client[user]' on node vpn.foo.net

Chaining types within a defined type is probably a poor idea since you can't make assumptions about the scoping. Removing the chain from the define works fine but it's ultimately up to the user to ensure they create the server prior to creating the client.

I would like to put this module under the Apache 2.0 License.

Are you okay with this, @jlambert121 and @jlk?

In their infinite wisdom, Ubuntu have decided to split up the openvpn and easy-rsa packages, by the looks of things:

https://help.ubuntu.com/14.04/serverguide/openvpn.html

Hence, server install fails now.

Hello,

how do you deal with the delivery of the client certificates to the users?

I mean, lets say you configure a server and create client certs, usually how do you send the certificates to the users in an automated or "self-service" way?

or you just manually download the certs and send emails with the attached cert?

Hi Raffael,
it's me again...when trying to create an instance running with ldap authentication on Debian Wheezy, openvpn-auth-ldap does not get installed. When adding the package & ldap_auth_plugin_location to the else block, everything seems ok:

case $::lsbdistid {
 'Debian': {
   # Version > 8.0.0, jessie
   if(versioncmp($::lsbdistrelease, '8.0.0') >= 0) {
      $additional_packages = ['easy-rsa', 'openvpn-auth-ldap']
      $easyrsa_source = '/usr/share/easy-rsa/'
      $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
   } else {
      $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
      $additional_packages = 'openvpn-auth-ldap'
      $ldap_auth_plugin_location = '/usr/lib/openvpn/openvpn-auth-ldap.so'
   } 

So far - if I understand correctly - only on Jessie this package will be installed. Or is it just an incorrect usage on my side ? I've just added "ldap_enabled => true" with all other needed parameters to my manifest. But maybe I'm just doing it wrong.

Regards
Peter

Add support for servers that use a bridged interface. I am going to need this for my own use so assuming the issue regarding the easy-rsa scripts is resolved I can implement this pretty easily. For reference, it's the "server-bridged" directive in the server configuration file plus start up ("up" directive) and shut down ("down" directive) scripts to configure the network bridge. There are sample bridge scripts in the openvpn package for CentOS 6.4.

Would it be possible to add a new (maybe optional) parameter for the status-version to the server-template? I for myself would prefer status-version 2 as there are all information about a connected client in one single line which makes it easier to get details about connected clients.

if you add status-version 2 for example, it's more convenient to grep the connections:

 grep ^CLIENT_LIST /etc/openvpn/instance_name/openvpn-status.log | wc -l

another optional feature would be the time to refresh the log which can be appended to the existing "status" entry. For a refresh every 5 seconds for example:

status instance_name/openvpn-status.log 5

but the refresh is in my opinion unneeded, as far as i know is the default interval fast enough ;-)

Hi,

When I install openvpn server it fails to start. The cause is in the generated /etc/default/openvpn file [1].
More specifically:

• Line 2 prevents openvpn from starting ("AUTOSTART="$AUTOSTART client1"").
  • If I modify the line to "AUTOSTART="client1"" it successfully starts the server.
• Line 2 and the last line are duplicate parameter options "AUTOSTART".

System:

• Puppet 3.7
• parser=future
• Ubuntu 14.04.1 LTS

I am not familiar with the module yet, therefore I can't suggest a fix.

Cheers,
Gin

[1] /etc/default/openvpn.

# This file is managed by Puppet. DO NOT EDIT.
AUTOSTART="$AUTOSTART client1"
# This is the configuration file for /etc/init.d/openvpn

#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
AUTOSTART=""