From dc4f9df9f27a51f024c69fb425473d204c0defc2 Mon Sep 17 00:00:00 2001
From: Alaa Qutaish
Date: Thu, 12 Mar 2015 21:48:36 +0100
Subject: [PATCH] Support Debian platform

---
 Dockerfile | 5 +++
 Gemfile | 1 +
 Gemfile.lock | 1 +
 README.md | 58 ++++++++++++++-----------
 cookbooks/openvpn/.kitchen.yml | 7 ++-
 cookbooks/openvpn/attributes/default.rb | 6 ++-
 cookbooks/openvpn/libraries/filter.rb | 5 +++
 cookbooks/openvpn/recipes/default.rb | 15 +++++--
 cookbooks/openvpn/recipes/easyrsa.rb | 26 +++++++----
 9 files changed, 83 insertions(+), 41 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 cookbooks/openvpn/libraries/filter.rb

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..ae4462c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,5 @@
+FROM ubuntu
+USER root
+WORKDIR /tmp
+RUN apt install -y curl git
+RUN curl -L http://git.io/pdTu | sh
diff --git a/Gemfile b/Gemfile
index 0d113d0..e8967fb 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,6 +4,7 @@ gem "ohai"
 gem "chef"
 
 group :development do
+  gem "test-kitchen"
   gem "serverspec"
   gem "kitchen-vagrant"
   gem "kitchen-docker"
diff --git a/Gemfile.lock b/Gemfile.lock
index 6a8048b..f52864c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -133,3 +133,4 @@ DEPENDENCIES
   kitchen-vagrant
   ohai
   serverspec
+  test-kitchen
diff --git a/README.md b/README.md
index e4f5b1d..1cc1cc6 100644
--- a/README.md
+++ b/README.md
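Review bot: `RUN curl -L http://git.io/pdTu | sh` fetches the bootstrap script over plain HTTP and pipes it into a root shell, so anything on the network path can substitute its own script; the README in this same commit uses `https://git.io/pdTu`, and the Dockerfile should match it, `RUN curl -fsSL https://git.io/pdTu | sh`. Separately, `RUN apt install -y curl git` runs without a package-list refresh, which on a fresh `ubuntu` base image is likely to fail with unknown packages; `RUN apt-get update && apt-get install -y curl git` is the usual form. Pinning a base-image tag instead of bare `ubuntu` would also make the image reproducible across rebuilds.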
@@ -1,41 +1,47 @@ # oh-my-vpn! -Setup your own OpenVPN server in 30 seconds! and secure your naked internet connections before it is too late. +Setup your own OpenVPN server in ~30 seconds! and secure your naked internet connections before it is too late. ### Server Setup Pick a new cheap server, CPU and Memory does not really matter -Install the required dependencies -Pull down the repository to your server -run chef-solo - -### Install the dependencies first: +The following one-liner script installs Chef and related depedencies and provision openvpn-server and generates the client configuration file. +### Use the one-liner script (Server): ``` -sudo aptitude update -sudo aptitude safe-upgrade -y -f -sudo aptitude install -y ruby ruby-dev build-essential wget git -sudo gem install ohai chef --no-rdoc --no-ri +curl -L https://git.io/pdTu | sh ``` +A generated file for openvpn-client should exist at ```/root/client.conf``` -### Pull-down the code and run chef-solo - -``` -cd /tmp/ && git clone https://github.com/alaa/oh-my-vpn.git -sudo chef-solo -c /tmp/oh-my-vpn/solo.rb -``` +### Post-Installation (Client): -### Post-Installation -After your run chef-solo, your OpenVPN server will be ready: -- Copy the generated config ```/root/client.conf``` and place it in your laptop at ```/etc/openvpn``` +- Install OpenVPN on your machine. +- Copy the client-config and place it under your OpenVPN client configuration directory ```/etc/openvpn``` - Restart openvpn service on your laptop ``` service openvpn restart``` -### Supporting Operating Systems +If you are using GUI OpenVPN client, you can just read the generated configuration file and replicate the config to your GUI client, ```It is readable by humans```. Also you will find the SSL certificates embded into the file. 
-``` Ubuntu 14.10 ``` -``` Ubuntu 13.10 ``` +### Supported Operating Systems (Tested): + +- ``` Ubuntu 14.10 ``` +- ``` Ubuntu 14.04 ``` +- ``` Ubuntu 13.10 ``` +- ``` Debian 7.0 ``` +- ``` Debian 7.4 ``` +- ``` Debian 7.6 ``` +- ``` Debian 7.8 ``` ### TODO -- Email the client certificates to the user email -- Make one-liner command for installation -- Add recipe to configure the client machine +- Build Docker image for Server +- Build Docker image for client and route client connections through the container - Pipe-line the project to Travis-ci for continous testing -- Add Support Ubuntu [14.04, 13.04, 12.10, 12.04] and Debian [7.4, 7.0] +- Add Support for other platforms: Centos, Fedora, OpenSUSE, Archlinux, Gentoo +- Add Multi-Client support +- Improve the README + +#### Contribute +- Fork and submit pull requests +- For new features or refactoring make sure all kitchen tests pass on all platforms +- You can run the tests: +``` +cd cookbooks/openvpn/ +kitchen verify -c 6 +``` diff --git a/cookbooks/openvpn/.kitchen.yml b/cookbooks/openvpn/.kitchen.yml index b35fdca..627618f 100644 --- a/cookbooks/openvpn/.kitchen.yml +++ b/cookbooks/openvpn/.kitchen.yml @@ -1,13 +1,18 @@ --- driver: - name: vagrant + name: docker + privileged: true provisioner: name: chef_solo platforms: - name: ubuntu-14.10 + - name: ubuntu-14.04 - name: ubuntu-13.10 + - name: debian-7.4 + - name: debian-7.6 + - name: debian-7.8 suites: - name: openvpn diff --git a/cookbooks/openvpn/attributes/default.rb b/cookbooks/openvpn/attributes/default.rb index 82c049c..366516a 100644 --- a/cookbooks/openvpn/attributes/default.rb +++ b/cookbooks/openvpn/attributes/default.rb 
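Review bot: `privileged: true` under the docker driver is undocumented; a one-line comment saying why the test containers need it (presumably because the recipes load iptables rules and OpenVPN needs a tun device, neither of which an unprivileged container provides) would keep a later reader from dropping it or treating it as harmless, e.g. `# iptables rules and the tun device need host privileges inside the container`. Because the suites then run with host-level privileges, the setting is worth keeping out of any shared CI runner.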
@@ -1,5 +1,9 @@
 # Defaults
-default['openvpn']['server']['packages'] = %w(openvpn easy-rsa ufw)
+packages = %w(openvpn iptables)
+if node['platform'] != "debian"
+  packages += ['easy-rsa']
+end
+default['openvpn']['server']['packages'] = packages
 default['openvpn']['server']['port'] = 1194
 default['openvpn']['server']['protocol'] = 'udp'
 default['openvpn']['server']['dev'] = 'tun'
diff --git a/cookbooks/openvpn/libraries/filter.rb b/cookbooks/openvpn/libraries/filter.rb
new file mode 100644
index 0000000..02bfbb7
--- /dev/null
+++ b/cookbooks/openvpn/libraries/filter.rb
@@ -0,0 +1,5 @@
+class Chef::Recipe::Filter
+  def self.provisioned?
+    ::File.exists?('/etc/openvpn/provisioned.lock')
+  end
+end
diff --git a/cookbooks/openvpn/recipes/default.rb b/cookbooks/openvpn/recipes/default.rb
index ae48765..866816d 100644
--- a/cookbooks/openvpn/recipes/default.rb
+++ b/cookbooks/openvpn/recipes/default.rb
@@ -1,5 +1,9 @@
 attr = node['openvpn']['server']
 
+execute 'update apt cache' do
+  command 'apt-get update'
+end
+
 attr['packages'].each do |pkg|
   package pkg do
     action :install
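Review bot: `if node['platform'] != "debian"` hard-codes a platform string where Chef attribute files already have the `platform?` helper, so `packages += ['easy-rsa'] unless platform?('debian')` says the same thing in one line and is consistent with the single-quoted strings around it. The reason for the exception is not recorded anywhere; since the easyrsa recipe in this commit copies easy-rsa out of the openvpn examples directory on Debian instead of installing a package, a comment such as `# Debian ships easy-rsa inside the openvpn examples, not as a package` would tie the two files together for the next maintainer.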
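Review bot: `::File.exists?` is the deprecated alias of `File.exist?` (removed in Ruby 3.2), so a brand-new library should use `::File.exist?('/etc/openvpn/provisioned.lock')`. The lock path is the only thing this predicate knows and several recipes now guard on it, so naming it (`LOCK_FILE = '/etc/openvpn/provisioned.lock'.freeze`) and adding a comment that the file is written by the easyrsa recipe only once `service openvpn status` reports the service running would document the contract the `not_if` guards depend on.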
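Review bot: `execute 'update apt cache'` has no guard, so `apt-get update` runs on every converge and the resource is reported as updated each time; if that is intended, a comment should say so, otherwise a `not_if` comparing the mtime of `/var/lib/apt/lists` against a threshold keeps runs idempotent while still refreshing the cache before the `package` loop below. The resource is also apt-specific, which is fine for the platforms listed in `.kitchen.yml` but is worth a comment (`# apt-based platforms only; refresh the cache before installing packages`) given the README's TODO list names RPM-based targets.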
@@ -34,25 +38,28 @@ execute 'uncomment port-forwarding from sysctl' do command "sed -i '/#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1/' /etc/sysctl.conf" - not_if { ::File.exists?('/etc/openvpn/provisioned.lock') } + not_if { Filter.provisioned? } end execute 'allow openvpn traffic' do + user 'root' command "iptables -t nat -A POSTROUTING -s #{attr['network_address']}/24 -o #{attr['network_interface']} -j MASQUERADE" - not_if { ::File.exists?('/etc/openvpn/provisioned.lock') } + not_if { Filter.provisioned? } end attr['acl'].each do |protocol, ports| ports.each do |port| execute "INPUT ACL" do + user 'root' command "iptables -A INPUT -i #{attr['network_interface']} -p #{protocol} --dport #{port} -m state --state NEW,ESTABLISHED -j ACCEPT" - not_if { ::File.exists?('/etc/openvpn/provisioned.lock') } + not_if { Filter.provisioned? } end execute "OUTPUT ACL" do + user 'root' command "iptables -A OUTPUT -o #{attr['network_interface']} -p #{protocol} --sport #{port} -m state --state ESTABLISHED -j ACCEPT" - not_if { ::File.exists?('/etc/openvpn/provisioned.lock') } + not_if { Filter.provisioned? } end end diff --git a/cookbooks/openvpn/recipes/easyrsa.rb b/cookbooks/openvpn/recipes/easyrsa.rb index 528d93c..5b66bd6 100644 --- a/cookbooks/openvpn/recipes/easyrsa.rb +++ b/cookbooks/openvpn/recipes/easyrsa.rb @@ -1,7 +1,11 @@ attr = node['easyrsa'] execute "bootstraping easy-rsa files" do - command "cp -r /usr/share/easy-rsa/ /etc/openvpn" + if node['platform'] == 'debian' + command "mkdir /etc/openvpn/easy-rsa && cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/" + else + command "cp -r /usr/share/easy-rsa/ /etc/openvpn" + end not_if { ::File.directory? '/etc/openvpn/easy-rsa' } end @@ -36,7 +40,7 @@ execute 'clean old certifications/keys' do command "./clean-all" cwd '/etc/openvpn/easy-rsa' - not_if { ::File.exists?('/etc/openvpn/provisioned.lock') } + not_if { Filter.provisioned? } end execute 'Generate the Diffie-Hellman key' do 
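Review bot: The `user 'root'` lines added to the iptables `execute` resources change nothing when chef-solo itself runs as root, which the README's one-liner requires, so they should either be dropped or carry a comment naming the non-root run they exist for. The larger gap is that every rule is still guarded only by `Filter.provisioned?` and nothing in the hunk persists the rules, so after a reboot the lock file survives, the `MASQUERADE` and ACL rules are gone, and the recipe will not re-add them; guarding each rule on `iptables -C` with the same rule spec (which returns non-zero when the rule is absent), or saving the rules with the distribution's persistence mechanism, would make the firewall converge correctly. The `execute 'uncomment port-forwarding from sysctl'` resource at the top of the hunk may begin before it.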
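Review bot: The Debian branch runs `mkdir /etc/openvpn/easy-rsa && cp -r ...` under `not_if { ::File.directory? '/etc/openvpn/easy-rsa' }`, so if the `cp` fails after `mkdir` succeeds (the examples path is specific to the openvpn package version), the directory exists, the guard is satisfied on the next run, and the tree stays empty with no error surfaced; guarding on something the copy produces, e.g. `not_if { ::File.exist?('/etc/openvpn/easy-rsa/pkitool') }`, or using a `directory` resource plus a guarded copy, avoids that. Choosing the command with an `if` inside the resource block works but hides the per-platform source path; hoisting it into the attributes file next to the package list (say `default['easyrsa']['source']`) would keep the Debian special-casing in one place. The two branches also differ in what they copy (the non-Debian form copies the directory itself, the Debian form its contents), so a comment noting that both must end at `/etc/openvpn/easy-rsa` would protect the trailing-slash difference.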
@@ -47,51 +51,55 @@
 execute 'build root cert' do
   command "/bin/bash -c './clean-all && source ./vars && ./pkitool --initca --batch'"
   cwd '/etc/openvpn/easy-rsa'
-  not_if { ::File.exists?('/etc/openvpn/provisioned.lock') }
+  not_if { Filter.provisioned? }
 end
 
 execute 'build server cert/key' do
   command "/bin/bash -c 'source ./vars && ./pkitool --server #{attr['key_servername']} --batch'"
   cwd '/etc/openvpn/easy-rsa'
-  not_if { ::File.exists?('/etc/openvpn/provisioned.lock') }
+  not_if { Filter.provisioned? }
 end
 
 execute 'build client cert/key' do
   command "/bin/bash -c '> keys/index.txt && source ./vars && ./pkitool client --batch'"
   cwd '/etc/openvpn/easy-rsa'
-  not_if { ::File.exists?('/etc/openvpn/provisioned.lock') }
+  not_if { Filter.provisioned? }
 end
 
 execute 'Move root cert/key to openvpn home' do
   command "bash -c 'cp ./keys/{ca.key,ca.crt} /etc/openvpn'"
   cwd '/etc/openvpn/easy-rsa'
-  not_if { ::File.exists?('/etc/openvpn/provisioned.lock') }
+  not_if { Filter.provisioned? }
 end
 
 execute 'Move server cert/key to openvpn home' do
   command "bash -c 'cp ./keys/#{attr['key_servername']}.{crt,key} /etc/openvpn'"
   cwd '/etc/openvpn/easy-rsa'
-  not_if { ::File.exists?('/etc/openvpn/provisioned.lock') }
+  not_if { Filter.provisioned? }
 end
 
 service 'openvpn' do
   action :restart
+  restart_command 'sudo service openvpn restart'
 end
 
 file '/etc/openvpn/provisioned.lock' do
+  user 'root'
   content { Time.now }
   only_if { `service openvpn status`.match(/is running/) }
 end
 
 template '/root/client.conf' do
   source 'client.conf.erb'
+  user 'root'
+  group 'root'
   variables(
-    lazy {
+    lazy do
       {
         ca: File.open('/etc/openvpn/ca.crt').read,
         cert: File.open("/etc/openvpn/easy-rsa/keys/client.crt").read,
         key: File.open("/etc/openvpn/easy-rsa/keys/client.key").read
       }
-    }
+    end
   )
 end
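Review bot: `template '/root/client.conf'` now sets `user 'root'` and `group 'root'` but still no `mode`, and the rendered file embeds the client private key read from `client.key`; its permissions therefore fall back to the process umask, so `mode '0600'` belongs next to the owner lines. `restart_command 'sudo service openvpn restart'` is redundant when the run is already root and will fail on a minimal image without `sudo` installed; if it exists for the docker driver, a comment saying so would help, otherwise `service openvpn restart` is enough. The untouched `content { Time.now }` on the lock file passes a block to a String property, which looks like it leaves the file empty; it is not part of this change but is worth confirming, since the same lock now gates every `Filter.provisioned?` guard.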