ansibleguy.infra_openvpn
WORK IN PROGRESS! DO NOT USE IN PRODUCTION!
Ansible Role - OpenVPN Client-to-Site VPN
WARNING: This role is still being developed. DO NOT USE IN PRODUCTION!
This role helps you set up OpenVPN for Client-to-Site connections.
OpenVPN Editions
This role uses the OpenSource OpenVPN Community edition.
Why use the community edition?
Pros:
- No licensing fees - you can have one server for thousands of clients without high costs.
- All important features are included in the open-source edition.
- Can be managed with Ansible.
Cons:
- This version does not have a graphical (web-based) user interface!
If you prefer a user-friendly web interface, check out the OpenVPN Access Server.
Tested On:
- Debian 11
- Debian 12
Installation
# Install the latest version
ansible-galaxy role install git+https://github.com/ansibleguy/infra_openvpn
# Install from galaxy
ansible-galaxy install ansibleguy.infra_openvpn
# Or specify a custom role path
ansible-galaxy install ansibleguy.infra_openvpn --roles-path ./roles
# Install any required dependencies
ansible-galaxy install -r requirements.yml
Usage
Looking for a simple Ansible GUI? Check out my Ansible WebUI.
Configuration
Set your configuration as needed:
openvpn:
You may want to use 'ansible-vault' to encrypt your passwords:
ansible-vault encrypt_string
Execution
Run the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
Some useful tags are available for specific tasks.
For debugging errors, you can set the 'debug' variable when running:
# WARNING: This will log passwords!
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
To allow OpenVPN services to restart automatically (without prompts):
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e auto_restart=yes
Features
Package Installation
- Ansible dependencies (minimal)
Configuration *
Default Configuration: *
Default Options to Include: *
Default Options to Exclude:
Information
Info: For more on configuring the OpenVPN community, see their detailed documentation.
Important pages include:
Info: ChromeOS uses the Open-Network-Configuration (ONC) format.
It’s in JSON format and can be tricky to debug as it may not show helpful error messages.
The profile template from this role may not work for every situation.
For troubleshooting, check the ONC documentation. Note: Not every option may work in practice as documented.
Warning: If your OpenVPN setup needs to accept connections from ChromeOS clients, you must set the 'openvpn.instances.[name].security.tls_crypt' option to 'false' since it is not currently supported by the ChromeOS version.
Note: This role currently only works on Debian-based systems.
Note: Most of the role's features can be included or excluded.
For all available options, see the default configuration in the main defaults file.
Warning: Not every setting you provide will be checked for correctness. Bad configurations could break the role!
Info: If you want to use
openvpn.unprivileged: truefor better system security, the installed OpenVPN binary must supportiproute2!The role will check for compatibility, and it will fail if the binary does not support it.
How to gain support for iproute2:
- Use a binary compiled with that option enabled:
- Recompile OpenVPN yourself as shown in this example script (without the 'uninstall' part).
- Alternatively, set the role to download a precompiled binary from my ansibleguy/openvpn-recompiled repository.
- Uninstall existing OpenVPN packages/binaries.
- Copy or link the
openvpnbinary to/usr/local/bin.
- Use a binary compiled with that option enabled:
Info: If you are using multi-factor authentication, you might face problems with clients (like ChromeOS) that don’t support multiple input fields for secrets!
You can set
openvpn.server.auth.mfa_separatorto a unique character to combine both secrets into one input field. For example:p4ssW0rd<<<001122The default separator
:will always work, even if you choose a different one, allowing both input methods.
ansible-galaxy install ansibleguy.infra_openvpn