vm-ansible/roles/openvpn/tasks/main.yaml

---
- name: "Install openvpn-server via apt"
  ansible.builtin.apt:
    update_cache: yes
    state: present
    name:
     - openvpn

- name : "Enable ipv4 forwarding via sysctl"
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes
    state: present
    reload: yes

- name: Enable and restart openvpn daemon
  ansible.builtin.service:
    name: openvpn-server@stargate
    state: restarted
    enabled: yes

- name: Check if AllowUsers is defined
  ansible.builtin.lineinfile:
    state: absent
    path: /etc/ufw/before.rules
    regexp: "^# START OPENVPN"
  check_mode: true
  changed_when: false
  register: checkufwrules

- name: Insert openvpn iptables rules
  ansible.builtin.blockinfile:
    path: /etc/ufw/before.rules
    block: |
      # START OPENVPN RULES
      # NAT table rules
      *nat
      -F
      :POSTROUTING ACCEPT [0:0]
      # Allow traffic from OpenVPN client to everywhere
      -A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE
      -A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE
      COMMIT
      *filter
      -A ufw-before-input -i tun+ -j ACCEPT
      -A ufw-before-forward -i tun+ -j ACCEPT
      -A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
      COMMIT
      # END OPENVPN RULES

- name: Reload ufw
  community.general.ufw:
    state: reloaded

- name: Apply custom ufw rules
  community.general.ufw:
    rule: allow
    direction: "in"
    interface: tun0
...
add openvpn stuff 2022-04-14 16:10:43 +02:00			`---`
			`- name: "Install openvpn-server via apt"`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.apt:`
add openvpn stuff 2022-04-14 16:10:43 +02:00			`update_cache: yes`
			`state: present`
			`name:`
update to latest state 2023-02-19 13:42:53 +01:00			`- openvpn`
add openvpn stuff 2022-04-14 16:10:43 +02:00
add web gateway stuff 2022-04-14 21:41:04 +02:00			`- name : "Enable ipv4 forwarding via sysctl"`
			`ansible.posix.sysctl:`
			`name: net.ipv4.ip_forward`
			`value: '1'`
			`sysctl_set: yes`
			`state: present`
			`reload: yes`

add openvpn stuff 2022-04-14 16:10:43 +02:00			`- name: Enable and restart openvpn daemon`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.service:`
update to latest state 2023-02-19 13:42:53 +01:00			`name: openvpn-server@stargate`
add openvpn stuff 2022-04-14 16:10:43 +02:00			`state: restarted`
			`enabled: yes`
automate all the things 2022-04-17 12:22:22 +02:00
			`- name: Check if AllowUsers is defined`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.lineinfile:`
automate all the things 2022-04-17 12:22:22 +02:00			`state: absent`
			`path: /etc/ufw/before.rules`
			`regexp: "^# START OPENVPN"`
			`check_mode: true`
			`changed_when: false`
			`register: checkufwrules`

			`- name: Insert openvpn iptables rules`
always use full name of ansible task 2023-03-05 19:00:38 +01:00			`ansible.builtin.blockinfile:`
automate all the things 2022-04-17 12:22:22 +02:00			`path: /etc/ufw/before.rules`
			`block: \|`
			`# START OPENVPN RULES`
			`# NAT table rules`
			`*nat`
fix openvpn rules 2023-03-05 22:02:29 +01:00			`-F`
automate all the things 2022-04-17 12:22:22 +02:00			`:POSTROUTING ACCEPT [0:0]`
			`# Allow traffic from OpenVPN client to everywhere`
			`-A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE`
			`-A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE`
			`COMMIT`
fix openvpn rules 2023-03-05 22:02:29 +01:00			`*filter`
update to latest state 2023-02-19 13:42:53 +01:00			`-A ufw-before-input -i tun+ -j ACCEPT`
			`-A ufw-before-forward -i tun+ -j ACCEPT`
			`-A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`-A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`-A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`-A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`COMMIT`
automate all the things 2022-04-17 12:22:22 +02:00			`# END OPENVPN RULES`

			`- name: Reload ufw`
			`community.general.ufw:`
			`state: reloaded`
fix openvpn 2023-03-05 21:53:06 +01:00
			`- name: Apply custom ufw rules`
			`community.general.ufw:`
			`rule: allow`
			`direction: "in"`
do not use tun+ 2023-03-05 22:04:46 +01:00			`interface: tun0`
fuck yaml and indentation 2022-04-16 19:55:29 +02:00			`...`