crans/crans_bcfg2
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Conf d'openvpn

Browse source 
darcs-hash:20080228123815-af139-45398677dde47cc2e86282788c93252d7c6d3fa0.gz
This commit is contained in:
Jeremie Dimino 2008-02-28 13:38:15 +01:00
parent 5f0c6f5c27
commit 2cfb65fda6
15 changed files with 222 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

17
Bundler/openvpn.xml Normal file
View file

@ -0,0 +1,17 @@
<Bundle name="openvpn">
<Package name="openvpn"/>
<Service name="openvpn"/>
<ConfigFile name="/etc/default/openvpn"/>
<ConfigFile name="/etc/openvpn/up"/>
<ConfigFile name="/etc/openvpn/down"/>
<Group name="external">
<ConfigFile name="/etc/openvpn/main.conf"/>
<ConfigFile name="/etc/openvpn/rescue.conf"/>
</Group>
<Group name="connection-main">
<ConfigFile name="/etc/openvpn/external.conf"/>
</Group>
<Group name="connection-rescue">
<ConfigFile name="/etc/openvpn/external.conf"/>
</Group>
</Bundle>

3
Cfg/etc/openvpn/main.down/info.xml Normal file
View file

@ -0,0 +1,3 @@
<FileInfo>
<Info owner='root' group='root' perms='0755'/>
</FileInfo>

11
Cfg/etc/openvpn/main.down/main.down Executable file
View file

@ -0,0 +1,11 @@
#!/bin/bash
#
# Fichier gere par BCfg2 avec le plugin Cfg
#
# Configuration des routes lorsque la connexion principale tombe
# La connexion principale est inactive => on passe par la connexion de
# secours. Si la connexion de secours est down ne marche pas ça
# changera rien mais de toutes facons on peut pas faire mieux...
route del -net 10.231.136.0 netmask 255.255.255.0 &> /dev/null
route add -net 10.231.136.0 netmask 255.255.255.0 dev tun-rescue

3
Cfg/etc/openvpn/main.up/info.xml Normal file
View file

@ -0,0 +1,3 @@
<FileInfo>
<Info owner='root' group='root' perms='0755'/>
</FileInfo>

10
Cfg/etc/openvpn/main.up/main.up Executable file
View file

@ -0,0 +1,10 @@
#!/bin/bash
#
# Fichier gere par BCfg2 avec le plugin Cfg
#
# Configuration des routes lorsque la connexion principale est
# disponible
# La connexion principale est active => on l'utilise
route del -net 10.231.136.0 netmask 255.255.255.0 &> /dev/null
route add -net 10.231.136.0 netmask 255.255.255.0 dev $dev

3
Cfg/etc/openvpn/rescue.down/info.xml Normal file
View file

@ -0,0 +1,3 @@
<FileInfo>
<Info owner='root' group='root' perms='0755'/>
</FileInfo>

10
Cfg/etc/openvpn/rescue.down/rescue.down Executable file
View file

@ -0,0 +1,10 @@
#!/bin/bash
#
# Fichier gere par BCfg2 avec le plugin Cfg
#
# Configuration des routes lorsque la connexion de secours tombe
# Si c'était la route actuelle, alors tant pis...
if [ "$(route -n|awk '$1 == "$ifconfig_remote" {print $8}')" = "$dev" ]; then
route del -net 10.231.136.0 netmask 255.255.255.0 &> /dev/null
fi

3
Cfg/etc/openvpn/rescue.up/info.xml Normal file
View file

@ -0,0 +1,3 @@
<FileInfo>
<Info owner='root' group='root' perms='0755'/>
</FileInfo>

11
Cfg/etc/openvpn/rescue.up/rescue.up Executable file
View file

@ -0,0 +1,11 @@
#!/bin/bash
#
# Fichier gere par BCfg2 avec le plugin Cfg
#
# Configuration des routes lorsque la connexion de secours est
# disponible
# Si on a déjà une route vers le vlan adm alors on ne fait rien
if [ -z "$(route -n|awk '$1 == "$ifconfig_remote" {print $8}')" ]; then
route add -net 10.231.136.0 netmask 255.255.255.0 dev $dev
fi

67
Metadata/groups.xml
View file

@ -9,8 +9,8 @@
profile="true"> profile="true">
<Group name="crans"/> <Group name="crans"/>
<Group name="firewall"/> <Group name="firewall"/>
<Group name="services-ext-ovh"/>
<Group name="backup-client"/> <Group name="backup-client"/>
<Group name="connection-main"/>
</Group> </Group>
<Group name="sila" <Group name="sila"
@ -87,7 +87,7 @@
<Group name="db-replica"/> <Group name="db-replica"/>
<Group name="mail-mx-secondary"/> <Group name="mail-mx-secondary"/>
<Group name="dns-secondary-no-forward"/> <Group name="dns-secondary-no-forward"/>
<Group name="vpn-vers-crans"/> <Group name="external"/>
</Group> </Group>
<Group name="fx" <Group name="fx"
@ -101,6 +101,7 @@
<Group name="mail-mx-secondary"/> <Group name="mail-mx-secondary"/>
<Group name="dns-secondary-no-forward"/> <Group name="dns-secondary-no-forward"/>
<Group name="backup-client"/> <Group name="backup-client"/>
<Group name="connection-rescue"/>
</Group> </Group>
<Group name="mdr" <Group name="mdr"
@ -252,7 +253,7 @@
<!-- Mailman a besoin d'un smtp --> <!-- Mailman a besoin d'un smtp -->
<Group name="mail-mx"/> <Group name="mail-mx"/>
</Group> </Group>
<Group name="adh-antispam-filter" <Group name="adh-antispam-filter"
comment="filtre antispam pour les adhérents"> comment="filtre antispam pour les adhérents">
<Group name="antispam-backend"/> <Group name="antispam-backend"/>
@ -290,7 +291,7 @@
category="dns"> category="dns">
<Group name="dns-server"/> <Group name="dns-server"/>
</Group> </Group>
<Group name="dns-secondary-no-forward" <Group name="dns-secondary-no-forward"
comment="un serveur DNS secondaire sans forward de l'association" comment="un serveur DNS secondaire sans forward de l'association"
category="dns"> category="dns">
@ -330,6 +331,24 @@
<Group name="adblock-server"/> <Group name="adblock-server"/>
</Group> </Group>
<!-- *** Connexion *** -->
<Group name="external"
comment="Un serveur à l'éxtérieur du campus">
<Group name="vpn"/>
</Group>
<Group name="connection-main"
comment="Le serveur qui est connecté à la la
connection principale du crans (RENATER)">
<Group name="vpn"/>
</Group>
<Group name="connection-rescue"
comment="Le serveur qui à la connexion de secours (par la freebox)">
<Group name="vpn"/>
</Group>
<!-- *** Divers *** --> <!-- *** Divers *** -->
<Group name="users" <Group name="users"
@ -379,18 +398,6 @@
<Group name="radius-server-backend"/> <Group name="radius-server-backend"/>
</Group> </Group>
<Group name="services-ext-ovh"
comment="Les services que le firewall doit avoir sur l'extérieur pour ovh">
<Group name="monit-ovh"/>
<Group name="openvpn-ovh"/>
</Group>
<Group name="vpn-vers-crans"
comment="Les VPN de ovh vers le crans">
<Group name="openvpn-komaz"/>
<Group name="openvpn-freebox"/>
</Group>
<Group name="name-service-cache" <Group name="name-service-cache"
comment="Un service de cache pour nss"> comment="Un service de cache pour nss">
<Group name="nscd"/> <Group name="nscd"/>
@ -447,6 +454,13 @@
<Group name="dns-backend"/> <Group name="dns-backend"/>
</Group> </Group>
<!-- *** Connexion sécurisée *** -->
<Group name="vpn"
comment="Un des deux points d'un tunnel sécurisée">
<Group name="vpn-backend"/>
</Group>
<!-- *** Divers *** --> <!-- *** Divers *** -->
<Group name="auth" <Group name="auth"
@ -588,6 +602,10 @@
<Group name="pgsql-sqlgrey"/> <Group name="pgsql-sqlgrey"/>
</Group> </Group>
<Group name="vpn-backend">
<Group name="openvpn"/>
</Group>
<!-- +==============+ --> <!-- +==============+ -->
<!-- | Les backends | --> <!-- | Les backends | -->
<!-- +==============+ --> <!-- +==============+ -->
@ -648,11 +666,11 @@
category="dns-backend"> category="dns-backend">
<Bundle name="bind"/> <Bundle name="bind"/>
</Group> </Group>
<Group name="nfs"> <Group name="nfs">
<Bundle name="nfs"/> <Bundle name="nfs"/>
</Group> </Group>
<Group name="apache" <Group name="apache"
category="http-server-backend"> category="http-server-backend">
<!-- TODO: a implémenter --> <!-- TODO: a implémenter -->
@ -708,14 +726,6 @@
<!-- TODO: a implementer --> <!-- TODO: a implementer -->
</Group> </Group>
<Group name="openvpn-komaz">
<!-- TODO: a implementer -->
</Group>
<Group name="openvpn-freebox">
<!-- TODO: a implementer -->
</Group>
<Group name="squid" <Group name="squid"
category="proxy-server-backend"> category="proxy-server-backend">
<!-- TODO: a implementer --> <!-- TODO: a implementer -->
@ -744,6 +754,11 @@
<Bundle name="nscd"/> <Bundle name="nscd"/>
</Group> </Group>
<Group name="openvpn"
category="vpn-backend">
<Bundle name="openvpn"/>
</Group>
<!-- +====================+ --> <!-- +====================+ -->
<!-- | Groupes dynamiques | --> <!-- | Groupes dynamiques | -->
<!-- +====================+ --> <!-- +====================+ -->

8
Python/etc/default/openvpn Normal file
View file

@ -0,0 +1,8 @@
# -*- coding: utf-8; mode: python -*-
header("Configuration des tunnels a lancer par defauts")
if has("external"):
@AUTOSTART = "main rescue"
else:
@AUTOSTART = "external"

30
Python/etc/openvpn/external.conf Normal file
View file

@ -0,0 +1,30 @@
# -*- coding: utf-8; mode: python -*-
include("ip")
header("Configuration du tunnel vers les serveurs a 'exterieur")
print """
daemon tun-ovh
dev tun-ovh
tls-server
ca /etc/ssl/certs/root.pem
cert /etc/ssl/certs/vpn.pem
tls-verify "/usr/share/openvpn/verify-cn ovh.vpn.crans.org"
key /etc/ssl/private/vpn.pem
log-append /var/log/openvpn/external.log
port 1194
ifconfig %s %s
ping-timer-rem
keepalive 10 60
persist-tun
verb 3
dh /etc/openvpn/dh1024.pem
""" % (admipof("komaz"), admipof("ovh"))

35
Python/etc/openvpn/main.conf Normal file
View file

@ -0,0 +1,35 @@
# -*- coding: utf-8; mode: python -*-
include("ip")
header("Configuration du tunnel vers la connexion principale")
print """
daemon tun-main
dev tun-main
tls-server
ca /etc/ssl/certs/root.pem
cert /etc/ssl/certs/vpn.pem
tls-verify "/usr/share/openvpn/verify-cn komaz.vpn.crans.org"
key /etc/ssl/private/vpn.pem
log-append /var/log/openvpn/main.log
port 1194
ifconfig %s %s
ping-timer-rem
keepalive 10 60
persist-tun
verb 3
dh /etc/openvpn/dh1024.pem
up /etc/openvpn/up
down /etc/openvpn/down
up-restart
remote %s
""" % (admipof("ovh"), admipof("komaz"), pubipof("komaz"))

35
Python/etc/openvpn/rescue.conf Normal file
View file

@ -0,0 +1,35 @@
# -*- coding: utf-8; mode: python -*-
include("ip")
header("Configuration du tunnel vers la connexion principale")
print """
daemon tun-rescue
dev tun-rescue
tls-server
ca /etc/ssl/certs/root.pem
cert /etc/ssl/certs/vpn.pem
tls-verify "/usr/share/openvpn/verify-cn freebox.vpn.crans.org"
key /etc/ssl/private/vpn.pem
log-append /var/log/openvpn/rescue.log
port 1194
ifconfig %s %s
ping-timer-rem
keepalive 10 60
persist-tun
verb 3
dh /etc/openvpn/dh1024.pem
up /etc/openvpn/up
down /etc/openvpn/down
up-restart
remote %s
""" % (admipof("ovh"), admipof("komaz"), pubipof("freebox"))

2
Rules/rules.xml
View file

@ -44,6 +44,8 @@
<Service name="nscd" status="on"/> <Service name="nscd" status="on"/>
<Service name="openvpn" status="on"/>
<!-- Suppression du groupe adm de /etc/group pour forcer sudo à regarder dans la base --> <!-- Suppression du groupe adm de /etc/group pour forcer sudo à regarder dans la base -->
<Action name="del-adm" <Action name="del-adm"
timing="post" when="modified" status="check" timing="post" when="modified" status="check"