Added openvpn server role

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>

roles/server/templates/ca.crt.j2

@@ -0,0 +1 @@
+{{ server_openvpn_ca_content }}

roles/server/templates/ccd.j2

@@ -0,0 +1 @@
+{{ item.value }}

roles/server/templates/cert.crt.j2

@@ -0,0 +1 @@
+{{ server_openvpn_cert_content }}

roles/server/templates/cert.key.j2

@@ -0,0 +1 @@
+{{ server_openvpn_key_content }}

roles/server/templates/cert.pwd.j2

@@ -0,0 +1 @@
+{{ server_openvpn_askpass_content }}

roles/server/templates/crl.pem.j2

@@ -0,0 +1 @@
+{{ server_openvpn_crl_content }}

roles/server/templates/dh2048.pem.j2

@@ -0,0 +1 @@
+{{ server_openvpn_dh_content }}

roles/server/templates/openvpn_server.conf.j2

@@ -0,0 +1,111 @@
+ ######   ######## ##    ## ######## ########     ###    ##
+##    ##  ##       ###   ## ##       ##     ##   ## ##   ##
+##        ##       ####  ## ##       ##     ##  ##   ##  ##
+##   #### ######   ## ## ## ######   ########  ##     ## ##
+##    ##  ##       ##  #### ##       ##   ##   ######### ##
+##    ##  ##       ##   ### ##       ##    ##  ##     ## ##
+ ######   ######## ##    ## ######## ##     ## ##     ## ########
+
+# Reduce the OpenVPN daemon's privileges after initialization
+user nobody
+group nogroup
+
+# TCP or UDP server?
+proto udp
+proto udp6
+
+# Subnet mode instead of p2p
+topology subnet
+
+# Which TCP/UDP port should OpenVPN listen on?
+port {{ server_openvpn_port }}
+
+# "dev tun" will create a routed IP tunnel, "dev tap" will create an
+# ethernet tunnel
+dev tun
+
+# Enable compression on the VPN link
+comp-lzo
+
+# Maintain a record of client virtual IP address associations in this file.
+ifconfig-pool-persist {{ server_openvpn_directory }}/ipp.txt
+
+# Output a short status file showing current connections, truncated
+# and rewritten every minute.
+status {{ server_openvpn_directory }}/openvpn-status.log
+
+# Configure server mode and supply a VPN subnet for OpenVPN to draw client
+# addresses from. The server will take subnet ip .1 for itself, the rest will
+# be made available to clients.
+server {{ server_openvpn_ipv4_pool }} {{ server_openvpn_ipv4_subnet }}
+server-ipv6 {{ server_openvpn_ipv6 }}
+
+{% for route in server_openvpn_routes %}
+route {{route.network }} {{ route.subnet }}
+{% endfor %}
+
+# Uncomment this directive to allow different clients to be able
+# to "see" each other.
+client-to-client
+
+# Ping every 10 seconds, assume that remote peer is down if no ping received
+# during a 120 second time period.
+keepalive 10 120
+
+# The persist options will try to avoid accessing certain resources on restart
+# that may no longer be accessible because of the privilege downgrade.
+persist-key
+persist-tun
+
+# Allow client specific configurations
+client-config-dir {{ server_openvpn_directory }}/ccd
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+
+ ######  ########  ######  ##     ## ########  #### ######## ##    ##
+##    ## ##       ##    ## ##     ## ##     ##  ##     ##     ##  ##
+##       ##       ##       ##     ## ##     ##  ##     ##      ####
+ ######  ######   ##       ##     ## ########   ##     ##       ##
+      ## ##       ##       ##     ## ##   ##    ##     ##       ##
+##    ## ##       ##    ## ##     ## ##    ##   ##     ##       ##
+ ######  ########  ######   #######  ##     ## ####    ##       ##
+# SSL/TLS root certificate (ca), certificate (cert), and private key (key)
+ca {{ server_openvpn_ca }}
+cert {{ server_openvpn_cert }}
+key {{ server_openvpn_key }}
+
+# Password for certificate provided in separate file
+askpass {{ server_openvpn_passfile }}
+auth-nocache
+
+# Verify against revoked certificates
+crl-verify {{ server_openvpn_crl }}
+
+# Diffie hellman parameters
+dh {{ server_openvpn_dhfile }}
+
+# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+# The server and each client must have a copy of this key.
+# The second parameter should be '0' on the server and '1' on the clients.
+tls-auth {{ server_openvpn_tlsauth }} 0
+
+# Select a cryptographic cipher
+cipher AES-256-CBC
+
+# Improve message authentication
+auth SHA256
+
+# Enforce TLSv1.2
+tls-version-min 1.2
+
+# Limit the available cipersuites to reasonably safe choices
+tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

roles/server/templates/tls-auth.key.j2

@@ -0,0 +1 @@
+{{ server_openvpn_tlsauth_content }}