openvpn-formula
A saltstack formula to install and configure OpenVPN servers and clients.
Note
See the full Salt Formulas installation and usage instructions.
Available states
openvpn
Installs the OpenVPN package.
openvpn.server
Configures OpenVPN server instances using data from Pillar.
Example minimum Pillar:
openvpn:
minimal-example: # Name of instance, must be unique per host
ca_cert: |
# Public CA Certificate should go here
cert: |
# Server's public certificate should go here
key: |
# Server's private key should go here
ta_key: |
# Public TLS Authentication key should go here
dh: |
# Diffie-Helman Parameters should go here
openvpn.client
Configures OpenVPN client instances using data from Pillar.
Example minimum Pillar:
openvpn:
minimal-example: # Name of instance, must be unique per host
remotes:
- server: 123.123.123.123 # Reachable IP address of OpenVPN server
ca_cert: |
# Public CA Certificate should go here
cert: |
# Client's public certificate should go here
key: |
# Client's private key should go here
ta_key: |
# Public TLS Authentication key should go here
Pillar settings
package
Set the basic package and service options.
openvpn:
lookup:
pkg: openvpn # Name of package to install
service: openvpn # Service name to manage
conf_dir: /etc/openvpn # Location that OpenVPN will look for configuration files
Shared
The pillar settings that are shared (and should be the same) between client and server.
Pillar | OpenVPN | Description | Default |
---|---|---|---|
proto | proto | Network protocol (tcp or udp) | udp |
dev | dev | Network type (tun or tap) | tun |
cipher | cipher | Encryption scheme | BF-CBC |
ca_cert | ca | Contents of the Certificate Authority public certificate | |
ta_key | tls_auth | Contents of the TLS shared secret | |
compression | comp-lzo | Enable compression for the VPN | True |
Common
The pillar settings that are common to both client and server, but don't have to be the same.
Pillar | OpenVPN | Description | Default |
---|---|---|---|
user | user | User to run OpenVPN as after initialization | root |
group | group | Group to run OpenVPN as after initialization | root |
cert | cert | Contents of the host public certificate | |
key | key | Contents of the host private key | |
common_name | Common name of host to match certificates | grains['host'] | |
log_level | verb | Set level of logging from silent 0-9 extremley verbose | 3 |
log_file | log-append | File to log messages. If not specified, all logging will go to syslog |
Server
Settings for the OpenVPN server.
Pillar | OpenVPN | Description | Default |
---|---|---|---|
local | local | Local IP address to listen on | |
vpn_network | server | The VPN subnet start address | 10.8.0.0 |
vpn_netmask | server | The subnet mask for the VPN subnet | 255.255.255.0 |
dh | dh | Diffie-Hellman parameters | |
keepalive_send | keepalive | Interval (in seconds) to send keepalive packets | 10 |
keepalive_timeout | keepalive | Interval (in seconds) before a connection without packets is considered dead | 120 |
server_networks | push "route <network> <netmask>" | Push routes for the network(s) listed to the clients | |
client_to_client | client-to-client | Allow communication between clients connected to the VPN | False |
redirect_gateway | push "redirect-gateway" | Configure all clients to redirect all default traffic to the OpenVPN server | False |
status_file | status | File to write the OpenVPN server status to each minute | <conf_dir>/<vpn_name>/status |
clients | NA | Section for per-client settings. See table below. |
Pillar | OpenVPN | Description | Default |
---|---|---|---|
client_networks | iroute <network> <netmask> | Define routes for the network(s) reachable via the client | |
server_networks | push "route <network> <netmask>" | Push routes for the network(s) listed to the client | |
redirect_gateway | push "redirect-gateway" | Configures the client to redirect all default traffic to the OpenVPN server | False |
Client
Settings for the OpenVPN client.
Pillar | OpenVPN | Description | Default |
---|---|---|---|
remotes | remote | A list of server port descriptors that the client should connect to |