From ecd0bb4c3817e458b722e64ee49d8cff60f7c430 Mon Sep 17 00:00:00 2001
From: Timur Batyrshin
Date: Mon, 28 Oct 2013 00:03:54 +0400
Subject: [PATCH] added playbook for installation of VPN server

---
.gitignore | 3 +++
files/do_masquerade.sh | 9 +++++++
templates/openvpn.conf.j2 | 17 +++++++++++++
vpn.yml | 51 +++++++++++++++++++++++++++++++++++++++
4 files changed, 80 insertions(+)
create mode 100644 .gitignore
create mode 100644 files/do_masquerade.sh
create mode 100644 templates/openvpn.conf.j2
create mode 100644 vpn.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..33937e2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+*.swp
+files/static.key
diff --git a/files/do_masquerade.sh b/files/do_masquerade.sh
new file mode 100644
index 0000000..1133c20
--- /dev/null
+++ b/files/do_masquerade.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# This file was created by Ansible.
+# Manual changes will be lost.
+
+# Don't add masquerading rule if it is already exists
+iptables -n -t nat -L POSTROUTING | grep -q MASQUERADE && exit 0 ||:
+
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
diff --git a/templates/openvpn.conf.j2 b/templates/openvpn.conf.j2
new file mode 100644
index 0000000..1964431
--- /dev/null
+++ b/templates/openvpn.conf.j2
@@ -0,0 +1,17 @@
+# This file was created by Ansible.
+# Manual changes will be lost.
+
+dev tun
+ifconfig {{ server_addr }} {{ client_addr }}
+secret {{ keyfile }}
+
+{% if compression is defined and compression %}
+comp-lzo
+
+{% endif %}
+keepalive {{ keepalive }}
+ping-timer-rem
+persist-tun
+persist-key
+
+up /usr/local/sbin/do_masquerade
diff --git a/vpn.yml b/vpn.yml
new file mode 100644
index 0000000..5c1dfc1
--- /dev/null
+++ b/vpn.yml
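Review bot: The idempotency check on the `iptables -n -t nat -L POSTROUTING | grep -q MASQUERADE` line matches any MASQUERADE rule in POSTROUTING, so a pre-existing rule for another interface or source silently prevents the VPN rule from ever being added, and the rule on the last line carries no `-s` restriction, so once vpn.yml enables net.ipv4.ip_forward every packet this host forwards is NATed out eth0, not just the tunnel peer's. Where the installed iptables supports `-C`, test for the exact rule and restrict it to the client address that vpn.yml defines, e.g. `iptables -t nat -C POSTROUTING -s 10.8.0.2/32 -o eth0 -j MASQUERADE 2>/dev/null && exit 0` followed by `iptables -t nat -A POSTROUTING -s 10.8.0.2/32 -o eth0 -j MASQUERADE`. Because the file is shipped with the `copy` module rather than `template`, that address would be duplicated here; rendering it from `client_addr` would keep the two in step. `eth0` is also hard-coded, and the header comment should at least state that the outbound interface is assumed.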
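Review bot: The `up /usr/local/sbin/do_masquerade` line will not execute under OpenVPN's default `script-security` level, which refuses user-supplied scripts, so the masquerade rule is never installed unless the template also carries `script-security 2`. The config pins neither `cipher` nor `auth`, leaving the static-key tunnel on whatever the installed OpenVPN build defaults to; stating them explicitly, e.g. `cipher AES-256-CBC` and `auth SHA256`, makes the choice visible and reviewable. Since `persist-tun` and `persist-key` are already present, dropping privileges after startup with `user nobody` and `group nogroup` limits what a compromised openvpn process can reach. The header comment should also say that `secret {{ keyfile }}` is a path relative to /etc/openvpn, which presumably only resolves because the distribution's init script starts openvpn from that directory.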
@@ -0,0 +1,51 @@
+---
+- hosts: vpn
+
+ vars:
+ server_addr: 10.8.0.1
+ client_addr: 10.8.0.2
+ keyfile: static.key
+ keepalive: "10 60"
+ compression: true
+
+ tasks:
+ - include: tasks/base.yml
+
+ - name: install openvpn server
+ apt: pkg=openvpn state=installed
+
+ - name: create masquerading script
+ copy:
+ src=files/do_masquerade.sh
+ dest=/usr/local/sbin/do_masquerade
+ owner=root
+ group=root
+ mode=0755
+
+ - name: create openvpn config
+ template:
+ src=templates/openvpn.conf.j2
+ dest=/etc/openvpn/openvpn.conf
+ backup=yes
+ notify:
+ - restart openvpn
+
+ - name: manage openvpn key
+ copy:
+ src=files/{{ keyfile }}
+ dest=/etc/openvpn/{{ keyfile }}
+ owner=root
+ group=root
+ mode=0600
+ notify:
+ - restart openvpn
+
+ - name: enable ipv4 forwarding
+ sysctl: name=net.ipv4.ip_forward value=1
+
+ - name: start openvpn server
+ service: name=openvpn enabled=yes state=started
+
+ handlers:
+ - name: restart openvpn
+ service: name=openvpn enabled=yes state=restarted
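Review bot: The `manage openvpn key` task copies `files/{{ keyfile }}`, which `.gitignore` in this same commit excludes, so a fresh checkout fails on that task with no indication of how the key is produced; a comment above `keyfile: static.key` such as `# generate locally with: openvpn --genkey --secret files/static.key` would close that gap while keeping the key out of the repository. Enabling `net.ipv4.ip_forward` together with the unrestricted MASQUERADE in do_masquerade.sh makes the host forward for any source, so a FORWARD rule limiting forwarding to the tun interface belongs in this playbook alongside the sysctl task. As a style point, the `copy:`/`template:` arguments are written as multi-line plain scalars (`src=... dest=...`) that YAML folds into one key=value string; native mappings with quoted modes (`mode: "0755"`, `mode: "0600"`) are what Ansible and yamllint expect and avoid the octal-looking-integer trap if the file is later converted.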