1[root@vpn ~]# cat /opt/accel-ppp/config/accel-ppp.conf
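[modules]
# Loaded modules: syslog logging, PPTP and L2TP transports, MS-CHAPv2 as the
# only authentication method, an address pool, and chap-secrets as the
# credential store.
# NOTE(review): PPTP with MS-CHAPv2/MPPE is widely regarded as broken (the
# MS-CHAPv2 exchange can be recovered offline), and no IPsec configuration for
# L2TP is visible in this file, so neither transport gives strong
# confidentiality on its own. Treat this as a legacy access path.
log_syslog
pptp
l2tp
auth_mschap_v2
ippool
sigchld
chap-secrets
logwtmp

[core]
log-error=/var/log/accel-ppp/core.log
thread-count=4

[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
# Refuse an address that is already assigned to another session.
check-ip=1
# A second login with the same username terminates the earlier session
# instead of being denied.
single-session=replace
# MPPE is mandatory, so a peer that cannot negotiate it is disconnected
# rather than left on an unencrypted PPP link.
mppe=require
ipv4=require
# IPv6 is refused; the ipv6-* keys below are therefore inert unless this is
# changed.
ipv6=deny
ipv6-intf-id=0:0:0:1
ipv6-peer-intf-id=0:0:0:2
ipv6-accept-peer-intf-id=1

[lcp]
# Dead peers are detected after 3 missed echoes at 30 s intervals.
lcp-echo-interval=30
lcp-echo-failure=3

[auth]
# Both options must stay commented out: any-login accepts any username and
# noauth disables authentication altogether.
#any-login=0
#noauth=0

[pptp]
echo-interval=30
echo-failure=3
verbose=1

[l2tp]
host-name=access-vpn
verbose=1

[dns]
dns1=192.168.70.251
dns2=192.168.70.252

[client-ip-range]
disable

[ip-pool]
# Server-side address of the tunnel; clients are allocated from the range
# below. The dnsmasq DHCP configuration further down hands out the same
# gateway address.
gw-ip-address=192.168.99.254
192.168.99.1-253

[log]
log-file=/var/log/accel-ppp/accel-ppp.log
log-emerg=/var/log/accel-ppp/emerg.log
# Presumably the record of failed logins (the path suggests so) - the file
# to watch for password guessing against the PPTP/L2TP ports.
log-fail-file=/var/log/accel-ppp/auth-fail.log
log-debug=/var/log/accel-ppp/debug.log
copy=1
level=3

[chap-secrets]
gw-ip-address=192.168.99.254
# Plaintext credentials. The file should be readable only by root / the
# daemon user - confirm its mode on the host.
chap-secrets=/etc/ppp/chap-secrets

[cli]
# Management interfaces are bound to the loopback address only, so they are
# not reachable from the network. No cli password is configured, so any
# local process that can open these ports gets the management CLI.
telnet=127.0.0.1:2000
tcp=127.0.0.1:2001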
74[root@vpn ~]#
75===
76
77[root@vpn ~]# grep -E '^dhcp' /etc/dnsmasq.conf
78dhcp-range=192.168.99.254,static
79dhcp-option=option:router
80dhcp-option=121,192.168.70.0/24,192.168.99.254,192.168.75.0/24,192.168.99.254,10.0.0.0/24,192.168.99.254
81dhcp-option=249,192.168.70.0/24,192.168.99.254,192.168.75.0/24,192.168.99.254,10.0.0.0/24,192.168.99.254
82dhcp-option=vendor:MSFT,2,1i
83[root@vpn ~]#
84
8519:54:46.716113 IP (tos 0x0, ttl 64, id 10142, offset 0, flags [none], proto UDP (17), length 333)
86 192.168.99.254.67 > 192.168.99.153.68: BOOTP/DHCP, Reply, length 305, htype 8, hlen 6, xid 0xa27cfc5f, secs 1536, Flags [none]
87 Client-IP 192.168.99.153
88 Vendor-rfc1048 Extensions
89 Magic Cookie 0x63825363
90 DHCP-Message Option 53, length 1: ACK
91 Server-ID Option 54, length 4: 192.168.99.254
92 Domain-Name Option 15, length 18: "vpn.server.tld"
93 Classless-Static-Route-Microsoft Option 249, length 24: (192.168.70.0/24:192.168.99.254),(192.168.75.0/24:192.168.99.254),(10.0.0.0/24:192.168.99.254)
94 Vendor-Option Option 43, length 7: 2.4.0.0.0.1.255
95
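# Kernel settings are edited in place in /etc/sysctl.conf and applied by the
# "reload sysctl" handler, which is defined outside this file. The dots in the
# sysctl keys are escaped so a pattern cannot match a longer, unrelated key,
# and the match runs up to "=" so an existing uncommented line is replaced
# rather than duplicated. The sysctl module would be the idiomatic
# replacement, but lineinfile is kept so the existing handler contract holds.
- name: Sysctl, enable forwarding
  lineinfile:
    dest: /etc/sysctl.conf
    regexp: '^#?net\.ipv4\.ip_forward\s*='
    line: "net.ipv4.ip_forward = 1"
  notify: reload sysctl

# Forwarding hosts should not emit ICMP redirects; applied to "all" and
# "default" so both existing and future interfaces are covered.
- name: Sysctl, disabling send_redirects
  lineinfile:
    dest: /etc/sysctl.conf
    regexp: '^#?net\.ipv4\.conf\.{{ item }}\.send_redirects\s*='
    line: "net.ipv4.conf.{{ item }}.send_redirects = 0"
    insertafter: '^#?net\.ipv4\.conf\.all\.send_redirects'
  with_items:
    - all
    - default
  notify: reload sysctl

# Likewise ignore incoming ICMP redirects, which could otherwise steer
# forwarded traffic elsewhere.
- name: Sysctl, disable accept_redirects
  lineinfile:
    dest: /etc/sysctl.conf
    regexp: '^#?net\.ipv4\.conf\.{{ item }}\.accept_redirects\s*='
    line: "net.ipv4.conf.{{ item }}.accept_redirects = 0"
    insertafter: '^#?net\.ipv4\.conf\.all\.accept_redirects'
  with_items:
    - all
    - default
  notify: reload sysctl

# The signing key and repository come from variables defined outside this
# file; the key URL should be HTTPS, otherwise the package trust anchor is
# fetched over a channel anyone on the path can rewrite - confirm the value.
- name: Add OpenVPN key
  apt_key:
    url: "{{ openvpn_key_url }}"
    state: present

- name: Add OpenVPN repository
  apt_repository:
    repo: "{{ openvpn_repo_url }}"
    state: present
    update_cache: true

- name: Install OpenVPN
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - openvpn
    - easy-rsa

# Only runs once: "creates" skips the copy when the target directory exists.
- name: Copy easy-rsa directory
  command: cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
  args:
    creates: /etc/openvpn/easy-rsa

# Rewrites the "export KEY_*" lines of the easy-rsa vars file. The pattern is
# anchored on "export NAME=" so it cannot match a comment or a different key
# that merely contains the same text. Fields given as a single space are
# presumably intended as blank subject components - confirm that is wanted.
- name: Configure easy-rsa
  lineinfile:
    dest: /etc/openvpn/easy-rsa/vars
    regexp: '^export {{ item.name }}='
    line: 'export {{ item.name }}="{{ item.value }}"'
  with_items:
    - { name: "KEY_NAME", value: "MyVPN" }
    - { name: "KEY_COUNTRY", value: "XX" }
    - { name: "KEY_PROVINCE", value: " " }
    - { name: "KEY_CITY", value: " " }
    - { name: "KEY_ORG", value: "MyName" }
    - { name: "KEY_OU", value: " " }
    - { name: "KEY_EMAIL", value: " " }
  notify: openvpn restart

# The CA private key is generated on the VPN host itself and, thanks to
# "creates", never regenerated. Keeping the CA online on the server means a
# compromise of the host lets the attacker mint client certificates; an
# offline CA would be the stronger layout.
- name: Build CA
  shell: . ./vars; ./clean-all; ./pkitool --initca
  args:
    chdir: /etc/openvpn/easy-rsa
    creates: /etc/openvpn/easy-rsa/keys/ca.crt
  notify: openvpn restart

# "--server" marks the certificate for the server role, which the client
# profile can then check with remote-cert-tls.
- name: Build Server certificate
  shell: . ./vars; export KEY_NAME="server"; ./pkitool --server server
  args:
    chdir: /etc/openvpn/easy-rsa
    creates: /etc/openvpn/easy-rsa/keys/server.key
  notify: openvpn restart

# Client keys are created on the server; they must be transferred to the
# client and then removed from the server outside this play.
- name: Build Client certificates
  shell: . ./vars; export KEY_NAME="{{ item.name }}"; ./pkitool {{ item.name }}
  args:
    chdir: /etc/openvpn/easy-rsa
    creates: /etc/openvpn/easy-rsa/keys/{{ item.name }}.key
  with_items:
    - { name: "Client1" }
    - { name: "Client2" }
    - { name: "Client3" }
    - { name: "Client4" }
  notify: openvpn restart

# The output name follows KEY_SIZE from vars; "creates" assumes 2048 - confirm
# vars agrees, otherwise the step reruns on every play.
- name: Generate Diffie Hellman parameters
  shell: . ./vars; ./build-dh
  args:
    chdir: /etc/openvpn/easy-rsa
    creates: /etc/openvpn/easy-rsa/keys/dh2048.pem
  notify: openvpn restart

# Shared tls-auth key, used by the server (direction 0) and all clients
# (direction 1). Confirm the generated file is not group/world readable.
- name: Generate Secret key
  command: openvpn --genkey --secret /etc/openvpn/secret.key
  args:
    creates: /etc/openvpn/secret.key
  notify: openvpn restart

# Server configuration. Mode is quoted so YAML does not read it as an octal
# integer. The config holds no secrets itself, so 0644 is acceptable; the
# referenced key files are what must stay private.
# NOTE(review): comp-lzo enables compression inside the tunnel, which is known
# to leak plaintext through compression-oracle attacks; no "auth" directive is
# set, so the HMAC defaults to SHA1. Both can only be changed together with
# every client profile, so they are left as-is here.
- name: Setup OpenVPN
  blockinfile:
    dest: /etc/openvpn/vpn-server.conf
    owner: root
    group: root
    mode: "0644"
    create: true
    block: |
      dev tun
      user nobody
      group nogroup
      persist-key
      persist-tun
      local {{ ansible_eth0.ipv4.address }}
      cipher AES-256-CBC
      server 192.168.100.0 255.255.255.0
      ifconfig-pool-persist clientip.txt
      topology subnet
      tls-auth secret.key 0
      ca easy-rsa/keys/ca.crt
      cert easy-rsa/keys/server.crt
      key easy-rsa/keys/server.key
      dh easy-rsa/keys/dh2048.pem
      comp-lzo
      keepalive 10 120
      # Route to the VPN server
      push "route 192.168.100.1 255.255.255.255"
      # Some additional routes:
      push "route 88.0.0.0 255.224.0.0"
      push "route 105.38.0.0 255.254.0.0"
      push "route 202.32.0.0 255.224.0.0"
      push "route 250.30.0.0 255.252.0.0"
      # for debugging:
      #verb 3
  notify: openvpn restart

# The iptables module changes the running ruleset only; nothing here persists
# the rules across a reboot. The second rule admits any eth0-originated
# traffic into the VPN subnet, not just replies - restricting it with
# ctstate ESTABLISHED,RELATED would match the masquerading below.
- name: Setup iptables forwarding
  iptables:
    chain: FORWARD
    in_interface: "{{ item.in }}"
    out_interface: "{{ item.out }}"
    source: "{{ item.source }}"
    destination: "{{ item.dest }}"
    jump: ACCEPT
  with_items:
    - { in: "tun0", out: "eth0", source: "192.168.100.0/24", dest: "0.0.0.0/0" }
    - { in: "eth0", out: "tun0", source: "0.0.0.0/0", dest: "192.168.100.0/24" }

- name: Setup iptables postrouting
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: eth0
    source: 192.168.100.0/24
    jump: MASQUERADE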
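# OpenVPN client profile for Client1. cipher, comp-lzo and the tls-auth key
# must match the server configuration; the key direction is 0 on the server
# and 1 here.
client
dev tun
proto udp
# Placeholder hostname - replace with the server's real address.
remote my.vpn.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Client1.crt
# Private key: keep the file readable only by the user running OpenVPN.
key Client1.key
# Require the server certificate to carry the server role (issued with
# "pkitool --server"), so another client certificate from the same CA cannot
# pose as the server.
remote-cert-tls server
tls-auth secret.key 1
cipher AES-256-CBC
# Compression inside the tunnel is known to leak plaintext through
# compression-oracle attacks; remove it here and on the server together.
comp-lzo
verb 3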