openvpn
: This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
openvpn::config
: This class sets up the openvpn environment as well as the default config file
openvpn::install
: This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
openvpn::service
: This class maintains the openvpn service.
openvpn::ca
: This define creates the openvpn ca and ssl certificates
openvpn::client
: This define creates client certs for a specified server as well as a tarball that can be directly imported into clients
openvpn::client_specific_config
: This feature is explained here: http://openvpn.net/index.php/open-source/documentation/howto.html#policy All the parameters are explained in the openvpn documentation
openvpn::revoke
: This define creates a revocation on a certificate for a specified server.
openvpn::server
: This define creates the openvpn server instance which can run in server or client mode.
This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
class { 'openvpn':
autostart_all => true,
}
The following parameters are available in the openvpn
class:
autostart_all
manage_service
etc_directory
group
link_openssl_cnf
pam_module_path
namespecific_rclink
default_easyrsa_ver
easyrsa_source
additional_packages
ldap_auth_plugin_location
client_defaults
clients
client_specific_config_defaults
client_specific_configs
revoke_defaults
revokes
server_defaults
servers
server_directory
server_service_name
autostart_all
Data type: Boolean
Whether openvpn instances should be started automatically on boot.
manage_service
Data type: Boolean
Whether the openvpn service should be managed by puppet.
etc_directory
Data type: Stdlib::Absolutepath
Path of the configuration directory.
group
Data type: String[1]
File group of the generated config files.
link_openssl_cnf
Data type: Boolean
Link easy-rsa/openssl.cnf to easy-rsa/openssl-1.0.0.cnf
pam_module_path
Data type: Optional[Stdlib::Absolutepath]
Path to openvpn-auth-pam.so
namespecific_rclink
Data type: Boolean
Enable name-specific rc links (BSD-style)
default_easyrsa_ver
Data type: Pattern[/^[23]\.0$/]
Expected version of easyrsa.
easyrsa_source
Data type: Stdlib::Unixpath
Location of easyrsa.
additional_packages
Data type: Variant[String[1], Array[String[1]]]
Additional packages to install.
ldap_auth_plugin_location
Data type: Optional[Stdlib::Absolutepath]
Path to the ldap auth pam module
client_defaults
Data type: Hash
Hash of defaults for clients passed to the openvpn::client defined type.
Default value: {}
clients
Data type: Hash
Hash of clients passed to the openvpn::client defined type.
Default value: {}
client_specific_config_defaults
Data type: Hash
Hash of defaults for client specific configurations passed to the openvpn::client_specific_config defined type.
Default value: {}
client_specific_configs
Data type: Hash
Hash of client specific configurations passed to the openvpn::client_specific_config defined type.
Default value: {}
revoke_defaults
Data type: Hash
Hash of defaults for revokes passed to the openvpn::revoke defined type.
Default value: {}
revokes
Data type: Hash
Hash of revokes passed to the openvpn::revoke defined type.
Default value: {}
server_defaults
Data type: Hash
Hash of defaults for servers passed to the openvpn::server defined type.
Default value: {}
servers
Data type: Hash
Hash of servers passed to the openvpn::server defined type.
Default value: {}
server_directory
Data type: Optional[Stdlib::Absolutepath]
Path of the server configuration. This is usually ${etc_directory}/openvpn, but RHEL/CentOS 8 uses ${etc_directory}/openvpn/server.
server_service_name
Data type: String[1]
Name of the openvpn server service. This is usually openvpn, but RHEL/CentOS 8 uses openvpn-server.
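The *_defaults and per-resource hashes let a whole deployment live in one class declaration (or in Hiera data bound to these parameters). The following is an added example, not code from the module's own documentation: one server and two clients, with the server_defaults and client_defaults hashes merged under each entry so that per-client overrides stay small. The server name, network, DNS server, hostname, client names and the choice of an EC key are assumptions for illustration. Note that the module's default tls_cipher list contains only DHE-RSA suites, which cannot authenticate an EC server certificate in a TLS 1.2 handshake, so the example replaces that list on both sides.

```puppet
# Added example (not from the puppet-openvpn documentation). One server and two
# clients declared through the class-level hashes; *_defaults are merged under
# each entry, so per-client overrides stay small. Names, network and hostnames
# are assumptions for illustration.
class { 'openvpn':
  autostart_all   => true,
  server_defaults => {
    'country'        => 'CH',
    'province'       => 'ZH',
    'city'           => 'Winterthur',
    'organization'   => 'example.org',
    'email'          => 'root@example.org',
    'proto'          => 'udp',
    'tls_crypt'      => true,      # encrypt and authenticate the control channel
    'crl_verify'     => true,      # revoked client certificates must stop working
    'crl_auto_renew' => true,      # a CRL past its nextUpdate would lock everyone out
    'duplicate_cn'   => false,     # one session per certificate
    # An EC server certificate cannot authenticate with the default DHE-RSA
    # suites in a TLS 1.2 handshake, so the tls_cipher list is replaced too.
    'ssl_key_algo'   => 'ec',
    'ssl_key_curve'  => 'secp384r1',
    'ecdh_curve'     => 'secp384r1',
    'tls_cipher'     => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256',
  },
  servers         => {
    'staff' => {
      'server' => '10.200.200.0 255.255.255.0',
      'push'   => ['dhcp-option DNS 10.200.200.1', 'route 10.10.0.0 255.255.0.0'],
    },
  },
  client_defaults => {
    'server'          => 'staff',
    'remote_host'     => 'vpn.example.org',
    'proto'           => 'udp',
    'tls_crypt'       => true,
    'remote_cert_tls' => true,     # reject a client certificate presented as a server
    'x509_name'       => 'server', # pin the server's common_name (module default)
    'pull'            => true,     # accept the pushed DNS server and route
    'tls_cipher'      => 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256',
  },
  clients         => {
    'alice' => {},
    'bob'   => { 'expire' => 90 },  # short-lived certificate for a contractor
  },
}
```

The client-side proto, tls_crypt and tls_cipher values must mirror the server's, because openvpn::client does not read them from the server resource; keeping them in client_defaults is what prevents the two halves from drifting apart.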
openvpn::config
: This class sets up the openvpn environment as well as the default config file
openvpn::install
: This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
openvpn::service
: This class maintains the openvpn service.
This define creates the openvpn ca and ssl certificates
openvpn::ca { 'winterthur':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
}
The following parameters are available in the openvpn::ca
defined type:
dn_mode
country
province
city
organization
email
common_name
group
ssl_key_algo
ssl_key_size
ssl_key_curve
key_expire
ca_expire
digest
key_name
key_ou
key_cn
tls_auth
tls_static_key
crl_days
dn_mode
Data type: Enum['org','cn_only']
EasyRSA X509 DN mode.
Default value: 'org'
country
Data type: Optional[String]
Country to be used for the SSL certificate
Default value: undef
province
Data type: Optional[String]
Province to be used for the SSL certificate
Default value: undef
city
Data type: Optional[String]
City to be used for the SSL certificate
Default value: undef
organization
Data type: Optional[String]
Organization to be used for the SSL certificate
Default value: undef
email
Data type: Optional[String]
Email address to be used for the SSL certificate
Default value: undef
common_name
Data type: String
Common name to be used for the SSL certificate
Default value: 'server'
group
Data type: Optional[String]
File group of the generated CA directory and keys
Default value: undef
ssl_key_algo
Data type: Enum['rsa', 'ec', 'ed']
SSL key algorithm. ec enables elliptic curve keys; ed uses ed25519 keys.
Default value: 'rsa'
ssl_key_size
Data type: Integer
Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
Default value: 2048
ssl_key_curve
Data type: String
Named curve for the SSL keys, used if ssl_key_algo is ec or ed
Default value: 'secp384r1'
key_expire
Data type: Integer
The number of days to certify the server certificate for
Default value: 3650
ca_expire
Data type: Integer
The number of days to certify the CA certificate for
Default value: 3650
digest
Data type: Enum['md5','sha1','sha256','sha224','sha384','sha512']
Cryptographic digest used to sign certificates. md5 and sha1 are accepted only for legacy compatibility and are broken for signatures; keep the default or another SHA-2 digest.
Default value: 'sha512'
key_name
Data type: Optional[String]
Value for name_default variable in openssl.cnf and KEY_NAME in vars
Default value: undef
key_ou
Data type: Optional[String]
Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
Default value: undef
key_cn
Data type: Optional[String]
Value for commonName_default variable in openssl.cnf and KEY_CN in vars
Default value: undef
tls_auth
Data type: Boolean
Determines whether a tls-auth key (ta.key) is generated
Default value: false
tls_static_key
Data type: Boolean
Determines whether a static TLS key is generated
Default value: false
crl_days
Data type: Integer
The number of days the certificate revocation list is valid for after generation
Default value: 30
This define creates client certs for a specified server as well as a tarball that can be directly imported into clients
openvpn::client {
'my_user':
server => 'contractors',
remote_host => 'vpn.mycompany.com'
}
The following parameters are available in the openvpn::client
defined type:
server
compression
dev
mute
mute_replay_warnings
nobind
persist_key
persist_tun
port
proto
remote_host
cipher
tls_cipher
resolv_retry
auth_retry
verb
pam
authuserpass
tls_auth
tls_crypt
x509_name
setenv
setenv_safe
up
down
sndbuf
rcvbuf
shared_ca
custom_options
expire
readme
pull
server_extca_enabled
remote_cert_tls
server
Data type: String
Name of the corresponding openvpn endpoint
compression
Data type: Optional[String[1]]
Which compression algorithm to use. This parameter is deprecated in OpenVPN 2.5: compressing traffic before it is encrypted exposes it to compression side-channel attacks such as VORACLE, so leave it unset unless the server requires it.
Default value: undef
dev
Data type: Enum['tap', 'tun']
Device method
Default value: 'tun'
mute
Data type: Integer
Set log mute level
Default value: 20
mute_replay_warnings
Data type: Boolean
Silence duplicate packet warnings (common on wireless networks)
Default value: true
nobind
Data type: Boolean
Do not bind to a local address and port (sets nobind); the client uses an ephemeral source port.
Default value: true
persist_key
Data type: Boolean
Don't re-read key files across restarts (sets persist-key), so the keys remain available after privileges have been dropped.
Default value: true
persist_tun
Data type: Boolean
Don't close and reopen the TUN/TAP device across restarts (sets persist-tun).
Default value: true
port
Data type: String
The port the openvpn server service is running on
Default value: '1194'
proto
Data type: Enum['tcp','udp']
What IP protocol is being used.
Default value: 'tcp'
remote_host
Data type: Variant[String, Array[String]]
The IP or hostname of the openvpn server service.
Default value: $facts['networking']['fqdn']
cipher
Data type: String
Cipher to use for packet encryption
Default value: 'AES-256-GCM'
tls_cipher
Data type: String
TLS cipher suites allowed on the control channel for TLS 1.2 handshakes (OpenVPN 2.5 and later negotiate TLS 1.3 through tls-ciphersuites, which this list does not affect). The default suites are DHE-RSA only and do not match a server whose certificate is not RSA; use ECDHE-ECDSA suites if the server uses an ec or ed key.
Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
resolv_retry
Data type: String
How many seconds the openvpn client should keep trying to resolve the server's hostname
Default value: 'infinite'
auth_retry
Data type: Enum['none', 'nointeract', 'interact']
Controls how OpenVPN responds to username/password verification errors such as the client-side response to an AUTH_FAILED message from the server or verification failure of the private key password.
Default value: 'none'
verb
Data type: String
Level of logging verbosity
Default value: '3'
pam
Data type: Boolean
DEPRECATED: Boolean, Enable/Disable.
Default value: false
authuserpass
Data type: Boolean
Set if username and password are required
Default value: false
tls_auth
Data type: Boolean
Activates tls-auth to add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. This has to be set to the same value as on the server.
Default value: false
tls_crypt
Data type: Boolean
Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
Default value: false
x509_name
Data type: Optional[String]
Common name of the openvpn server for x509-name verification (sets verify-x509-name). Together with remote_cert_tls this is what stops another holder of a valid client certificate from impersonating the server.
Default value: undef
setenv
Data type: Hash
Set a custom environmental variable name=value to pass to script.
Default value: {}
setenv_safe
Data type: Hash
Set a custom environmental variable OPENVPN_name=value to pass to script. This directive is designed to be pushed by the server to clients, and the prepending of "OPENVPN_" to the environmental variable is a safety precaution to prevent a LD_PRELOAD style attack from a malicious or compromised server.
Default value: {}
up
Data type: Optional[String[1]]
Script which we want to run when the openvpn client is connecting
Default value: undef
down
Data type: Optional[String[1]]
Script which we want to run when the openvpn client is disconnecting
Default value: undef
sndbuf
Data type: Optional[Integer]
Set the TCP/UDP socket send buffer size.
Default value: undef
rcvbuf
Data type: Optional[Integer]
Set the TCP/UDP socket receive buffer size.
Default value: undef
shared_ca
Data type: Optional[String]
The name of an openvpn::ca resource to use.
Default value: undef
custom_options
Data type: Hash
Hash of additional options that you want to append to the configuration file.
Default value: {}
expire
Data type: Optional[Integer]
Set a custom expiry time to pass to the script. Value is the number of days the certificate is valid for.
Default value: undef
readme
Data type: Optional[String]
Text to place in a README file which is included in the download-configs archive.
Default value: undef
pull
Data type: Boolean
Allow the server to push options like DNS or routes
Default value: false
server_extca_enabled
Data type: Boolean
Turn this on if you are using an external CA solution, like FreeIPA. Use it in combination with exported resources, since they do not have access to the server configuration.
Default value: false
remote_cert_tls
Data type: Boolean
Enable or disable use of remote-cert-tls in the client configuration: the client then accepts only a peer certificate with the TLS server extended key usage, so a client certificate cannot be used to stand up a rogue server.
Default value: true
This define creates a client-specific configuration file for one client of the given server. The feature is explained in the OpenVPN HOWTO at http://openvpn.net/index.php/open-source/documentation/howto.html#policy, which also explains all the parameters.
openvpn::client_specific_config {
'vpn_client':
server => 'contractors',
iroute => ['10.0.1.0 255.255.255.0'],
ifconfig => '10.10.10.1 10.10.10.2',
dhcp_options => ['DNS 8.8.8.8']
}
The following parameters are available in the openvpn::client_specific_config
defined type:
server
iroute
iroute_ipv6
route
ifconfig
ifconfig_ipv6
dhcp_options
redirect_gateway
custom_options
ensure
manage_client_configs
server
Data type: String[1]
Name of the corresponding openvpn endpoint
iroute
Data type: Array[String[1]]
Array of iroute combinations (networks behind this client that the server should route to it).
Default value: []
iroute_ipv6
Data type: Array[String[1]]
Array of IPv6 iroute combinations.
Default value: []
route
Data type: Array[String[1]]
Array of route combinations pushed to the client.
Default value: []
ifconfig
Data type: Optional[String[1]]
IP configuration to push to the client.
Default value: undef
ifconfig_ipv6
Data type: Optional[String[1]]
IPv6 configuration to push to the client.
Default value: undef
dhcp_options
Data type: Array[String[1]]
DHCP options to push to the client.
Default value: []
redirect_gateway
Data type: Boolean
Redirect all traffic to the gateway
Default value: false
custom_options
Data type: Hash
Hash of additional options to append to the configuration file.
Default value: {}
ensure
Data type: Enum['present', 'absent']
Sets the client specific configuration file status (present or absent)
Default value: present
manage_client_configs
Data type: Boolean
Manage dependencies on Openvpn::Client resources
Default value: true
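A worked example of the policy feature, added here and not part of the module's documentation: a site-to-site client owns a subnet behind it, so the server needs both a kernel route for that subnet (route on the server) and an iroute in the client's file so OpenVPN knows which session to hand it to. The server also sets ccd_exclusive, which rejects any client that has no file, so a roaming user with a perfectly valid certificate still needs an (empty) entry. Server name, hostname, addresses and client names are assumptions.

```puppet
# Added example, not from the puppet-openvpn documentation. All names and
# addresses are assumptions for illustration.
openvpn::server { 'contractors':
  country       => 'CH',
  province      => 'ZH',
  city          => 'Winterthur',
  organization  => 'example.org',
  email         => 'root@example.org',
  server        => '10.200.200.0 255.255.255.0',
  route         => ['10.0.1.0 255.255.255.0'],  # kernel route into the tunnel
  ccd_exclusive => true,                        # no ccd file, no access
  tls_auth      => true,
}

# Site-to-site peer: the 10.0.1.0/24 network sits behind it.
openvpn::client { 'branch-office':
  server      => 'contractors',
  remote_host => 'vpn.example.org',
  tls_auth    => true,
}

openvpn::client_specific_config { 'branch-office':
  server       => 'contractors',
  iroute       => ['10.0.1.0 255.255.255.0'],   # which session owns that subnet
  ifconfig     => '10.200.200.9 10.200.200.10', # fixed net30 pair for this peer
  dhcp_options => ['DNS 10.200.200.1'],
}

# Roaming user: under ccd_exclusive the file must exist even with nothing in it.
openvpn::client { 'alice':
  server      => 'contractors',
  remote_host => 'vpn.example.org',
  tls_auth    => true,
}

openvpn::client_specific_config { 'alice':
  server => 'contractors',
}
```

The client_specific_config title must equal the client's certificate common name (the openvpn::client title), because OpenVPN looks the file up by the CN presented during the handshake. Removing a client's file (ensure => absent) therefore locks that certificate out immediately under ccd_exclusive, even before a revocation has been issued.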
This define creates a revocation on a certificate for a specified server.
openvpn::client {
'my_user':
server => 'contractors'
}
openvpn::revoke {
'my_user':
server => 'contractors'
}
The following parameters are available in the openvpn::revoke
defined type:
server
Data type: String
Name of the corresponding openvpn endpoint
This define creates the openvpn server instance which can run in server or client mode.
openvpn::server { 'winterthur':
country => 'CH',
province => 'ZH',
city => 'Winterthur',
organization => 'example.org',
email => 'root@example.org',
server => '10.200.200.0 255.255.255.0',
}
file {
'/etc/openvpn/zurich/keys/ca.crt':
source => 'puppet:///path/to/ca.crt';
'/etc/openvpn/zurich/keys/zurich.crt':
source => 'puppet:///path/to/zurich.crt';
'/etc/openvpn/zurich/keys/zurich.key':
source => 'puppet:///path/to/zurich.key';
}
openvpn::server { 'zurich':
remote => [ 'mgmtnet3.nine.ch 1197', 'mgmtnet2.nine.ch 1197' ],
require => [ File['/etc/openvpn/zurich/keys/ca.crt'],
File['/etc/openvpn/zurich/keys/zurich.crt'],
File['/etc/openvpn/zurich/keys/zurich.key'] ];
}
The following parameters are available in the openvpn::server
defined type:
dn_mode
country
province
city
organization
email
remote
remote_random_hostname
remote_random
common_name
compression
dev
user
group
ipp
duplicate_cn
local
logfile
manage_logfile_directory
logdirectory_user
logdirectory_group
port
portshare
proto
status_log
status_version
server
server_ipv6
server_bridge
push
route
route_ipv6
keepalive
ssl_key_algo
ssl_key_size
ssl_key_curve
ecdh_curve
topology
c2c
tcp_nodelay
ccd_exclusive
pam
pam_module_arguments
management
management_ip
management_port
up
down
client_connect
client_disconnect
username_as_common_name
client_cert_not_required
ldap_enabled
ldap_server
ldap_binddn
ldap_bindpass
ldap_u_basedn
ldap_u_filter
ldap_g_basedn
ldap_gmember
ldap_g_filter
ldap_memberatr
ldap_tls_enable
ldap_tls_ca_cert_file
ldap_tls_ca_cert_dir
ldap_tls_client_cert_file
ldap_tls_client_key_file
verb
cipher
tls_cipher
persist_key
persist_tun
key_expire
crl_days
digest
ca_expire
key_name
key_ou
key_cn
tls_auth
tls_crypt
tls_server
tls_client
server_poll_timeout
ping_timer_rem
sndbuf
rcvbuf
shared_ca
crl_verify
crl_auto_renew
crl_renew_schedule_period
crl_renew_schedule_repeat
extca_enabled
extca_ca_cert_file
extca_ca_crl_file
extca_server_cert_file
extca_server_key_file
extca_dh_file
extca_tls_auth_key_file
autostart
remote_cert_tls
nobind
secret
scripts
custom_options
fragment
dn_mode
Data type: Enum['org','cn_only']
EasyRSA X509 DN mode.
Default value: 'org'
country
Data type: Optional[String[1]]
Country to be used for the SSL certificate, mandatory for server mode.
Default value: undef
province
Data type: Optional[String[1]]
Province to be used for the SSL certificate, mandatory for server mode.
Default value: undef
city
Data type: Optional[String[1]]
City to be used for the SSL certificate, mandatory for server mode.
Default value: undef
organization
Data type: Optional[String[1]]
Organization to be used for the SSL certificate, mandatory for server mode.
Default value: undef
email
Data type: Optional[String[1]]
Email address to be used for the SSL certificate, mandatory for server mode.
Default value: undef
remote
Data type: Optional[Array]
List of OpenVPN endpoints to connect to.
Default value: undef
remote_random_hostname
Data type: Boolean
OpenVPN will prepend a random string (6 bytes, 12 hex characters) to the hostname to prevent DNS caching. For example, "foo.example.com" would be modified to "<random-chars>.foo.example.com".
Default value: false
remote_random
Data type: Boolean
When multiple ${remote} address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure.
Default value: false
common_name
Data type: String
Common name to be used for the SSL certificate
Default value: 'server'
compression
Data type: Optional[String[1]]
Which compression algorithm to use. This parameter is deprecated in OpenVPN 2.5: compressing traffic before it is encrypted exposes it to compression side-channel attacks such as VORACLE, so leave it unset.
Default value: undef
dev
Data type: String
TUN/TAP virtual network device
Default value: 'tun0'
user
Data type: String
User to drop privileges to after startup
Default value: 'nobody'
group
Data type: Optional[String]
Group to drop privileges to after startup
Default value: undef
ipp
Data type: Boolean
Persist ifconfig information to a file to retain client IP addresses between sessions
Default value: false
duplicate_cn
Data type: Boolean
Allow multiple simultaneous connections with the same certificate common name. Leave this off where possible: with it on, a leaked client certificate can be used from several machines at once without the legitimate user being disconnected, and client_specific_config entries no longer map to a single session.
Default value: false
local
Data type: String
Interface for openvpn to bind to.
Default value: $facts['networking']['ip']
logfile
Data type: Variant[Boolean, String]
Logfile for this openvpn server
Default value: false
manage_logfile_directory
Data type: Boolean
Manage the directory that the logfile is located in
Default value: false
logdirectory_user
Data type: String[1]
The owner user of the logfile directory
Default value: 'nobody'
logdirectory_group
Data type: String[1]
The owner group of the logfile directory
Default value: 'nobody'
port
Data type: String
The port the openvpn server service is running on
Default value: '1194'
portshare
Data type: Optional[String]
The address and port to which non-openvpn requests shall be forwarded, e.g. 127.0.0.1 8443
Default value: undef
proto
Data type: Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']
What IP protocol is being used.
Default value: 'tcp'
status_log
Data type: String
Logfile for periodic dumps of the vpn service status
Default value: "/var/log/openvpn/${name}-status.log"
status_version
Data type: Enum['1', '2', '3', '']
Choose the status file format version number.
Default value: ''
server
Data type: Optional[String[1]]
Network to assign client addresses out of. Required in tun mode, not in tap mode
Default value: undef
server_ipv6
Data type: Optional[String[1]]
IPv6 network to assign client addresses out of
Default value: undef
server_bridge
Data type: Optional[String[1]]
Server configuration to comply with an existing DHCP server
Default value: undef
push
Data type: Array
Options to push out to the client. This can include routes, DNS servers, DNS search domains, and many other options.
Default value: []
route
Data type: Array
Add route to routing table after connection is established. Multiple routes can be specified.
Default value: []
route_ipv6
Data type: Array
Add IPv6 route to routing table after connection is established. Multiple routes can be specified.
Default value: []
keepalive
Data type: Optional[String[1]]
Add keepalive directive (ping and ping-restart) to server. Should match the form "n m".
Default value: undef
ssl_key_algo
Data type: Enum['rsa', 'ec', 'ed']
SSL key algorithm. ec enables elliptic curve keys; ed uses ed25519 keys.
Default value: 'rsa'
ssl_key_size
Data type: Integer
Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
Default value: 2048
ssl_key_curve
Data type: String
Named curve for the SSL keys, used if ssl_key_algo is ec or ed
Default value: 'secp384r1'
ecdh_curve
Data type: Optional[String[1]]
Named curve for ECDH key exchange, used if ssl_key_algo is ec or ed
Default value: undef
topology
Data type: String
Define the network topology type
Default value: 'net30'
c2c
Data type: Boolean
Enable client-to-client visibility (sets client-to-client). OpenVPN then forwards traffic between clients internally, so it never passes the host's packet filter.
Default value: false
tcp_nodelay
Data type: Boolean
Disable Nagle's algorithm on the TCP socket (sets tcp-nodelay).
Default value: false
ccd_exclusive
Data type: Boolean
Require a client-specific configuration file for every client (sets ccd-exclusive); a client whose common name has no file is rejected.
Default value: false
pam
Data type: Boolean
Enable username/password authentication through the openvpn-auth-pam plugin.
Default value: false
pam_module_arguments
Data type: String
Arguments to pass to the PAM module. For FreeIPA, set this to "openvpn login USERNAME password PASSWORD" and create the HBAC Service "openvpn".
Default value: 'login'
management
Data type: Boolean
Enable the management interface. This define sets no management password, and whoever can reach the socket can inspect and kill sessions, so keep it bound to localhost or a unix socket.
Default value: false
management_ip
Data type: String
IP address where the management interface will listen
Default value: 'localhost'
management_port
Data type: Variant[Stdlib::Port::Unprivileged,Enum['unix']]
Port where the management interface will listen, or unix for a unix socket
Default value: 7505
up
Data type: Optional[String[1]]
Script which we want to run when the openvpn server starts. If the path to the script does not contain a slash, it is assumed to be in the openvpn/${name}/scripts directory.
Default value: undef
down
Data type: Optional[String[1]]
Script which we want to run when the openvpn server stops. If the path to the script does not contain a slash, it is assumed to be in the openvpn/${name}/scripts directory.
Default value: undef
client_connect
Data type: Optional[String[1]]
Script which we want to run when a client connects. If the path to the script does not contain a slash, it is assumed to be in the openvpn/${name}/scripts directory.
Default value: undef
client_disconnect
Data type: Optional[String[1]]
Script which we want to run when a client disconnects. If the path to the script does not contain a slash, it is assumed to be in the openvpn/${name}/scripts directory.
Default value: undef
username_as_common_name
Data type: Boolean
If true then set username-as-common-name
Default value: false
client_cert_not_required
Data type: Boolean
If true then set client-cert-not-required. This turns off certificate authentication of clients entirely, leaving only the plugin (PAM/LDAP) username/password check; OpenVPN 2.4 deprecated the directive in favour of verify-client-cert none and 2.5 removed it.
Default value: false
ldap_enabled
Data type: Boolean
Enable username/password authentication through the openvpn-auth-ldap plugin, configured from the ldap_* parameters below.
Default value: false
ldap_server
Data type: Optional[String[1]]
URL of the LDAP server, e.g. ldap://URL:PORT
Default value: undef
ldap_binddn
Data type: Optional[String[1]]
LDAP DN to bind as
Default value: undef
ldap_bindpass
Data type: Optional[String[1]]
LDAP password for ldap_binddn. It is written in clear text to the generated plugin configuration on the server, so use a dedicated read-only bind account.
Default value: undef
ldap_u_basedn
Data type: Optional[String[1]]
Place in the LDAP tree to look for users
Default value: undef
ldap_u_filter
Data type: Optional[String[1]]
User SearchFilter for LDAP accounts
Default value: undef
ldap_g_basedn
Data type: Optional[String[1]]
Place in the LDAP tree to look for groups
Default value: undef
ldap_gmember
Data type: Boolean
If true, use the group block in ldap.conf
Default value: false
ldap_g_filter
Data type: Optional[String[1]]
Group SearchFilter for LDAP accounts
Default value: undef
ldap_memberatr
Data type: Optional[String[1]]
Attribute for MemberAttribute. Used with the group filter
Default value: undef
ldap_tls_enable
Data type: Boolean
Enable TLS for the LDAP authentication
Default value: false
ldap_tls_ca_cert_file
Data type: Optional[String[1]]
LDAP TLS authentication: path to the CA certificate.
Default value: undef
ldap_tls_ca_cert_dir
Data type: Optional[String[1]]
LDAP TLS authentication: path to a directory of CA certificates.
Default value: undef
ldap_tls_client_cert_file
Data type: Optional[Stdlib::Absolutepath]
LDAP TLS authentication: path to the TLS client certificate
Default value: undef
ldap_tls_client_key_file
Data type: Optional[Stdlib::Absolutepath]
LDAP TLS authentication: path to the TLS client key
Default value: undef
verb
Data type: Optional[String]
Level of logging verbosity
Default value: undef
cipher
Data type: String
Cipher to use for packet encryption
Default value: 'AES-256-GCM'
tls_cipher
Data type: String
TLS cipher suites allowed on the control channel for TLS 1.2 handshakes (OpenVPN 2.5 and later negotiate TLS 1.3 through tls-ciphersuites, which this list does not affect). The default suites are DHE-RSA only and do not match an ec or ed server certificate; use ECDHE-ECDSA suites in that case, on the clients as well.
Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
persist_key
Data type: Boolean
Don't re-read key files across restarts (sets persist-key), so the keys remain available after privileges have been dropped to user and group.
Default value: false
persist_tun
Data type: Boolean
Don't close and reopen the TUN/TAP device across restarts (sets persist-tun).
Default value: false
key_expire
Data type: Integer
The number of days to certify the server certificate for
Default value: 3650
crl_days
Data type: Integer[1]
The number of days the client revocation list will be valid for after generating
Default value: 30
digest
Data type: Enum['md5','sha1','sha256','sha224','sha384','sha512']
Cryptographic digest used to sign certificates. md5 and sha1 are accepted only for legacy compatibility and are broken for signatures; keep the default or another SHA-2 digest.
Default value: 'sha512'
ca_expire
Data type: Integer
The number of days to certify the CA certificate for
Default value: 3650
key_name
Data type: Optional[String]
Value for name_default variable in openssl.cnf and KEY_NAME in vars
Default value: undef
key_ou
Data type: Optional[String]
Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
Default value: undef
key_cn
Data type: Optional[String]
Value for commonName_default variable in openssl.cnf and KEY_CN in vars
Default value: undef
tls_auth
Data type: Boolean
Activates tls-auth to add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. Clients must use the same setting and the same key.
Default value: false
tls_crypt
Data type: Boolean
Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
Default value: false
tls_server
Data type: Boolean
Whether to set the tls-server directive when proto is not tcp (for tcp it is set regardless).
Default value: false
tls_client
Data type: Boolean
Allows you to set this server up as a tls-client connection.
Default value: false
server_poll_timeout
Data type: Optional[Integer]
Value for the timeout before trying the next server.
Default value: undef
ping_timer_rem
Data type: Boolean
Do not start clocking timeouts until a remote peer connects.
Default value: false
sndbuf
Data type: Optional[Integer]
Set the TCP/UDP socket send buffer size.
Default value: undef
rcvbuf
Data type: Optional[Integer]
Set the TCP/UDP socket receive buffer size.
Default value: undef
shared_ca
Data type: Optional[String]
Name of an openvpn::ca resource whose CA and keys this server uses instead of generating its own
Default value: undef
crl_verify
Data type: Boolean
Enable CRL checking. Disabling this is not recommended: without it a revoked client certificate keeps working until it expires, which with the default key_expire is ten years.
Default value: true
crl_auto_renew
Data type: Boolean
Enables automatic renewing of crl.pem. Without renewal the CRL expires after crl_days, and OpenVPN then rejects every client because a CRL past its nextUpdate date fails verification.
Default value: false
crl_renew_schedule_period
Data type: String
Sets the "period" parameter of the schedule for renewing the CRL. Since changing the expiry of 30 days is not possible with easy-rsa 2, twice a month should be good.
Default value: 'monthly'
crl_renew_schedule_repeat
Data type: Integer
Sets the "repeat" parameter of the schedule for renewing the CRL. Since changing the expiry of 30 days is not possible with easy-rsa 2, twice a month should be good.
Default value: 2
extca_enabled
Data type: Boolean
Turn this on if you are using an external CA solution, like FreeIPA. Once enabled, you must configure the remaining extca_* parameters.
Default value: false
extca_ca_cert_file
Data type: Optional[String]
External CA: Path to the CA certificate.
Default value: undef
extca_ca_crl_file
Data type: Optional[String]
External CA: Path to the CA's CRL file. For FreeIPA-based CAs, CRLs expire every four hours, which means you may need your own solution for maintaining a local copy of your CA's CRL. Otherwise, you can set crl_verify to false (not recommended).
Default value: undef
extca_server_cert_file
Data type: Optional[String]
External CA: Path to the external CA issued OpenVPN server certificate.
Default value: undef
extca_server_key_file
Data type: Optional[String]
External CA: Path to the key file that corresponds to $extca_server_cert_file
Default value: undef
extca_dh_file
Data type: Optional[String]
External CA: Path to your Diffie-Hellman parameter file. You will need to create one yourself. Make sure the key size matches the public key size of your CA-issued server certificate, for example: openssl dhparam -out /path/to/dh.pem 2048. Note: This is only required if you are enabling $tls_server.
Default value: undef
extca_tls_auth_key_file
Data type: Optional[String]
External CA: If you are enabling $extca_enabled and $tls_auth, you will also need to create the tls-auth key file and specify its location here. The file can be created like this: openvpn --genkey --secret /path/to/ta.key. Note: you will need to distribute this file to your clients as well.
Default value: undef
autostart
Data type: Optional[Boolean]
Enable autostart for this server if openvpn::autostart_all is false.
Default value: undef
remote_cert_tls
Data type: Boolean
Enable or disable use of remote-cert-tls for the session. Generally used with client configuration
Default value: true
nobind
Data type: Boolean
Whether or not to bind to a specific port number.
Default value: false
secret
Data type: Optional[String]
A pre-shared static key. Static-key mode skips TLS entirely: there is no per-client identity, no revocation and no forward secrecy, and whoever holds the key can impersonate either end, so use it only for point-to-point links.
Default value: undef
scripts
Data type: Hash[String, Hash]
Hash of scripts to copy with this instance.
For example, to put a script in /etc/openvpn/test-site/scripts/add-tap-to-bridge.sh and use it as an up script:
openvpn::server { 'test-site':
  # ...
  up      => 'add-tap-to-bridge.sh',
  scripts => {
    'add-tap-to-bridge.sh' => {
      source => 'puppet:///path/to/add-tap-to-bridge.sh',
    },
  },
}
Default value: {}
custom_options
Data type: Hash
Hash of additional options to append to the configuration file.
Default value: {}
fragment
Data type: Variant[Boolean, Integer]
Enable internal datagram fragmentation so that no UDP datagram sent over the tunnel exceeds this many bytes (sets fragment); false leaves the directive unset.
Default value: false
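The extca_* parameters above describe a procedure: enable extca_enabled, then point every remaining extca_* parameter at a file the module will not create for you, including a Diffie-Hellman file when tls_server is set and a ta.key when tls_auth is set. The following is an added example, not from the module's documentation, that carries that procedure through in one manifest: the files are delivered first, with the private material kept unreadable and out of the agent's diff output, and the server is declared against them. The extca directory, the puppet:// source paths, the hostname and the network are assumptions.

```puppet
# Added example (not from the puppet-openvpn documentation): run a server on
# certificates issued by an external CA. The module creates none of these files,
# so they are delivered with file resources first. Directory, source paths and
# addresses are assumptions for illustration.
$extca_dir = '/etc/openvpn/extca'

file { $extca_dir:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0750',
}

file {
  default:
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    require => File[$extca_dir];
  "${extca_dir}/ca.crt":
    source => 'puppet:///modules/profile/vpn/ca.crt';
  # The CRL must be refreshed on the CA's schedule: once it is past nextUpdate,
  # crl_verify rejects every client, not only the revoked ones.
  "${extca_dir}/ca.crl":
    source => 'puppet:///modules/profile/vpn/ca.crl';
  "${extca_dir}/server.crt":
    source => 'puppet:///modules/profile/vpn/server.crt';
  # Private material: not world-readable, and never shown in agent diffs.
  "${extca_dir}/server.key":
    source    => 'puppet:///modules/profile/vpn/server.key',
    mode      => '0600',
    show_diff => false;
  # Generated out of band: openssl dhparam -out dh.pem 2048
  # (size chosen to match a 2048-bit RSA server key).
  "${extca_dir}/dh.pem":
    source => 'puppet:///modules/profile/vpn/dh.pem';
  # Generated out of band: openvpn --genkey --secret ta.key
  # The same file has to reach every client.
  "${extca_dir}/ta.key":
    source    => 'puppet:///modules/profile/vpn/ta.key',
    mode      => '0600',
    show_diff => false;
}

openvpn::server { 'corp':
  country                 => 'CH',
  province                => 'ZH',
  city                    => 'Winterthur',
  organization            => 'example.org',
  email                   => 'root@example.org',
  proto                   => 'udp',
  server                  => '10.201.0.0 255.255.255.0',
  extca_enabled           => true,
  extca_ca_cert_file      => "${extca_dir}/ca.crt",
  extca_ca_crl_file       => "${extca_dir}/ca.crl",
  extca_server_cert_file  => "${extca_dir}/server.crt",
  extca_server_key_file   => "${extca_dir}/server.key",
  extca_dh_file           => "${extca_dir}/dh.pem",   # required because tls_server is set
  extca_tls_auth_key_file => "${extca_dir}/ta.key",   # required because tls_auth is set
  tls_server              => true,
  tls_auth                => true,
  crl_verify              => true,
  require                 => File[
    "${extca_dir}/ca.crt",
    "${extca_dir}/ca.crl",
    "${extca_dir}/server.crt",
    "${extca_dir}/server.key",
    "${extca_dir}/dh.pem",
    "${extca_dir}/ta.key",
  ],
}
```

The explicit require keeps OpenVPN from being started against a half-delivered directory on the first agent run. Clients issued by the same external CA are declared with server_extca_enabled set on openvpn::client, since the module cannot sign them itself.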