k3karthic/ansible__openvpn

Ansible — OpenVPN Gateway

The Ansible playbook configures an Ubuntu 22.04 instance running OpenVPN to act as a NAT proxy.

You can run the OpenVPN server for free by using the Oracle Cloud Always Free tier. A Terraform script for deploying the server is linked below.

Code Mirrors

Requirements

Install the following before running the playbook,

pip install oci
ansible-galaxy collection install oracle.oci

Dynamic Inventory

The Oracle Ansible Inventory Plugin populates the inventory with the public Ubuntu instances in your tenancy.

The target Ubuntu instance must have the freeform tag openvpn_service: yes.

Configuration

  1. Update inventory/oracle.oci.yml,
    1. Specify the region where you have deployed your server on Oracle Cloud. The list of regions is at docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm.
    2. Configure the authentication as per the Oracle Guide.
  2. Set username and ssh authentication in inventory/group_vars/all.yml
  3. Set the OpenVPN virtual network in inventory/group_vars/all.yml

Deployment

Run the playbook using the following command,

./bin/apply.sh

Certificate Authority Setup

We need to create a Certificate Authority (CA) for the OpenVPN server and clients. A key signing server generates and signs certificates used for authentication.

For security, the key signing server should be a standalone server. The OpenVPN server can act as the key signing server for smaller deployments.

To get started, install easy-rsa on the system you will be using as the key signing server.

Initialize easy-rsa

Run the following commands on the key signing server.

Create a new Public Key Infrastructure (PKI) and CA,

$ ./easyrsa init-pki
$ ./easyrsa build-ca

Create files for OpenVPN server

Run the following commands on the key signing server.

Create and sign a certificate for the OpenVPN server,

$ ./easyrsa gen-req Relay
$ ./easyrsa sign-req server Relay

Generate the Diffie-Hellman (DH) parameters for the OpenVPN server,

$ ./easyrsa gen-dh

Copy pki/ca.crt and pki/dh.pem into the ca folder of the current repository. Create a file called ca/Relay.pass with the passphrase of the Relay private key (Relay.key).

Install OpenVPN on the key signing server and run the following command. This is only required to generate a shared secret for TLS authentication.

$ openvpn --genkey --secret ta.key

Copy ta.key into the ca folder of the current directory.

Create files for Client

Run the following commands on the key signing server.

Create and sign a certificate for the Client App,

$ ./easyrsa gen-req Client1
$ ./easyrsa sign-req client Client1

Copy pki/ca.crt, pki/ta.key, pki/private/Client1.key and pki/issued/Client1.crt to the client. Enter the passphrase of the private key during import or in the configuration.

Encryption

Encrypt sensitive files (SSH private keys) before saving them. .gitignore must contain the unencrypted file paths.

Use the following command to decrypt the files after cloning the repository,

$ ./bin/decrypt.sh

Use the following command after running terraform to update the encrypted files,

$ ./bin/encrypt.sh <gpg key id>
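The following preflight script is an added example and is not part of the k3karthic/ansible__openvpn repository. It checks, before ./bin/apply.sh is run, that the Certificate Authority Setup steps above have left ca/ca.crt, ca/dh.pem, ca/ta.key and ca/Relay.pass in place, that ta.key really is an OpenVPN static key, that the passphrase file is readable by its owner only, and that the plaintext secret paths named in the Encryption section are listed in .gitignore. The file names come from the README; the function names, the REPO argument, the mode check and the default list of ignored paths are assumptions of this example.

```shell
#!/bin/sh
# preflight_check.sh: added example, not part of the ansible__openvpn repository.
# Usage: sh preflight_check.sh /path/to/repo
#
# Verifies the artifacts the CA setup must have produced in ca/ and that the
# plaintext secrets are ignored by git, before ./bin/apply.sh is run.

# check_ca_dir REPO
# Returns 0 when ca/ holds non-empty ca.crt, dh.pem, ta.key and Relay.pass,
# ta.key carries the OpenVPN static-key header, and Relay.pass is mode 600 or 400.
check_ca_dir() {
  repo=$1
  ca_dir="$repo/ca"
  rc=0
  for f in ca.crt dh.pem ta.key Relay.pass; do
    if [ ! -s "$ca_dir/$f" ]; then
      echo "missing or empty: ca/$f" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return "$rc"

  # `openvpn --genkey --secret ta.key` writes a few '#' comment lines followed by this header.
  if ! grep -q '^-----BEGIN OpenVPN Static key V1-----' "$ca_dir/ta.key"; then
    echo "ca/ta.key does not look like an OpenVPN static key" >&2
    rc=1
  fi

  # The passphrase file must not be group- or world-readable (GNU stat first, BSD stat as fallback).
  mode=$(stat -c '%a' "$ca_dir/Relay.pass" 2>/dev/null || stat -f '%Lp' "$ca_dir/Relay.pass")
  case "$mode" in
    600|400) ;;
    *) echo "ca/Relay.pass has mode $mode; expected 600 or 400" >&2; rc=1 ;;
  esac
  return "$rc"
}

# check_gitignore REPO PATH...
# Returns 0 when every PATH appears as an exact line in REPO/.gitignore,
# so the plaintext secret cannot be committed by accident.
check_gitignore() {
  repo=$1
  shift
  rc=0
  [ -f "$repo/.gitignore" ] || { echo "no .gitignore in $repo" >&2; return 1; }
  for p in "$@"; do
    if ! grep -qxF -- "$p" "$repo/.gitignore"; then
      echo "not ignored by git: $p" >&2
      rc=1
    fi
  done
  return "$rc"
}

# preflight REPO [PATH...]
# Runs both checks; the default ignored paths are an assumption of this example,
# pass the repository's real plaintext secret paths instead.
preflight() {
  repo=$1
  shift
  if [ $# -eq 0 ]; then
    set -- ca/Relay.pass ca/ta.key
  fi
  check_ca_dir "$repo" && check_gitignore "$repo" "$@"
}

# When invoked with a repository path, run the checks and exit with their status.
if [ $# -gt 0 ]; then
  preflight "$1"
  exit $?
fi
```

A non-zero exit from preflight names each problem on stderr, so it can be wired in as the first step of ./bin/apply.sh or a CI job.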
