Making it work with Amazon EC2 instances

[corby]

Great module. But it's missing support for the standard Amazon EC2 AMI.

The following changes were needed to get it to work with Amazon:

1. Had to install easy-rpm from epel repo which is disabled by default
   yumrepo { "epel": enabled => 1 }
   package { "easy-rsa": require => Yumrepo["epel"] }
2. Had to make local changes to params.pp

--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -16,9 +16,13 @@
 #
 class openvpn::params {

-  $group = $::osfamily ? {
-    'RedHat' => 'nobody',
-    default  => 'nogroup'
+  if ($::operatingsystem == 'Amazon') {
+    $group = 'nobody'
+  } else {
+    $group = $::osfamily ? {
+      'RedHat' => 'nobody',
+      default  => 'nogroup',
+    }
   }

   case $::osfamily {
@@ -39,6 +43,8 @@ class openvpn::params {
       if($::operatingsystemmajrelease == 'jessie/sid' or $::lsbdistdescription == 'Ubuntu 13.10'){
         $additional_packages = ['easy-rsa']
         $easyrsa_source = '/usr/share/easy-rsa/'
+      } elsif ($::operatingsystem == 'Amazon') {
+        $easyrsa_source = '/usr/share/easy-rsa/2.0'
       } else {
         $easyrsa_source = '/usr/share/doc/openvpn/examples/easy-rsa/2.0'
       }

[luxflux]

To implement this... Could you tell me which facts the AMI has set? Especially the facts operatingsystem, osfamily, operatingsystemmajrelease, operatingsystemrelease and lsbdistdescription.

[luxflux]

@corby any news?

[luxflux]

Closed because of inactivity.

[gbarton]

I could really use this as currently I run a RHEL instance within AWS when a regular AWS version would do me just fine. Not many of the variables you requested report, here is a full dump of factor:

[ec2-user@ip-10-1-3-194 ~]$ facter -p
architecture => x86_64
augeasversion => 1.0.0
domain => ec2.internal
ec2_ami_id => ami-146e2a7c
ec2_ami_launch_index => 0
ec2_ami_manifest_path => (unknown)
ec2_block_device_mapping_ami => /dev/xvda
ec2_block_device_mapping_root => /dev/xvda
ec2_hostname => ip-10-1-3-194.ec2.internal
ec2_instance_id => i-b4a06a4e
ec2_instance_type => t2.micro
ec2_local_hostname => ip-10-1-3-194.ec2.internal
ec2_local_ipv4 => 10.1.3.194
ec2_placement_availability_zone => us-east-1d
ec2_profile => default-hvm
ec2_public_hostname => xxxx.amazonaws.com
ec2_public_ipv4 => xxx.xxx.xxx.xxx
ec2_public_keys_0_openssh_key => xxxxxx
ec2_reservation_id => r-9499cb7f
ec2_security_groups => bastion
facterversion => 1.6.18
fqdn => ip-10-1-3-194.ec2.internal
hardwareisa => x86_64
hardwaremodel => x86_64
hostname => ip-10-1-3-194
id => ec2-user
interfaces => eth0,lo
ipaddress => 10.1.3.194
ipaddress_eth0 => 10.1.3.194
ipaddress_lo => 127.0.0.1
is_virtual => true
kernel => Linux
kernelmajversion => 3.14
kernelrelease => 3.14.27-25.47.amzn1.x86_64
kernelversion => 3.14.27
macaddress => 0A:40:99:F5:A6:51
macaddress_eth0 => 0A:40:99:F5:A6:51
memoryfree => 913.47 MB
memorysize => 996.29 MB
memorytotal => 996.29 MB
mtu_eth0 => 9001
mtu_lo => 65536
netmask => 255.255.255.0
netmask_eth0 => 255.255.255.0
netmask_lo => 255.0.0.0
network_eth0 => 10.1.3.0
network_lo => 127.0.0.0
operatingsystem => Amazon
operatingsystemrelease => 3.14.27-25.47.amzn1.x86_64
osfamily => Linux
path => /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
physicalprocessorcount => 1
processor0 => Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
processorcount => 1
ps => ps -ef
puppetversion => 2.7.25
rubysitedir => /usr/lib/ruby/site_ruby/1.8
rubyversion => 1.8.7
selinux => false
sshdsakey => xxxx
sshecdsakey => xxxx
sshrsakey => xxxx
swapfree => 0.00 kB
swapsize => 0.00 kB
timezone => UTC
uniqueid => 010ac203
uptime => 0:31 hours
uptime_days => 0
uptime_hours => 0
uptime_seconds => 1872
virtual => xenhvm

Does this help? What OP said about epel not existing is true, that has to be manually added.

[luxflux]

I added this now in a branch called amazon-wheezy-small-support and opened a pull request #134. @gbarton, could you test it?

[gbarton]

Closer!! I gave it a shot, this was the first few lines, everything else is spewing errors due to dependencies so I skipped dumping it here.

err: /Stage[main]/Openvpn::Install/File[/etc/openvpn]: Could not evaluate: Could not find group nogroup
notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]: Dependency File[/etc/openvpn] has failures: true
warning: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]: Skipping because of failed dependencies
notice: /Stage[main]/Openvpn::Install/Package[easy-rsa]/ensure: created
n

[luxflux]

Thanks, @gbarton. I assume that it's nobody as for RedHat and updated the branch. Could you check again?

[gbarton]

Were getting closer. Tried on a fresh instance, now it hangs indefinitely here until I hit ctrl-C any ideas?

notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn]/group: group changed 'root' to 'nobody'
notice: /Stage[main]/Openvpn::Install/File[/etc/openvpn/keys]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver.conf]/ensure: defined content as '{md5}a136ee503bfe031280347c24d4c22352'
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver/download-configs]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/File[/etc/openvpn/testvpnserver/auth]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/Exec[copy easy-rsa to openvpn config folder testvpnserver]/returns: executed successfully
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/revoked]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/openssl.cnf]/ensure: created
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/Exec[fix_easyrsa_file_permissions_testvpnserver]: Triggered 'refresh' from 1 events
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/vars]/content: content changed '{md5}74cc9626a611540b882ea1d43ab2e9e0' to '{md5}463948c55be7bfa73ec6d89a8673063b'
notice: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/File[/etc/openvpn/testvpnserver/easy-rsa/vars]/group: group changed 'root' to 'nobody'
^CExiting
err: /Stage[main]/testopenvpn/Openvpn::Server[testvpnserver]/Openvpn::Ca[testvpnserver]/Exec[generate dh param testvpnserver]: Could not evaluate: Puppet::Util::Log requires a message

[luxflux]

@gbarton, my assumption would be that it's generating the dh params and waits for more entropy... Either you wait until it has enough or you try could install an entropy generator (e.g. havaged) to generate more available entropy.

Could you test again?

[gbarton]

It built! Thank you for suggesting to try one more time. For some reason a fresh yum update pushed things through, wasnt smart enough to pay attention to what came down. Does take a little while but it generates. I am unable to verify now though because I think I am running into an openvpn server change where I'm getting self signed cert errors:

Sun Mar 01 12:53:39 2015 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=XX, L=xxx, O=xxx, CN=xx CA, emailAddress=contact@xxx.com
Sun Mar 01 12:53:39 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Mar 01 12:53:39 2015 TLS Error: TLS object -> incoming plaintext read error
Sun Mar 01 12:53:39 2015 TLS Error: TLS handshake failed

Googling says that MD5 is no longer supported (centos 7 openvpn forums), is there a way to configure it to do something else?

[gbarton]

I'm not sure whats going on. Verified my openvpn configs on another RHEL 6.6 vm and it worked great. I tried manually adding auth SHA256, and setting cypher to a few different things. None seemed to help. I also copied every single client file down to no avail. (When it works normally I just need the .ovpn file)

[luxflux]

I just tested this on a ec2 instance (thanks @gbarton for the machine).

I tried to connect from the server itself and from my local computer with tunnelblick. It worked for both. The output can be found in this gist.

@gbarton do you have a proxy in between or something? Did you try with tcp and udp?

[luxflux]

As the current implementation seems to work, I am going to merge it.