Add TLS and x509-name verification support

README.md

@@ -10,6 +10,7 @@ Puppet module to manage OpenVPN servers
 * Support for multiple server instances
 * Support for LDAP-Authentication
 * Support for server instance in client mode
+* Support for TLS
 
 ## Supported OS
 

manifests/ca.pp

@@ -54,6 +54,10 @@
 #     and KEY_CN in vars
 #   Default: None
 #
+# [*tls_auth*]
+#   Boolean. Determins if a tls key is generated
+#   Default: False
+#
 # === Examples
 #
 #   openvpn::ca {
@@ -99,6 +103,7 @@
   $key_cn = '',
   $key_name = '',
   $key_ou = '',
+  $tls_auth = false,
 ) {
 
   include openvpn
@@ -194,6 +199,15 @@
     provider => 'shell',
     require  => Exec["generate server cert ${name}"],
   }
+  if $tls_auth {
+    exec { "generate tls key for ${name}":
+      command  => "openvpn --genkey --secret keys/ta.key",
+      cwd      => "/etc/openvpn/${name}/easy-rsa",
+      creates  => "/etc/openvpn/${name}/easy-rsa/keys/ta.key",
+      provider => 'shell',
+      require  => Exec["generate server cert ${name}"],
+    }
+  }
 
   file { "/etc/openvpn/${name}/easy-rsa/keys/crl.pem":
     ensure  => link,

manifests/client.pp

@@ -83,6 +83,17 @@
 #   Boolean. Set if username and password required
 #   Default: false
 #
+# [*tls_auth*]
+#   Boolean. Activates tls-auth to Add an additional layer of HMAC
+#     authentication on top of the TLS control channel to protect
+#     against DoS attacks. This has to be set to the same value as on the
+#     Server
+#   Default: false
+#
+# [*x509_name*]
+#   Common name of openvpn server to make an x509-name verification
+#   Default: undef
+#
 # [*setenv*]
 #   Hash. Set a custom environmental variable name=value to pass to script.
 #   Default: {}
@@ -165,6 +176,8 @@
   $setenv_safe = {},
   $up = '',
   $down = '',
+  $tls_auth = false,
+  $x509_name = undef,
   $sndbuf = undef,
   $rcvbuf = undef,
 ) {
@@ -207,6 +220,15 @@
     target  => "/etc/openvpn/${server}/easy-rsa/keys/ca.crt",
     require => Exec["generate certificate for ${name} in context of ${server}"],
   }
+  if $tls_auth {
+    file { "/etc/openvpn/${server}/download-configs/${name}/keys/${name}/ta.key":
+      ensure  => link,
+      target  => "/etc/openvpn/${server}/easy-rsa/keys/ta.key",
+      require => Exec["generate certificate for ${name} in context of ${server}"],
+      before  => Exec["tar the thing ${server} with ${name}"],
+      notify  => Exec["tar the thing ${server} with ${name}"],
+    }
+  }
 
   file { "/etc/openvpn/${server}/download-configs/${name}/${name}.conf":
     owner   => root,

manifests/server.pp

@@ -265,6 +265,17 @@
 #     and KEY_CN in vars
 #   Default: None
 #
+# [*tls_auth*]
+#   Boolean. Activates tls-auth to Add an additional layer of HMAC
+#     authentication on top of the TLS control channel to protect
+#     against DoS attacks.
+#   Default: false
+#
+# [*tls_server*]
+#   Boolean. If proto not tcp it lets you choose if the parameter
+#     tls-server is set or not.
+#   Default: false
+#
 # [*server_poll_timeout*]
 #   Integer. Value for timeout before trying the next server.
 #   Default: undef
@@ -378,6 +389,8 @@
   $cipher = '',
   $persist_key = false,
   $persist_tun = false,
+  $tls_auth = false,
+  $tls_server = false,
   $server_poll_timeout = undef,
   $ping_timer_rem = false,
   $sndbuf = undef,
@@ -389,9 +402,13 @@
   Openvpn::Server[$name] ~>
   Class['openvpn::service']
 
-  $tls_server = $proto ? {
-    /tcp/   => true,
-    default => false
+  if $tls_server {
+    $real_tls_server = $tls_server
+  } else {
+    $real_tls_server = $proto ? {
+      /tcp/   => true,
+      default => false
+    }
   }
 
   $group_to_set = $group ? {
@@ -439,6 +456,7 @@
       key_cn       => $key_cn,
       key_name     => $key_name,
       key_ou       => $key_ou,
+      tls_auth     => $tls_auth,
     }
   } else {
     # VPN Client Mode

spec/defines/openvpn_client_spec.rb

@@ -58,7 +58,8 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+3$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+20$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+none$/)}
-
+    it { should_not contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^tls-client$/)}
+    it { should_not contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verify-x509-name\s+"test_server"\s+name$/)}
     it { should_not contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^sndbuf/)}
     it { should_not contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^rcvbuf/)}
   end
@@ -82,8 +83,10 @@
       'verb'                  => '1',
       'setenv'                => {'CLIENT_CERT' => '0'},
       'setenv_safe'           => {'FORWARD_COMPATIBLE' => '1'},
-      'sndbuf' => 393216,
-      'rcvbuf' => 393215,
+      'tls_auth'              => true,
+      'x509_name'             => 'test_server',
+      'sndbuf'                => 393216,
+      'rcvbuf'                => 393215,
     } }
     let(:facts) { {
       :fqdn           => 'somehost',
@@ -108,6 +111,8 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^setenv\s+CLIENT_CERT\s+0$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^setenv_safe\s+FORWARD_COMPATIBLE\s+1$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^cipher\s+BF-CBC$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^tls-client$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verify-x509-name\s+"test_server"\s+name$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^sndbuf\s+393216$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^rcvbuf\s+393215$/)}
   end

spec/defines/openvpn_server_spec.rb

@@ -101,6 +101,8 @@
     it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/persist-tun/) }
     it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(%r{^duplicate-cn$}) }
     it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^ns-cert-type server/) }
+    it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+/etc/openvpn/test_server/keys/ta.key\s+0$}) }
+
   end
 
   context "creating a server setting all parameters" do
@@ -143,6 +145,8 @@
       'persist_key'     => true,
       'persist_tun'     => true,
       'duplicate_cn'    => true,
+      'tls_auth'        => true,
+      'tls_server'      => true,
     } }
 
     let(:facts) { {
@@ -189,6 +193,8 @@
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^down "/tmp/down"$}) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^script-security 2$}) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^duplicate-cn$}) }
+    it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-server$}) }
+    it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^tls-auth\s+/etc/openvpn/test_server/keys/ta.key\s+0$}) }
 
     it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^server-poll-timeout/) }
     it { should_not contain_file('/etc/openvpn/test_server.conf').with_content(/^ping-timer-rem/) }
@@ -209,7 +215,8 @@
               :key_expire   => 365,
               :key_cn       => 'yolo',
               :key_name     => 'burp',
-              :key_ou       => 'NSA')
+              :key_ou       => 'NSA',
+              :tls_auth     => true)
     }
 
   end

templates/client.erb

@@ -52,3 +52,14 @@ up "<%= @up %>"
 <% if @down != '' -%>
 down "<%= @down %>"
 <% end -%>
+<% if @tls_auth -%>
+
+# tls authentification
+tls-client
+tls-auth keys/<%= @name %>/ta.key 1
+<% end -%>
+<% if @x509_name -%>
+
+# x509 name verification
+verify-x509-name "<%= @x509_name %>" name
+<% end -%>

templates/server.erb

@@ -26,7 +26,7 @@ proto <%= @proto %>-server
 proto <%= @proto %>
 <% end -%>
 port <%= @port %>
-<% if @tls_server -%>
+<% if @real_tls_server -%>
 tls-server
 <% end -%>
 <% if @compression != '' -%>
@@ -126,3 +126,8 @@ duplicate-cn
 <% if @ping_timer_rem -%>
 ping-timer-rem
 <% end -%>
+<% if @tls_auth -%>
+
+# tls authentification
+tls-auth /etc/openvpn/<%= @name %>/keys/ta.key 0
+<% end -%>