From: Matt Birkholz Date: Wed, 13 Nov 2024 03:38:57 +0000 (-0700) Subject: Use OpenVPN's tls-crypt option, rather than tls-auth. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=fced149222935a9dcf92e47964018cf07d856547;p=Institute Use OpenVPN's tls-crypt option, rather than tls-auth. --- diff --git a/README.org b/README.org index 9a96824..cfdabbe 100644 --- a/README.org +++ b/README.org @@ -2188,7 +2188,7 @@ ca /usr/local/share/ca-certificates/{{ domain_name }}.crt cert server.crt key server.key dh dh2048.pem -tls-auth ta.key 0 +tls-crypt shared.key #+END_SRC Finally, here are the tasks (and handler) required to install and @@ -2252,7 +2252,7 @@ configure the OpenVPN server on Front. mode: u=r,g=,o= loop: - { src: front-dh2048.pem, dest: dh2048.pem } - - { src: front-ta.key, dest: ta.key } + - { src: front-shared.key, dest: shared.key } notify: Restart OpenVPN. - name: Configure OpenVPN. @@ -3648,7 +3648,7 @@ verb 3 ca /usr/local/share/ca-certificates/{{ domain_name }}.crt cert client.crt key client.key -tls-auth ta.key 1 +tls-crypt shared.key #+END_SRC The tasks that install and configure the OpenVPN client configuration @@ -3671,8 +3671,8 @@ for Core. - name: Install OpenVPN secret. become: yes copy: - src: ../Secret/front-ta.key - dest: /etc/openvpn/ta.key + src: ../Secret/front-shared.key + dest: /etc/openvpn/shared.key mode: u=r,g=,o= notify: Restart OpenVPN. @@ -5089,7 +5089,7 @@ ca /usr/local/share/ca-certificates/{{ domain_name }}.crt cert /etc/server.crt key /etc/server.key dh dh2048.pem -tls-auth ta.key 0 +tls-crypt shared.key #+END_SRC Finally, here are the tasks (and handler) required to install and @@ -5133,7 +5133,7 @@ configure the OpenVPN server on Gate. mode: u=r,g=,o= loop: - { src: gate-dh2048.pem, dest: dh2048.pem } - - { src: gate-ta.key, dest: ta.key } + - { src: gate-shared.key, dest: shared.key } notify: Restart OpenVPN. - name: Configure OpenVPN. 
@@ -5856,8 +5856,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") { mysystem "cd Secret/CA; ./easyrsa build-server-full core.$pvt nopass"; mysystem "cd Secret/CA; ./easyrsa build-client-full core nopass"; umask 077; - mysystem "openvpn --genkey secret Secret/front-ta.key"; - mysystem "openvpn --genkey secret Secret/gate-ta.key"; + mysystem "openvpn --genkey secret Secret/front-shared.key"; + mysystem "openvpn --genkey secret Secret/gate-shared.key"; mysystem "openssl dhparam -out Secret/front-dh2048.pem 2048"; mysystem "openssl dhparam -out Secret/gate-dh2048.pem 2048"; @@ -6637,13 +6637,13 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") { <>"; if ($type ne "campus") { - my $TA = read_file "Secret/front-ta.key"; - write_template ($DEV,$UP,$CA,$CRT,$KEY,$TA, $front_addr, + my $TC = read_file "Secret/front-shared.key"; + write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $front_addr, $domain_name, "public.ovpn"); print "Wrote public VPN configuration to public.ovpn.\n"; } - my $TA = read_file "Secret/gate-ta.key"; - write_template ($DEV,$UP,$CA,$CRT,$KEY,$TA, $gate_wifi_addr, + my $TC = read_file "Secret/gate-shared.key"; + write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $gate_wifi_addr, "gate.$domain_priv", "campus.ovpn"); print "Wrote campus VPN configuration to campus.ovpn.\n"; @@ -6651,7 +6651,7 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") { } sub write_template ($$$$$$$$$) { - my ($DEV,$UP,$CA,$CRT,$KEY,$TA,$ADDR,$NAME,$FILE) = @_; + my ($DEV,$UP,$CA,$CRT,$KEY,$TC,$ADDR,$NAME,$FILE) = @_; my $O = new IO::File; open ($O, ">$FILE.tmp") or die "Could not open $FILE.tmp: $!\n"; print $O "client @@ -6668,7 +6668,7 @@ key-direction 1 \n$CA \n$CRT \n$KEY -\n$TA\n"; +\n$TC\n"; close $O or die "Could not close $FILE.tmp: $!\n"; rename ("$FILE.tmp", $FILE) or die "Could not rename $FILE.tmp: $!\n"; diff --git a/Secret/front-shared.key b/Secret/front-shared.key new file mode 100644 index 0000000..2d8517f --- /dev/null +++ b/Secret/front-shared.key 
@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+38bb9f2e2ecf092249801644212b9546
+9eee27dad596e738c3b290f814e87136
+4e571cf3cfe990c6e2423c6583f00c4a
+37c4c11bea6c7b70947dd3473792e973
+6106f6a0b0eb96861ade6b2f641e39ca
+59829de1d1d0455afa8510183f6eda5d
+2df99306c448d5d4a52699fdced9d45f
+5cd650e057eeac3b8ee134dfda4a3f36
+dda2fae254a8fffb2a4aafe5b1f9b505
+7087da1a362df472cf27f7b5690eaac5
+4476c76635f9919506e3922aca44ea72
+5d6ea54559619f85b7b6c830a66e8d95
+be0c0b73830784ea463aa1f4b1a837ba
+3f9b90057e30941c6d8ad1ab49a6e4d5
+8215cbe4865e4d0b30f60223dd72b30a
+5c2940c22b1cdc3778d060a3cedbc4d4
+-----END OpenVPN Static key V1-----
diff --git a/Secret/front-ta.key b/Secret/front-ta.key
deleted file mode 100644
index 4267587..0000000
--- a/Secret/front-ta.key
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-fdb61812ceb4d5ba83f0016642320cfd
-f1e6632d8a6b08e5a20e009a81ed3e31
-3f4340500a8b3ad21fbb7a42aacb9f36
-dd86d96bae740065e2edea03add75272
-e806c05694fdfb666a8e84ea650e35d5
-c39f20053a525ff16fbba2c28b836a60
-98e3e482205de399c0e965e82b61a83c
-25ff589e395681e8a08ec22115ea4e95
-23b026fa239594cda3b80df28e48a9f9
-023b8b0c0a79ec031cde847781557475
-9eb2702fe2b766c06c6a15d83c3070c3
-f8b7e33dae75ac3814b4e17c07148934
-4e055c8451f663ec555a67a9a86a8616
-9e2c736ee6330ecbafd8c9144bc93350
-8fac74ec0fe2ec823fba7423c54be1d8
-5d8c79c0cec56b4cc7cc7e6dcee71991
------END OpenVPN Static key V1-----
diff --git a/Secret/gate-shared.key b/Secret/gate-shared.key
new file mode 100644
index 0000000..fec95dc
--- /dev/null
+++ b/Secret/gate-shared.key
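Review bot: Secret/front-shared.key is committed as a tracked file (index 0000000..2d8517f), so anyone who can read this repository — which the X-Git-Url header suggests is served over the web — holds the tls-crypt key that is meant to be known only to Front and its clients; Secret/gate-shared.key in the next hunk has the same problem. Deleting front-ta.key and gate-ta.key does not reduce exposure, because their content remains in git history, so old and new keys alike should be treated as disclosed. Unless these are deliberately published sample keys, the Secret/ directory should be kept out of version control (e.g. a `.gitignore` entry for `Secret/`) and fresh keys generated out of band with the `openvpn --genkey secret` commands that inst already uses.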
@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+c5ceb7e1cb1c786f5ad2afd2cc62b2c8
+45fb74fe0116d0e2aad97a9b9066eb30
+6127c851931a6bd97b3e6cf896f09a44
+b0f68b3656d1fa46a73202c0bec5368b
+20f23e743d09826169ffbee8328974ea
+5134e6c1c9050e31aa02f29722e1df2e
+cce6bea69c8ec5d3cf6c1b1b15afcf78
+fad7f12c48436006bab293aba68840cb
+88a358378f326a9f99bf09f21028ddf9
+b85b158bce9745663d74f8fd0b217738
+ae90d4da0d151ea458a961dbfeb8e3e5
+59ccd15678a90fa8da9d567e47e1ca10
+80d8706c7cbf6f10a2055258ec337105
+f567a4be6b758438b74f48a54ce86bdd
+556abbef5bed0c07cd4fc305b22a3195
+6a6e9093ca2efffc299aa94906e95fc4
+-----END OpenVPN Static key V1-----
diff --git a/Secret/gate-ta.key b/Secret/gate-ta.key
deleted file mode 100644
index 87806ad..0000000
--- a/Secret/gate-ta.key
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# 2048 bit OpenVPN static key
-#
------BEGIN OpenVPN Static key V1-----
-1c3632d86e265c77f3ff112183cd715c
-f64febfc4ebd48b6b34847a5718a4c68
-2d86a5fffbd46b157586c59148a62582
-f13c511edf584938f9a985528b141e03
-e1ef39dfdde9ac2b72f3738fd2eb759c
-74e774ccdd4376720c6f598233748dee
-56013726afb984218ed858f099c231b0
-70b18d01d37d81eb42044b2a2752bacf
-3a51f3e3da1fb5fd0826b4940934b4b8
-800a216c252af314144746945c6a78b6
-9e3f4c8b4871c992a10cf413a778402c
-bbaa65c0a82fac9557257abbb3e7bc56
-4e3da795966c7fa86662ea6b9b97cb19
-4cd73356e4b9310ea1f1d5e4c7c17f5c
-2f0e6595af00060a0d4e101fa18236d5
-8820a9e4b6535f72080ff5207e1eeceb
------END OpenVPN Static key V1-----
diff --git a/inst b/inst
index 92bd003..d0e2ab2 100755
--- a/inst
+++ b/inst
@@ -79,8 +79,8 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") { mysystem "cd Secret/CA; ./easyrsa build-server-full core.$pvt nopass"; mysystem "cd Secret/CA; ./easyrsa build-client-full core nopass"; umask 077; - mysystem "openvpn --genkey secret Secret/front-ta.key"; - mysystem "openvpn --genkey secret Secret/gate-ta.key"; + mysystem "openvpn --genkey secret Secret/front-shared.key"; + mysystem "openvpn --genkey secret Secret/gate-shared.key"; mysystem "openssl dhparam -out Secret/front-dh2048.pem 2048"; mysystem "openssl dhparam -out Secret/gate-dh2048.pem 2048"; @@ -421,13 +421,13 @@ up /etc/openvpn/update-systemd-resolved up-restart"; if ($type ne "campus") { - my $TA = read_file "Secret/front-ta.key"; - write_template ($DEV,$UP,$CA,$CRT,$KEY,$TA, $front_addr, + my $TC = read_file "Secret/front-shared.key"; + write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $front_addr, $domain_name, "public.ovpn"); print "Wrote public VPN configuration to public.ovpn.\n"; } - my $TA = read_file "Secret/gate-ta.key"; - write_template ($DEV,$UP,$CA,$CRT,$KEY,$TA, $gate_wifi_addr, + my $TC = read_file "Secret/gate-shared.key"; + write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $gate_wifi_addr, "gate.$domain_priv", "campus.ovpn"); print "Wrote campus VPN configuration to campus.ovpn.\n"; @@ -435,7 +435,7 @@ up-restart"; } sub write_template ($$$$$$$$$) { - my ($DEV,$UP,$CA,$CRT,$KEY,$TA,$ADDR,$NAME,$FILE) = @_; + my ($DEV,$UP,$CA,$CRT,$KEY,$TC,$ADDR,$NAME,$FILE) = @_; my $O = new IO::File; open ($O, ">$FILE.tmp") or die "Could not open $FILE.tmp: $!\n"; print $O "client @@ -456,7 +456,7 @@ key-direction 1 \n$CA \n$CRT \n$KEY -\n$TA\n"; +\n$TC\n"; close $O or die "Could not close $FILE.tmp: $!\n"; rename ("$FILE.tmp", $FILE) or die "Could not rename $FILE.tmp: $!\n"; diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 2c7c6b0..8053102 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml 
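Review bot: The client profile written by write_template still contains `key-direction 1` (the context line of the @@ -456 hunk), a setting OpenVPN documents for tls-auth and static-key mode, so it is dead configuration once the key is supplied via `tls-crypt`; drop it from the template, or keep it with a comment such as `# key-direction applies to tls-auth only; unused with tls-crypt`. The inline block tags that surround `$TC` in the .ovpn output lie outside this hunk, so it is worth confirming they were renamed from `<tls-auth>` to `<tls-crypt>`, since a profile that still wraps the key in `<tls-auth>` would not interoperate with the servers this commit switches to tls-crypt. The body of write_template begins in the @@ -435 hunk and ends outside it. The same template text is tangled from README.org (hunks @@ -6651 and @@ -6668), so the fix belongs there as well.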
@@ -594,8 +594,8 @@ - name: Install OpenVPN secret. become: yes copy: - src: ../Secret/front-ta.key - dest: /etc/openvpn/ta.key + src: ../Secret/front-shared.key + dest: /etc/openvpn/shared.key mode: u=r,g=,o= notify: Restart OpenVPN. @@ -631,7 +631,7 @@ ca /usr/local/share/ca-certificates/{{ domain_name }}.crt cert client.crt key client.key - tls-auth ta.key 1 + tls-crypt shared.key dest: /etc/openvpn/front.conf mode: u=r,g=r,o= notify: Restart OpenVPN. diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index ec38821..882291e 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -408,7 +408,7 @@ mode: u=r,g=,o= loop: - { src: front-dh2048.pem, dest: dh2048.pem } - - { src: front-ta.key, dest: ta.key } + - { src: front-shared.key, dest: shared.key } notify: Restart OpenVPN. - name: Configure OpenVPN. @@ -442,7 +442,7 @@ cert server.crt key server.key dh dh2048.pem - tls-auth ta.key 0 + tls-crypt shared.key dest: /etc/openvpn/server.conf mode: u=r,g=r,o= notify: Restart OpenVPN. diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index 66bf06d..db95047 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml @@ -198,7 +198,7 @@ mode: u=r,g=,o= loop: - { src: gate-dh2048.pem, dest: dh2048.pem } - - { src: gate-ta.key, dest: ta.key } + - { src: gate-shared.key, dest: shared.key } notify: Restart OpenVPN. - name: Configure OpenVPN. @@ -230,7 +230,7 @@ cert /etc/server.crt key /etc/server.key dh dh2048.pem - tls-auth ta.key 0 + tls-crypt shared.key dest: /etc/openvpn/server.conf mode: u=r,g=r,o= notify: Restart OpenVPN.
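Review bot: The copy task at @@ -594 installs on Core the same front-shared.key that inst embeds in every generated public.ovpn, and the front and gate sections install the matching server copies, so one symmetric secret is now shared by each server and all of its clients; a leak of any single profile exposes it for every peer, and rotation means regenerating the key and re-issuing all profiles. This was equally true of the old ta.key, so it is a documentation point rather than a regression, but the cost is easy to overlook from the task alone. A comment on the copy task would make it visible, for example `# shared.key is a symmetric tls-crypt key held by the server and every client; rotating it requires re-issuing all .ovpn profiles.` If per-client keys are wanted later, OpenVPN 2.5's tls-crypt-v2 provides them without otherwise changing this layout.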