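---
# Installs OpenVPN (plus iperf3 for throughput tests) on every host, builds an
# easy-rsa PKI on the VPN server and deploys a minimal TLS-authenticated tunnel.
#
# Review notes / hardening applied on top of the original play:
#   - the keys directory and every private key are root-only (0700 / 0600);
#     the original left client and server keys world-readable under 0755.
#   - the client now sets `remote-cert-tls server`; without it any holder of a
#     valid *client* certificate could impersonate the server (the server cert
#     is signed with `sign-req server`, so its EKU allows this check).
#   - `comp-lzo` is dropped on both sides: compression of tunnelled traffic
#     enables VORACLE-style plaintext recovery and is discouraged upstream.
#   - explicit cipher/auth/TLS-minimum so peers cannot negotiate the pre-2.4
#     defaults (BF-CBC / SHA1).
#   - the PKI shell steps carry `creates:` guards so a re-run does not call
#     `init-pki` again and silently invalidate every distributed certificate.
#   - still open: the CA key is generated `nopass` so the play can run
#     unattended — treat /usr/share/easy-rsa/pki/private/ca.key as a
#     crown-jewel secret; adding a tls-crypt key for the control channel is
#     also recommended but is not part of this play.
- hosts: all
  become: true
  tasks:
    - name: Refresh apt cache
      apt:
        update_cache: true

    - name: Install openvpn
      apt:
        name: openvpn
        state: present

    - name: Install iperf3
      apt:
        name: iperf3
        state: present

- hosts: vpn-server
  become: true
  vars:
    easyrsa_dir: /usr/share/easy-rsa
    openvpn_keys_dir: /etc/openvpn/keys
    # Every name here gets a client certificate; its .crt/.key are fetched below.
    vpn_clients:
      - client01
      - client02
      - client03
  tasks:
    - name: Install easy-rsa
      apt:
        name: easy-rsa
        state: present

    - name: Create OpenVPN key directory (root-only, it will hold private keys)
      file:
        path: "{{ openvpn_keys_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0700'

    # server.conf logs to /var/log/openvpn; make sure the directory exists
    # (harmless if the package already created it).
    - name: Create OpenVPN log directory
      file:
        path: /var/log/openvpn
        state: directory
        mode: '0755'

    - name: Write easy-rsa vars
      copy:
        dest: "{{ easyrsa_dir }}/vars"
        mode: '0644'
        content: |
          set_var EASYRSA_DIGEST "sha512"
          set_var EASYRSA_REQ_COUNTRY "RU"
          set_var EASYRSA_REQ_PROVINCE "Moscow"
          set_var EASYRSA_REQ_CITY "Moscow"
          set_var EASYRSA_REQ_ORG "Pupkin And Co"
          set_var EASYRSA_REQ_EMAIL "help@mail.ru"
          set_var EASYRSA_REQ_OU "IT"
          set_var EASYRSA_CA_EXPIRE 3650
          set_var EASYRSA_CERT_EXPIRE 365
          set_var EASYRSA_CA_CN "ca"

    # Guarded on ca.crt: once a CA exists this task never runs again, so a
    # re-run cannot wipe the PKI (init-pki) and orphan the issued certificates.
    - name: Build CA, DH parameters and server certificate
      shell: |
        set -e
        cd {{ easyrsa_dir }}
        ./easyrsa init-pki
        echo "ca" | ./easyrsa build-ca nopass
        ./easyrsa gen-dh
        echo "vpn-server" | ./easyrsa gen-req vpn-server nopass
        echo "yes" | ./easyrsa sign-req server vpn-server
      args:
        creates: "{{ easyrsa_dir }}/pki/ca.crt"

    - name: Issue client certificates (skipped per client once issued)
      shell: |
        set -e
        cd {{ easyrsa_dir }}
        echo "{{ item }}" | ./easyrsa gen-req {{ item }} nopass
        echo "yes" | ./easyrsa sign-req client {{ item }}
      args:
        creates: "{{ easyrsa_dir }}/pki/issued/{{ item }}.crt"
      loop: "{{ vpn_clients }}"

    - name: Copy public certificates into the OpenVPN key directory
      copy:
        src: "{{ easyrsa_dir }}/pki/issued/{{ item }}.crt"
        dest: "{{ openvpn_keys_dir }}/{{ item }}.crt"
        remote_src: true
        owner: root
        group: root
        mode: '0644'
      loop: "{{ ['vpn-server'] + vpn_clients }}"

    - name: Copy private keys into the OpenVPN key directory (root-only)
      copy:
        src: "{{ easyrsa_dir }}/pki/private/{{ item }}.key"
        dest: "{{ openvpn_keys_dir }}/{{ item }}.key"
        remote_src: true
        owner: root
        group: root
        mode: '0600'
      loop: "{{ ['vpn-server'] + vpn_clients }}"

    - name: Copy DH parameters and CA certificate into the OpenVPN key directory
      copy:
        src: "{{ easyrsa_dir }}/pki/{{ item }}"
        dest: "{{ openvpn_keys_dir }}/{{ item }}"
        remote_src: true
        owner: root
        group: root
        mode: '0644'
      loop:
        - dh.pem
        - ca.crt

    - name: Write OpenVPN server configuration
      copy:
        dest: /etc/openvpn/server.conf
        mode: '0644'
        content: |
          port 8810
          proto udp
          dev tun
          server 172.16.10.0 255.255.255.0
          keepalive 10 120
          ca /etc/openvpn/keys/ca.crt
          cert /etc/openvpn/keys/vpn-server.crt
          key /etc/openvpn/keys/vpn-server.key
          dh /etc/openvpn/keys/dh.pem
          # Explicit crypto so peers never fall back to pre-2.4 defaults (BF-CBC / SHA1).
          cipher AES-256-GCM
          auth SHA256
          tls-version-min 1.2
          # No comp-lzo: compressing tunnelled traffic enables VORACLE-style attacks.
          client-to-client
          persist-key
          persist-tun
          status /var/log/openvpn/openvpn-status.log
          log-append /var/log/openvpn/openvpn.log
          verb 4
          mute 20
          daemon
          mode server
          tls-server
      notify: restart openvpn

    # NOTE: this lands the client private keys unencrypted in the playbook
    # directory on the control node. `fetch` cannot set file modes, so keep that
    # directory out of version control and restrict its permissions yourself.
    - name: Fetch CA certificate and client credentials to the control node
      fetch:
        src: "{{ openvpn_keys_dir }}/{{ item }}"
        dest: "./{{ item }}"
        flat: true
      loop:
        - ca.crt
        - client01.crt
        - client02.crt
        - client03.crt
        - client01.key
        - client02.key
        - client03.key

  handlers:
    - name: restart openvpn
      systemd:
        name: openvpn@server
        state: restarted

- hosts: vpn-client
  become: true
  vars:
    # Which of the issued client identities this host uses.
    vpn_client_name: client01
    vpn_server_addr: 10.10.1.10
    vpn_server_port: 8810
  tasks:
    - name: Create OpenVPN key directory (root-only, it will hold the private key)
      file:
        path: /etc/openvpn/keys
        state: directory
        owner: root
        group: root
        mode: '0700'

    - name: Create OpenVPN log directory
      file:
        path: /var/log/openvpn
        state: directory
        mode: '0755'

    - name: Copy CA certificate and client credentials
      copy:
        src: "./{{ item.name }}"
        dest: "/etc/openvpn/keys/{{ item.name }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - name: ca.crt
          mode: '0644'
        - name: "{{ vpn_client_name }}.crt"
          mode: '0644'
        - name: "{{ vpn_client_name }}.key"
          mode: '0600'

    - name: Write OpenVPN client configuration
      copy:
        dest: /etc/openvpn/client.conf
        mode: '0644'
        content: |
          client
          resolv-retry infinite
          nobind
          proto udp
          dev tun
          remote {{ vpn_server_addr }} {{ vpn_server_port }}
          keepalive 10 120
          ca /etc/openvpn/keys/ca.crt
          cert /etc/openvpn/keys/{{ vpn_client_name }}.crt
          key /etc/openvpn/keys/{{ vpn_client_name }}.key
          # Require the peer certificate to carry the server EKU; otherwise any
          # valid client certificate could be used to impersonate the server.
          remote-cert-tls server
          # Must match the server's cipher/auth/tls-version-min.
          cipher AES-256-GCM
          auth SHA256
          tls-version-min 1.2
          persist-key
          persist-tun
          status /var/log/openvpn/openvpn-status.log
          log-append /var/log/openvpn/openvpn.log
          verb 4
          tls-client
          # float: keep accepting packets if the server's source address changes
          # (kept from the original; the TLS session still authenticates the peer).
          float
      notify: restart openvpn

  handlers:
    - name: restart openvpn
      systemd:
        name: openvpn@client
        state: restarted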