OpenVPN

STATE: unstable

TESTS: ansibleguy.opnsense.openvpn_client | ansibleguy.opnsense.openvpn_server | ansibleguy.opnsense.openvpn_static_key | ansibleguy.opnsense.openvpn_client_override | ansibleguy.opnsense.openvpn_status

API Docs: OpenVPN

Service Docs: OpenVPN

Info

You can use the ansibleguy.opnsense.service module to interact with the OpenVPN service.


Definition

For basic parameters see: Basic

ansibleguy.opnsense.openvpn_server

Definition

Parameter | Type | Required | Default | Aliases | Comment
name | string | true | - | description, desc | The name used to match this config to existing entries
server_ip4 | string | true if no server_ip6 | - | server, client_net_ip4 | This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the .1 address of the given network for use as the server-side endpoint of the local TUN/TAP interface
server_ip6 | string | true if no server_ip4 | - | server6, client_net_ip6 | This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the next base address (+1) of the given network for use as the server-side endpoint of the local TUN/TAP interface
protocol | string | false | udp | proto | One of: ‘udp’, ‘udp4’, ‘udp6’, ‘tcp’, ‘tcp4’, ‘tcp6’. Use protocol for communicating with remote host.
port | integer | false | 1194 | local_port, bind_port | Port number to use
address | string | false | - | bind_address, bind, ip | Optional IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
mode | string | false | tun | type | One of: ‘tun’, ‘tap’. Choose the type of tunnel, OSI Layer 3 [tun] is the most common option to route IPv4 or IPv6 traffic, [tap] offers Ethernet 802.3 (OSI Layer 2) connectivity between hosts and is usually combined with a bridge.
topology | string | false | subnet | topo | One of: ‘net30’, ‘p2p’, ‘subnet’. Configure virtual addressing topology when running in --dev tun mode. This directive has no meaning in --dev tap mode, which always uses a subnet topology.
max_connections | integer | false | - | max_conn, max_clients | Specify the maximum number of clients allowed to concurrently connect to this server.
log_level | integer | false | - | verbosity, verb | From 0 to 11. Output verbosity level. 0 = no output, 1-4 = normal, 5 = log packets, 6-11 debug
keepalive_interval | integer | false | - | kai | Ping interval in seconds. 0 to disable keep alive
keepalive_timeout | integer | false | - | kat | Causes OpenVPN to restart after n seconds pass without reception of a ping or other packet from remote.
renegotiate_time | integer | false | - | reneg_time, reneg | Renegotiate data channel key after n seconds (default=3600). When using a one time password, be advised that your connection will automatically drop because your password is not valid anymore. Set to 0 to disable, remember to change your client as well.
auth_token_time | integer | false | - | auth_time, token_time | After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that to the client. On the following renegotiations, the OpenVPN client will pass this token instead of the users password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms. When set to 0, the token will never expire, any other value specifies the lifetime in seconds.
certificate | string | true if no ca | - | cert | Certificate to use for this service.
ca | string | true if no certificate | - | certificate_authority, authority | Select a certificate authority when it differs from the attached certificate.
crl | string | false | - | certificate_revocation_list, revocation_list | Select a certificate revocation list to use for this service.
key | string | false | - | tls_key, tls_static_key | Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. The prefixed mode determines if this measurement is only used for authentication (--tls-auth) or includes encryption (--tls-crypt).
authentication | string | false | - | auth, auth_algo | One of: ‘BLAKE2b512’, ‘BLAKE2s256’, ‘whirlpool’, ‘none’, ‘MD4’, ‘MD5’, ‘MD5-SHA1’, ‘RIPEMD160’, ‘SHA1’, ‘SHA224’, ‘SHA256’, ‘SHA3-224’, ‘SHA3-256’, ‘SHA3-384’, ‘SHA3-512’, ‘SHA384’, ‘SHA512’, ‘SHA512-224’, ‘SHA512-256’, ‘SHAKE128’, ‘SHAKE256’. Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg.
network_local | list | false | - | local, net_local, push_route | These are the networks accessible on this host, these are pushed via route{-ipv6} clauses in OpenVPN to the client
network_remote | list | false | - | remote, net_remote, route | Remote networks for the server, add route to routing table after connection is established
data_ciphers | list | false | - | ciphers | One or multiple of: ‘AES-256-GCM’, ‘AES-128-GCM’, ‘CHACHA20-POLY1305’. Restrict the allowed ciphers to be negotiated to the ciphers in this list.
data_cipher_fallback | string | false | - | cipher_fallback | One of: ‘AES-256-GCM’, ‘AES-128-GCM’, ‘CHACHA20-POLY1305’. Configure a cipher that is used to fall back to if we could not determine which cipher the peer is willing to use. This option should only be needed to connect to peers that are running OpenVPN 2.3 or older versions, and have been configured with --enable-small (typically used on routers or other embedded devices).
auth_mode | list | false | - | authentication_mode, auth_source | Select authentication methods to use, leave empty if no challenge response authentication is needed.
auth_group | string | false | - | group | Restrict access to users in the selected local group. Please be aware that other authentication backends will refuse to authenticate when using this option.
options | list | false | - | opts | One or multiple of: ‘client-to-client’, ‘duplicate-cn’, ‘passtos’, ‘persist-remote-ip’, ‘route-nopull’, ‘route-noexec’, ‘remote-random’. Various less frequently used yes/no options which can be set for this instance.
push_options | list | false | - | push_opts | One or multiple of: ‘block-outside-dns’, ‘register-dns’. Various less frequently used yes/no options which can be pushed to the client for this instance.
redirect_gateway | list | false | - | redirect_gw, redir_gw | One or multiple of: ‘local’, ‘autolocal’, ‘def1’, ‘bypass_dhcp’, ‘bypass_dns’, ‘block_local’, ‘ipv6’, ‘notipv4’. Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.
domain | string | false | - | dns_domain | Set Connection-specific DNS Suffix.
domain_list | list | false | - | dns_domain_search | Add name to the domain search list. Repeat this option to add more entries. Up to 10 domains are supported
dns_servers | list | false | - | dns | Set primary domain name server IPv4 or IPv6 address. Repeat this option to set secondary DNS server addresses.
ntp_servers | list | false | - | ntp | Set primary NTP server address (Network Time Protocol). Repeat this option to set secondary NTP server addresses.
mtu | integer | false | - | tun_mtu | Take the TUN device MTU to be tun-mtu and derive the link MTU from it.
route_metric | integer | false | - | metric, push_metric | Specify a default metric m for use with --route on the connecting client (push option).
fragment_size | integer | false | - | frag_size | Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than the specified byte size.
verify_client_cert | string | false | require | verify_client, verify_cert | One of: ‘require’, ‘none’. Specify if the client is required to offer a certificate.
cert_depth | integer | false | - | certificate_depth | From 1 to 5. When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
register_dns | boolean | false | false | - | Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
ocsp | boolean | false | false | use_ocsp, verify_ocsp | When the CA used supplies an authorityInfoAccess OCSP URI extension, it will be used to validate the client certificate.
user_as_cn | boolean | false | false | username_as_cn | Use the authenticated username as the common-name, rather than the common-name from the client certificate.
user_cn_strict | boolean | false | false | username_cn_strict | When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login.
mss_fix | boolean | false | false | mss | Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed the recommended size.
reload | boolean | false | true | - | If the running config should be reloaded on change - this may take some time. For mass-managing items you might want to reload it ‘manually’ after all changes are done => using the ansibleguy.opnsense.reload module.
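A pre-flight review of an openvpn_server task, written as an added example (not code from the ansibleguy.opnsense collection): it resolves the aliases from the table above, checks the required-parameter and allowed-value rules stated there, and flags settings a security reviewer would question before the play touches the firewall. The CHANGING dict mirrors the page's "Changing" example; the crl and key names in HARDENED are placeholders.

```python
# Added example, not code from the ansibleguy.opnsense collection: a pre-flight
# review of openvpn_server task parameters. Alias map, allowed values and limits
# are copied from the parameter table above.
ALIASES = {
    'description': 'name', 'desc': 'name',
    'server': 'server_ip4', 'client_net_ip4': 'server_ip4',
    'server6': 'server_ip6', 'client_net_ip6': 'server_ip6',
    'proto': 'protocol', 'local_port': 'port', 'bind_port': 'port',
    'cert': 'certificate', 'certificate_authority': 'ca', 'authority': 'ca',
    'certificate_revocation_list': 'crl', 'revocation_list': 'crl',
    'tls_key': 'key', 'tls_static_key': 'key',
    'auth': 'authentication', 'auth_algo': 'authentication',
    'ciphers': 'data_ciphers', 'cipher_fallback': 'data_cipher_fallback',
    'authentication_mode': 'auth_mode', 'auth_source': 'auth_mode',
    'verify_client': 'verify_client_cert', 'verify_cert': 'verify_client_cert',
    'certificate_depth': 'cert_depth', 'username_as_cn': 'user_as_cn',
    'username_cn_strict': 'user_cn_strict',
    'auth_time': 'auth_token_time', 'token_time': 'auth_token_time',
    'reneg_time': 'renegotiate_time', 'reneg': 'renegotiate_time',
}
PROTOCOLS = {'udp', 'udp4', 'udp6', 'tcp', 'tcp4', 'tcp6'}
DATA_CIPHERS = {'AES-256-GCM', 'AES-128-GCM', 'CHACHA20-POLY1305'}
WEAK_DIGESTS = {'none', 'MD4', 'MD5', 'MD5-SHA1', 'RIPEMD160', 'SHA1'}


def canonical(params):
    """Resolve aliases so every setting is addressed by its table name."""
    return {ALIASES.get(k, k): v for k, v in params.items()}


def _num(p, key):
    """Integer value of an optional parameter, None when unset or ''."""
    v = p.get(key)
    return None if v in (None, '') else int(v)


def review(params):
    """Return (errors, warnings): errors break the module's contract,
    warnings are settings a security reviewer should question."""
    p = canonical(params)
    errors, warnings = [], []
    if not p.get('name'):
        errors.append('name is required')
    if not (p.get('server_ip4') or p.get('server_ip6')):
        errors.append('server_ip4 or server_ip6 is required')
    if not (p.get('certificate') or p.get('ca')):
        errors.append('certificate or ca is required')
    if p.get('protocol', 'udp') not in PROTOCOLS:
        errors.append(f"protocol {p['protocol']!r} is not one of {sorted(PROTOCOLS)}")
    unknown = set(p.get('data_ciphers') or []) - DATA_CIPHERS
    if unknown:
        errors.append(f'unsupported data_ciphers: {sorted(unknown)}')
    depth = _num(p, 'cert_depth')
    if depth is not None and not 1 <= depth <= 5:
        errors.append('cert_depth must be between 1 and 5')
    # Review points; each follows from a description in the table above.
    if p.get('verify_client_cert', 'require') == 'none':
        warnings.append('verify_client_cert=none: clients need not present a certificate')
    if not p.get('key'):
        warnings.append('no tls-auth/tls-crypt key: control channel lacks the extra HMAC layer')
    if p.get('authentication') in WEAK_DIGESTS:
        warnings.append(f"authentication {p['authentication']!r}: weak or disabled HMAC digest")
    if p.get('data_cipher_fallback'):
        warnings.append('data_cipher_fallback is only needed for OpenVPN 2.3 or older peers')
    if _num(p, 'renegotiate_time') == 0:
        warnings.append('renegotiate_time=0: data channel key is never renegotiated')
    if p.get('auth_mode') and _num(p, 'auth_token_time') == 0:
        warnings.append('auth_token_time=0: pushed auth tokens never expire')
    if p.get('user_as_cn') and not p.get('user_cn_strict'):
        warnings.append('user_as_cn without user_cn_strict: login name replaces the certificate CN unchecked')
    return errors, warnings


# Constructed task dicts: the page's "Changing" example as written, and a
# hardened variant that clears every warning (crl and key names are placeholders).
CHANGING = {
    'name': 'ANSIBLE_TEST_1_1', 'port': 20000, 'protocol': 'udp', 'mode': 'tun',
    'server': '192.168.77.0/29', 'network_local': ['192.168.78.128/27'],
    'ca': 'OpenVPN', 'certificate': 'OpenVPN Server', 'cert_depth': 1,
    'data_ciphers': ['AES-256-GCM', 'CHACHA20-POLY1305'], 'max_connections': 100,
    'user_as_cn': True, 'user_cn_strict': True,
    'push_options': ['block-outside-dns', 'register-dns'], 'mtu': 1420,
}
HARDENED = dict(CHANGING, crl='OpenVPN-CRL', key='OpenVPN-TLS-CRYPT',
                authentication='SHA256', renegotiate_time=3600)
```

Running review(CHANGING) reports no contract errors but one warning (no tls-auth/tls-crypt key), while review(HARDENED) is clean.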

ansibleguy.opnsense.openvpn_client

Definition

Parameter | Type | Required | Default | Aliases | Comment
name | string | true | - | description, desc | The name used to match this config to existing entries
remote | list | true | - | peer, server | Remote host name or IP address with optional port
protocol | string | false | udp | proto | One of: ‘udp’, ‘udp4’, ‘udp6’, ‘tcp’, ‘tcp4’, ‘tcp6’. Use protocol for communicating with remote host.
port | integer | false | - | local_port, bind_port | Port number to use. Specifies a bind address, or nobind when client does not have a specific bind address.
address | string | false | - | bind_address, bind, ip | Optional IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
mode | string | false | tun | type | One of: ‘tun’, ‘tap’. Choose the type of tunnel, OSI Layer 3 [tun] is the most common option to route IPv4 or IPv6 traffic, [tap] offers Ethernet 802.3 (OSI Layer 2) connectivity between hosts and is usually combined with a bridge.
log_level | integer | false | - | verbosity, verb | From 0 to 11. Output verbosity level. 0 = no output, 1-4 = normal, 5 = log packets, 6-11 debug
keepalive_interval | integer | false | - | kai | Ping interval in seconds. 0 to disable keep alive
keepalive_timeout | integer | false | - | kat | Causes OpenVPN to restart after n seconds pass without reception of a ping or other packet from remote.
renegotiate_time | integer | false | - | reneg_time, reneg | Renegotiate data channel key after n seconds (default=3600). When using a one time password, be advised that your connection will automatically drop because your password is not valid anymore. Set to 0 to disable, remember to change your client as well.
carp_depend_on | string | false | - | vip, vip_depend, carp, carp_depend | The CARP VHID to depend on. When this virtual address is not in master state, then the instance will be shutdown.
certificate | string | true if no ca | - | cert | Certificate to use for this service.
ca | string | true if no certificate | - | certificate_authority, authority | Select a certificate authority when it differs from the attached certificate.
key | string | false | - | tls_key, tls_static_key | Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. The prefixed mode determines if this measurement is only used for authentication (--tls-auth) or includes encryption (--tls-crypt).
authentication | string | false | - | auth, auth_algo | One of: ‘BLAKE2b512’, ‘BLAKE2s256’, ‘whirlpool’, ‘none’, ‘MD4’, ‘MD5’, ‘MD5-SHA1’, ‘RIPEMD160’, ‘SHA1’, ‘SHA224’, ‘SHA256’, ‘SHA3-224’, ‘SHA3-256’, ‘SHA3-384’, ‘SHA3-512’, ‘SHA384’, ‘SHA512’, ‘SHA512-224’, ‘SHA512-256’, ‘SHAKE128’, ‘SHAKE256’. Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg.
username | string | false | - | user | (optional) Username to send to the server for authentication when required.
password | string | false | - | pwd | Password belonging to the user specified above
network_local | list | false | - | local, net_local, push_route | These are the networks accessible on this host, these are pushed via route{-ipv6} clauses in OpenVPN to the client
network_remote | list | false | - | remote, net_remote, route | Remote networks for the server, add route to routing table after connection is established
options | list | false | - | opts | One or multiple of: ‘client-to-client’, ‘duplicate-cn’, ‘passtos’, ‘persist-remote-ip’, ‘route-nopull’, ‘route-noexec’, ‘remote-random’. Various less frequently used yes/no options which can be set for this instance.
mtu | integer | false | - | tun_mtu | Take the TUN device MTU to be tun-mtu and derive the link MTU from it.
fragment_size | integer | false | - | frag_size | Enable internal datagram fragmentation so that no UDP datagrams are sent which are larger than the specified byte size.
mss_fix | boolean | false | false | mss | Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed the recommended size.
reload | boolean | false | true | - | If the running config should be reloaded on change - this may take some time. For mass-managing items you might want to reload it ‘manually’ after all changes are done => using the ansibleguy.opnsense.reload module.

ansibleguy.opnsense.openvpn_static_key

Definition

Parameter | Type | Required | Default | Aliases | Comment
name | string | true | - | description, desc | The name used to match this config to existing entries
mode | string | false | crypt | type | One of: ‘auth’, ‘crypt’. Define the use of this key, authentication (--tls-auth) or authentication and encryption (--tls-crypt)
key | string | false | - | - | OpenVPN Static key. If empty - it will be auto-generated.
reload | boolean | false | true | - | If the running config should be reloaded on change - this may take some time. For mass-managing items you might want to reload it ‘manually’ after all changes are done => using the ansibleguy.opnsense.reload module.
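The key parameter takes the "OpenVPN Static key V1" text block shown in the "Changing" example further below. The following added example (not code from the ansibleguy.opnsense collection) generates such a block from the OS CSPRNG and parses one back, rejecting malformed input; it also accepts the YAML-escaped form, where the line breaks survive only as literal `\n` sequences inside a single-quoted scalar.

```python
import os
import re

# Added example, not code from the ansibleguy.opnsense collection: build and
# validate the "OpenVPN Static key V1" text that openvpn_static_key accepts.
KEY_BITS = 2048
HEADER = '-----BEGIN OpenVPN Static key V1-----'
FOOTER = '-----END OpenVPN Static key V1-----'
HEX_LINE = re.compile(r'^[0-9a-f]{32}$')


def generate_static_key(bits=KEY_BITS):
    """Build a V1 static key: comment banner, header, 16 lines of
    32 hex characters for 2048 bits, footer. Randomness from os.urandom."""
    if bits % 128:
        raise ValueError('key length must be a multiple of 128 bits')
    body = os.urandom(bits // 8).hex()
    lines = [body[i:i + 32] for i in range(0, len(body), 32)]
    return '\n'.join(['#', f'# {bits} bit OpenVPN static key', '#', HEADER, *lines, FOOTER])


def parse_static_key(text):
    """Return the raw key bytes, rejecting anything that is not a well-formed
    V1 block: wrong markers, non-hex lines or an unexpected key length.
    Literal backslash-n (as left by a single-quoted YAML scalar) is unescaped."""
    lines = [ln.strip() for ln in text.replace('\\n', '\n').splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith('#')]
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError('missing OpenVPN Static key V1 header or footer')
    hex_lines = lines[1:-1]
    if not all(HEX_LINE.match(ln) for ln in hex_lines):
        raise ValueError('key body must be lines of 32 lowercase hex characters')
    key = bytes.fromhex(''.join(hex_lines))
    if len(key) * 8 != KEY_BITS:
        raise ValueError(f'expected a {KEY_BITS}-bit key, got {len(key) * 8} bits')
    return key


if __name__ == '__main__':
    generated = generate_static_key()
    # The YAML single-quoted form round-trips to the same 256 key bytes.
    assert parse_static_key(generated.replace('\n', '\\n')) == parse_static_key(generated)
    print(generated)
```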

ansibleguy.opnsense.openvpn_client_override

Definition

Parameter | Type | Required | Default | Aliases | Comment
name | string | true | - | description, desc | The client’s X.509 common-name used to match these overrides to
servers | list | true | - | instances | Select the OpenVPN servers this override applies to, leave empty for all
description | string | false | - | desc | You may enter a description here for your reference (not parsed).
block | boolean | false | false | block_connection, block_client | Block this client connection based on its common name. Don’t use this option to permanently disable a client due to a compromised key or password. Use a CRL (certificate revocation list) instead.
push_reset | boolean | false | false | reset | Don’t inherit the global push list for a specific client instance. NOTE: --push-reset is very thorough: it will remove almost all options from the list of to-be-pushed options. In many cases, some of these options will need to be re-configured afterwards - specifically, --topology subnet and --route-gateway will get lost and this will break client configs in many cases.
network_tunnel_ip4 | string | false | - | tun_ip4, tunnel_ip4 | Push virtual IP endpoints for client tunnel, overriding dynamic allocation.
network_tunnel_ip6 | string | false | - | tun_ip6, tunnel_ip6 | Push virtual IP endpoints for client tunnel, overriding dynamic allocation.
network_local | list | false | - | net_local, push_route | These are the networks accessible by the client, these are pushed via route{-ipv6} clauses in OpenVPN to the client.
network_remote | list | false | - | net_remote, route | Remote networks for the server, these are configured via iroute{-ipv6} clauses in OpenVPN and inform the server to send these networks to this specific client.
route_gateway | string | false | - | route_gw, rt_gw | Specify a default gateway to use for the connected client. Without one set, the first address in the netblock is offered. When segmenting the tunnel (server) network, this one might not be accessible from the client.
redirect_gateway | list | false | - | redirect_gw, redir_gw | Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN.
register_dns | boolean | false | false | - | Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
domain | string | false | - | dns_domain | Set Connection-specific DNS Suffix.
domain_list | list | false | - | dns_domain_search | Add name to the domain search list. Repeat this option to add more entries. Up to 10 domains are supported
dns_servers | list | false | - | dns | Set primary domain name server IPv4 or IPv6 address. Repeat this option to set secondary DNS server addresses.
ntp_servers | list | false | - | ntp | Set primary NTP server address (Network Time Protocol). Repeat this option to set secondary NTP server addresses.
wins_servers | list | false | - | wins | Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses.
reload | boolean | false | true | - | If the running config should be reloaded on change - this may take some time. For mass-managing items you might want to reload it ‘manually’ after all changes are done => using the ansibleguy.opnsense.reload module.

ansibleguy.opnsense.openvpn_status

Definition

Parameter | Type | Required | Default | Aliases | Comment
target | string | false | sessions | kind | One of: ‘sessions’, ‘routes’. What information to query


Usage

The instance description/name is used to match your config to the existing entries.

WARNING: The openvpn_server and openvpn_client modules share the same namespace! Be aware that you e.g. CANNOT create an openvpn_server with the same name as an existing openvpn_client (on the same box)!

You can create and manage certificates using the OPNSense WebUI!


Examples

ansibleguy.opnsense.openvpn_server

- hosts: localhost
  gather_facts: no
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: 'opnsense.template.ansibleguy.net'
      api_credential_file: '/home/guy/.secret/opn.key'

    ansibleguy.opnsense.list:
      target: 'openvpn_instance'

  tasks:
    - name: Example
      ansibleguy.opnsense.openvpn_server:
        name: 'example'
        server_ip4: ''
        server_ip6: ''
        certificate: ''
        # topology: 'subnet'
        # protocol: 'udp'
        # port: ''
        # address: ''
        # mode: 'tun'
        # max_connections: ''
        # ca: ''
        # crl: ''
        # verify_client_cert: 'require'
        # cert_depth: ''
        # data_ciphers: []
        # data_cipher_fallback: ''
        # ocsp: false
        # log_level: 3
        # keepalive_interval: ''
        # keepalive_timeout: ''
        # key: ''
        # authentication: ''
        # auth_mode: []
        # auth_group: ''
        # renegotiate_time: ''
        # auth_token_time: ''
        # network_local: []
        # network_remote: []
        # options: []
        # push_options: []
        # redirect_gateway: []
        # route_metric: ''
        # mtu: ''
        # fragment_size: ''
        # domain: ''
        # domain_list: []
        # dns_servers: []
        # ntp_servers: []
        # register_dns: false
        # user_as_cn: false
        # user_cn_strict: false
        # mss_fix: false
        # reload: true
        # enabled: true

    - name: Adding
      ansibleguy.opnsense.openvpn_server:
        name: 'ANSIBLE_TEST_1_1'
        port: 20000
        protocol: 'udp'
        mode: 'tun'
        server: '192.168.77.0/29'
        network_local: ['192.168.78.128/27']
        ca: 'OpenVPN'
        certificate: 'OpenVPN Server'

    - name: Changing
      ansibleguy.opnsense.openvpn_server:
        name: 'ANSIBLE_TEST_1_1'
        port: 20000
        protocol: 'udp'
        mode: 'tun'
        server: '192.168.77.0/29'
        network_local: ['192.168.78.128/27']
        ca: 'OpenVPN'
        certificate: 'OpenVPN Server'
        cert_depth: 1
        data_ciphers: ['AES-256-GCM', 'CHACHA20-POLY1305']
        max_connections: 100
        user_as_cn: true
        user_cn_strict: true
        push_options: ['block-outside-dns', 'register-dns']
        mtu: 1420

    - name: Disabling
      ansibleguy.opnsense.openvpn_server:
        name: 'ANSIBLE_TEST_1_1'
        port: 20000
        protocol: 'udp'
        mode: 'tun'
        server: '192.168.77.0/29'
        network_local: ['192.168.78.128/27']
        ca: 'OpenVPN'
        certificate: 'OpenVPN Server'
        cert_depth: 1
        data_ciphers: ['AES-256-GCM', 'CHACHA20-POLY1305']
        max_connections: 100
        user_as_cn: true
        user_cn_strict: true
        push_options: ['block-outside-dns', 'register-dns']
        mtu: 1420
        enabled: false

    - name: Listing
      ansibleguy.opnsense.list:
        # target: 'openvpn_instance'
      register: existing_entries

    - name: Printing instances
      ansible.builtin.debug:
        var: existing_entries.data

    - name: Removing
      ansibleguy.opnsense.openvpn_server:
        name: 'test1'
        state: 'absent'

ansibleguy.opnsense.openvpn_client

- hosts: localhost
  gather_facts: no
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: 'opnsense.template.ansibleguy.net'
      api_credential_file: '/home/guy/.secret/opn.key'

    ansibleguy.opnsense.list:
      target: 'openvpn_instance'

  tasks:
    - name: Example
      ansibleguy.opnsense.openvpn_client:
        name: 'example'
        remote: 'example.ovpn.ansibleguy.net:10000'
        certificate: ''
        # ca: ''
        # protocol: 'udp'
        # port: ''
        # address: ''
        # mode: 'tun'
        # log_level: 3
        # keepalive_interval: ''
        # keepalive_timeout: ''
        # carp_depend_on: ''
        # key: ''
        # authentication: ''
        # username: ''
        # password: ''
        # renegotiate_time: ''
        # network_local: []
        # network_remote: []
        # options: []
        # mtu: ''
        # fragment_size: ''
        # mss_fix: false
        # reload: true
        # enabled: true

    - name: Adding
      ansibleguy.opnsense.openvpn_client:
        name: 'test1'
        remote: 'openvpn.test.ansibleguy.net:20000'
        protocol: 'udp'
        mode: 'tun'
        network_remote: ['192.168.77.128/27', '192.168.89.64/27']
        log_level: 2
        ca: 'OpenVPN'
        certificate: 'OpenVPN Client'
        mtu: 1400

    - name: Changing
      ansibleguy.opnsense.openvpn_client:
        name: 'test1'
        remote: 'openvpn.test.ansibleguy.net:10000'
        protocol: 'tcp'
        mode: 'tun'
        network_remote: ['192.168.77.0/24']
        log_level: 5
        ca: 'OpenVPN'
        certificate: 'OpenVPN Client'
        mtu: 1400

    - name: Disabling
      ansibleguy.opnsense.openvpn_client:
        name: 'test1'
        remote: 'openvpn.test.ansibleguy.net:10000'
        protocol: 'tcp'
        mode: 'tun'
        network_remote: ['192.168.77.0/24']
        log_level: 5
        ca: 'OpenVPN'
        certificate: 'OpenVPN Client'
        mtu: 1400
        enabled: false

    - name: Listing
      ansibleguy.opnsense.list:
        # target: 'openvpn_instance'
      register: existing_entries

    - name: Printing instances
      ansible.builtin.debug:
        var: existing_entries.data

    - name: Removing
      ansibleguy.opnsense.openvpn_client:
        name: 'test1'
        state: 'absent'

ansibleguy.opnsense.openvpn_static_key

- hosts: localhost
  gather_facts: no
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: 'opnsense.template.ansibleguy.net'
      api_credential_file: '/home/guy/.secret/opn.key'

    ansibleguy.opnsense.list:
      target: 'openvpn_static_key'

  tasks:
    - name: Example
      ansibleguy.opnsense.openvpn_static_key:
        name: 'example'
        # mode: 'crypt'
        # key: ''

    - name: Adding
      ansibleguy.opnsense.openvpn_static_key:
        name: 'test1'
        # key: => will be auto-generated

    - name: Changing
      ansibleguy.opnsense.openvpn_static_key:
        name: 'test1'
        key: '#\n# 2048 bit OpenVPN static key\n#\n
          -----BEGIN OpenVPN Static key V1-----\n
          c07e43dc02829f88184b4fb74243e4ac\n
          b1d24d1d1a74cd21df8ac64a527915ae\n
          9c736c0c219eb33774e40e61f6f660c8\n
          daf44730850fae665f5f609a71e99f3c\n
          8a636b16dff7434ce3b7f9aca896287b\n
          d6c62d2f6d7db4e9cfcfe0f101cc6474\n
          0c98246fbcd203891a0343777c7551c7\n
          aa2ba1e6a6ab4fcf593a894d4da8f180\n
          d44645b5a658e17f5d48408a020430c3\n
          5b768f413a2ec69ead015750cacb53d7\n
          64a19bce04b29f11d3ca7560a99958b6\n
          9203f493fd7e740b5a5a3d1afe1b4185\n
          50043805c5bac513baf2306e42c1c1f8\n
          0fd16661536a3ee72ffbd1d2d1b1f6c0\n
          9683064c9bc044ee0357f4b94f5687ed\n
          67cb013625cfb9b113ecff16674d63e6\n
          -----END OpenVPN Static key V1-----'

    - name: Listing
      ansibleguy.opnsense.list:
        # target: 'openvpn_static_key'
      register: existing_entries

    - name: Printing static-keys
      ansible.builtin.debug:
        var: existing_entries.data

    - name: Removing
      ansibleguy.opnsense.openvpn_static_key:
        name: 'test1'
        state: 'absent'

    - name: Linking key to OpenVPN-client
      ansibleguy.opnsense.openvpn_client:
        name: 'test-client'
        remote: 'openvpn.test.ansibleguy.net'
        ca: 'OpenVPN'
        key: 'test-key'

ansibleguy.opnsense.openvpn_client_override

- hosts: localhost
  gather_facts: no
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: 'opnsense.template.ansibleguy.net'
      api_credential_file: '/home/guy/.secret/opn.key'

  tasks:
    - name: Example
      ansibleguy.opnsense.openvpn_client_override:
        name: 'example'
        # servers: []
        # description: ''
        # block: false
        # push_reset: false
        # network_tunnel_ip4: ''
        # network_tunnel_ip6: ''
        # network_local: []
        # network_remote: []
        # route_gateway: ''
        # redirect_gateway: []
        # register_dns: false
        # domain: ''
        # domain_list: []
        # dns_servers: []
        # ntp_servers: []
        # wins_servers: []
        # reload: true
        # enabled: true

    - name: Adding
      ansibleguy.opnsense.openvpn_client_override:
        name: 'test1'
        servers: 'test-server'
        network_tunnel_ip4: '192.168.77.3/29'
        network_local: ['192.168.78.128/27']
        domain: 'test.vpn'
        dns_servers: ['1.1.1.1', '8.8.8.8']

    - name: Blocking client
      ansibleguy.opnsense.openvpn_client_override:
        name: 'test2'
        block: true

    - name: Listing
      ansibleguy.opnsense.list:
        # target: 'openvpn_client_override'
      register: existing_entries

    - name: Printing client-overrides
      ansible.builtin.debug:
        var: existing_entries.data

    - name: Removing
      ansibleguy.opnsense.openvpn_client_override:
        name: 'test1'
        state: 'absent'

ansibleguy.opnsense.openvpn_status

- hosts: localhost
  gather_facts: no
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: 'opnsense.template.ansibleguy.net'
      api_credential_file: '/home/guy/.secret/opn.key'

  tasks:
    - name: Querying OpenVPN Sessions
      ansibleguy.opnsense.openvpn_status:
        target: 'sessions'
      register: ovpn_sessions

    - name: Printing Sessions
      ansible.builtin.debug:
        var: ovpn_sessions.data

    - name: Querying OpenVPN Routes
      ansibleguy.opnsense.openvpn_status:
        target: 'routes'
      register: ovpn_routes

    - name: Printing Routes
      ansible.builtin.debug:
        var: ovpn_routes.data