Install OpenSSL, OpenVPN and Easy-RSA 3 from source with Ansible
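---
# Build and install recent OpenSSL, OpenVPN and Easy-RSA 3 from source on
# Debian/Ubuntu or RHEL-family hosts, then bootstrap an Easy-RSA PKI.
#
# Expects a file named `easyrsa_vars` next to the playbook on the controller;
# it is copied to "{{ easyrsa_path }}/vars" before the PKI is initialised.
#
# Every task that writes under /usr/src, /usr/local or /etc runs with
# `become: true` so the play also works from an unprivileged SSH user.
- name: Download + compile recent versions of OpenSSL,OpenVPN and easyrsa3 from source
  hosts: all
  gather_facts: true  # ansible_facts['distribution'] selects the package task below
  vars:
    user_configuration:
      servername: vpn.localhost.com  # not referenced by any task in this play
    easyrsa_path: "/usr/local/easyrsa3"
    # Git ref checked out for Easy-RSA. "master" is unpinned; set this to a
    # release tag to get a reproducible build.
    easyrsa_version: "master"
    openssl_version: "3.3.0"
    # Install prefix of the self-built OpenSSL; the OpenVPN build links against it.
    openssl_prefix: "/usr/local/ssl"
    openvpn_version: "2.6.10"
    # Parallel make jobs used for both builds.
    build_jobs: 16
    # Rendered into ./configure as --<key>=<value>; a value of "true" becomes a
    # bare --<key> flag. Keys are the literal configure option names.
    openvpn_configure_options:
      prefix: "/usr/local/openvpn"
      disable-dco: "true"
      disable-lzo: "true"
      disable-lz4: "true"

  tasks:
    - name: Print distribution
      ansible.builtin.debug:
        msg: "{{ ansible_facts['distribution'] }}"

    - name: Install required packages on Debian/Ubuntu
      when: ansible_facts['distribution'] in ['Debian', 'Ubuntu']
      ansible.builtin.apt:
        name:
          - build-essential
          - libpam0g-dev
          - libipc-run-perl
          - git
          - pkg-config
          # Debian/Ubuntu name of the libcap-ng headers; "libcap-ng-devel" is the RPM name
          - libcap-ng-dev
          - libcap-ng0
        state: present
      become: true

    - name: Install required packages on CentOS/Oracle Linux
      # The fact value for RHEL is 'RedHat' (not 'Redhat'); Rocky and AlmaLinux
      # report their own names and use the same package set.
      when: ansible_facts['distribution'] in ['RedHat', 'CentOS', 'OracleLinux', 'Rocky', 'AlmaLinux']
      ansible.builtin.yum:
        name:
          # toolchain equivalents of build-essential / git / pkg-config on Debian
          - gcc
          - make
          - git
          - perl
          - pkgconfig
          - libcap-ng
          - libcap-ng-devel
          - pam-devel
          - perl-IPC-Cmd
        state: present
      become: true

    - name: Clone Easy-RSA repository
      ansible.builtin.git:
        repo: "https://github.com/OpenVPN/easy-rsa.git"
        dest: "/usr/src/easy-rsa"
        version: "{{ easyrsa_version }}"
      become: true
      tags: easyrsa

    - name: Copy Easy-RSA to /usr/local
      # Trailing slash on src copies the directory *contents* into easyrsa_path,
      # so the destination follows the variable instead of a hard-coded name.
      ansible.builtin.copy:
        src: "/usr/src/easy-rsa/easyrsa3/"
        dest: "{{ easyrsa_path }}/"
        remote_src: true
      become: true
      tags: easyrsa

    - name: Set directory permissions
      # This tree will hold the PKI (including the CA private key), so it is root-only.
      ansible.builtin.file:
        path: "{{ easyrsa_path }}"
        mode: "0700"
      become: true
      tags: easyrsa

    - name: Download OpenSSL source code
      ansible.builtin.get_url:
        url: "https://www.openssl.org/source/openssl-{{ openssl_version }}.tar.gz"
        dest: "/usr/src/openssl-{{ openssl_version }}.tar.gz"
        # TODO: pin the release digest, e.g.
        #   checksum: "sha256:<value from the openssl.org release page>"
      become: true
      tags: openssl

    - name: Extract OpenSSL source code
      ansible.builtin.unarchive:
        src: "/usr/src/openssl-{{ openssl_version }}.tar.gz"
        dest: "/usr/src"
        creates: "/usr/src/openssl-{{ openssl_version }}"
        remote_src: true
      become: true
      tags: openssl

    - name: Configure OpenSSL
      # --libdir is pinned to lib64 so the install location matches the
      # ld.so.conf.d entry and the -L/-rpath paths used by the OpenVPN build.
      # `creates` skips re-configuring once a Makefile has been generated.
      ansible.builtin.command: >
        ./config shared
        --prefix={{ openssl_prefix }} --libdir=lib64
        -Wl,-rpath={{ openssl_prefix }}/lib64
      args:
        chdir: "/usr/src/openssl-{{ openssl_version }}"
        creates: "/usr/src/openssl-{{ openssl_version }}/Makefile"
      become: true
      tags: openssl

    - name: Build OpenSSL
      ansible.builtin.make:
        target: "-j{{ build_jobs }}"  # no explicit target: builds the default one
        chdir: "/usr/src/openssl-{{ openssl_version }}"
      become: true
      tags: openssl

    - name: Install OpenSSL
      ansible.builtin.make:
        target: "install"
        chdir: "/usr/src/openssl-{{ openssl_version }}"
      become: true
      tags: openssl

    - name: Add OpenSSL library path to ld.so.conf.d
      # NOTE: this makes the self-built libssl/libcrypto resolvable system-wide,
      # not only for OpenVPN; other binaries whose SONAME matches may pick it
      # up. The OpenVPN build below also sets an rpath, so drop this task if
      # only OpenVPN should see the custom OpenSSL.
      ansible.builtin.lineinfile:
        path: /etc/ld.so.conf.d/openssl.conf
        line: "{{ openssl_prefix }}/lib64"
        create: true
      become: true
      tags: openssl

    - name: Rebuild ld caches
      ansible.builtin.command: ldconfig
      changed_when: false  # ldconfig is idempotent; do not report a change every run
      become: true
      tags: openssl

    - name: Download OpenVPN source code
      ansible.builtin.get_url:
        url: "https://swupdate.openvpn.org/community/releases/openvpn-{{ openvpn_version }}.tar.gz"
        dest: "/usr/src/openvpn-{{ openvpn_version }}.tar.gz"
        # TODO: pin the release digest, e.g.
        #   checksum: "sha256:<value from the OpenVPN release announcement>"
      become: true
      tags: openvpn

    - name: Extract OpenVPN source code
      ansible.builtin.unarchive:
        src: "/usr/src/openvpn-{{ openvpn_version }}.tar.gz"
        dest: "/usr/src"
        creates: "/usr/src/openvpn-{{ openvpn_version }}"
        remote_src: true
      become: true
      tags: openvpn

    - name: Configure OpenVPN
      # Each entry of openvpn_configure_options renders as --<key>=<value>;
      # a value of "true" renders as a bare --<key>. The CFLAGS point the build
      # at the OpenSSL installed above instead of the distribution copy.
      ansible.builtin.command: >
        ./configure
        {% for key, value in openvpn_configure_options.items() %}
        --{{ key }}{% if value != 'true' %}={{ value }}{% endif %}
        {% endfor %}
      args:
        chdir: "/usr/src/openvpn-{{ openvpn_version }}"
        creates: "/usr/src/openvpn-{{ openvpn_version }}/Makefile"
      environment:
        CFLAGS: "-I{{ openssl_prefix }}/include -Wl,-rpath={{ openssl_prefix }}/lib64 -L{{ openssl_prefix }}/lib64"
      become: true
      tags: openvpn

    - name: Build OpenVPN
      ansible.builtin.make:
        target: "-j{{ build_jobs }}"
        chdir: "/usr/src/openvpn-{{ openvpn_version }}"
      become: true
      tags: openvpn

    - name: Install OpenVPN
      ansible.builtin.make:
        target: "install"
        chdir: "/usr/src/openvpn-{{ openvpn_version }}"
      become: true
      tags: openvpn

    - name: Create OpenVPN etc directory
      ansible.builtin.file:
        path: "{{ openvpn_configure_options.prefix }}/etc"
        state: directory
      become: true
      tags: openvpn

    - name: Generate OpenVPN TLS key if not exists
      # Key path is derived from the prefix in both places so `creates` and the
      # generated file can never drift apart.
      ansible.builtin.command: >
        {{ openvpn_configure_options.prefix }}/sbin/openvpn --genkey tls-crypt
        {{ openvpn_configure_options.prefix }}/etc/tls-crypt.key
      args:
        creates: "{{ openvpn_configure_options.prefix }}/etc/tls-crypt.key"
      become: true
      tags: openvpn

    - name: Copy Easy-RSA configuration to target
      ansible.builtin.copy:
        src: easyrsa_vars  # file next to the playbook on the controller
        dest: "{{ easyrsa_path }}/vars"
        mode: "0600"
      become: true  # the destination directory is root-owned 0700 (see above)
      tags: easyrsa

    - name: Call Easy-RSA init
      ansible.builtin.command:
        cmd: "{{ easyrsa_path }}/easyrsa init-pki"
      args:
        chdir: "{{ easyrsa_path }}"
        creates: "{{ easyrsa_path }}/pki"
      environment:
        EASYRSA_BATCH: "true"  # env values must be strings; suppresses interactive prompts
      become: true
      tags: easyrsa

    - name: Generate CA
      # `nopass` writes the CA private key unencrypted under the pki directory;
      # its only protection is the 0700 root-only mode set on easyrsa_path.
      ansible.builtin.command:
        cmd: "{{ easyrsa_path }}/easyrsa build-ca nopass"
      args:
        chdir: "{{ easyrsa_path }}"
        creates: "{{ easyrsa_path }}/pki/ca.crt"
      environment:
        EASYRSA_BATCH: "true"
      become: true
      tags: easyrsa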