
pfsense_openvpn_server


pfsensible.core.pfsense_openvpn_server


        Manage pfSense OpenVPN server configuration

ADDED IN: version 0.5.0 of pfsensible.core

OPTIONS (= is mandatory):

- allow_compression
        Allow compression to be used with this VPN instance.
        Compression can potentially increase throughput but may allow
        an attacker to extract secrets if they can control compressed
        plaintext traversing the VPN (e.g. HTTP). Before enabling
        compression, consult information about the VORACLE, CRIME, TIME,
        and BREACH attacks against TLS to decide if the use case for this
        specific VPN is vulnerable to attack.
        Asymmetric compression allows an easier transition when
        connecting with older peers.
        choices: ['no', asym, 'yes']
        default: 'no'
        type: str

- authmode
        Authentication servers. This list will be put into
        alphabetical order.  Required if mode == server_tls_user.
        default: []
        elements: str
        type: list

- ca
        Certificate Authority name.
        default: null
        type: str

- cert
        Server certificate name.
        default: null
        type: str

- cert_depth
        Depth of certificates to check.
        default: 1
        type: int

- client2client
        Allow communication between clients connected to this server.
        default: false
        type: bool

- compression
        Compression setting to be used with this VPN instance.
        '' => Disable Compression [Omit Preference]
        'none' => Disable Compression, retain compression packet
        framing [compress]
        'stub' => Enable Compression (stub) [compress stub]
        'stub-v2' => Enable Compression (stub v2) [compress stub-v2]
        'lz4' => LZ4 Compression [compress lz4]
        'lz4-v2' => LZ4 Compression v2 [compress lz4-v2]
        'lzo' => LZO Compression [compress lzo, equivalent to comp-lzo
        yes for compatibility]
        'noadapt' => Omit Preference, + Disable Adaptive LZO
        Compression [Legacy style, comp-noadapt]
        'adaptive' => Adaptive LZO Compression [Legacy style, comp-lzo
        adaptive]
        'yes' => LZO Compression [Legacy style, comp-lzo yes]
        'no' => No LZO Compression [Legacy style, comp-lzo no]
        choices: ['', none, stub, stub-v2, lz4, lz4-v2, lzo, noadapt, adaptive, 'yes', 'no']
        default: ''
        type: str

- compression_push
        Push the selected Compression setting to connecting clients.
        default: false
        type: bool

- create_gw
        Which gateway types to create.
        choices: [both, v4only, v6only]
        default: both
        type: str

- crl
        Certificate Revocation List name.
        default: null
        type: str

- custom_options
        Custom openvpn options.
        default: null
        type: str

- data_ciphers
        Allowed cryptographic algorithms.
        choices: [AES-256-CBC, AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305]
        default: [AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305]
        elements: str
        type: list

- data_ciphers_fallback
        Fallback cryptographic algorithm.
        choices: [AES-256-CBC, AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305]
        default: AES-256-CBC
        type: str

- dev_mode
        Device mode.
        choices: [tun, tap]
        default: tun
        type: str

- dh_length
        DH parameter length.
        default: 2048
        type: int

- digest
        Auth digest algorithm.
        choices: [SHA256, SHA1]
        default: SHA256
        type: str

- disable
        Is the OpenVPN config disabled?
        default: false
        type: bool

- dns_domain
        DNS default domain.
        default: ''
        type: str

- dns_server1
        DNS server 1.
        default: ''
        type: str

- dns_server2
        DNS server 2.
        default: ''
        type: str

- dns_server3
        DNS server 3.
        default: ''
        type: str

- dns_server4
        DNS server 4.
        default: ''
        type: str

- dynamic_ip
        Allow connected clients to retain their connections if their
        IP address changes.
        default: false
        type: bool

- ecdh_curve
        Elliptic Curve to use for key exchange.
        choices: [none, prime256v1, secp384r1, secp521r1]
        default: none
        type: str

- gwredir
        Redirect IPv4 gateway.
        default: false
        type: bool

- gwredir6
        Redirect IPv6 gateway.
        default: false
        type: bool

- interface
        The interface for OpenVPN to listen on.
        default: wan
        type: str

- local_network
        IPv4 networks that will be accessible from the remote
        endpoint.
        default: ''
        type: str

- local_networkv6
        IPv6 networks that will be accessible from the remote
        endpoint.
        default: ''
        type: str

- local_port
        The port for OpenVPN to listen on.
        default: 1194
        type: int

- maxclients
        The maximum number of clients allowed to concurrently connect
        to this server.
        default: null
        type: int

- mode
        The server mode.
        choices: [p2p_tls, p2p_shared_key, server_tls, server_tls_user, server_user]
        default: null
        type: str

= name
        The name of the OpenVPN server.
        type: str

- ncp_enable
        Enable data encryption negotiation.
        default: true
        type: bool

- passtos
        Set the TOS IP header value of tunnel packets to match the
        encapsulated packet value.
        default: false
        type: bool

- protocol
        The protocol used for the connection.
        choices: [UDP4, TCP4]
        default: UDP4
        type: str

- push_register_dns
        Push DNS.
        default: false
        type: bool

- remote_network
        IPv4 networks that will be routed through the tunnel.
        default: ''
        type: str

- remote_networkv6
        IPv6 networks that will be routed through the tunnel.
        default: ''
        type: str

- shared_key
        Pre-shared key for shared key modes.  If set to 'generate' it
        will create a key if one does not already exist.
        default: null
        type: str

- state
        State in which to leave the OpenVPN config.
        choices: [present, absent]
        default: present
        type: str

- strictusercn
        Enforce a match between the common name of the client
        certificate and the username given at login.
        default: false
        type: bool

- tls
        TLS key.  If set to 'generate' it will create a key if one
        does not already exist.
        default: null
        type: str

- tls_type
        Use TLS for authentication ('auth') or for encryption and
        authentication ('crypt').
        choices: [auth, crypt]
        default: null
        type: str

- topology
        The method used to supply a virtual adapter IP address to
        clients when using TUN mode on IPv4.
        choices: [net30, subnet]
        default: subnet
        type: str

- tunnel_network
        IPv4 virtual network used for private communications between
        this server and client hosts expressed using CIDR notation.
        default: ''
        type: str

- tunnel_networkv6
        IPv6 virtual network used for private communications between
        this server and client hosts expressed using CIDR notation.
        default: ''
        type: str

- username_as_common_name
        Use the authenticated client username instead of the
        certificate common name (CN).
        default: false
        type: bool

- verbosity_level
        Verbosity level.
        default: 1
        type: int


AUTHOR: Orion Poplawski (@opoplawski)

METADATA:
  metadata_version: '1.1'
  status:
  - preview
  supported_by: community

EXAMPLES:

# Minimal invocation: name is the only mandatory option (see OPTIONS).
# mode, ca, cert, crl, tls and tls_type all default to null here, so this
# example only demonstrates the required parameter, not a complete server.
# Defaults worth reviewing for a production server (from OPTIONS above):
# digest SHA256, data_ciphers_fallback AES-256-CBC, ecdh_curve none,
# dh_length 2048, allow_compression 'no', protocol UDP4, local_port 1194.
- name: "Add OpenVPN server"
  pfsense_openvpn_server:
    name: 'OpenVPN Server'


RETURN VALUES:
- vpnid
        The vpnid number of the OpenVPN server instance.
        returned: always
        sample: 1
        type: int