REFERENCE.md

Reference

Table of Contents

Classes

  • openvpn: This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files
  • openvpn::config: This class sets up the openvpn environment as well as the default config file
  • openvpn::install: This class installs the openvpn package and any additional_packages
  • openvpn::service: This class maintains the openvpn service.

Defined types

  • openvpn::ca: This define creates the openvpn ca and ssl certificates
  • openvpn::client: This define creates client certs for a specified server as well as a tarball that can be directly imported into clients
  • openvpn::client_specific_config: This define creates a client-specific configuration (ccd) file for a server
  • openvpn::revoke: This define creates a revocation on a certificate for a specified server.
  • openvpn::server: This define creates the openvpn server instance which can run in server or client mode.

Classes

openvpn

This module installs the openvpn service, configures vpn endpoints, generates client certificates, and generates client config files

Examples

class { 'openvpn':
  autostart_all => true,
}

Parameters

The following parameters are available in the openvpn class:

autostart_all

Data type: Boolean

Whether openvpn instances should be started automatically on boot.

manage_service

Data type: Boolean

Whether the openvpn service should be managed by puppet.

etc_directory

Data type: Stdlib::Absolutepath

Path of the configuration directory.

group

Data type: String[1]

File group of the generated config files.

link_openssl_cnf

Data type: Boolean

Link easy-rsa/openssl.cnf to easy-rsa/openssl-1.0.0.cnf

pam_module_path

Data type: Optional[Stdlib::Absolutepath]

Path to openvpn-auth-pam.so

namespecific_rclink

Data type: Boolean

Enable name-specific rc links (BSD-style), one per openvpn instance

default_easyrsa_ver

Data type: Pattern[/^[23]\.0$/]

Expected version of easyrsa.

easyrsa_source

Data type: Stdlib::Unixpath

Location of easyrsa.

additional_packages

Data type: Variant[String[1], Array[String[1]]]

Additional packages

ldap_auth_plugin_location

Data type: Optional[Stdlib::Absolutepath]

Path to the LDAP authentication plugin (openvpn-auth-ldap.so), used by servers with ldap_enabled

client_defaults

Data type: Hash

Hash of defaults for clients passed to openvpn::client defined type.

Default value: {}

clients

Data type: Hash

Hash of clients passed to openvpn::client defined type.

Default value: {}

client_specific_config_defaults

Data type: Hash

Hash of defaults for client specific configurations passed to openvpn::client_specific_config defined type.

Default value: {}

client_specific_configs

Data type: Hash

Hash of client specific configurations passed to openvpn::client_specific_config defined type.

Default value: {}

revoke_defaults

Data type: Hash

Hash of defaults for revokes passed to openvpn::revoke defined type.

Default value: {}

revokes

Data type: Hash

Hash of revokes passed to openvpn::revoke defined type.

Default value: {}

server_defaults

Data type: Hash

Hash of defaults for servers passed to openvpn::server defined type.

Default value: {}

servers

Data type: Hash

Hash of servers passed to openvpn::server defined type.

Default value: {}

server_directory

Data type: Optional[Stdlib::Absolutepath]

Path of the server configuration directory. This is usually ${etc_directory}/openvpn, but RHEL/CentOS 8 uses ${etc_directory}/openvpn/server

server_service_name

Data type: String[1]

Name of the openvpn server service. This is usually openvpn, but RHEL/CentOS 8 uses openvpn-server.
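The hash parameters above (servers, clients, revokes and their *_defaults) let the whole module be driven from one class declaration, which is also what makes the data usable from Hiera. The following is an added example, not taken from the module's own documentation; the hostnames, networks and user names are assumptions. It assumes the carol certificate was issued by an earlier run before it is revoked here.

```puppet
# Added example: drive servers, clients and revocations from the openvpn class.
# Hostnames, networks and user names are assumptions for illustration.
class { 'openvpn':
  autostart_all   => true,
  server_defaults => {
    'proto'          => 'udp',
    'tls_auth'       => true,     # HMAC-protect the TLS control channel
    'crl_verify'     => true,     # reject revoked client certificates
    'crl_auto_renew' => true,     # keep crl.pem from expiring (see crl_days)
  },
  servers         => {
    'contractors' => {
      'country'      => 'CH',
      'province'     => 'ZH',
      'city'         => 'Winterthur',
      'organization' => 'example.org',
      'email'        => 'root@example.org',
      'server'       => '10.200.200.0 255.255.255.0',
      'push'         => ['route 10.0.1.0 255.255.255.0'],
    },
  },
  client_defaults => {
    'server'      => 'contractors',
    'remote_host' => 'vpn.example.org',
    'proto'       => 'udp',
    'tls_auth'    => true,        # must match the server setting
    'x509_name'   => 'server',    # pin the server certificate CN (common_name default)
  },
  clients         => {
    'alice' => {},
    'bob'   => { 'expire' => 365 },   # shorter-lived certificate for bob
  },
  revokes         => {
    'carol' => { 'server' => 'contractors' },   # assumed issued on an earlier run
  },
}
```

Because these are class parameters, the same hashes can be supplied from Hiera as openvpn::servers, openvpn::clients and so on through automatic parameter lookup instead of being written in the manifest.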

openvpn::config

This class sets up the openvpn environment as well as the default config file

openvpn::install

This class installs the openvpn package and any additional_packages

openvpn::service

This class maintains the openvpn service.

Defined types

openvpn::ca

This define creates the openvpn ca and ssl certificates

Examples

openvpn::ca { 'contractors':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
}

Parameters

The following parameters are available in the openvpn::ca defined type:

dn_mode

Data type: Enum['org','cn_only']

EasyRSA X509 DN mode.

Default value: 'org'

country

Data type: Optional[String]

Country to be used for the SSL certificate

Default value: undef

province

Data type: Optional[String]

Province to be used for the SSL certificate

Default value: undef

city

Data type: Optional[String]

City to be used for the SSL certificate

Default value: undef

organization

Data type: Optional[String]

Organization to be used for the SSL certificate

Default value: undef

email

Data type: Optional[String]

Email address to be used for the SSL certificate

Default value: undef

common_name

Data type: String

Common name to be used for the SSL certificate

Default value: 'server'

group

Data type: Optional[String]

File group for the generated CA directory and key files; falls back to the openvpn class group when undef

Default value: undef

ssl_key_algo

Data type: Enum['rsa', 'ec', 'ed']

Key algorithm. ec generates elliptic-curve keys, ed generates ed25519 keys

Default value: 'rsa'

ssl_key_size

Data type: Integer

Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa

Default value: 2048

ssl_key_curve

Data type: String

Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed

Default value: 'secp384r1'

key_expire

Data type: Integer

The number of days to certify the server certificate for

Default value: 3650

ca_expire

Data type: Integer

The number of days to certify the CA certificate for

Default value: 3650

digest

Data type: Enum['md5','sha1','sha256','sha224','sha384','sha512']

Cryptographic digest for certificate signatures. md5 and sha1 are accepted only for legacy CAs; keep sha256 or stronger for anything new

Default value: 'sha512'

key_name

Data type: Optional[String]

Value for name_default variable in openssl.cnf and KEY_NAME in vars

Default value: undef

key_ou

Data type: Optional[String]

Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars

Default value: undef

key_cn

Data type: Optional[String]

Value for commonName_default variable in openssl.cnf and KEY_CN in vars

Default value: undef

tls_auth

Data type: Boolean

Determines whether a tls-auth HMAC key (ta.key) is generated

Default value: false

tls_static_key

Data type: Boolean

Determines whether a static pre-shared key is generated

Default value: false

crl_days

Data type: Integer

The number of days the client revocation list will be valid for after generating

Default value: 30

openvpn::client

This define creates client certs for a specified server as well as a tarball that can be directly imported into clients

Examples

openvpn::client { 'my_user':
  server      => 'contractors',
  remote_host => 'vpn.mycompany.com',
}

Parameters

The following parameters are available in the openvpn::client defined type:

server

Data type: String

Name of the corresponding openvpn endpoint

compression

Data type: Optional[String[1]]

Which compression algorithm to use. This parameter is deprecated in OpenVPN 2.5, and compressing VPN traffic is discouraged anyway because of compression-oracle attacks (VORACLE).

Default value: undef

dev

Data type: Enum['tap', 'tun']

Device method

Default value: 'tun'

mute

Data type: Integer

Set log mute level

Default value: 20

mute_replay_warnings

Data type: Boolean

Silence duplicate packet warnings (common on wireless networks)

Default value: true

nobind

Data type: Boolean

If true, do not bind to a specific local address and port; the client uses an ephemeral source port

Default value: true

persist_key

Data type: Boolean

Do not re-read key files across SIGUSR1 or ping-restart, so they remain available after privileges have been dropped

Default value: true

persist_tun

Data type: Boolean

Do not close and reopen the TUN/TAP device across SIGUSR1 or ping-restart, so it survives the privilege downgrade

Default value: true

port

Data type: String

The port the openvpn server service is running on

Default value: '1194'

proto

Data type: Enum['tcp','udp']

What IP protocol is being used.

Default value: 'tcp'

remote_host

Data type: Variant[String, Array[String]]

The IP or hostname of the openvpn server service.

Default value: $facts['networking']['fqdn']

cipher

Data type: String

Cipher to use for packet encryption

Default value: 'AES-256-GCM'

tls_cipher

Data type: String

TLS Ciphers to use

Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'

resolv_retry

Data type: String

How many seconds should the openvpn client try to resolve the server's hostname

Default value: 'infinite'

auth_retry

Data type: Enum['none', 'nointeract', 'interact']

Controls how OpenVPN responds to username/password verification errors such as the client-side response to an AUTH_FAILED message from the server or verification failure of the private key password.

Default value: 'none'

verb

Data type: String

Level of logging verbosity

Default value: '3'

pam

Data type: Boolean

DEPRECATED: use authuserpass instead. Enables auth-user-pass in the client config.

Default value: false

authuserpass

Data type: Boolean

Set if username and password required

Default value: false

tls_auth

Data type: Boolean

Activates tls-auth, which adds an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. This has to be set to the same value as on the server.

Default value: false

tls_crypt

Data type: Boolean

Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)

Default value: false

x509_name

Data type: Optional[String]

Common name of openvpn server to make an x509-name verification

Default value: undef

setenv

Data type: Hash

Set a custom environmental variable name=value to pass to script.

Default value: {}

setenv_safe

Data type: Hash

Set a custom environmental variable OPENVPN_name=value to pass to script. This directive is designed to be pushed by the server to clients, and the prepending of "OPENVPN_" to the environmental variable is a safety precaution to prevent a LD_PRELOAD style attack from a malicious or compromised server.

Default value: {}

up

Data type: Optional[String[1]]

Script which we want to run when openvpn client is connecting

Default value: undef

down

Data type: Optional[String[1]]

Script which we want to run when the openvpn client is disconnecting

Default value: undef

sndbuf

Data type: Optional[Integer]

Set the TCP/UDP socket send buffer size.

Default value: undef

rcvbuf

Data type: Optional[Integer]

Set the TCP/UDP socket receive buffer size.

Default value: undef

shared_ca

Data type: Optional[String]

The name of an openvpn::ca resource to use.

Default value: undef

custom_options

Data type: Hash

Hash of additional options that you want to append to the configuration file.

Default value: {}

expire

Data type: Optional[Integer]

Custom expiry for the client certificate, in days; overrides the easy-rsa default.

Default value: undef

readme

Data type: Optional[String]

Text to place in a README file which is included in download-configs archive.

Default value: undef

pull

Data type: Boolean

Allow server to push options like dns or routes

Default value: false

server_extca_enabled

Data type: Boolean

Turn this on if you are using an external CA solution, like FreeIPA. Use it in combination with exported resources, since exported client resources do not have access to the server configuration.

Default value: false

remote_cert_tls

Data type: Boolean

Enable or disable use of remote-cert-tls used with client configuration

Default value: true

openvpn::client_specific_config

This define creates a client-specific configuration (ccd) file for a server. The feature and all of its parameters are explained in the OpenVPN HOWTO: http://openvpn.net/index.php/open-source/documentation/howto.html#policy

Examples

openvpn::client_specific_config { 'vpn_client':
  server       => 'contractors',
  iroute       => ['10.0.1.0 255.255.255.0'],
  ifconfig     => '10.10.10.1 10.10.10.2',
  dhcp_options => ['DNS 8.8.8.8'],
}

Parameters

The following parameters are available in the openvpn::client_specific_config defined type:

server

Data type: String[1]

Name of the corresponding openvpn endpoint

iroute

Data type: Array[String[1]]

Array of iroute combinations.

Default value: []

iroute_ipv6

Data type: Array[String[1]]

Array of IPv6 iroute combinations.

Default value: []

route

Data type: Array[String[1]]

Array of route combinations pushed to client.

Default value: []

ifconfig

Data type: Optional[String[1]]

IP configuration to push to the client.

Default value: undef

ifconfig_ipv6

Data type: Optional[String[1]]

IPv6 configuration to push to the client.

Default value: undef

dhcp_options

Data type: Array[String[1]]

DHCP options to push to the client.

Default value: []

redirect_gateway

Data type: Boolean

Redirect all traffic to gateway

Default value: false

custom_options

Data type: Hash

Hash of additional options to append to the configuration file.

Default value: {}

ensure

Data type: Enum['present', 'absent']

Sets the client specific configuration file status (present or absent)

Default value: 'present'

manage_client_configs

Data type: Boolean

Manage dependencies on Openvpn::Client resources

Default value: true
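An iroute in a ccd file only tells OpenVPN which client owns a subnet; the server configuration still needs a matching route, and without ccd_exclusive on the server any client holding a valid certificate connects whether or not it has a ccd entry. The following added example (not from the module's documentation; names and networks are assumptions) wires the three together for a site-to-site client and a laptop user:

```puppet
# Added example: per-client policy with ccd_exclusive.
# 'branch' is a site-to-site peer that owns 10.0.1.0/24 behind it.
openvpn::server { 'contractors':
  country       => 'CH',
  province      => 'ZH',
  city          => 'Winterthur',
  organization  => 'example.org',
  email         => 'root@example.org',
  server        => '10.200.200.0 255.255.255.0',
  route         => ['10.0.1.0 255.255.255.0'],   # kernel route into the tunnel
  ccd_exclusive => true,                          # no ccd file, no access
  crl_verify    => true,
}

openvpn::client { 'branch':
  server      => 'contractors',
  remote_host => 'vpn.example.org',
}

openvpn::client_specific_config { 'branch':
  server => 'contractors',
  iroute => ['10.0.1.0 255.255.255.0'],   # bind the subnet to this certificate CN
  route  => ['10.0.2.0 255.255.255.0'],   # pushed only to this client
}

# A laptop user needs a ccd entry as well, otherwise ccd_exclusive rejects her.
openvpn::client { 'alice':
  server      => 'contractors',
  remote_host => 'vpn.example.org',
}

openvpn::client_specific_config { 'alice':
  server   => 'contractors',
  ifconfig => '10.200.200.10 10.200.200.9',   # fixed /30 pair under the net30 default
}
```

The ccd file name is the certificate common name, which is why the client_specific_config title matches the openvpn::client title; with manage_client_configs left at its default the define also orders itself after that client resource.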

openvpn::revoke

This define creates a revocation on a certificate for a specified server.

Examples

openvpn::client { 'my_user':
  server => 'contractors',
}
openvpn::revoke { 'my_user':
  server => 'contractors',
}

Parameters

The following parameters are available in the openvpn::revoke defined type:

server

Data type: String

Name of the corresponding openvpn endpoint

openvpn::server

This define creates the openvpn server instance which can run in server or client mode.

Examples

install

openvpn::server { 'winterthur':
  country      => 'CH',
  province     => 'ZH',
  city         => 'Winterthur',
  organization => 'example.org',
  email        => 'root@example.org',
  server       => '10.200.200.0 255.255.255.0',
}

a server in client mode

file {
  '/etc/openvpn/zurich/keys/ca.crt':
    source => 'puppet:///path/to/ca.crt';
  '/etc/openvpn/zurich/keys/zurich.crt':
    source => 'puppet:///path/to/zurich.crt';
  '/etc/openvpn/zurich/keys/zurich.key':
    source => 'puppet:///path/to/zurich.key';
}
openvpn::server { 'zurich':
  remote  => [ 'mgmtnet3.nine.ch 1197', 'mgmtnet2.nine.ch 1197' ],
  require => [ File['/etc/openvpn/zurich/keys/ca.crt'],
               File['/etc/openvpn/zurich/keys/zurich.crt'],
               File['/etc/openvpn/zurich/keys/zurich.key'] ];
}

Parameters

The following parameters are available in the openvpn::server defined type:

dn_mode

Data type: Enum['org','cn_only']

EasyRSA X509 DN mode.

Default value: 'org'

country

Data type: Optional[String[1]]

Country to be used for the SSL certificate, mandatory for server mode.

Default value: undef

province

Data type: Optional[String[1]]

Province to be used for the SSL certificate, mandatory for server mode.

Default value: undef

city

Data type: Optional[String[1]]

City to be used for the SSL certificate, mandatory for server mode.

Default value: undef

organization

Data type: Optional[String[1]]

Organization to be used for the SSL certificate, mandatory for server mode.

Default value: undef

email

Data type: Optional[String[1]]

Email address to be used for the SSL certificate, mandatory for server mode.

Default value: undef

remote

Data type: Optional[Array]

List of OpenVPN endpoints to connect to.

Default value: undef

remote_random_hostname

Data type: Boolean

OpenVPN will prepend a random string (6 bytes, 12 hex characters) to the hostname to prevent DNS caching. For example, "foo.example.com" would be modified to "<random-chars>.foo.example.com".

Default value: false

remote_random

Data type: Boolean

When multiple ${remote} address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure.

Default value: false

common_name

Data type: String

Common name to be used for the SSL certificate

Default value: 'server'

compression

Data type: Optional[String[1]]

Which compression algorithm to use. This parameter is deprecated in OpenVPN 2.5, and compressing VPN traffic is discouraged anyway because of compression-oracle attacks (VORACLE).

Default value: undef

dev

Data type: String

TUN/TAP virtual network device

Default value: 'tun0'

user

Data type: String

User to drop privileges to after startup

Default value: 'nobody'

group

Data type: Optional[String]

Group to drop privileges to after startup

Default value: undef

ipp

Data type: Boolean

Persist ifconfig information to a file to retain client IP addresses between sessions

Default value: false

duplicate_cn

Data type: Boolean

Allow multiple connections on one cn

Default value: false

local

Data type: String

Local IP address for openvpn to bind to.

Default value: $facts['networking']['ip']

logfile

Data type: Variant[Boolean, String]

Logfile for this openvpn server

Default value: false

manage_logfile_directory

Data type: Boolean

Manage the directory that the logfile is located in

Default value: false

logdirectory_user

Data type: String[1]

The owner user of the logfile directory

Default value: 'nobody'

logdirectory_group

Data type: String[1]

The owner group of the logfile directory

Default value: 'nobody'

port

Data type: String

The port the openvpn server service is running on

Default value: '1194'

portshare

Data type: Optional[String]

The address and port to which non-OpenVPN requests shall be forwarded (port-share), e.g. 127.0.0.1 8443

Default value: undef

proto

Data type: Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']

What IP protocol is being used.

Default value: 'tcp'

status_log

Data type: String

Logfile for periodic dumps of the vpn service status

Default value: "/var/log/openvpn/${name}-status.log"

status_version

Data type: Enum['1', '2', '3', '']

Choose the status file format version number.

Default value: ''

server

Data type: Optional[String[1]]

Network to assign client addresses out of. Required in tun mode, not in tap mode

Default value: undef

server_ipv6

Data type: Optional[String[1]]

IPv6 network to assign client addresses out of

Default value: undef

server_bridge

Data type: Optional[String[1]]

Server configuration to comply with existing DHCP server

Default value: undef

push

Data type: Array

Options to push out to the client. This can include routes, DNS servers, DNS search domains, and many other options.

Default value: []

route

Data type: Array

Add route to routing table after connection is established. Multiple routes can be specified.

Default value: []

route_ipv6

Data type: Array

Add IPv6 route to routing table after connection is established. Multiple routes can be specified.

Default value: []

keepalive

Data type: Optional[String[1]]

Add keepalive directive (ping and ping-restart) to server. Should match the form "n m".

Default value: undef

ssl_key_algo

Data type: Enum['rsa', 'ec', 'ed']

Key algorithm. ec generates elliptic-curve keys, ed generates ed25519 keys

Default value: 'rsa'

ssl_key_size

Data type: Integer

Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa

Default value: 2048

ssl_key_curve

Data type: String

Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed

Default value: 'secp384r1'

ecdh_curve

Data type: Optional[String[1]]

Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed

Default value: undef

topology

Data type: String

Define the network topology type. OpenVPN recommends 'subnet'; 'net30' is the legacy default kept for compatibility

Default value: 'net30'

c2c

Data type: Boolean

Enable client to client visibility

Default value: false

tcp_nodelay

Data type: Boolean

Set tcp-nodelay, which disables Nagle's algorithm on TCP connections.

Default value: false

ccd_exclusive

Data type: Boolean

Set ccd-exclusive: only clients that have a matching client-specific config (ccd) file are allowed to connect.

Default value: false

pam

Data type: Boolean

Enable PAM authentication through the openvpn-auth-pam plugin (see pam_module_path on the openvpn class and pam_module_arguments).

Default value: false

pam_module_arguments

Data type: String

Arguments to pass to the PAM module. For FreeIPA, set this to "openvpn login USERNAME password PASSWORD" and create HBAC Service "openvpn".

Default value: 'login'

management

Data type: Boolean

Enable management interface

Default value: false

management_ip

Data type: String

IP address where the management interface will listen. The interface is unauthenticated by default and gives full control of the daemon, so keep it on localhost (or a unix socket via management_port) rather than a routable address

Default value: 'localhost'

management_port

Data type: Variant[Stdlib::Port::Unprivileged,Enum['unix']]

Port where the management interface will listen

Default value: 7505

up

Data type: Optional[String[1]]

Script which we want to run when the openvpn server starts. If the path to the script does not contain a slash, it will be assumed to be in the openvpn/${name}/scripts directory.

Default value: undef

down

Data type: Optional[String[1]]

Script which we want to run when the openvpn server stops. If the path to the script does not contain a slash, it will be assumed to be in the openvpn/${name}/scripts directory.

Default value: undef

client_connect

Data type: Optional[String[1]]

Script which we want to run when a client connects. If the path to the script does not contain a slash, it will be assumed to be in the openvpn/${name}/scripts directory.

Default value: undef

client_disconnect

Data type: Optional[String[1]]

Script which we want to run when a client disconnects. If the path to the script does not contain a slash, it will be assumed to be in the openvpn/${name}/scripts directory.

Default value: undef

username_as_common_name

Data type: Boolean

If true then set username-as-common-name

Default value: false

client_cert_not_required

Data type: Boolean

If true then set client-cert-not-required. Note that OpenVPN 2.5 removed this directive (replaced by verify-client-cert none), and it drops the certificate factor entirely, leaving only username/password authentication

Default value: false

ldap_enabled

Data type: Boolean

Enable LDAP username/password authentication through the openvpn-auth-ldap plugin (see ldap_auth_plugin_location on the openvpn class and the ldap_* parameters below)

Default value: false

ldap_server

Data type: Optional[String[1]]

URL of the LDAP server, e.g. ldap://host:port

Default value: undef

ldap_binddn

Data type: Optional[String[1]]

LDAP DN to bind as

Default value: undef

ldap_bindpass

Data type: Optional[String[1]]

LDAP password for ldap_binddn. It is written in clear text into the generated ldap.conf on the server, so source it from protected Hiera data and use a least-privilege bind account

Default value: undef

ldap_u_basedn

Data type: Optional[String[1]]

Place in the LDAP tree to look for users

Default value: undef

ldap_u_filter

Data type: Optional[String[1]]

User SearchFilter for LDAP accounts

Default value: undef

ldap_g_basedn

Data type: Optional[String[1]]

Place in the LDAP tree to look for groups

Default value: undef

ldap_gmember

Data type: Boolean

If defined use group block in ldap.conf

Default value: false

ldap_g_filter

Data type: Optional[String[1]]

Group SearchFilter for LDAP accounts

Default value: undef

ldap_memberatr

Data type: Optional[String[1]]

Attribute for MemberAttribute in the group block. Used with ldap_g_filter

Default value: undef

ldap_tls_enable

Data type: Boolean

Enable TLS for the LDAP authentication

Default value: false

ldap_tls_ca_cert_file

Data type: Optional[String[1]]

LDAP TLS authentication: path to the CA certificate.

Default value: undef

ldap_tls_ca_cert_dir

Data type: Optional[String[1]]

LDAP TLS authentication: path to the CA certificates.

Default value: undef

ldap_tls_client_cert_file

Data type: Optional[Stdlib::Absolutepath]

LDAP TLS authentication: path to the tls client certificate

Default value: undef

ldap_tls_client_key_file

Data type: Optional[Stdlib::Absolutepath]

LDAP TLS authentication: path to the tls client key

Default value: undef
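The ldap_* parameters together produce the openvpn-auth-ldap configuration for one server instance. The following added example (not from the module's documentation) shows a complete declaration in which users present a certificate and additionally authenticate with LDAP credentials over STARTTLS, and only members of one group may connect. The LDAP host, DNs, group attribute, plugin path and the Hiera key for the bind password are assumptions; the plugin path is where Debian packages install openvpn-auth-ldap.

```puppet
# Added example: certificate plus LDAP username/password authentication.
class { 'openvpn':
  ldap_auth_plugin_location => '/usr/lib/openvpn/openvpn-auth-ldap.so',  # assumed path
}

openvpn::server { 'contractors':
  country               => 'CH',
  province              => 'ZH',
  city                  => 'Winterthur',
  organization          => 'example.org',
  email                 => 'root@example.org',
  server                => '10.200.200.0 255.255.255.0',
  ldap_enabled          => true,
  ldap_server           => 'ldap://ldap.example.org:389',
  ldap_tls_enable       => true,                                # STARTTLS, never plain bind
  ldap_tls_ca_cert_file => '/etc/ssl/certs/ca-certificates.crt',
  ldap_binddn           => 'cn=openvpn,ou=services,dc=example,dc=org',
  ldap_bindpass         => lookup('site::openvpn_ldap_bindpass'),  # assumed eyaml-backed key
  ldap_u_basedn         => 'ou=people,dc=example,dc=org',
  ldap_u_filter         => '(uid=%u)',
  ldap_gmember          => true,                                # emit the group block
  ldap_g_basedn         => 'ou=groups,dc=example,dc=org',
  ldap_g_filter         => '(cn=vpn-users)',
  ldap_memberatr        => 'uniqueMember',                      # groupOfUniqueNames members
}

# Clients must send credentials, otherwise the plugin rejects the connection.
openvpn::client { 'alice':
  server       => 'contractors',
  remote_host  => 'vpn.example.org',
  authuserpass => true,
}
```

Keeping the certificate requirement (client_cert_not_required left false) means a leaked LDAP password alone is not enough to join the VPN; the bind account only needs read access to the user and group subtrees.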

verb

Data type: Optional[String]

Level of logging verbosity

Default value: undef

cipher

Data type: String

Cipher to use for packet encryption

Default value: 'AES-256-GCM'

tls_cipher

Data type: String

TLS Ciphers to use

Default value: 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'

These defaults are TLS 1.2 DHE-RSA suites. With an EC server certificate (ssl_key_algo set to ec or ed) no suite in this list matches and the handshake fails, so supply ECDHE-ECDSA suites instead.

persist_key

Data type: Boolean

Do not re-read key files across SIGUSR1 or ping-restart, so they remain available after privileges have been dropped

Default value: false

persist_tun

Data type: Boolean

Do not close and reopen the TUN/TAP device across SIGUSR1 or ping-restart, so it survives the privilege downgrade

Default value: false

key_expire

Data type: Integer

The number of days to certify the server certificate for

Default value: 3650

crl_days

Data type: Integer[1]

The number of days the client revocation list will be valid for after generating

Default value: 30

digest

Data type: Enum['md5','sha1','sha256','sha224','sha384','sha512']

Cryptographic digest for certificate signatures. md5 and sha1 are accepted only for legacy CAs; keep sha256 or stronger for anything new

Default value: 'sha512'

ca_expire

Data type: Integer

The number of days to certify the CA certificate for

Default value: 3650

key_name

Data type: Optional[String]

Value for name_default variable in openssl.cnf and KEY_NAME in vars

Default value: undef

key_ou

Data type: Optional[String]

Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars

Default value: undef

key_cn

Data type: Optional[String]

Value for commonName_default variable in openssl.cnf and KEY_CN in vars

Default value: undef

tls_auth

Data type: Boolean

Activates tls-auth to Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.

Default value: false

tls_crypt

Data type: Boolean

Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)

Default value: false

tls_server

Data type: Boolean

If proto is not tcp, lets you choose whether the tls-server directive is set.

Default value: false

tls_client

Data type: Boolean

Allows you to set this server up as a tls-client connection.

Default value: false

server_poll_timeout

Data type: Optional[Integer]

Value for timeout before trying the next server.

Default value: undef

ping_timer_rem

Data type: Boolean

Do not start clocking timeouts until a remote peer connects.

Default value: false

sndbuf

Data type: Optional[Integer]

Set the TCP/UDP socket send buffer size.

Default value: undef

rcvbuf

Data type: Optional[Integer]

Set the TCP/UDP socket receive buffer size.

Default value: undef

shared_ca

Data type: Optional[String]

Name of an openvpn::ca resource whose CA and keys this server should use

Default value: undef

crl_verify

Data type: Boolean

Enable CRL checking. Disabling this is not recommended.

Default value: true

crl_auto_renew

Data type: Boolean

Enables automatic renewing of crl.pem.

Default value: false

crl_renew_schedule_period

Data type: String

Sets the "period" parameter of the schedule for renewing the CRL. Since the 30-day expiry cannot be changed with easy-rsa 2, renewing twice a month (the default) keeps crl.pem valid.

Default value: 'monthly'

crl_renew_schedule_repeat

Data type: Integer

Sets the "repeat" parameter of the schedule for renewing the CRL. Since the 30-day expiry cannot be changed with easy-rsa 2, renewing twice a month (the default) keeps crl.pem valid.

Default value: 2

extca_enabled

Data type: Boolean

Turn this on if you are using an external CA solution, like FreeIPA. Once enabled, you must configure the remaining extca_* parameters.

Default value: false

extca_ca_cert_file

Data type: Optional[String]

External CA: Path to the CA certificate.

Default value: undef

extca_ca_crl_file

Data type: Optional[String]

External CA: Path to the CA's CRL file. For FreeIPA-based CAs, CRLs expire every four hours, which means you may need your own solution for maintaining a local copy of your CA's CRL. Otherwise, you can set crl_verify to false (not recommended).

Default value: undef

extca_server_cert_file

Data type: Optional[String]

External CA: Path to the external CA issued OpenVPN server certificate.

Default value: undef

extca_server_key_file

Data type: Optional[String]

External CA: Path to the key file that corresponds to $extca_server_cert_file

Default value: undef

extca_dh_file

Data type: Optional[String]

External CA: Path to your Diffie-Hellman parameter file. You will need to create one yourself. Make sure the key size matches the public key size of your CA-issued server certificate, like this: openssl dhparam -out /path/to/dh.pem 2048. Note: this is only required if you are enabling $tls_server.

Default value: undef

extca_tls_auth_key_file

Data type: Optional[String]

External CA: If you are enabling $extca_enabled and $tls_auth, you will also need to create the tls-auth key file and specify its location here. The file can be created like this: openvpn --genkey --secret /path/to/ta.key. Note: you will need to distribute this file to your clients as well.

Default value: undef
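The extca_* parameters replace the module-generated CA with material issued elsewhere; the module then manages only the OpenVPN configuration and expects every referenced file to already be in place. The following added example (not from the module's documentation) puts them together for a UDP server with tls-auth. The paths, fileserver URLs and instance name are assumptions, and the key directory assumes the Debian layout (on RHEL/CentOS 8 it sits under server_directory as described above).

```puppet
# Added example: server instance backed by an external CA (e.g. FreeIPA).
$keys = '/etc/openvpn/zurich/keys'   # assumed key directory for this instance

file { "${keys}/ca.crt":
  source => 'puppet:///modules/site/openvpn/ca.crt',
  mode   => '0644',
}
file { "${keys}/server.crt":
  source => 'puppet:///modules/site/openvpn/zurich.crt',
  mode   => '0644',
}
file { "${keys}/server.key":
  source    => 'puppet:///modules/site/openvpn/zurich.key',
  mode      => '0600',
  show_diff => false,   # keep the private key out of agent reports
}
# ta.key was created once with: openvpn --genkey --secret ta.key
file { "${keys}/ta.key":
  source    => 'puppet:///modules/site/openvpn/ta.key',
  mode      => '0600',
  show_diff => false,
}
# dh.pem was created with: openssl dhparam -out dh.pem 2048 (matches the server key size)
file { "${keys}/dh.pem":
  source => 'puppet:///modules/site/openvpn/dh.pem',
  mode   => '0644',
}
# crl.pem is refreshed by a job outside Puppet, since FreeIPA CRLs expire every four hours.

openvpn::server { 'zurich':
  server                  => '10.200.201.0 255.255.255.0',
  proto                   => 'udp',
  tls_server              => true,           # needed on udp; requires extca_dh_file
  tls_auth                => true,
  extca_enabled           => true,
  extca_ca_cert_file      => "${keys}/ca.crt",
  extca_ca_crl_file       => "${keys}/crl.pem",
  extca_server_cert_file  => "${keys}/server.crt",
  extca_server_key_file   => "${keys}/server.key",
  extca_dh_file           => "${keys}/dh.pem",
  extca_tls_auth_key_file => "${keys}/ta.key",
  crl_verify              => true,           # revoked certificates stay locked out
  require                 => File["${keys}/ca.crt", "${keys}/server.crt",
                                  "${keys}/server.key", "${keys}/ta.key",
                                  "${keys}/dh.pem"],
}
```

Clients of this instance are enrolled against the external CA too, so their openvpn::client declarations set server_extca_enabled and the ta.key must be distributed to them alongside their certificates.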

autostart

Data type: Optional[Boolean]

Enable autostart for server if openvpn::autostart_all is false.

Default value: undef

remote_cert_tls

Data type: Boolean

Enable or disable use of remote-cert-tls for the session. Generally used with client configuration, where it requires the peer certificate to carry the server extended key usage, so a stolen client certificate cannot impersonate the server

Default value: true

nobind

Data type: Boolean

Whether or not to bind to a specific port number.

Default value: false

secret

Data type: Optional[String]

A pre-shared static key.

Default value: undef

scripts

Data type: Hash[String, Hash]

Hash of scripts to copy with this instance. For example, to put a script in /etc/openvpn/test-site/scripts/add-tap-to-bridge.sh and use it as an up script

openvpn::server { 'test-site':
  ....
  up => 'add-tap-to-bridge.sh',
  scripts => {
    "add-tap-to-bridge.sh" => {
      source => 'puppet:///path/to/add-tap-to-bridge.sh',
    },
  },
}

Default value: {}

custom_options

Data type: Hash

Hash of additional options to append to the configuration file.

Default value: {}

fragment

Data type: Variant[Boolean, Integer]

Set the fragment directive: an Integer is the maximum UDP datagram size in bytes before OpenVPN fragments internally; false omits the directive

Default value: false