Install openvpn & certs also on client nodes
monotek opened this issue · 6 comments
Why is there no option to install the already created client tarball on client nodes, which are already able to get the configuration via puppet?
Did I just miss something?
It's probably not as straightforward as it might seem, because the certs are generated not on the puppet node, but on the server.
The only way I've been able to think of doing this would be to use a custom facter plugin to extract the certificates from the vpn servers into puppetdb using exported resources.
The other thing I've seen done is to use the puppet certificates for the openvpn connection.
Sure, assuming all relevant nodes are able to be accessed via SSH and have authorised keys setup.
Copying it over SSH is probably not the best solution and not the "puppet way" :) but yes, it would work.
I would export the client resource from the node and collect it on the openvpn server via puppetdb.
Then export the client configs and "collect" them on the node.
So the clients could "self-join" the openvpn server.
I've started to work on that inside of my fork. Will create a PR when everything is finished.
https://github.com/khaefeli/puppet-openvpn/commits/master
For now, you can only manage a redundant "slave" of the openvpn server.
The master crt, key and ca.crt are copied over puppetdb and applied on the master.
I'll continue with the work after my vacation, to also support the client certificates.
This will include: applying the certs on the x openvpn servers and copying the download-config stuff over puppetdb to the client - so no manual steps are required anymore and the nodes can "self-join" an openvpn server ;)
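The self-join flow sketched in the comments above (node exports a client resource, server collects it and exports the generated config back), written out as two Puppet profile classes. This is an added example, not code from the issue or from the fork; `openvpn::server`/`openvpn::client` and their parameters are assumed to match the module, the `openvpn_client_bundles` fact is a hypothetical custom fact, and `vpn.example.com` is a placeholder.

```puppet
# Client node: ask to join by exporting an openvpn::client resource that only the
# VPN server collects, then collect the config bundle the server exports for us.
class profile::vpn_client (
  String $server_name = 'vpn_server',
  String $server_fqdn = 'vpn.example.com',   # placeholder VPN server hostname
) {
  $me = $facts['networking']['fqdn']

  @@openvpn::client { $me:
    server => $server_name,                   # openvpn::server instance on the VPN host
    tag    => "openvpn_join_${server_name}",
  }

  # Realised on the run after the server has exported our bundle (see below).
  File <<| tag == "openvpn_bundle_${me}" |>>
}

# VPN server: collecting the exported clients makes the module generate each
# client's certificate locally. Because those files exist only on this agent,
# a custom fact (assumed here: hash of client name => base64 of the .ovpn bundle)
# carries them into the catalog so they can be exported via PuppetDB.
class profile::vpn_server (
  String $server_name = 'vpn_server',
) {
  openvpn::server { $server_name:
    country      => 'CH',
    province     => 'ZH',
    city         => 'Zurich',
    organization => 'example.com',
    email        => 'admin@example.com',
  }

  Openvpn::Client <<| tag == "openvpn_join_${server_name}" |>>

  # Fact is absent on the first run (no bundles generated yet), so default to {}.
  $bundles = $facts['openvpn_client_bundles'] ? {
    undef   => {},
    default => $facts['openvpn_client_bundles'],
  }

  $bundles.each |String $client, String $b64| {
    # Bundle contains the client's private key: owner-only permissions on the node.
    @@file { "/etc/openvpn/${client}.ovpn":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => base64('decode', $b64),
      tag     => "openvpn_bundle_${client}",
    }
  }
}
```

Convergence takes several runs (client exports, server collects and generates, server's next run exports the bundle, client's next run collects it). The client key passes through PuppetDB as catalog content, so PuppetDB access and its storage need the same protection as the certificate directory on the server.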
Just wondering if this functionality ever made it into a release?
We wrote a module a few years ago to do the same thing - https://bitbucket.org/codacity/puppet-module-openvpn_client
If we can consolidate it into a single module it's always a bonus and less to maintain.