
openvpn's Introduction

openvpn Cookbook


Installs OpenVPN and sets up a fairly basic configuration. Since OpenVPN is very complex, we provide a baseline only (see Customizing Server Configuration below).

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

  • Debian 8+
  • Ubuntu 16.04+
  • RHEL 6.x and 7.x (EPEL is enabled as required)
  • CentOS 6.x, 7.x, 8.x
  • Fedora
  • OpenSUSE 42+ (partial support/WIP)
  • Arch Linux
  • FreeBSD 11+ (partial support/WIP)

Note: we currently only test the latest minor release for the last 2 major releases of each OS/distribution using Test Kitchen.

Cookbooks

  • yum-epel

Not Supported

This cookbook is designed to set up a basic installation of OpenVPN that will work for many common use cases. The following configurations are not supported by default with this cookbook:

  • setting up routers and other network devices
  • ethernet-bridging (tap interfaces)
  • dual-factor authentication
  • many other advanced OpenVPN configurations

For further modification of the cookbook see Usage below.

For more information about OpenVPN, see the official site.

Attributes

These attributes are set by the cookbook by default.

  • node['openvpn']['client_cn'] - The client's Common Name used with the openvpn::client recipe (essentially a standalone recipe) for the client certificate and key.
  • node['openvpn']['type'] - Valid values are 'client' (currently a work in progress), 'server' or 'server-bridge'. Default is 'server' and it will create a routed IP tunnel, and use the 'tun' device. 'server-bridge' will create an ethernet bridge and requires a tap0 device bridged with the ethernet interface, and is beyond the scope of this cookbook.
  • node['openvpn']['subnet'] - Used for server mode to configure a VPN subnet to draw client addresses. Default is 10.8.0.0, which is what the sample OpenVPN config package uses.
  • node['openvpn']['netmask'] - Netmask for the subnet, default is 255.255.0.0.
  • node['openvpn']['gateway'] - FQDN for the VPN gateway server. Default is node['fqdn'].
  • node['openvpn']['push_routes'] - Array of routes to push to clients (as push statements) in the server.conf, e.g. '192.168.0.0 255.255.255.0'. Default is empty.
  • node['openvpn']['push_options'] - Array of options to push to clients in the server.conf, e.g. [["dhcp-option DNS", ["8.8.8.8"]]]. Default is empty.
  • node['openvpn']['configure_default_server'] - Boolean. Set this to false if you want to create all of your "conf" files with the LWRP.
  • node['openvpn']['git_package'] - Boolean. Whether to use the openvpn-git package (Arch Linux only, default false).
  • node['openvpn']['client_prefix'] - String. Name of the config that is created for clients. When imported into most vpn clients, this is the name that will be displayed for the connection. Default is 'vpn-prod'.
  • node['openvpn']['cookbook_user_conf'] - String. The cookbook used by the openvpn::users recipe for the client.conf.erb template. You can override this to your own, such as your wrapper cookbook. Default is 'openvpn'.
  • node['openvpn']['key_dir'] - Location to store keys, certificates and related files. Default /etc/openvpn/keys.
  • node['openvpn']['signing_ca_cert'] - CA certificate for signing, default /etc/openvpn/keys/ca.crt
  • node['openvpn']['signing_ca_key'] - CA key for signing, default /etc/openvpn/keys/ca.key
  • node['openvpn']['server_verification'] - Server certificate verification directive; any directive listed in the official documentation can be used. Default is nil.
  • node['openvpn']['config']['local'] - IP to listen on, defaults to node['ipaddress']
  • node['openvpn']['config']['proto'] - Valid values are 'udp' or 'tcp', defaults to 'udp'.
  • node['openvpn']['config']['port'] - Port to listen on, defaults to '1194'.
  • node['openvpn']['config']['log'] - Server log file. Default /var/log/openvpn.log
  • node['openvpn']['config']['script-security'] - Script Security setting to use in server config. Default is 1. The "up" script will not be included in the configuration if this is 0 or 1. Set it to 2 to use the "up" script.

The following attributes are used to populate the easy-rsa vars file. Defaults are the same as the vars file that ships with OpenVPN.

  • node['openvpn']['key']['ca_expire'] - In how many days should the root CA key expire - CA_EXPIRE.
  • node['openvpn']['key']['expire'] - In how many days should certificates expire - KEY_EXPIRE.
  • node['openvpn']['key']['size'] - Default key size, set to 2048 if paranoid but will slow down TLS negotiation performance - KEY_SIZE.

The following provide the default values for the fields placed in the certificate from the vars file. Do not leave these blank.

  • node['openvpn']['key']['country'] - KEY_COUNTRY
  • node['openvpn']['key']['province'] - KEY_PROVINCE
  • node['openvpn']['key']['city'] - KEY_CITY
  • node['openvpn']['key']['org'] - KEY_ORG
  • node['openvpn']['key']['email'] - KEY_EMAIL

The following lets you specify the message digest used by OpenVPN when generating certificates.

  • node['openvpn']['key']['message_digest'] - Default is sha256 for a high level of security.

The CRL will be generated and refreshed automatically, allowing you to revoke certificates.

  • node['openvpn']['key']['crl_expire'] - In how many days should the CRL expire? It will be refreshed after half of this time.
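As an added illustration of the refresh rule above (example Ruby using the standard OpenSSL bindings, not the cookbook's easy-rsa based implementation), the block below builds a throwaway CA, issues a CRL whose validity is crl_expire days, and decides whether a refresh is due by comparing the CRL's age against half of that period. It also verifies the CRL signature against the CA before trusting any field, and flags a CRL that has passed its next_update. The CA, the revoked serial numbers and the timestamps are all constructed for this example.

```ruby
require 'openssl'

DAY = 86_400

# Constructed throwaway CA for the example; the cookbook's real CA lives in
# node['openvpn']['key_dir'] and is managed by easy-rsa, not by this code.
def build_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example OpenVPN CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3650 * DAY
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue a CRL valid for crl_expire_days from issued_at, listing the given
# certificate serials as revoked at that moment.
def issue_crl(ca_key, ca_cert, issued_at, crl_expire_days, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # X.509 v2 CRL
  crl.issuer = ca_cert.subject
  crl.last_update = issued_at
  crl.next_update = issued_at + crl_expire_days * DAY
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = issued_at
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl.to_pem
end

# Parse the CRL and verify its signature against the CA before reading any field.
def load_crl(crl_pem, ca_cert)
  crl = OpenSSL::X509::CRL.new(crl_pem)
  raise 'CRL signature does not verify against the CA certificate' unless crl.verify(ca_cert.public_key)
  crl
end

# The README's rule: refresh once half of crl_expire has elapsed since the CRL
# was issued, long before next_update is reached.
def crl_refresh_due?(crl_pem, ca_cert, crl_expire_days, now = Time.now)
  crl = load_crl(crl_pem, ca_cert)
  (now - crl.last_update) >= (crl_expire_days * DAY) / 2.0
end

# Past next_update the CRL is stale: the half-way refresh has been missed.
def crl_expired?(crl_pem, ca_cert, now = Time.now)
  now > load_crl(crl_pem, ca_cert).next_update
end

# Serial numbers the CRL lists as revoked.
def crl_revoked_serials(crl_pem, ca_cert)
  load_crl(crl_pem, ca_cert).revoked.map { |entry| entry.serial.to_i }
end

if $PROGRAM_NAME == __FILE__
  ca_key, ca_cert = build_test_ca
  issued = Time.utc(2024, 1, 1)
  pem = issue_crl(ca_key, ca_cert, issued, 30, [2, 3])
  puts "revoked serials: #{crl_revoked_serials(pem, ca_cert).inspect}"
  puts "refresh due after 14 days? #{crl_refresh_due?(pem, ca_cert, 30, issued + 14 * DAY)}"
  puts "refresh due after 15 days? #{crl_refresh_due?(pem, ca_cert, 30, issued + 15 * DAY)}"
end
```

With crl_expire set to 30, the refresh becomes due exactly 15 days after the CRL was issued, leaving another 15 days before clients would see a stale CRL if a Chef run were missed.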

Recipes

openvpn::default

Installs the OpenVPN package only.

openvpn::install

Installs the OpenVPN package only.

openvpn::server

Installs and configures OpenVPN as a server.

openvpn::client

Installs and configures OpenVPN as a client.

openvpn::service

Manages the OpenVPN system service (there is no need to use this recipe directly in your run_list).

openvpn::users

Utilizes a data bag called users to generate OpenVPN keys for each user.

openvpn::easy_rsa

Installs the easy-rsa package (a CLI utility to build and manage a PKI CA).

Usage

Create a role for the OpenVPN server. See above for attributes that can be entered here.

name "openvpn"
description "The server that runs OpenVPN"
run_list("recipe[openvpn::server]")
override_attributes(
  "openvpn" => {
    "gateway" => "vpn.example.com",
    "subnet" => "10.8.0.0",
    "netmask" => "255.255.0.0",
    "key" => {
      "country" => "US",
      "province" => "CA",
      "city" => "SanFrancisco",
      "org" => "Fort-Funston",
      "email" => "[email protected]"
    }
  }
)

Note: If you are using a Red Hat EL distribution, the EPEL repository is automatically enabled by Chef's recipe[yum::epel] to install the openvpn package.

To push routes to clients, add node['openvpn']['push_routes'] as an array attribute, e.g. if the internal network is 192.168.100.0/24:

override_attributes(
  "openvpn" => {
    "push_routes" => [
      "192.168.100.0 255.255.255.0"
    ]
  }
)

To push other options to clients, use the node['openvpn']['push_options'] attribute and set an array of hashes or strings. For example:

override_attributes(
  "openvpn" => {
    "push_options" => {
      "dhcp-option" => [
        "DOMAIN domain.local",
        "DOMAIN-SEARCH domain.local"
      ],
      "string-option" => "string value"
    }
  }
)

This will render a config file that looks like:

push "dhcp-option DOMAIN domain.local"
push "dhcp-option DOMAIN-SEARCH domain.local"
push "string-option string value"

To automatically create new certificates and configurations for users, create data bags for each user. The only content required is the id, but this can be used in conjunction with other cookbooks by Chef Software such as users or samba. See SSL Certificates below for more about generating client certificate sets.

{
  "id": "jtimberman"
}

This cookbook also provides an 'up' script that runs when OpenVPN is started. This script is for setting up firewall rules and kernel networking parameters as needed for your environment. Modify it to suit your needs, upload the cookbook and re-run chef on the openvpn server. For example, you'll probably want to enable IP forwarding (a sample Linux setting is commented out). The attribute node['openvpn']["script_security"] must be set to 2 or higher to use this; otherwise the OpenVPN server will fail to start.
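To make the rendering rules above concrete, here is an added Ruby example (not the cookbook's template code) that produces the push and up-script lines of a server.conf from plain Ruby values shaped like the attributes described earlier. It accepts both the array form of push_options from the attribute list and the hash form from the example, emits the `up` line only when script-security is 2 or higher, and refuses values containing double quotes or line breaks, because such a value would end the quoted push directive early and inject further configuration. The up-script path /etc/openvpn/server.up.sh is an assumption, and the value check is this example's addition, not a cookbook feature.

```ruby
# Added example, not cookbook code: render the push / up-script portion of an
# OpenVPN server.conf from attribute-shaped Ruby values.

# A value interpolated into `push "<name> <value>"` must not contain the quote
# or line-break characters that would terminate the directive early.
# (Check added in this example; the cookbook's templates do not do this.)
def validate_config_value!(value)
  str = value.to_s
  if str.match?(/["\r\n]/) || str.strip.empty?
    raise ArgumentError, "unsafe or empty config value: #{str.inspect}"
  end
  str
end

# push_routes: ['192.168.100.0 255.255.255.0'] -> push "route 192.168.100.0 255.255.255.0"
def render_push_routes(routes)
  Array(routes).map { |route| %(push "route #{validate_config_value!(route)}") }
end

# push_options accepts either shape shown in the README:
#   hash form:  { 'dhcp-option' => ['DOMAIN a.local', 'DNS 10.8.0.1'], 'opt' => 'value' }
#   array form: [['dhcp-option DNS', ['8.8.8.8']], 'plain-directive']
# Every (name, value) pair becomes one push line; a bare string is pushed as-is.
def render_push_options(options)
  entries = options.is_a?(Hash) ? options.to_a : Array(options)
  entries.flat_map do |entry|
    if entry.is_a?(String)
      [%(push "#{validate_config_value!(entry)}")]
    else
      name, values = entry
      name = validate_config_value!(name)
      Array(values).map { |v| %(push "#{name} #{validate_config_value!(v)}") }
    end
  end
end

# Assumed path of the rendered server.up.sh.erb template.
UP_SCRIPT = '/etc/openvpn/server.up.sh'

# OpenVPN only runs external scripts at script-security 2 or higher, so at
# 0 or 1 the `up` line is left out and the server still starts cleanly.
def render_up_script(script_security)
  level = Integer(script_security)
  raise ArgumentError, "script-security must be 0..3, got #{level}" unless (0..3).cover?(level)
  lines = ["script-security #{level}"]
  lines << "up #{UP_SCRIPT}" if level >= 2
  lines
end

# Combine the fragment contributed by the three attribute groups.
def render_server_conf_fragment(attrs)
  render_push_routes(attrs['push_routes']) +
    render_push_options(attrs['push_options']) +
    render_up_script(attrs.fetch('script_security', 1))
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample attributes, shaped like the README's override_attributes.
  sample = {
    'push_routes' => ['192.168.100.0 255.255.255.0'],
    'push_options' => {
      'dhcp-option' => ['DOMAIN domain.local', 'DOMAIN-SEARCH domain.local'],
      'string-option' => 'string value',
    },
    'script_security' => 2,
  }
  puts render_server_conf_fragment(sample)
end
```

Run stand-alone, the sample renders the three push lines shown in the README example followed by `script-security 2` and the `up` line; with script_security left at the default of 1 the `up` line disappears, which is the behaviour the attribute description calls out.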

Resources

openvpn_user

Implements a resource for creation of users and bundles.

openvpn_config

Given a hash of config options, it writes out individual openvpn config files.

If you don't want to use the default "server.conf" from the default recipe, set node['openvpn']["configure_default_server"] to false, then use this resource to configure things as you like.

Example

The .pem files referenced below must already be in place before this resource runs (e.g. delivered with cookbook_file).

openvpn_conf 'myvpn' do
  config({
    'client' => '',
    'dev' => 'tun',
    'proto' => 'tcp',
    'remote' => '1.2.3.4 443',
    'cipher' => 'AES-128-CBC',
    'tls-cipher' => 'DHE-RSA-AES256-SHA',
    'auth' => 'SHA1',
    'nobind' => '',
    'resolv-retry' => 'infinite',
    'persist-key' => '',
    'persist-tun' => '',
    'ca' => "/etc/openvpn/myvpn/ca.pem",
    'cert' => "/etc/openvpn/myvpn/cert.pem",
    'key' => "/etc/openvpn/myvpn/key.pem",
    'comp-lzo' => '',
    'verb' => false,
    'auth-user-pass' => "/etc/openvpn/myvpn/login.conf",
  })
end

# for systemd based systems
service 'openvpn@myvpn' do
  action [:start, :enable]
end

Customizing Server Configuration

To further customize the server configuration, there are two templates that can be modified in this cookbook.

  • templates/default/server.conf.erb
  • templates/default/server.up.sh.erb

The first is the OpenVPN server configuration file; modify it to suit your needs for more advanced features of OpenVPN. The second is an up script run when OpenVPN starts. This is where you can add firewall rules, enable IP forwarding and other OS network settings required for OpenVPN. Attributes in the cookbook are provided as defaults; you can add more via the openvpn role if you need them.

SSL Certificates

Some of the easy-rsa tools are copied to /etc/openvpn/easy-rsa to provide the minimum to generate the certificates using the default and users recipes. We provide a Rakefile to make it easier to generate client certificate sets if you're not using the data bags above. To generate new client certificates you will need rake installed (either as a gem or a package), then run:

cd /etc/openvpn/easy-rsa
source ./vars
rake client name="CLIENT_NAME" gateway="vpn.example.com"

Replace CLIENT_NAME and vpn.example.com with your desired values. The rake task will generate a tar.gz file with the configuration and certificates for the client.

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!


Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.


openvpn's Issues

Foodcritic warnings

FC069: Ensure standardized license defined in metadata: ./metadata.rb:1
FC072: Metadata should not contain "attribute" keyword: ./metadata.rb:1
FC078: Ensure cookbook shared under an OSI-approved open source license: ./metadata.rb:1

Supermarket cookbook

Hi!
The cookbook on the supermarket is very old. Is it planned to release an intermediate version before v3?

Thx

undefined method `proto' for Custom resource openvpn_conf from cookbook openvpn

Cookbook version

[Version of the cookbook where you are encountering the issue]
3.0.0

Chef-client version

[Version of chef-client in your environment]
13.9.1

Platform Details

[Operating system distribution and release version. Cloud provider if running in the cloud]
Ubuntu 16 LTS

Scenario:

[What you are trying to achieve and you can't?]
use the openvpn_conf resource

Steps to Reproduce:

[If you are filing an issue what are the things we need to do in order to repro your problem? How are you using this cookbook or any resources it includes?]

  1. define resource like:
    openvpn_conf 'server' do
      port node['openvpn']['config']['port']
      proto node['openvpn']['config']['proto']
      type node['openvpn']['config']['dev']
      local node['openvpn']['config']['local']
      routes node['openvpn']['routes']
      script_security node['openvpn']['script_security']
      key_dir node['openvpn']['key_dir']
      key_size node['openvpn']['key']['size']
      subnet node['openvpn']['subnet']
      netmask node['openvpn']['netmask']
      user node['openvpn']['user']
      group node['openvpn']['group']
      log node['openvpn']['log']
      not_if { node['openvpn']['configure_default_server'] }
      action :create
      notifies :restart, 'service[openvpn]'
    end

  2. chef converge

Expected Result:

[What are you expecting to happen as the consequence of above reproduction steps?]
successful converge and conf file creation

Actual Result:

[What actually happens after the reproduction steps? Include the error output or a link to a gist if possible.]
getting error messages like this for every resource property:
[2018-05-11T23:54:23+00:00] ERROR: undefined method `proto' for Custom resource openvpn_conf from cookbook openvpn

with 2.1.0 it is working

create a 'service' recipe

Create a service recipe that contains the openvpn service, so that recipe can be included by both the server recipes, and the client recipe, to make the service managed, and not repeated (to avoid cloned resource warnings).

Openvpn service is not running after reboot

On CentOS 7 the openvpn service is not running after reboot.

"systemctl status [email protected]"

[email protected] - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled)
   Active: failed (Result: exit-code) since di 2015-05-05 19:43:08 CEST; 14s ago
  Process: 940 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)

mei 05 19:43:08 combi001.example.com systemd[1]: [email protected]: control process exited, code=exited status=1
mei 05 19:43:08 combi001.example.com systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
mei 05 19:43:08 combi001.example.com systemd[1]: Unit [email protected] entered failed state.

When I log in with SSH and execute this command manually "systemctl restart [email protected]" it runs fine (however it still says something about a failure).

[email protected] - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled)
   Active: active (running) since di 2015-05-05 19:44:42 CEST; 1s ago
  Process: 2060 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 2070 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/[email protected]
           └─2070 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

mei 05 19:44:42 combi001.example.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
mei 05 19:44:42 combi001.example.com systemd[1]: Failed to read PID from file /var/run/openvpn/server.pid: Invalid argument
mei 05 19:44:42 combi001.example.com systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

Multi-machine testing in test-kitchen for server+client

Vagrantfile currently uses vbox private networking to connect the client to server to complete an end to end setup. This needs to be integrated into .kitchen.yml or a separate kitchen yaml so each supported platform can be tested in integration. Sprouted from issue #73.

Use openssl cookbook resource to generate certificates

Rather than a maze of twisty execute/bash resources, we should use the openssl LWRP to generate the required certs/keys. If this requires an update to the openssl cookbook, we should add any functionality necessary.

client_subnet_route may be more than one route

When using client-config-dir directory you can specify more than one client subnet.

client-config-dir ccd
route 10.9.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0

I've modified the cookbook like this to make this possible.

diff --git a/providers/conf.rb b/providers/conf.rb
index be2d9be..d10a0b2 100644
--- a/providers/conf.rb
+++ b/providers/conf.rb
@@ -40,13 +40,14 @@ action :create do
     dhcp_domain: new_resource.dhcp_domain,
     duplicate_cn: new_resource.duplicate_cn,
     interface_num: new_resource.interface_num,
-    client_subnet_route: new_resource.client_subnet_route,
+    client_subnet_routes: new_resource.client_subnet_routes,
     max_clients: new_resource.max_clients,
     status_log: new_resource.status_log,
     plugins: new_resource.plugins
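Review bot: renaming the template variable from `client_subnet_route` to `client_subnet_routes` is a breaking change for anyone already setting `client_subnet_route` on `openvpn_conf`, and nothing here keeps the old name working. Consider keeping the existing attribute name, accepting both a String and an Array, and passing `Array(new_resource.client_subnet_route)` into the variables hash so single-route configs keep converging, or else call the rename out as a breaking change in the changelog.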

diff --git a/resources/conf.rb b/resources/conf.rb
index bc3deea..fb050ad 100644
--- a/resources/conf.rb
+++ b/resources/conf.rb
@@ -65,8 +65,8 @@ attribute :duplicate_cn,
           default: false
 attribute :interface_num,
           kind_of: Integer
-attribute :client_subnet_route,
-          kind_of: String
+attribute :client_subnet_routes,
+          kind_of: Array
 attribute :max_clients,
           kind_of: Integer
 attribute :status_log,
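Review bot: `kind_of: Array` rejects the plain String the attribute accepted before, so every existing caller has to change in step with this patch; `kind_of: [String, Array]` with the coercion done in the provider would be backwards compatible. The README's attribute list also does not describe `client_subnet_route`, so the new Array shape needs documenting alongside this change.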
diff --git a/templates/default/server.conf.erb b/templates/default/server.conf.erb
index 1cfb993..f26bc38 100644
--- a/templates/default/server.conf.erb
+++ b/templates/default/server.conf.erb
@@ -36,9 +36,11 @@ push "dhcp-option DOMAIN <%= @dhcp_domain %>"
 <% if @duplicate_cn -%>
 duplicate-cn
 <% end -%>
-<% if @client_subnet_route -%>
+<% if @client_subnet_routes -%>
 client-config-dir ccd
-route <%= @client_subnet_route %>
+<% @client_subnet_routes.each do |client_subnet_route| -%>
+route <%= client_subnet_route %>
+<% end -%>
 <% end -%>
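Review bot: `<% if @client_subnet_routes -%>` is true for an empty Array, so `client_subnet_routes []` would render `client-config-dir ccd` with no `route` lines beneath it, enabling per-client config directories without any route, which is unlikely to be intended. Guard with `<% if @client_subnet_routes && !@client_subnet_routes.empty? -%>` (or `Array(@client_subnet_routes).any?`, which also covers a single String) so the block is only emitted when there is at least one route.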

Persist server PKI including restore to new server nodes

There needs to be idempotency of server PKI (CA cert, key etc.) of a server i.e. if the server dies, run up a new node with the exact same configuration including the PKI elements.

It should also be possible to create a new server node that has a different configuration with other directives but uses the same stored CA, cert and key.

Secrets storage to fetch from is a likely requirement here and this could support multiple sources by means of providers e.g. s3, vault.

Unable to run include_recipe 'openvpn::server'

[2016-05-30T00:52:24+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
==> default: [2016-05-30T00:52:24+00:00] ERROR: could not find recipe server for cookbook openvpn
==> default: [2016-05-30T00:52:24+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

I can work around it by specifying the type as server and running include_recipe 'openvpn' instead

New tag

Hi! Would you mind tagging this, as there are 166 commits since v2.1.0.

Thanks in advance,
Leandro

Update README

to reflect change of attributes, e.g.:

node["openvpn"]["proto"] -> node["openvpn"]['config']["proto"]

Template FileNotFound error using LWRP conf provider

When using LWRP conf provider in my recipe I get this error message because server.conf.erb doesn't exist in my cookbook (which depends on openvpn)

Chef::Exceptions::FileNotFound
------------------------------
template[/etc/openvpn/server.conf]

I resolved it with this change:

diff --git a/providers/conf.rb b/providers/conf.rb
index be2d9be..de783c3 100644
--- a/providers/conf.rb
+++ b/providers/conf.rb
@@ -47,6 +47,7 @@ action :create do
   }

   template "/etc/openvpn/#{new_resource.name}.conf" do
+    cookbook 'openvpn' if !node['openvpn']['override_template']
     source 'server.conf.erb'
     owner 'root'
     group 'root'
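Review bot: `node['openvpn']['override_template']` is a new attribute that nothing in the cookbook declares or documents, and since it has no default it is nil, so this line always pins the template to the openvpn cookbook unless a wrapper sets the attribute. Prefer `unless` over `if !`, and better still expose the template source as a resource attribute (for example a `cookbook` attribute defaulting to `'openvpn'`, mirroring the existing `cookbook_user_conf` attribute used for client.conf.erb) so a wrapper can override it per resource without a global node attribute.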

rake should (probably?) be installed

The README points out that you can use the rake tasks defined in /etc/openvpn/easy-rsa/Rakefile, but rake is not available by default on an ubuntu 12.04 LTS system (and probably others).

It would be nice to be able to use the openvpn::default recipe, and be able to create users using this raketask without having to bring another recipe to install rake, or install it manually.

Configuration LWRP refactor

The LWRP for managing the client vs server config could be improved by refactoring a few things.

  1. Rename the source template to openvpn.conf.erb since it's not server specific.
  2. Create a service resource that can be restarted/reloaded when the template is updated (optionally, default to true); see also #43 for approaching this in the cookbook's recipes.
  3. Separate resource attribute that is the name attribute, rather than using new_resource#name directly.
  4. ChefSpec coverage, including matchers, to test behavior.
  5. Other things as I dig into the code/templates 😸

Firewall and gateway options needed by default?

  1. I needed to add iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE to /etc/openvpn/server.up.d/postrouting.sh. Without this no packets were forwarded from the tunnel to the internet. I've noticed also that digitalocean tutorials create similar rules using ufw (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8)

  2. When starting the client from command line sudo openvpn --config user.ovpn it was necessary to add push "redirect-gateway def1 bypass-dhcp" to server.conf, otherwise it won't completely create the necessary routes on the client. With network-manager it creates the routes anyway.

OpenVPN won't start on CentOS 7

If I switch to CentOS 7 (by changing to "config.vm.box = 'centos-7.2'" in the Vagrantfile) the server machine builds fine but the client machine fails with the error below. It is failing to start the OpenVPN service as it is trying to start [email protected] which in turn causes /etc/systemd/system/multi-user.target.wants/[email protected] file to look for a 'server.conf' OpenVPN config file but none exists as instead the recipe created a 'client.conf' file on the client machine.

I changed the references to "[email protected]" in service.rb file to "[email protected]" and was able to vagrant up the client machine successfully but that in turn breaks the server machine as service.rb is shared across both machines and in the server we create a 'server.conf' file for OpenVPN.

So, definitely a minor thing but I thought it was very cool of you to provide a working Vagrantfile and as it includes a lot of code to work on RHEL platforms I figured I'd try it on CentOS. Also this is basically the last step so fix this and we have RHEL working which would be nice. I'm not entirely certain how best to fix this but am happy to help out if I can.

Thanks all for the awesome recipe,

Paul

==> client: Recipe: openvpn::install
==> client:   * yum_package[openvpn] action install
==> client: [2016-01-07T17:25:43+00:00] INFO: yum_package[openvpn] installing openvpn-2.3.9-1.el7 from epel repository
==> client: [2016-01-07T17:25:46+00:00] INFO: yum_package[openvpn] installed openvpn at 2.3.9-1.el7
==> client: 
==> client:     - install version 2.3.9-1.el7 of package openvpn
==> client: Recipe: openvpn::service
==> client:   * link[/etc/systemd/system/multi-user.target.wants/[email protected]] action create[2016-01-07T17:25:46+00:00] INFO: link[/etc/systemd/system/multi-user.target.wants/[email protected]] created
==> client: 
==> client:     - create symlink at /etc/systemd/system/multi-user.target.wants/[email protected] to /usr/lib/systemd/system/[email protected]
==> client:   * service[openvpn] action enable
==> client:  (up to date)
==> client:   * service[openvpn] action start
==> client: 
==> client:     
==> client:     ================================================================================
==> client:     Error executing action `start` on resource 'service[openvpn]'
==> client:     ================================================================================
==> client:     
==> client:     Mixlib::ShellOut::ShellCommandFailed
==> client:     ------------------------------------
==> client:     Expected process to exit with [0], but received '1'
==> client:     ---- Begin output of /bin/systemctl start [email protected] ----
==> client:     STDOUT: 
==> client:     STDERR: Job for [email protected] failed because the control process exited with error code. See "systemctl status [email protected]" and "journalctl -xe" for details.
==> client:     ---- End output of /bin/systemctl start [email protected] ----
==> client:     Ran /bin/systemctl start [email protected] returned 1
==> client:     
==> client:     Resource Declaration:
==> client:     ---------------------
==> client:     # In /var/chef/cache/cookbooks/openvpn/recipes/service.rb
==> client:     
==> client:      39: service 'openvpn' do
==> client:      40:   service_name service_name
==> client:      41:   action [:enable, :start]
==> client:      42: end
==> client:     
==> client:     Compiled Resource:
==> client:     ------------------
==> client:     # Declared in /var/chef/cache/cookbooks/openvpn/recipes/service.rb:39:in `from_file'
==> client:     
==> client:     service("openvpn") do
==> client:       action [:enable, :start]
==> client:       supports {:restart=>nil, :reload=>nil, :status=>nil}
==> client:       retries 0
==> client:       retry_delay 2
==> client:       default_guard_interpreter :default
==> client:       service_name "[email protected]"
==> client:       enabled true
==> client:       pattern "openvpn"
==> client:       declared_type :service
==> client:       cookbook_name "openvpn"
==> client:       recipe_name "service"
==> client:     end
==> client:     
==> client: [2016-01-07T17:25:46+00:00] INFO: Running queued delayed notifications before re-raising exception
==> client: 
==> client: Running handlers:
==> client: [2016-01-07T17:25:46+00:00] ERROR: Running exception handlers
==> client: Running handlers complete
==> client: [2016-01-07T17:25:46+00:00] ERROR: Exception handlers complete
==> client: Chef Client failed. 7 resources updated in 23 seconds
==> client: [2016-01-07T17:25:46+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
==> client: [2016-01-07T17:25:46+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
==> client: [2016-01-07T17:25:46+00:00] ERROR: service[openvpn] (openvpn::service line 39) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
==> client: ---- Begin output of /bin/systemctl start [email protected] ----
==> client: STDOUT: 
==> client: STDERR: Job for [email protected] failed because the control process exited with error code. See "systemctl status [email protected]" and "journalctl -xe" for details.
==> client: ---- End output of /bin/systemctl start [email protected] ----
==> client: Ran /bin/systemctl start [email protected] returned 1
==> client: [2016-01-07T17:25:47+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Chef never successfully completed! Any errors should be visible in the
output above. Please fix your recipes so that they properly complete.

Interest in handling user removal & suspension?

Looking through the code/doc, I don't see a solution for:

  • removing credentials for users with "remove" action
  • suspending credentials for users with "lock" action

Let me know if I just missed it or if folks are handling in a different manner. If not, is there any interest in supporting either of these use cases? If so, I can do my work in this cookbook and submit as PR. Otherwise, will just handle via wrapper.

Cheers,

Todd

Trouble setting push route

I've been trying to make a recipe that pushes a route just using the default configuration. However, the route doesn't show up. Do I need to use the LWRP to create a server.conf that has a push route?
Example default attribute in recipe:

normal['openvpn']['push_routes'] = ['10.0.0.0 255.255.0.0']

differences between 2.1.0 and 2.1.1 are breaking changes!

There are major changes in 2.1.1 that are not backwards compatible with 2.x. The structure of the recipes in the cookbook, and also the routes attribute changes to push_routes. This is a breaking change.
Therefore the cookbook should be 3.x and follow semver.

possible to allow to override the template file for `user client conf`

Hi,

I have a need for adding one more config for our user client conf, called tls-auth 'ta.key' 1.

But it is not feasible to rewind Chef Resources, since the "user create code" lives inside a Search loop which yields different user id.

Is it possible to add cookbook attributes to the template file like this?

%w(conf ovpn).each do |ext|
  template "#{node['openvpn']['key_dir']}/#{node['openvpn']['client_prefix']}-#{u['id']}.#{ext}" do
    source 'client.conf.erb'
    cookbook node['openvpn']['client_template_cookbook']
    variables(client_cn: u['id'])
  end
end

Client recipe (and conf provider) don't set username in conf template

I just wanted to use the openvpn::client recipe, however it's pretty broken atm (in 2.1.1 / master).

Here's the output from the chef-client run:

...
       Recipe: openvpn::service
         * service[openvpn] action restart

           ================================================================================
           Error executing action `restart` on resource 'service[openvpn]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '1'
           ---- Begin output of /etc/init.d/openvpn start ----
           STDOUT: * Starting virtual private network daemon(s)...
            *   Autostarting VPN 'client'
           STDERR: 
           ---- End output of /etc/init.d/openvpn start ----
       Ran /etc/init.d/openvpn start returned 1


           ---------------------
           # In /tmp/kitchen/cache/cookbooks/openvpn/recipes/service.rb

            39: service 'openvpn' do
            40:   service_name service_name
            41:   action [:enable, :start]
            42: end

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/openvpn/recipes/service.rb:39:in `from_file'

           service("openvpn") do
             action [:enable, :start]
             updated true
             supports {:restart=>nil, :reload=>nil, :status=>nil}
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             service_name "openvpn"
             enabled true
             running true
             pattern "openvpn"
             declared_type :service
             cookbook_name "openvpn"
             recipe_name "service"
           end

...       
       Running handlers:
       [2016-01-28T06:13:44+08:00] ERROR: Running exception handlers
       Running handlers complete
       [2016-01-28T06:13:44+08:00] ERROR: Exception handlers complete
       Chef Client failed. 41 resources updated in 01 minutes 59 seconds
       [2016-01-28T06:13:44+08:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2016-01-28T06:13:44+08:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2016-01-28T06:13:44+08:00] ERROR: service[openvpn] (openvpn::service line 39) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
       ---- Begin output of /etc/init.d/openvpn start ----
       STDOUT: * Starting virtual private network daemon(s)...
        *   Autostarting VPN 'client'
       STDERR: 
       ---- End output of /etc/init.d/openvpn start ----
       Ran /etc/init.d/openvpn start returned 1
       [2016-01-28T06:13:45+08:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
>>>>>> Converge failed on instance <default-ubuntu-1404>.
>>>>>> Please see .kitchen/logs/default-ubuntu-1404.log for more details
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: SSH exited (1) for command: [sh -c '

sudo -E /opt/chef/bin/chef-client --local-mode --config /tmp/kitchen/client.rb --log_level auto --force-formatter --no-color --json-attributes /tmp/kitchen/dna.json --chef-zero-port 8889
']
>>>>>> ----------------------

Here's the relevant output from /var/log/syslog:

Jan 27 22:13:43 vagrant ovpn-client[3249]: Options error: --ca fails with 'ca.crt': No such file or directory
Jan 27 22:13:43 vagrant ovpn-client[3249]: Options error: --cert fails with '.crt': No such file or directory
Jan 27 22:13:43 vagrant ovpn-client[3249]: Options error: --key fails with '.key': No such file or directory
Jan 27 22:13:43 vagrant ovpn-client[3249]: Options error: Please correct these errors.
Jan 27 22:13:43 vagrant ovpn-client[3249]: Use --help for more information.

And here's how the template ends up:

vagrant@default-ubuntu-1404:~$ vi /etc/openvpn/client.conf 

# OpenVPN client configuration file
# Generated by Chef - local changes will be overwritten!

# Please refer to the OpenVPN documentation for details on
# configuration settings.

client
dev tun
proto udp
remote vpn. 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert .crt
key .key
comp-lzo
verb 3 

The username is set and used by the openvpn::users recipe, but not from the openvpn::client.
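As an added example (not the cookbook's code), a pre-flight check that would catch the rendered client.conf above before the service restart fails: it flags file options with an empty basename (the `cert .crt` / `key .key` lines) and the truncated `remote vpn.` host. The working directory for relative paths and the injectable `exists` check are assumptions.

```ruby
# Added example, not the cookbook's code: a pre-flight check for a rendered
# client.conf that catches the "--cert fails with '.crt'" errors shown above.

# Options whose first argument is a file OpenVPN must be able to open.
FILE_OPTIONS = %w[ca cert key tls-auth dh].freeze

# Split a conf into [option, argument] pairs, dropping comments and blanks.
def parse_conf(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| l.split(/\s+/, 2) }
end

# Returns the problems found (empty when the conf looks usable).
# conf_dir: assumed working directory for relative file names.
# exists: injectable file check so the function can run on sample data.
def check_client_conf(text, conf_dir: '/etc/openvpn', exists: ->(p) { File.exist?(p) })
  problems = []
  parse_conf(text).each do |opt, arg|
    first = arg.to_s.split(/\s+/).first.to_s.delete(%q('"))
    if opt == 'remote'
      # A blank gateway attribute renders as "remote vpn. 1194".
      problems << "remote host '#{first}' is empty or truncated" if first.empty? || first.end_with?('.')
    elsif FILE_OPTIONS.include?(opt)
      if first.empty? || File.basename(first).start_with?('.')
        # A blank client_cn renders "cert .crt" and "key .key".
        problems << "--#{opt} has an empty file name '#{first}'"
      else
        path = first.start_with?('/') ? first : File.join(conf_dir, first)
        problems << "--#{opt} references missing file #{path}" unless exists.call(path)
      end
    end
  end
  problems
end

# Constructed sample reproducing the template output quoted above.
BROKEN_CLIENT_CONF = <<~CONF
  client
  dev tun
  proto udp
  remote vpn. 1194
  ca ca.crt
  cert .crt
  key .key
  comp-lzo
  verb 3
CONF
```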

new release

There's been a lot of changes since the last release in 2013. Any idea when this new 3.0.0 version will make the cut and be tagged/added to supermarket?

recipes mentioned in readme missing in package

Cookbook version

2.1.0, 2.0.4

Chef-client version

12

Platform Details

ubuntu 16.04

Scenario:

some recipes mentioned in the readme were missing from the package (openvpn::server)

Steps to Reproduce:

run recipe openvpn::server

Expected Result:

to initiate openvpn::server

Actual Result:

Chef::Exceptions::RecipeNotFound

could not find recipe server for cookbook openvpn

Recommended method of revoking users?

Thanks for providing the cookbook to create a VPN server. I don't see anything in the documentation about how to revoke users. I also don't see the revoke-full command on the server to do it according to the "OpenVPN way".

What is the recommended way of removing users' access to the VPN?

Ideally I'd like to remove the user, manually run chef on the server and have it boot that user from the connection.

Thanks!

Install dependency libengine-pkcs11-openssl

I've noticed, after struggling to install openvpn with this cookbook on a Debian jessie, that /etc/openvpn/keys/openssl.cnf refers to /usr/lib/engines/engine_pkcs11.so but this file doesn't exist. So probably the libengine-pkcs11-openssl package needs to be installed too.

Args option

Scenario:

I would like to add " --status-version 2" to the openvpn args to use it with the collectd plugin (https://collectd.org/documentation/manpages/collectd.conf.5.shtml#plugin_openvpn).

By default, the status version is 1:

       --status-version [n]
              Choose the status file format version number.  Currently n can be 1, 2, or 3 and defaults to 1.

I don't see how to do that in this cookbook. Any idea?


IP Forwarding setup

Hi guys,

I noticed there's an enable_ip_forwarding recipe which is not yet documented in the README.md which seems to help me achieve the same (?) thing as using the server.up script does?

In particular I see this recipe sets net.ipv4.conf.all.forwarding and net.ipv6.conf.all.forwarding using the sysctl_param resource. The up script, if used, runs /sbin/sysctl -w net.ipv4.ip_forward=1, so I am somewhat unsure as to which method is the preferred one to use here?

If someone could help explain this, I'd be happy to tidy it up in a PR that helps document this.

Thanks!

Support for OpenVZ servers

/var/log/openvpn.log

Sat Apr  2 21:59:54 2016 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Sat Apr  2 21:59:54 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr  2 21:59:54 2016 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Sat Apr  2 21:59:54 2016 Exiting due to fatal error

Possible solutions:
http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
http://wiki.openvz.org/VPN_via_the_TUN/TAP_device

Persist certs/keys after initial build

Executing the openvpn::default on a new server will generate a slew of openssl files (i.e. server.crt, server.key, ca.crt, dh2048.pem, etc...). After the initial build of a VPN server and distribution of some of those files to clients, how do we ensure those files persist beyond node failure, or are used on say multiple openvpn servers (load balanced for availability)?

I must be missing something here.

Release with the current changes

Any chance there's going to be a release with the new key/val based config options sometime soon? That would allow for a lot more robust changes and would be really useful, as long as everyone is aware that it's going to break their existing configs.

setting [:openvpn][:push_options][:"dhcp-option"] - not working

Hey Folks,

It looks like specifying the push_options attribute doesn't trigger anything:

override[:openvpn][:push_options][:"dhcp-option"] = "DNS 10.0.0.2"

When I look into templates/default/server.conf.erb I don't see any handling of it inside either:

<% @config.sort.each do |key, value| %>
<% next if value.nil? -%>
<%= key %> <%=
  case value
  when String
    value
  when TrueClass
    1
  when FalseClass
    0
  else
    value
  end
%>
<% end %>

<% unless @push_routes.empty? %>
# additional routes to push to clients
  <% @push_routes.each do |route| %>
push "route <%= route %>"
  <% end %>
<% end %>

The same goes for providers/conf.rb.

I see that variables are passed through node['openvpn']['config'] & node['openvpn']['push_routes'],
but nowhere do I find node['openvpn']['push_options']:

action :create do
  template "/etc/openvpn/#{new_resource.name}.conf" do
    cookbook 'openvpn'
    source "#{new_resource.name}.conf.erb"
    owner 'root'
    group 'root'
    mode 0644
    variables(
      config: new_resource.config || node['openvpn']['config'],
      push_routes: node['openvpn']['push_routes']
    )
  end
end

Maybe I'm blind. Any hints?

"users bags"

I'm very new to Chef (started yesterday) and I'm wondering what the parameters to the knife tool are to create the user data bags. I've tried the following combinations:

  • users (data bag), openvpn (data bag item)
  • openvpn (data bag), users (item)
  • users (data bag), zack (item)

Is there something I'm missing?

berks cookbook does not download the latest version of openvpn

Hi,
My Berksfile is:

source "https://supermarket.chef.io"

metadata

cookbook 'openvpn', '~> 2.1.0'

However, after berks install I don't have the latest template file, server.conf.erb.
I logged into my test kitchen; it is a different file:

# OpenVPN server config file
# Generated by Chef - local changes will be overwritten

port <%= @PORT %>
proto <%= @proto %>
<% if @type == "server-bridge" -%>
dev tap<%= @interface_num %>
<% else -%>
dev tun<%= @interface_num %>
<% @plugins.each do |p| -%>
plugin <%= p %>
<% end -%>

The problem with this old file is that if 'plugins' is empty, as it is by default, it raises the error NoMethodError: each for nil:NilClass.

Setting ["openvpn"]["routes"] in role override_attributes doesn't set routes

{
  "name": "openvpn-server",
  "default_attributes": {
  },
  "json_class": "Chef::Role",
  "run_list": [
    "recipe[openvpn::default]",
    "recipe[openvpn::users]"
  ],
  "description": "OpenVPN Server",
  "chef_type": "role",
  "override_attributes": {
    "openvpn": {
      "config": {
        "local": "0.0.0.0"
      },
      "gateway": "gw.example.com",
      "subnet": "192.168.0.0",
      "netmask": "255.255.0.0",
      "routes": [
        "push 'route 1.2.3.0 255.255.255.224'"
      ],
      "script_security": "2"
    }
  }
}

No push routes show up in server.conf.
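For the push_options question above and the routes role in this post, an added example (not the cookbook's code) that renders in plain Ruby the same lines the quoted server.conf.erb produces from `config` and `push_routes`, and adds the push_options handling the template lacks as an assumption. Because only those keys are read, a legacy `routes` array yields no push lines, matching the earlier note that routes was renamed to push_routes.

```ruby
# Added example, not the cookbook's code: a plain-Ruby rendering of the
# config/push sections of server.conf.erb quoted above, plus a hypothetical
# push_options hash the template does not handle as shipped.

# Same value mapping as the template's case statement.
def render_value(value)
  case value
  when TrueClass then 1
  when FalseClass then 0
  else value
  end
end

# @config.sort with nil values skipped, one "key value" line each.
def render_config(config)
  config.sort.reject { |_k, v| v.nil? }.map { |k, v| "#{k} #{render_value(v)}" }
end

# push_routes holds bare "network netmask" strings; the template adds the
# push "route ..." wrapper itself.
def render_push_routes(push_routes)
  Array(push_routes).map { |route| %(push "route #{route}") }
end

# Hypothetical (assumed) push_options handling: {'dhcp-option' => 'DNS 10.0.0.2'}
# becomes push "dhcp-option DNS 10.0.0.2"; a value may be a list.
def render_push_options(push_options)
  push_options.to_h.sort.flat_map do |key, value|
    Array(value).map { |v| %(push "#{key} #{v}") }
  end
end

# Only the keys the template reads are rendered; anything else in the node
# attributes (such as a legacy 'routes' array) is silently ignored.
def render_server_conf(attrs)
  lines = render_config(attrs.fetch('config', {}))
  lines += render_push_routes(attrs.fetch('push_routes', []))
  lines += render_push_options(attrs.fetch('push_options', {}))
  lines.join("\n") + "\n"
end

# Constructed node attributes combining the values from the issues above.
SAMPLE_ATTRS = {
  'config' => { 'proto' => 'udp', 'port' => 1194, 'client-to-client' => true,
                'duplicate-cn' => false, 'local' => nil },
  'push_routes' => ['10.0.0.0 255.255.0.0'],
  'push_options' => { 'dhcp-option' => 'DNS 10.0.0.2' },
  'routes' => ["push 'route 1.2.3.0 255.255.255.224'"] # not consumed
}.freeze
```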

Use lazy evaluation for key generation

You already use unless...

# Use unless instead of not_if otherwise OpenSSL::PKey::DH runs every time.
unless ::File.exist?("#{key_dir}/dh#{key_size}.pem")

But when I wrap the cookbook and have my own key process, this still runs at converge time on the first run unnecessarily. If you use the recommended key size (4096) this is extremely painful.

My workaround was to send a key size smaller than I'm actually using (side-effects unknown), but lazy evaluation should deal with this nicely.

https://docs.chef.io/resource_common.html#lazy-evaluation
