Merge pull request #363 from yakatz/feature/more-params

Add remote-random and remote-random-hostname to managed server parameters

Author: bastelfreak

REFERENCE.md

@@ -461,6 +461,22 @@ The IP or hostname of the openvpn server service.
 
 Default value: $::fqdn
 
+##### `remote_random_hostname`
+
+Data type: `Boolean`
+
+OpenVPN will prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.example.com" would be modified to "<random-chars>.foo.example.com".
+
+Default value: `false`
+
+##### `remote_random`
+
+Data type: `Boolean`
+
+When multiple ${remote} address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure.
+
+Default value: `false`
+
 ##### `cipher`
 
 Data type: `String`
@@ -942,6 +958,22 @@ List of OpenVPN endpoints to connect to.
 
 Default value: `undef`
 
+##### `remote_random_hostname`
+
+Data type: `Boolean`
+
+OpenVPN will prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.example.com" would be modified to "<random-chars>.foo.example.com".
+
+Default value: `false`
+
+##### `remote_random`
+
+Data type: `Boolean`
+
+When multiple ${remote} address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure.
+
+Default value: `false`
+
 ##### `common_name`
 
 Data type: `String`

manifests/server.pp

@@ -7,6 +7,8 @@
 # @param organization Organization to be used for the SSL certificate, mandatory for server mode.
 # @param email Email address to be used for the SSL certificate, mandatory for server mode.
 # @param remote List of OpenVPN endpoints to connect to.
+# @param remote_random_hostname OpenVPN will prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.example.com" would be modified to "<random-chars>.foo.example.com". 
+# @param remote_random When multiple ${remote} address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure.
 # @param common_name Common name to be used for the SSL certificate
 # @param compression Which compression algorithim to use
 # @param dev TUN/TAP virtual network device
@@ -146,6 +148,8 @@
   Optional[String] $organization                                    = undef,
   Optional[String] $email                                           = undef,
   Optional[Array] $remote                                           = undef,
+  Boolean $remote_random_hostname                                   = false,
+  Boolean $remote_random                                            = false,
   String $common_name                                               = 'server',
   String $compression                                               = 'comp-lzo',
   String $dev                                                       = 'tun0',

spec/defines/openvpn_server_spec.rb

@@ -221,6 +221,57 @@
         it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^key-direction 1$}) }
         it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{nobind}) }
         it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^port\s+\d+$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').without_content(%r{^remote-random-hostname$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').without_content(%r{^remote-random$}) }
+
+        it { is_expected.not_to contain_openvpn__ca('test_client') }
+
+        case facts[:os]['family']
+        when 'RedHat'
+          it {
+            is_expected.to contain_file('/etc/openvpn/test_client/keys').
+              with(ensure: 'directory', mode: '0750', group: 'nobody')
+          }
+        end
+      end
+
+      context 'creating a server in client mode with multiple remotes and random' do
+        let(:title) { 'test_client' }
+        let(:nobind) { false }
+        let(:params) do
+          {
+            'remote' => ['vpn1.example.com 12345', 'vpn2.example.com 23456'],
+            'remote_random_hostname' => true,
+            'remote_random'          => true,
+            'server_poll_timeout'    => 1,
+            'ping_timer_rem'         => true,
+            'tls_auth'               => true,
+            'tls_client'             => true,
+            'nobind'                 => nobind
+          }
+        end
+
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^client$}) }
+        it {
+          is_expected.to contain_file('/etc/openvpn/test_client.conf').
+            with_content(%r{^remote\s+vpn1.example.com\s+12345$})
+        }
+        it {
+          is_expected.to contain_file('/etc/openvpn/test_client.conf').
+            with_content(%r{^remote\s+vpn2.example.com\s+23456$})
+        }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^remote-random-hostname$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^remote-random$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^server-poll-timeout\s+1$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^ping-timer-rem$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^ns-cert-type server}) }
+        it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^mode\s+server$}) }
+        it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^client-config-dir}) }
+        it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^dh}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^tls-client$}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^key-direction 1$}) }
+        it { is_expected.not_to contain_file('/etc/openvpn/test_client.conf').with_content(%r{nobind}) }
+        it { is_expected.to contain_file('/etc/openvpn/test_client.conf').with_content(%r{^port\s+\d+$}) }
 
         it { is_expected.not_to contain_openvpn__ca('test_client') }
 

templates/server.erb

@@ -11,6 +11,12 @@ remote-cert-tls server
 <% @remote.to_a.each do |rem| -%>
 remote <%= rem %>
 <% end -%>
+<% if @remote_random_hostname %>
+remote-random-hostname
+<% end -%>
+<% if @remote_random %>
+remote-random
+<% end -%>
 <% if @server_poll_timeout -%>
 server-poll-timeout <%= @server_poll_timeout %>
 <% end -%>