moved to use an IP instead of a domain

config.cfg

@@ -5,13 +5,9 @@ easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
 easyrsa_p12_export_password: vpn
 
-# if True re-init all existing certificates. Boolean
-easyrsa_reinit_existent: False
+# if True re-init all existing certificates.
+easyrsa_reinit_existent: True
 
-# Domain or ip
-# server_name: - this domain or ip that you will use in your VPN client
-server_name: example.com
-server_ip: "{{ ansible_ssh_host }}"
 dns_servers:
   - 8.8.8.8
   - 8.8.4.4  

digiocean.yml

@@ -42,8 +42,8 @@
     default: "7"
     private: no
     
-  - name: "do_server_name"
-    prompt: "Name the vpn server:\n"
+  - name: "server_name"
+    prompt: "Name the vpn server:\nMaybe a valid DNS name"
     default: "strongswan.local"
     private: no
     
@@ -65,7 +65,7 @@
     digital_ocean:
       state: present
       command: droplet
-      name: "{{ do_server_name }}"
+      name: "{{ server_name }}"
       region_id: "{{ regions[do_region] }}"
       size_id: "512mb"
       image_id: "ubuntu-16-04-x64"

inventory_users

@@ -1,2 +1,3 @@
 [user-management]
+146.185.161.17
 37.139.11.102

templates/easy-rsa.vars.j2

@@ -183,7 +183,7 @@ set_var EASYRSA_SSL_CONF   "$EASYRSA/openssl-1.0.cnf"
 # This is best left alone. Interactively you will set this manually, and BATCH
 # callers are expected to set this themselves.
 
-set_var EASYRSA_REQ_CN     "{{ server_name }}"
+set_var EASYRSA_REQ_CN     "{{ ansible_ssh_host }}"
 
 # Cryptographic digest to use.
 # Do not change this default unless you understand the security implications.
@@ -195,4 +195,4 @@ set_var EASYRSA_REQ_CN     "{{ server_name }}"
 # in batch mode without any user input, confirmation on dangerous operations,
 # or most output. Setting this to any non-blank string enables batch mode.
 
-set_var EASYRSA_BATCH      "{{ server_name }}"
+set_var EASYRSA_BATCH      "{{ ansible_ssh_host }}"

templates/ipsec.conf.j2

@@ -15,14 +15,14 @@ conn %default
     
     left=%any
     leftauth=pubkey
-    leftid={{ server_name }}
-    leftcert={{ server_name }}.crt
+    leftid={{ ansible_ssh_host }}
+    leftcert={{ ansible_ssh_host }}.crt
     leftsendcert=always
     leftsubnet=0.0.0.0/0,::/0
 
     right=%any
     rightauth=pubkey
-    rightsourceip="{{ vpn_network }""
+    rightsourceip="{{ vpn_network }}"
 {% if service_dns is defined and service_dns == "N" %}
     rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
 {% else %}    

templates/ipsec.secrets.j2

@@ -1,2 +1,2 @@
-: ECDSA {{ server_name }}.key
+: ECDSA {{ ansible_ssh_host }}.key
 

templates/mobileconfig.j2

@@ -48,11 +48,11 @@
                 <key>CertificateType</key>
                 <string>ECDSA256</string>
                 <key>ServerCertificateIssuerCommonName</key>
-                <string>{{ server_name }}</string>                
+                <string>{{ ansible_ssh_host }}</string>                
                 <key>RemoteAddress</key>
-                <string>{{ server_name }}</string>
+                <string>{{ ansible_ssh_host }}</string>
                 <key>RemoteIdentifier</key>
-                <string>{{ server_name }}</string>
+                <string>{{ ansible_ssh_host }}</string>
                 <key>UseConfigurationAttributeInternalIPSubnet</key>
                 <integer>0</integer>
             </dict>
@@ -81,7 +81,7 @@
                 <integer>0</integer>
             </dict>
             <key>UserDefinedName</key>
-            <string>{{ server_name }} IKEv2</string>
+            <string>{{ ansible_ssh_host }} IKEv2</string>
             <key>VPNType</key>
             <string>IKEv2</string>
         </dict>
@@ -117,7 +117,7 @@
             <key>PayloadDescription</key>
             <string>Adds a CA root certificate</string>
             <key>PayloadDisplayName</key>
-            <string>{{ server_name }}</string>
+            <string>{{ ansible_ssh_host }}</string>
             <key>PayloadIdentifier</key>
             <string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
             <key>PayloadType</key>
@@ -129,7 +129,7 @@
         </dict>
     </array>
     <key>PayloadDisplayName</key>
-    <string>{{ server_name }} IKEv2</string>
+    <string>{{ ansible_ssh_host }} IKEv2</string>
     <key>PayloadIdentifier</key>
     <string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
     <key>PayloadRemovalDisallowed</key>

vpn.yml

@@ -70,9 +70,9 @@
     notify:
     - restart strongswan  
     
-  - name: Build the server pair # TODO: IP and DNS for certificate
+  - name: Build the server pair
     shell: >
-      ./easyrsa build-server-full {{ server_name }} nopass &&
+      ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&&
       touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -104,12 +104,12 @@
     - restart strongswan
 
   - name: Copy the server cert to the strongswan directory
-    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ server_name }}.crt' dest=/etc/ipsec.d/certs/{{ server_name }}.crt owner=root group=root mode=0600
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600
     notify:
     - restart strongswan      
     
   - name: Copy the server key to the strongswan directory
-    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
+    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600
     notify:
     - restart strongswan