
How to transfer configs to clients using openvpn::deploy::export and openvpn::deploy::client? #353

Open
flyingstar16 opened this issue Sep 22, 2019 · 7 comments

Comments

@flyingstar16

Hi,

I'm having some trouble getting my configs exported to a client, and the README is not 100% clear on how this should be configured (or I'm missing something obvious).
I tried a few different things, read through the issues, PRs and the original description of the functions on Bitbucket, and googled around, but I can't seem to get the configs transferred onto the client.

I defined the server first in hiera, then moved them to a .pp file in a "generic" module, and finally in its own module.
This is the (redacted) latest version of the config (although I pretty much copied and pasted everything).

in server.pp

class internal_vpn::server {
  class { 'openvpn':
    autostart_all       => true,
    default_easyrsa_ver => '3.0',
    easyrsa_source      => '/usr/share/easy-rsa/',
  }

  openvpn::server { 'internal_vpn':
    country        => 'AU',
    province       => 'Some-State',
    city           => 'Some-City',
    organization   => 'int-vpn.example.com',
    email          => 'postmaster@example.com',
    server         => '10.4.1.0 255.255.255.0',
    dev            => 'tun1',
    user           => 'nobody',
    group          => 'nogroup',
    logfile        => '/var/log/openvpn/int-vpn.example.com',
    port           => '8443',
    proto          => 'tcp',
    cipher         => 'AES-256-GCM',
    key_cn         => 'int-vpn.example.com',
    crl_auto_renew => true,
    autostart      => true,
    local          => '1.2.3.4',
    ssl_key_size   => 4096,
    tls_server     => true,
    tls_auth       => true,
    custom_options => {
      # hash keys containing '-' must be quoted in the Puppet language
      'key-direction' => 0,
    },
  }

  openvpn::client { 'client':
    server         => 'internal_vpn',
    remote_host    => 'int-vpn.example.com',
    port           => '8443',
    proto          => 'tcp',
    cipher         => 'AES-256-GCM',
    tls_auth       => true,
    custom_options => {
      'key-direction' => 1,
    },
  }

  openvpn::client_specific_config { 'client':
    server           => 'internal_vpn',
    redirect_gateway => false,
  }

  # exports the generated client files to PuppetDB for collection by openvpn::deploy::client
  openvpn::deploy::export { 'client':
    server   => 'internal_vpn',
    tls_auth => true,
  }
}

The client has this in the node config:

openvpn::deploy::client { 'client':
  server => 'internal_vpn',
}

When (on the server) I look into /etc/openvpn/internal_vpn, the configuration files in download-configs are present, but client-configs only contains an empty file with the same name as the client:

root@host~ # ls -l /etc/openvpn/internal_vpn/download-configs/
total 36
drwxr-xr-x. 3 root root  4096 Sep 22 13:32 client
-r--------. 1 root root 15247 Sep 22 13:32 client.ovpn
-rw-r--r--. 1 root root  9608 Sep 22 13:32 client.tar.gz
drwxr-xr-x. 2 root root  4096 Aug  1 13:36 client.tblk
root@host ~ # ls -l /etc/openvpn/internal_vpn/client-configs/
total 4
-rw-r--r--. 1 root root 1 Sep 22 13:05 client

There is absolutely nothing on the client :/

Can someone please let me know what I'm doing wrong?

Thanks in advance!

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.9.0-1stretch
  • Ruby: ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux-gnu]
  • Distribution: Debian Buster
  • Module version: v8.2.0
@jameskirsop
Contributor

Hi @flyingstar16.

Do you have PuppetDB set up on your Puppet Server? As a starting point, you'll need that to be able to build and deploy the configuration to clients.

It seems weird that the client-configs directory is empty, but that could be related to missing PuppetDB if that's not installed.

@flyingstar16
Author

OK, so something changed: the agent run after I set up PuppetDB shows

Notice: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-crt]/ensure: defined content as '{md5}80fcc2f53406886193a9f278bd0d5671'
Info: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-crt]: Scheduling refresh of Class[Openvpn::Deploy::Service]
Notice: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-config]/ensure: defined content as '{md5}cd7d23df914a2b582dd35f7ea96077e9'
Info: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-config]: Scheduling refresh of Class[Openvpn::Deploy::Service]
Notice: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-ca]/ensure: defined content as '{md5}15ed2969a64b969ce2aba4c5299ac657'
Info: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-ca]: Scheduling refresh of Class[Openvpn::Deploy::Service]
Notice: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-ta]/ensure: defined content as '{md5}015b1119ec4762747837ef01ca39c841'
Info: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-ta]: Scheduling refresh of Class[Openvpn::Deploy::Service]
Notice: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-key]/ensure: defined content as '{md5}4c15b76e07d404c2f46d56372017f833'
Info: /Stage[main]/Main/Node[client]/Openvpn::Deploy::Client[client]/File[exported-internal_vpn-client-key]: Scheduling refresh of Class[Openvpn::Deploy::Service]
Info: Openvpn::Deploy::Client[client]: Scheduling refresh of Class[Openvpn::Deploy::Service]
Info: Class[Openvpn::Deploy::Service]: Scheduling refresh of Service[openvpn]

which is good... Except that on the OpenVPN server, client-configs is still empty, and I can't find those files anywhere on the client :/
I checked with find on /var, /etc, /home and /root, and with locate after an updatedb; just to be sure I ran puppet config print vardir and checked in there too (as well as the entire /opt/puppetlabs, where the cache turned out to be). Nothing :|

Subsequent runs didn't show those lines, so for good measure I wiped /opt/puppetlabs/puppet/cache and reran the agent. No joy.

Am I missing something super obvious?

Side note: if PuppetDB is a requirement, it might be a good idea to note it explicitly in the README.

@jameskirsop
Contributor

@flyingstar16, you won't see anything in client-configs unless you've got specific configuration that needs to live there.

For example, I've specified the ifconfig setting in my manifest, and so in my client-configs directory I see a file for each client node containing contents like:

ifconfig-push 169.254.0.10 255.255.255.0

If you do have files in download-configs, then that's where the files that are sent to the clients are pulled from.

However, I too am having a similar problem as reported in #352 (which now has a misleading title). It seems that Facter and PuppetDB both report that they've done their job properly, but configurations aren't deployed automatically to my clients.
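A check that separates the two halves of this problem (did the server's export reach PuppetDB, or did the client fail to collect it?) is to query PuppetDB directly for the exported File resources. This is an added example, not code from the puppet-openvpn module or from anyone in this thread; it assumes PuppetDB's v4 resources API is reachable on the plain HTTP listener at localhost:8080 (hypothetical host), and that openvpn::deploy::export exports File resources titled exported-<server>-<client>-<part>, as the agent log above shows.

```python
"""List which exported OpenVPN client files a server has (or has not) pushed to PuppetDB."""
import json
import sys
import urllib.parse
import urllib.request

# The five pieces openvpn::deploy::client collects, taken from the agent log in this thread.
PARTS = ("config", "ca", "crt", "key", "ta")

# Constructed sample response (shape of /pdb/query/v4/resources), NOT real PuppetDB data:
# the server exported everything except the tls-auth key.
SAMPLE_RESPONSE = [
    {"certname": "vpn.example.com", "type": "File", "exported": True,
     "title": f"exported-internal_vpn-client-{part}"}
    for part in ("config", "ca", "crt", "key")
]


def build_query(server, client):
    """PuppetDB v4 AST query selecting the exported File resources for one client."""
    return ["and",
            ["=", "exported", True],
            ["=", "type", "File"],
            ["~", "title", f"^exported-{server}-{client}-"]]


def missing_parts(resources, server, client, tls_auth=True):
    """Return the parts that no node has exported for this client, sorted.

    Only titles are inspected: the `parameters` field of these resources holds the
    file content, including the client's private key, so it is never touched or printed.
    """
    expected = set(PARTS) if tls_auth else set(PARTS) - {"ta"}
    prefix = f"exported-{server}-{client}-"
    seen = {r["title"][len(prefix):] for r in resources
            if r.get("exported") and r.get("type") == "File"
            and r.get("title", "").startswith(prefix)}
    return sorted(expected - seen)


def fetch_resources(server, client, base="http://localhost:8080"):
    """Run the query against PuppetDB (unauthenticated localhost listener assumed)."""
    q = urllib.parse.urlencode({"query": json.dumps(build_query(server, client))})
    with urllib.request.urlopen(f"{base}/pdb/query/v4/resources?{q}") as resp:
        return json.load(resp)


if __name__ == "__main__":
    srv, cli = sys.argv[1:3] if len(sys.argv) == 3 else ("internal_vpn", "client")
    missing = missing_parts(fetch_resources(srv, cli), srv, cli)
    print("all parts exported" if not missing else f"missing from PuppetDB: {missing}")
```

If the parts are all present in PuppetDB but the client's agent run never reports the exported-…-config resource, the problem is on the collection side (client run, tags, environment), not the export.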

@jameskirsop
Contributor

@flyingstar16, did you ever get to the bottom of your client deployment issues? I'm still having facts generated but not pushed to my configured nodes.

@flyingstar16
Author

@jameskirsop no, TBH I abandoned the effort :(

I might pick it back up soon-ish (in a couple of months?) because I'm setting up an offsite backup and want/need a VPN for it, but I'm not 100% sure I'll go the Puppet route yet.

@ilovekuchen

@flyingstar16, did you ever get to the bottom of your client deployment issues? I'm still having facts generated but not pushed to my configured nodes.

I have the same issue. The certs and config are in PuppetDB, we checked.

@Rubueno
Contributor

Rubueno commented Nov 10, 2021

@flyingstar16 Out of interest I've tried to replicate your issue; although I'm using Puppet 6.25.1, I was unable to reproduce it. With module version v8.2.0 the export to PuppetDB goes fine, and so does the client retrieving the data.
