Add standalone deployment manifests (still needs testing)

deployment/.gitignore

@@ -0,0 +1,5 @@
+# referenced by documentation
+/openvpn-client.ovpn
+/openvpn-client-creds.yml
+/openvpn-creds.yml
+/openvpn-state.json

deployment/init-aws.yml

@@ -0,0 +1,51 @@
+- type: replace
+  path: /releases/-
+  value:
+    name: bosh-aws-cpi
+    version: 65
+    url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-aws-cpi-release?v=65
+    sha1: 26b3a5c43e6f82594a373309a495660d6db26254
+- type: replace
+  path: /resource_pools/name=default/stemcell?
+  value:
+    url: https://bosh.io/d/stemcells/bosh-aws-xen-hvm-ubuntu-trusty-go_agent?v=3421.9
+    sha1: 316a699d44f49d69493b1545d4addd17b78b5840
+- type: replace
+  path: /resource_pools/name=default/cloud_properties?
+  value:
+    instance_type: t2.nano
+    availability_zone: ((availability_zone))
+    source_dest_check: false # masquerade
+- type: replace
+  path: /resource_pools/name=default/env?/bosh/authorized_keys
+  value:
+  - ((ssh_tunnel.public_key))
+- type: replace
+  path: /networks/name=default/subnets/0/cloud_properties?
+  value:
+    subnet: ((subnet_id))
+- type: replace
+  path: /cloud_provider/template?
+  value:
+    name: aws_cpi
+    release: bosh-aws-cpi
+- type: replace
+  path: /cloud_provider/ssh_tunnel?
+  value:
+    host: ((wan_ip))
+    port: 22
+    user: vcap
+    private_key: ((ssh_tunnel.private_key))
+- type: replace
+  path: /cloud_provider/properties/aws?
+  value:
+    access_key_id: ((access_key_id))
+    secret_access_key: ((secret_access_key))
+    default_security_groups: ((default_security_groups))
+    default_key_name: default
+    region: ((region))
+- type: replace
+  path: /variables/-
+  value:
+    name: ssh_tunnel
+    type: ssh

deployment/init-google.yml

@@ -0,0 +1,39 @@
+- type: replace
+  path: /releases/-
+  value:
+    name: bosh-google-cpi
+    version: 25.9.0
+    url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-google-cpi-release?v=25.9.0
+    sha1: 3fbda22fde33878b54dec77f4182f8044be72687
+- type: replace
+  path: /resource_pools/name=default/stemcell?
+  value:
+    url: https://bosh.io/d/stemcells/bosh-google-kvm-ubuntu-trusty-go_agent?v=3421.9
+    sha1: 408f78a2091d108bb5418964026e73c822def32d
+- type: replace
+  path: /resource_pools/name=default/cloud_properties?
+  value:
+    zone: ((zone))
+    cpu: 1
+    ram: 1024
+- type: replace
+  path: /networks/name=default/subnets/0/cloud_properties?
+  value:
+    network_name: ((network))
+    subnetwork_name: ((subnetwork))
+    ephemeral_external_ip: false
+    tags: ((tags))
+- type: replace
+  path: /cloud_provider/template?
+  value:
+    name: google_cpi
+    release: bosh-google-cpi
+- type: replace
+  path: /cloud_provider/properties/google?
+  value:
+    project: ((project_id))
+    json_key: ((gcp_credentials_json))
+- type: replace
+  path: /cloud_provider/properties/ntp?
+  value:
+  - 169.254.169.254

deployment/local-release.yml

@@ -0,0 +1,5 @@
+- path: /releases/name=openvpn
+  type: replace
+  value:
+    name: openvpn
+    url: file://((local_release))

deployment/openvpn-client.yml

@@ -0,0 +1,33 @@
+profile: |
+  client
+  dev tun
+  proto udp
+  remote ((wan_ip)) 1194
+  resolv-retry infinite
+  nobind
+  persist-key
+  persist-tun
+  mute-replay-warnings
+  remote-cert-tls server
+  verb 3
+  mute 20
+  tls-client
+  cipher AES-256-CBC
+  keysize 256
+  <ca>
+  ((ca.ca))
+  </ca>
+  <cert>
+  ((key_pair.certificate))
+  </cert>
+  <key>
+  ((key_pair.private_key))
+  </key>
+variables:
+- name: key_pair
+  type: certificate
+  options:
+    ca: ca
+    common_name: client
+    extended_key_usage:
+    - client_auth

deployment/openvpn.yml

@@ -0,0 +1,101 @@
+---
+name: openvpn
+releases:
+- name: openvpn
+  url: https://s3-external-1.amazonaws.com/dpb587-bosh-release-openvpn-us-east-1/compiled_releases/openvpn/openvpn-3.2.2-on-ubuntu-trusty-stemcell-3421.9-compiled-1.20170624025614.0.tgz
+  version: 3.2.2
+  sha1: 334b6d0b86ab80d4d03d93a672b7353412e764ea
+- name: os-conf
+  version: 11
+  url: https://bosh.io/d/github.com/cloudfoundry/os-conf-release?v=11
+  sha1: 651f10a765a2900a7f69ea07705f3367bd8041eb
+resource_pools:
+- name: default
+  network: default
+  env:
+    bosh:
+      mbus:
+        cert: ((mbus_cert))
+networks:
+- name: default
+  type: manual
+  subnets:
+  - range: ((lan_cidr))
+    gateway: ((lan_gateway))
+    static:
+    - ((lan_ip))
+    dns: [8.8.8.8]
+- name: vip
+  type: vip
+  static_ips:
+  - ((wan_ip))
+instance_groups:
+- name: openvpn
+  jobs:
+  - name: openvpn
+    release: openvpn
+    properties:
+      server: ((vpn_network)) ((vpn_network_mask))
+      tls_key_pair: ((server_key_pair))
+      dh_pem: |
+        -----BEGIN DH PARAMETERS-----
+        MIIBCAKCAQEA/oih/YXvkf13npOIF5LW170/V5j4R20NjL/IzgdZUYMlsQtm5zMZ
+        LwA8Vk1v9UnSWkopAGuJ8gZxz4qKk2p2MLzHSDwXC5khGrrJlHfjn7H0lYilyFqn
+        2YhmfCQ7z7ih0jUS/iNf/+xUmfoJn/2OMEY3gmcAxAbtVRqNtGFwsTjtap3Rgbt9
+        /j7Xbrsp3JqSeWN3VSqMzAgUrjkkkv52HcDo4zA1KfN7m+ROj/uGxcrmvZr7G0RK
+        9yJ2f8I1x8EW3p+CmWhHcmoNyxxlfRHIsZ+82+BIessN99pSxCbjWvhggntFLRwC
+        fcrq5wk9ei7dzYjZHSPHqvhmmZgWKJZYQwIBAg==
+        -----END DH PARAMETERS-----
+  - name: disable_agent
+    release: os-conf
+    properties: {}
+  instances: 1
+  stemcell: default
+  resource_pool: default
+  networks:
+  - name: default
+    default:
+    - dns
+    - gateway
+    static_ips:
+    - ((lan_ip))
+  - name: vip
+    static_ips:
+    - ((wan_ip))
+update:
+  canaries: 1
+  canary_watch_time: 1000-60000
+  update_watch_time: 1000-60000
+  max_in_flight: 1
+cloud_provider:
+  mbus: https://mbus:((mbus_password))@((wan_ip)):6868
+  cert: ((mbus_cert))
+  properties:
+    agent:
+      mbus: "https://mbus:((mbus_password))@0.0.0.0:6868"
+    blobstore:
+      provider: local
+      path: /var/vcap/micro_bosh/data/cache
+variables:
+- name: mbus_password
+  type: password
+- name: mbus_cert
+  type: certificate
+  options:
+    is_ca: true
+    common_name: mbus
+    alternative_names:
+    - ((lan_ip))
+    - ((wan_ip))
+- name: ca
+  type: certificate
+  options:
+    is_ca: true
+    common_name: ca
+- name: server_key_pair
+  type: certificate
+  options:
+    ca: ca
+    common_name: openvpn
+    extended_key_usage:
+    - server_auth

deployment/with-dh-params.yml

@@ -0,0 +1,3 @@
+- path: /instance_groups/name=openvpn/jobs/name=openvpn/properties/dh_pem
+  type: replace
+  value: ((dh_params))

deployment/with-gateway-redirection.yml

@@ -0,0 +1,19 @@
+- path: /releases/name=networking?
+  type: replace
+  value:
+    name: networking
+    version: 9
+    url: http://bosh.io/d/github.com/cloudfoundry/networking-release?v=9
+    sha1: 9b5f9d27917c3754e492470ac6c9af80d62963db
+- path: /instance_groups/name=openvpn/jobs/name=iptables?
+  type: replace
+  value:
+    name: iptables
+    release: networking
+    properties:
+      nat:
+        POSTROUTING:
+        - -s ((vpn_network))/((vpn_network_mask_bits)) -d 0/0 -j MASQUERADE
+- path: /instance_groups/name=openvpn/jobs/name=openvpn/properties/extra_configs?/-
+  type: replace
+  value: push "redirect-gateway def1"

deployment/with-pushed-routes.yml

@@ -0,0 +1,3 @@
+- path: /instance_groups/name=openvpn/jobs/name=openvpn/properties/push_routes
+  type: replace
+  value: ((push_routes))

deployment/with-ssh.yml

@@ -0,0 +1,14 @@
+- path: /instance_groups/name=openvpn/jobs/name=user_add?
+  type: replace
+  value:
+    name: user_add
+    release: os-conf
+    properties:
+      users:
+      - name: openvpn
+        public_key: ((ssh.public_key))
+- path: /variables/-
+  type: replace
+  value:
+    name: ssh
+    type: ssh

deployment/with-syslog-forwarding.yml

@@ -0,0 +1,18 @@
+- path: /releases/name=syslog?
+  type: replace
+  value:
+    name: syslog
+    version: 11
+    url: http://bosh.io/d/github.com/cloudfoundry/syslog-release?v=11
+    sha1: 332ac15609b220a3fdf5efad0e0aa069d8235788
+- path: /instance_groups/name=openvpn/jobs/name=syslog_forwarder?
+  type: replace
+  value:
+    name: syslog_forwarder
+    release: syslog
+    properties:
+      syslog:
+        address: ((syslog_address))
+        port: ((syslog_port))
+        tls_enabled: ((syslog_tls_enabled))
+        transport: ((syslog_transport))

docs/README.md

@@ -3,6 +3,7 @@
 **Operations**
 
  * Server
+   * [Deploying a Standalone Server](ops/deployment/standalone-server.md)
    * [Advanced Settings](ops/server/advanced-settings.md)
    * [Using a Local PKI](ops/server/using-a-local-pki.md)
  * Clients

docs/ops/deployment/standalone-server.md

@@ -23,20 +23,28 @@ Start a YAML configuration file named `openvpn-creds.yml` which will contain sim
     vpn_network_mask: 255.255.255.0
     vpn_network_mask_bits: 24
 
+    # IaaS/LAN internal network
+    lan_cidr: 10.10.250.0/24
+    lan_gateway: 10.10.250.1
+    lan_ip: 10.10.250.9
+
+    # IaaS/WAN public IP address
+    wan_ip: 123.123.123.123
+
 
 ### Optional Features
 
 There are several `with-*.yml` files which can be used to change some behaviors of the server. To use, include them in the later `create-env` command, and be sure to add documented settings to the configuration file.
 
 
-#### Gateway Redirection (`-o with-gateway-redirection.yml`)
+#### Gateway Redirection
 
-If you want to force clients to redirect all their traffic through the VPN server.
+If you want to force clients to redirect all their traffic through the VPN server, include the `-o with-gateway-redirection.yml` option.
 
 
-#### Log Forwarding (`-o with-log-forwarding.yml`)
+#### Log Forwarding
 
-If you want to forward system and OpenVPN logs to a syslog server. Be sure to add a few more settings to `openvpn-creds.yml`...
+If you want to forward system and OpenVPN logs to a syslog server, include the `-o with-log-forwarding.yml` option. Be sure to add a few more settings to `openvpn-creds.yml`...
 
     # the syslog server host and port
     syslog_address: logs12345.papertrailapp.com
@@ -49,9 +57,9 @@ If you want to forward system and OpenVPN logs to a syslog server. Be sure to ad
     syslog_tls_enabled: true
 
 
-#### SSH Access (`-o with-ssh.yml`)
+#### SSH Access
 
-If you want SSH access to the VM. To use an existing public key, set `ssh.public_key` in `openvpn-creds.yml`...
+If you want SSH access to the VM, include the `-o with-ssh.yml` option. To use an existing public key, set `ssh.public_key` in `openvpn-creds.yml`...
 
     ssh:
       public_key: ssh-rsa ....
@@ -96,6 +104,28 @@ Ensure the standard `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment
     -o init-aws.yml -v access_key_id="$AWS_ACCESS_KEY_ID" -v secret_access_key="$AWS_SECRET_ACCESS_KEY"
 
 
+### Google Cloud Platform (`google`)
+
+GCP requires the additional settings that you should add to `openvpn-creds.yml` using the following template...
+
+    # the project to use
+    project_id: openvpn-test
+
+    # the zone to deploy to
+    zone: us-east1-b
+
+    # the network and subnetwork to deploy to
+    network: default
+    subnetwork: default
+
+    # zero or more tags to apply to the VM
+    tags: [openvpn]
+
+Ensure you have a service account file. When running the `create-env` command, you'll need to append the following arguments to the command...
+
+    -o init-google.yml --var-file gcp_credentials_json=~/.config/gcloud/application_default_credentials.json
+
+
 ## Deploy
 
 Once everything has been configured, run the full `create-env` command. Be sure to add IaaS and feature-specific arguments to the command, as necessary.
@@ -116,13 +146,10 @@ After the command has completed, there will be an `openvpn-state.json` file - be
 
 ## Client Setup
 
-After the server is running, you can generate an OpenVPN connection profile for [a client](../client-software.md)...
+After the server is running, you can generate an OpenVPN connection profile for [a client](../client/software.md)...
 
-    bosh interpolate --vars-store openvpn-profile.yml -l openvpn-creds.yml --path=/profile > openvpn.ovpn
+    bosh interpolate --vars-store openvpn-client-creds.yml -l openvpn-creds.yml --path=/profile openvpn-client.yml > openvpn-client.ovpn
 
 And then use the profile to connect...
 
-    openvpn --config openvpn.ovpn
-
-
-## Maintenance
+    openvpn --config openvpn-client.ovpn