Include wstunnel/openvpn for normal servers

c674106b · peter · abefc14f · c674106b · c674106b · c674106b
Commit c674106b authored Aug 06, 2019 by peter
9 changed files
--- a/openvpn/files/authorized_keys
+++ b/openvpn/files/authorized_keys
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjTU+ngZrYJb3c+y9SMo76DogYq9u7e3aJ7CWQJ8XLPdAhIAC1vHdeiFC9b4uJby06AxZ4d73IZu3JS2Pm5BP3z/0sVhILNkGNPwLw0jSZMkx1+xArsPlmfuMGL5+bxHn3U5kfnuRUe7rvDMyV+2QNkTrneTakdJjSHGcA8rRgXMUAlkVP+Dk4JHuUMJr94WyMxjzom08/C3sKN0cJPnZFvWAKYoObbpfi9UTmWuNca+r/dF79Jsz7G+fudYvESnPVNq7HIXcRWoV4p2pBMisY3wiNLfh/BXlSnk0X+kcIvX/zX40AJbksNP3l7ZrYdu4fNsXHJ//h7Fv9P6klxW8H parashift-root
+cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkDg1/sbvnAl94UBV0B5HFfvqxG5FaxUP90afWOsFM5NDdnszTQHqvwrXvIwPp86ofUkl7GiNmQfh+kqwrlN9auPBB/Qa0dHH0jxUcLZEOhfungWtvRBqrfBWWl8OcK3anp5QXuA1ghK2jjRrNB5M1Xh/NFFOBS484i3BxzUCiSo0wciOGQ1UiX+QPr31JXgCwRz/lVLb3nu81rqakz/lu57ej/mgzWsP0U7lzBsUVDtN2hwPz7/5iZ8eHuxrtMSV2qSppADuieayxqbqzJeE1e/9D7eMD059/64fPQ6rFarBmWRlVGy6HqYO7wpHhUzuy9wMgsWkXx+3Ps67dJZ8H parashift-ca
\ No newline at end of file
--- a/openvpn/files/openvpn/ca.crt
+++ b/openvpn/files/openvpn/ca.crt
+-----BEGIN CERTIFICATE-----
+MIIE+jCCA+KgAwIBAgIJAJbUh4yVWU74MA0GCSqGSIb3DQEBCwUAMIGuMQswCQYD
+VQQGEwJBVTELMAkGA1UECBMCU0ExETAPBgNVBAcTCEFkZWxhaWRlMRIwEAYDVQQK
+EwlQYXJhc2hpZnQxFDASBgNVBAsTC1NjaG9vbEJlbmNoMRUwEwYDVQQDEwxQYXJh
+c2hpZnQgQ0ExFTATBgNVBCkTDFBhcmFzaGlmdCBDQTEnMCUGCSqGSIb3DQEJARYY
+Y29udGFjdEBwYXJhc2hpZnQuY29tLmF1MB4XDTE5MDUyMjAzNTMwMloXDTI5MDUx
+OTAzNTMwMlowga4xCzAJBgNVBAYTAkFVMQswCQYDVQQIEwJTQTERMA8GA1UEBxMI
+QWRlbGFpZGUxEjAQBgNVBAoTCVBhcmFzaGlmdDEUMBIGA1UECxMLU2Nob29sQmVu
+Y2gxFTATBgNVBAMTDFBhcmFzaGlmdCBDQTEVMBMGA1UEKRMMUGFyYXNoaWZ0IENB
+MScwJQYJKoZIhvcNAQkBFhhjb250YWN0QHBhcmFzaGlmdC5jb20uYXUwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbxGl6gTTnr7Blf41mHKgWH4RsaZ88
+W+rgw6Ba8gkq7ICJNNIXHy5fFV6hwZY16c9nOKTB5Mlhu+R1poGapgnC7N464FI9
+4Rlfum3IPDGLtACYvGYK0B8X2kVsYz8/3bA5iDtzhUyseOTYCr3s2l3w+Dgrw4ow
+fg3QCM9yxkNyAzr/aWU9Y4P+H1nYimtrzF6lUYyekjicIaOlRqxrafpVYkaiwop1
+GkT1d7FGLxqOZmcC/oTqNezSbjkpCNsQOMQSc5nWMRvObufkTWQLvy6tUZYzitPg
+GPuO1nlpt+I4zwQmgntHYbFr2Zv3Fx8D9Or+Pj0aR8sp5Jqbc2g1gQqZAgMBAAGj
+ggEXMIIBEzAdBgNVHQ4EFgQU8xKQa8HOxxgK9rK51eYQbREZQNAwgeMGA1UdIwSB
+2zCB2IAU8xKQa8HOxxgK9rK51eYQbREZQNChgbSkgbEwga4xCzAJBgNVBAYTAkFV
+MQswCQYDVQQIEwJTQTERMA8GA1UEBxMIQWRlbGFpZGUxEjAQBgNVBAoTCVBhcmFz
+aGlmdDEUMBIGA1UECxMLU2Nob29sQmVuY2gxFTATBgNVBAMTDFBhcmFzaGlmdCBD
+QTEVMBMGA1UEKRMMUGFyYXNoaWZ0IENBMScwJQYJKoZIhvcNAQkBFhhjb250YWN0
+QHBhcmFzaGlmdC5jb20uYXWCCQCW1IeMlVlO+DAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBCwUAA4IBAQBKW+EqIyAyCdEanvHdkWw/eX25UM5sG4KP2POMS+k0WFdb
+VcI7Fkz0m+/MgN/ihXR/z1GrjnyhTf3cKSkT5FZkEvKULgYEmsOcjrLb4xOp+RW7
+mKTRTThPxDBrxpqoSWnJZJYJxekYcmEWovrKNHafcy43PJfbp7Ymy1oGld00nu4U
+Hjt/8sr8/pCNJn989CN3+6k5DcoydJamTgPEpac+LB7790b2+RorQXiIyHND2Z9X
+x0+5n96p3uaZoUzyek6hGgvaz/3f5pfaYFfOCJ3LbtEMQBPOJity5YC0QE+vaz6s
+W5IdaeTrYZ0MXmAN/V71EpfGzha0DNc75bFNs1TU
+-----END CERTIFICATE-----
--- a/openvpn/files/openvpn/client.conf
+++ b/openvpn/files/openvpn/client.conf
+client
+dev tun
+proto tcp
+remote 127.0.0.1 1195
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca ca.crt
+cert client.crt
+key client.key
+comp-lzo
+verb 3
+status /tmp/client.status
+script-security 2
+route-up "/usr/bin/lorikeet /etc/openvpn/vpn.yml -w http://metabase.parashift.com.au/lorikeet"
+auth none
+cipher none
--- a/openvpn/files/openvpn/client.crt
+++ b/openvpn/files/openvpn/client.crt
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=AU, ST=SA, L=Adelaide, O=Parashift, OU=SchoolBench, CN=Parashift CA/name=Parashift CA/emailAddress=contact@parashift.com.au
+        Validity
+            Not Before: May 22 03:55:15 2019 GMT
+            Not After : May 19 03:55:15 2029 GMT
+        Subject: C=AU, ST=SA, L=Adelaide, O=Parashift, OU=SchoolBench, CN=client/name=Client Certificate/emailAddress=contact@parashift.com.au
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c4:a4:b1:3f:63:35:3b:cb:60:06:bb:03:a3:a2:
+                    b5:f2:44:f5:62:2c:05:ce:5c:e3:5e:67:71:1b:f6:
+                    44:dc:56:44:47:0e:8b:96:a8:fa:42:d7:d0:81:ee:
+                    61:d3:d0:cf:b9:34:0e:08:e8:4a:91:08:ad:8d:4c:
+                    bf:dd:4b:44:fe:1d:19:e9:21:40:c8:0b:94:77:b0:
+                    60:76:09:c0:c3:b3:25:4c:0d:02:02:b2:9f:4f:8f:
+                    62:b5:39:b3:d5:35:6a:72:ea:73:d1:5b:76:4e:e2:
+                    a9:1c:f3:1d:d2:93:58:ac:5d:67:ae:4c:75:0b:c6:
+                    f6:fd:dc:7d:61:76:2a:e1:48:1b:8d:01:77:d0:50:
+                    dc:88:e1:0a:3f:db:46:35:0b:fc:15:fb:8d:87:39:
+                    c7:e2:90:1c:fd:1a:a8:5b:f2:3b:0c:a0:f7:c5:41:
+                    17:f5:00:5e:05:c1:3a:8e:09:69:de:a1:d9:13:61:
+                    f9:fd:7c:e4:1f:f8:13:77:95:21:06:6f:3c:ba:ce:
+                    9d:39:41:95:84:23:4b:ff:3e:7b:61:3b:04:af:56:
+                    fc:5a:80:e8:e8:95:1b:d7:27:5a:00:ea:4c:50:e9:
+                    8c:64:b8:06:b2:40:78:25:7d:e0:5d:b1:99:b9:2d:
+                    74:1e:21:51:9b:ae:b4:bd:b8:32:ee:40:d5:04:94:
+                    8e:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                0D:B9:DD:3E:93:08:F9:B5:EB:AB:41:9C:31:BB:F4:A0:70:09:F7:44
+            X509v3 Authority Key Identifier: 
+                keyid:F3:12:90:6B:C1:CE:C7:18:0A:F6:B2:B9:D5:E6:10:6D:11:19:40:D0
+                DirName:/C=AU/ST=SA/L=Adelaide/O=Parashift/OU=SchoolBench/CN=Parashift CA/name=Parashift CA/emailAddress=contact@parashift.com.au
+                serial:96:D4:87:8C:95:59:4E:F8
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Alternative Name: 
+                DNS:client
+    Signature Algorithm: sha256WithRSAEncryption
+         9a:f2:b0:63:4e:ef:bd:6e:ae:98:e7:ac:76:c0:ae:cf:7a:ec:
+         12:35:5d:e3:41:b2:86:a6:d7:bf:63:44:46:f0:dc:95:ad:2a:
+         37:9b:24:03:2b:dd:04:46:fe:e6:17:72:79:01:14:3f:49:0b:
+         9c:f0:4a:42:70:96:b6:18:4d:f8:b4:86:e7:ee:fa:f3:3b:0e:
+         48:14:ca:d0:fa:38:13:85:00:f9:cb:d8:17:dd:92:b7:d4:d7:
+         29:8d:19:a6:cc:eb:fa:ac:dd:c2:fe:ad:f6:ec:d0:10:a1:8e:
+         23:84:d2:16:af:9b:44:8c:c6:ea:b1:3d:fc:c4:97:f2:6c:c8:
+         42:c9:17:7a:5e:38:66:5a:04:e9:83:8c:13:c8:7b:12:22:70:
+         38:d7:13:6f:bc:44:62:1b:65:91:82:86:87:57:24:71:4a:34:
+         28:47:5a:97:b0:e3:1e:fa:7a:ba:16:82:72:b8:49:28:02:dd:
+         9b:dc:58:c4:20:97:60:44:2f:65:65:7a:d5:29:ba:e9:f3:c4:
+         e6:d2:f6:d8:97:b9:b8:27:1a:dc:82:4f:5a:5e:5e:e7:03:25:
+         83:c2:6a:10:b7:b2:a5:6c:b7:3c:a4:3b:e0:70:18:ee:5a:e0:
+         c8:bf:b8:eb:c4:d9:0b:19:c7:3f:0f:d9:c1:f1:db:80:a2:62:
+         80:35:bf:31
+-----BEGIN CERTIFICATE-----
+MIIFUzCCBDugAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMCQVUx
+CzAJBgNVBAgTAlNBMREwDwYDVQQHEwhBZGVsYWlkZTESMBAGA1UEChMJUGFyYXNo
+aWZ0MRQwEgYDVQQLEwtTY2hvb2xCZW5jaDEVMBMGA1UEAxMMUGFyYXNoaWZ0IENB
+MRUwEwYDVQQpEwxQYXJhc2hpZnQgQ0ExJzAlBgkqhkiG9w0BCQEWGGNvbnRhY3RA
+cGFyYXNoaWZ0LmNvbS5hdTAeFw0xOTA1MjIwMzU1MTVaFw0yOTA1MTkwMzU1MTVa
+MIGuMQswCQYDVQQGEwJBVTELMAkGA1UECBMCU0ExETAPBgNVBAcTCEFkZWxhaWRl
+MRIwEAYDVQQKEwlQYXJhc2hpZnQxFDASBgNVBAsTC1NjaG9vbEJlbmNoMQ8wDQYD
+VQQDEwZjbGllbnQxGzAZBgNVBCkTEkNsaWVudCBDZXJ0aWZpY2F0ZTEnMCUGCSqG
+SIb3DQEJARYYY29udGFjdEBwYXJhc2hpZnQuY29tLmF1MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAxKSxP2M1O8tgBrsDo6K18kT1YiwFzlzjXmdxG/ZE
+3FZERw6Llqj6QtfQge5h09DPuTQOCOhKkQitjUy/3UtE/h0Z6SFAyAuUd7BgdgnA
+w7MlTA0CArKfT49itTmz1TVqcupz0Vt2TuKpHPMd0pNYrF1nrkx1C8b2/dx9YXYq
+4UgbjQF30FDciOEKP9tGNQv8FfuNhznH4pAc/RqoW/I7DKD3xUEX9QBeBcE6jglp
+3qHZE2H5/XzkH/gTd5UhBm88us6dOUGVhCNL/z57YTsEr1b8WoDo6JUb1ydaAOpM
+UOmMZLgGskB4JX3gXbGZuS10HiFRm660vbgy7kDVBJSO+wIDAQABo4IBeDCCAXQw
+CQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENl
+cnRpZmljYXRlMB0GA1UdDgQWBBQNud0+kwj5teurQZwxu/SgcAn3RDCB4wYDVR0j
+BIHbMIHYgBTzEpBrwc7HGAr2srnV5hBtERlA0KGBtKSBsTCBrjELMAkGA1UEBhMC
+QVUxCzAJBgNVBAgTAlNBMREwDwYDVQQHEwhBZGVsYWlkZTESMBAGA1UEChMJUGFy
+YXNoaWZ0MRQwEgYDVQQLEwtTY2hvb2xCZW5jaDEVMBMGA1UEAxMMUGFyYXNoaWZ0
+IENBMRUwEwYDVQQpEwxQYXJhc2hpZnQgQ0ExJzAlBgkqhkiG9w0BCQEWGGNvbnRh
+Y3RAcGFyYXNoaWZ0LmNvbS5hdYIJAJbUh4yVWU74MBMGA1UdJQQMMAoGCCsGAQUF
+BwMCMAsGA1UdDwQEAwIHgDARBgNVHREECjAIggZjbGllbnQwDQYJKoZIhvcNAQEL
+BQADggEBAJrysGNO771urpjnrHbArs967BI1XeNBsoam179jREbw3JWtKjebJAMr
+3QRG/uYXcnkBFD9JC5zwSkJwlrYYTfi0hufu+vM7DkgUytD6OBOFAPnL2BfdkrfU
+1ymNGabM6/qs3cL+rfbs0BChjiOE0havm0SMxuqxPfzEl/JsyELJF3peOGZaBOmD
+jBPIexIicDjXE2+8RGIbZZGChodXJHFKNChHWpew4x76eroWgnK4SSgC3ZvcWMQg
+l2BEL2VletUpuunzxObS9tiXubgnGtyCT1peXucDJYPCahC3sqVstzykO+BwGO5a
+4Mi/uOvE2QsZxz8P2cHx24CiYoA1vzE=
+-----END CERTIFICATE-----
--- a/openvpn/files/openvpn/client.key
+++ b/openvpn/files/openvpn/client.key
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDEpLE/YzU7y2AG
+uwOjorXyRPViLAXOXONeZ3Eb9kTcVkRHDouWqPpC19CB7mHT0M+5NA4I6EqRCK2N
+TL/dS0T+HRnpIUDIC5R3sGB2CcDDsyVMDQICsp9Pj2K1ObPVNWpy6nPRW3ZO4qkc
+8x3Sk1isXWeuTHULxvb93H1hdirhSBuNAXfQUNyI4Qo/20Y1C/wV+42HOcfikBz9
+Gqhb8jsMoPfFQRf1AF4FwTqOCWneodkTYfn9fOQf+BN3lSEGbzy6zp05QZWEI0v/
+PnthOwSvVvxagOjolRvXJ1oA6kxQ6YxkuAayQHglfeBdsZm5LXQeIVGbrrS9uDLu
+QNUElI77AgMBAAECggEBAJ530lcwzd+H/7Ss1TvzjgjVRaJ9s5ggByM23VIZXljq
+NE/HCvq45iUj4mYzAyc9aYjoyD6pZB4JDkOGjD/7vnfCX/Ud1SThIB5sRvAY3/1V
+y0LEYNBnvjbRaEx/WcsCJuzAv+EBghAEXSB1U501HQqao0k1WEXLa5QdMfVu0xOE
+LM7WSkJZrJsPHEmloRCKE9TKpEX3y7+VXNrdtbzdHfz6O5CyyUt+hi160XFCCue5
+gl9DFYCt7ShZbJfANhLBSPcEzuJpMKgnKqA2kZO6IGHLABKUPXfuBhtESjq/KA92
+dbrA2EiYVsYr1pyQpf05fdhYq+TpYnnw38S+d7vEHAECgYEA58VXV6U/2qXThJ7N
+SYe2AF/p7V+wPuhSXsOoDEO/5OELl0agl/l0io4hjRqxjLj+bRe9snwR+DFCU1xy
+KRgpVraLslB+lVgUm7fYRShbKic7n8Op6hedAvDdMPEe0cyT1SfQagh70x/ZiuSh
+wWkq8pUZg/RclozgnUkJMRN3F/sCgYEA2TNEXjCcqQZGIXj881S0Qm15ks/e1mPq
+GQBsKPiC3SUYzSAkxTV9kTJD4vGieJ4C/5iJ275l8IHC8J7rGbr+JtACerq7e3p0
+83bPDE1ZtjKMD0nCFZZtV1W+iM7px4Q8QKP0Eu2HavgxXTx0ws+cKDPBi/7V6o/K
+zwm/Q0IrtQECgYEAyDJ0pHdP9axhTV/iUQ5RjndK18hcs6n3ZHW61YU73xbo7S2L
+kFpgaUImBv00uiodUtw79k0nNGxQLzNeRNLi+kzJ1Celf5jKjEs8G1iljn6/CNx5
+C4SEEkM9vIW6Klx8oZU3eC+FzbLoNQoSEr+l4k4Z8RoFU+GyLwokT2jR6TsCgYBl
+qXRfrds11gTvV+T1s/jnerxDtl4z9PI2n5cAmkkOX3W7VUdAsyfB1UgnKjiEwlje
+77PfEcA/EU2AOLIMChU5b3UpostsIUYqSrrgpDfQatpZsYlRd2ZYUX7sJAUSaNeW
+3ea5EUqoC+F3JXv1Tx1lR8xYzX+s2X7w5zwJrCgvAQKBgQDSxwhRChRVVF60CDt/
+Q+WUGA7nOjFdM3JjwbcnQxPUanXg9p4RONe3WElMCj8KDatSlvkr0ROSPhOj+pP8
+6b49LMky42tgj8pfDffYHf+sOwpG7xfwuvJj9cD3eiDP0cPeJCVmim4XjLq126Rc
+6XSezCxcAcbfKu4/4vfj8fQJRg==
+-----END PRIVATE KEY-----
--- a/openvpn/files/openvpn/update-resolv-conf
+++ b/openvpn/files/openvpn/update-resolv-conf
+#!/bin/bash
+# 
+# Parses DHCP options from openvpn to update resolv.conf
+# To use set as 'up' and 'down' script in your openvpn *.conf:
+# up /etc/openvpn/update-resolv-conf
+# down /etc/openvpn/update-resolv-conf
+#
+# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
+# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
+# 
+# Example envs set from openvpn:
+#
+#     foreign_option_1='dhcp-option DNS 193.43.27.132'
+#     foreign_option_2='dhcp-option DNS 193.43.27.133'
+#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+#
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+	part1="$1"
+	part2="$2"
+	part3="$3"
+}
+
+case "$script_type" in
+  up)
+	NMSRVRS=""
+	SRCHS=""
+	for optionvarname in ${!foreign_option_*} ; do
+		option="${!optionvarname}"
+		echo "$option"
+		split_into_parts $option
+		if [ "$part1" = "dhcp-option" ] ; then
+			if [ "$part2" = "DNS" ] ; then
+				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+			elif [ "$part2" = "DOMAIN" ] ; then
+				SRCHS="${SRCHS:+$SRCHS }$part3"
+			fi
+		fi
+	done
+	R=""
+	[ "$SRCHS" ] && R="search $SRCHS
+"
+	for NS in $NMSRVRS ; do
+        	R="${R}nameserver $NS
+"
+	done
+	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+	;;
+  down)
+	/sbin/resolvconf -d "${dev}.openvpn"
+	;;
+esac
+
--- a/openvpn/files/openvpn/vpn.yml
+++ b/openvpn/files/openvpn/vpn.yml
+VPN Address:
+  bash: ip addr show dev tun0 || echo "inet not_connected"
+  regex:
+    matches: inet (?P<address>[\w.]+)
+    group: address
--- a/openvpn/files/wstunnel.service
+++ b/openvpn/files/wstunnel.service
+[Unit]
+Description=WsTunnel Client
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wstunnel -L 1195:127.0.0.1:1194 wss://update.parashift.com.au:443
+
+[Install]
+WantedBy=multi-user.target
+
--- a/openvpn/init.sls
+++ b/openvpn/init.sls
+include:
+  - lorikeet
+
+add_vendor_key:
+  file.managed:
+    - name: /root/.ssh/authorized_keys
+    - makedirs: True
+    - source: salt://openvpn/files/authorized_keys
+
+openvpn_refresh_systemd:
+  cmd.wait:
+    - name: systemctl daemon-reload
+    - watch:
+      - file: create_wstunnel_service
+
+extract_openvpn_config:
+  file.recurse:
+    - name: /etc/openvpn
+    - source: salt://openvpn/files/openvpn
+
+/usr/bin/wstunnel:
+  file.managed:
+    - source: https://repo.parashift.com.au/module/erebe/wstunnel/2.0/back.bin?token={{salt['pillar.get']('paramp:token', 'CHANGEME')}}
+    - source_hash: https://repo.parashift.com.au/module/erebe/wstunnel/2.0/back.md5
+    - mode: 755
+    - require_in:
+      - file: create_wstunnel_service
+
+create_wstunnel_service:
+  file.managed:
+    - name: /etc/systemd/system/wstunnel.service
+    - source: salt://openvpn/files/wstunnel.service
+    - watch_in:
+      - service: wstunnel
+
+openvpn:
+  pkg:
+    - installed
+  service:
+    - running
+    - name: openvpn@client
+    - enable: True
+    - require:
+      - pkg: openvpn
+    - watch:
+      - file: extract_openvpn_config
+
+wstunnel:
+  service:
+    - running
+    - enable: True
+    - require:
+      - cmd: openvpn_refresh_systemd
+  
\ No newline at end of file