From cd204a45b1f341f04b2791cc8b7b8ebd88c3ed81 Mon Sep 17 00:00:00 2001
From: makefu
Date: Mon, 7 Aug 2017 16:28:21 +0200
Subject: [PATCH] ma openvpn-server: init for only a single client (smartphone) with psk
---
 2configs/vpn/openvpn-server.nix | 111 ++++++++++++++++++++++++++
 2configs/{openvpn => vpn}/vpngate.nix | 0
 2 files changed, 111 insertions(+)
 create mode 100644 2configs/vpn/openvpn-server.nix
 rename 2configs/{openvpn => vpn}/vpngate.nix (100%)
diff --git a/2configs/vpn/openvpn-server.nix b/2configs/vpn/openvpn-server.nix
new file mode 100644
index 0000000..1e7edbf
--- /dev/null
+++ b/2configs/vpn/openvpn-server.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+let
+ out-itf = config.makefu.server.primary-itf;
+ # generate via openvpn --genkey --secret static.key
+ client-key = (toString ) + "/openvpn-laptop.key";
+ # domain = "vpn.euer.krebsco.de";
+ domain = "gum.krebsco.de";
+ dev = "tun0";
+ port = 1194;
+ tcp-port = 3306;
+in {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.nat = {
+ enable = true;
+ externalInterface = out-itf;
+ internalInterfaces = [ dev ];
+ };
+ networking.firewall.trustedInterfaces = [ dev ];
+ networking.firewall.allowedUDPPorts = [ port ];
+ environment.systemPackages = [ pkgs.openvpn ];
+ services.openvpn.servers.smartphone.config = ''
+ #user nobody
+ #group nobody
+
+ dev ${dev}
+ proto udp
+ ifconfig 10.8.0.1 10.8.0.2
+ secret ${client-key}
+ port ${toString port}
+ cipher AES-256-CBC
+ comp-lzo
+
+ keepalive 10 60
+ ping-timer-rem
+ persist-tun
+ persist-key
+ '';
+
+ environment.etc."openvpn/smartphone-client.ovpn" = {
+ text = ''
+ client
+ dev tun
+ remote "${domain}"
+ ifconfig 10.8.0.1 10.8.0.2
+ port ${toString port}
+
+ cipher AES-256-CBC
+ comp-lzo
+ keepalive 10 60
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+
+ secret [inline]
+
+ '';
+ mode = "700";
+ };
+ system.activationScripts.openvpn-addkey = ''
+ f="/etc/openvpn/smartphone-client.ovpn"
+ if ! grep -q '' $f; then
+ echo "appending secret key"
+ echo "" >> $f
+ cat ${client-key} >> $f
+ echo "" >> $f
+ fi
+ '';
+ #smartphone-tcp.config = ''
+ # user nobody
+ # group nobody
+
+ # dev ${dev}
+ # proto tcp
+ # ifconfig 10.8.0.1 10.8.0.3
+ # secret ${client-key}
+ # port tcp-port
+ # comp-lzo
+
+ # keepalive 10 60
+ # ping-timer-rem
+ # persist-tun
+ # persist-key
+ #'';
+ # TODO: forward via 443
+ # stream {
+ #
+ # map $ssl_preread_server_name $name {
+ # vpn1.app.com vpn1_backend;
+ # vpn2.app.com vpn2_backend;
+ # https.app.com https_backend;
+ # }
+ #
+ # upstream vpn1_backend {
+ # server 10.0.0.3:443;
+ # }
+ #
+ # upstream vpn2_backend {
+ # server 10.0.0.4:443;
+ # }
+ #
+ # upstream https_backend {
+ # server 10.0.0.5:443;
+ #
+ # server {
+ # listen 10.0.0.1:443;
+ # proxy_pass $name;
+ # ssl_preread on;
+ # }
+ # }
+}
diff --git a/2configs/openvpn/vpngate.nix b/2configs/vpn/vpngate.nix
similarity index 100%
rename from 2configs/openvpn/vpngate.nix
rename to 2configs/vpn/vpngate.nix
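Review bot: The generated client profile in `environment.etc."openvpn/smartphone-client.ovpn"` reuses the server's `ifconfig 10.8.0.1 10.8.0.2` verbatim, so both tunnel ends claim 10.8.0.1 as their local address; for a static-key point-to-point tunnel the client side should be mirrored, `ifconfig 10.8.0.2 10.8.0.1`. `mode = "700"` on that file makes a profile that holds only configuration and, once the activation script has run, the static key executable; `mode = "600";` gives the same root-only confidentiality without the execute bit. In `system.activationScripts.openvpn-addkey` as rendered here, the `grep -q '' $f` pattern and the two `echo ""` markers are empty, which looks like inline-secret tag markup lost in rendering; if the pattern really is empty, grep matches any non-empty file and the key is never appended, so this is worth confirming against the source. Since a static `secret` key gives no forward secrecy and `trustedInterfaces = [ dev ]` admits anything on tun0 to the host unfiltered, a comment on the `networking.firewall.trustedInterfaces` line such as `# tun0 is fully trusted: single-client psk setup, the only peer is the phone` would help the next reader judge whether that still holds when more clients are added.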