cd204a45b1
for only a single client (smartphone) with psk
112 lines
2.3 KiB
Nix
112 lines
2.3 KiB
Nix
{ config, pkgs, ... }:
|
|
let
|
|
out-itf = config.makefu.server.primary-itf;
|
|
# generate via openvpn --genkey --secret static.key
|
|
client-key = (toString <secrets>) + "/openvpn-laptop.key";
|
|
# domain = "vpn.euer.krebsco.de";
|
|
domain = "gum.krebsco.de";
|
|
dev = "tun0";
|
|
port = 1194;
|
|
tcp-port = 3306;
|
|
in {
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
|
networking.nat = {
|
|
enable = true;
|
|
externalInterface = out-itf;
|
|
internalInterfaces = [ dev ];
|
|
};
|
|
networking.firewall.trustedInterfaces = [ dev ];
|
|
networking.firewall.allowedUDPPorts = [ port ];
|
|
environment.systemPackages = [ pkgs.openvpn ];
|
|
services.openvpn.servers.smartphone.config = ''
|
|
#user nobody
|
|
#group nobody
|
|
|
|
dev ${dev}
|
|
proto udp
|
|
ifconfig 10.8.0.1 10.8.0.2
|
|
secret ${client-key}
|
|
port ${toString port}
|
|
cipher AES-256-CBC
|
|
comp-lzo
|
|
|
|
keepalive 10 60
|
|
ping-timer-rem
|
|
persist-tun
|
|
persist-key
|
|
'';
|
|
|
|
environment.etc."openvpn/smartphone-client.ovpn" = {
|
|
text = ''
|
|
client
|
|
dev tun
|
|
remote "${domain}"
|
|
ifconfig 10.8.0.1 10.8.0.2
|
|
port ${toString port}
|
|
|
|
cipher AES-256-CBC
|
|
comp-lzo
|
|
keepalive 10 60
|
|
resolv-retry infinite
|
|
nobind
|
|
persist-key
|
|
persist-tun
|
|
|
|
secret [inline]
|
|
|
|
'';
|
|
mode = "700";
|
|
};
|
|
system.activationScripts.openvpn-addkey = ''
|
|
f="/etc/openvpn/smartphone-client.ovpn"
|
|
if ! grep -q '<secret>' $f; then
|
|
echo "appending secret key"
|
|
echo "<secret>" >> $f
|
|
cat ${client-key} >> $f
|
|
echo "</secret>" >> $f
|
|
fi
|
|
'';
|
|
#smartphone-tcp.config = ''
|
|
# user nobody
|
|
# group nobody
|
|
|
|
# dev ${dev}
|
|
# proto tcp
|
|
# ifconfig 10.8.0.1 10.8.0.3
|
|
# secret ${client-key}
|
|
# port tcp-port
|
|
# comp-lzo
|
|
|
|
# keepalive 10 60
|
|
# ping-timer-rem
|
|
# persist-tun
|
|
# persist-key
|
|
#'';
|
|
# TODO: forward via 443
|
|
# stream {
|
|
#
|
|
# map $ssl_preread_server_name $name {
|
|
# vpn1.app.com vpn1_backend;
|
|
# vpn2.app.com vpn2_backend;
|
|
# https.app.com https_backend;
|
|
# }
|
|
#
|
|
# upstream vpn1_backend {
|
|
# server 10.0.0.3:443;
|
|
# }
|
|
#
|
|
# upstream vpn2_backend {
|
|
# server 10.0.0.4:443;
|
|
# }
|
|
#
|
|
# upstream https_backend {
|
|
# server 10.0.0.5:443;
|
|
#
|
|
# server {
|
|
# listen 10.0.0.1:443;
|
|
# proxy_pass $name;
|
|
# ssl_preread on;
|
|
# }
|
|
# }
|
|
}
|