stockholm/makefu/2configs/vpn/openvpn-server.nix

112 lines
2.3 KiB
Nix
Raw Normal View History

{ config, pkgs, ... }:
let
out-itf = config.makefu.server.primary-itf;
# generate via openvpn --genkey --secret static.key
client-key = (toString <secrets>) + "/openvpn-laptop.key";
# domain = "vpn.euer.krebsco.de";
domain = "gum.krebsco.de";
dev = "tun0";
port = 1194;
tcp-port = 3306;
in {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat = {
enable = true;
externalInterface = out-itf;
internalInterfaces = [ dev ];
};
networking.firewall.trustedInterfaces = [ dev ];
networking.firewall.allowedUDPPorts = [ port ];
environment.systemPackages = [ pkgs.openvpn ];
services.openvpn.servers.smartphone.config = ''
#user nobody
#group nobody
dev ${dev}
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret ${client-key}
port ${toString port}
cipher AES-256-CBC
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
'';
environment.etc."openvpn/smartphone-client.ovpn" = {
text = ''
client
dev tun
remote "${domain}"
ifconfig 10.8.0.1 10.8.0.2
port ${toString port}
cipher AES-256-CBC
comp-lzo
keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
secret [inline]
'';
mode = "700";
};
system.activationScripts.openvpn-addkey = ''
f="/etc/openvpn/smartphone-client.ovpn"
if ! grep -q '<secret>' $f; then
echo "appending secret key"
echo "<secret>" >> $f
cat ${client-key} >> $f
echo "</secret>" >> $f
fi
'';
#smartphone-tcp.config = ''
# user nobody
# group nobody
# dev ${dev}
# proto tcp
# ifconfig 10.8.0.1 10.8.0.3
# secret ${client-key}
# port tcp-port
# comp-lzo
# keepalive 10 60
# ping-timer-rem
# persist-tun
# persist-key
#'';
# TODO: forward via 443
# stream {
#
# map $ssl_preread_server_name $name {
# vpn1.app.com vpn1_backend;
# vpn2.app.com vpn2_backend;
# https.app.com https_backend;
# }
#
# upstream vpn1_backend {
# server 10.0.0.3:443;
# }
#
# upstream vpn2_backend {
# server 10.0.0.4:443;
# }
#
# upstream https_backend {
# server 10.0.0.5:443;
#
# server {
# listen 10.0.0.1:443;
# proxy_pass $name;
# ssl_preread on;
# }
# }
}