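{ config, pkgs, lib, ... }: {
  # Point-to-point OpenVPN server in static-key (pre-shared secret) mode for
  # a single client, plus NAT so that client can route all traffic through
  # this host. Enabled with `snowflake.services.openvpn.enable = true`.
  options.snowflake.services.openvpn.enable =
    lib.mkEnableOption "enable openvpn";

  config = let
    # Pre-shared static key, generated via
    # `openvpn --genkey secret openvpn-laptop.key`. Keep it root-only: in
    # static-key mode this one file is the entire session security and there
    # is no forward secrecy, so a leaked key decrypts recorded past traffic.
    client-key = "/root/openvpn-laptop.key";
    domain = "nixvpn.codingcoffee.me";
    vpn-dev = "tun0";
    # TCP/443 so the tunnel also works on networks that only let
    # HTTPS-looking traffic through.
    port = 443;
  in lib.mkIf config.snowflake.services.openvpn.enable {
    # sudo systemctl start nat
    networking.nat = {
      enable = true;
      externalInterface = lib.mkDefault "enp1s0";
      internalInterfaces = [ vpn-dev ];
    };

    # Everything arriving on the tunnel bypasses the host firewall. Acceptable
    # for one trusted peer; reconsider before serving more than one client.
    networking.firewall.trustedInterfaces = [ vpn-dev ];
    # networking.firewall.allowedUDPPorts = [ port ];
    networking.firewall.allowedTCPPorts = [ port ];

    environment.systemPackages = [ pkgs.openvpn ]; # for key generation

    # Compression (`comp-lzo`) is deliberately absent on both sides: OpenVPN
    # deprecates it, and compressing before encrypting enables VORACLE-style
    # plaintext recovery. Server and client must agree, so redistribute the
    # client profile after this change.
    services.openvpn.servers.smartphone.config = ''
      dev ${vpn-dev}
      proto tcp-server
      ifconfig 10.8.0.1 10.8.0.2
      secret ${client-key}
      port ${toString port}

      cipher AES-256-CBC
      auth-nocache

      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
    '';

    # Client profile. A `mode` other than "symlink" makes NixOS copy the file
    # into /etc (instead of linking into the read-only store), which is what
    # lets the activation script below append the key to it.
    environment.etc."openvpn/smartphone-client.ovpn" = {
      text = ''
        dev tun
        proto tcp-client
        remote "${domain}"
        ifconfig 10.8.0.2 10.8.0.1
        port ${toString port}
        redirect-gateway def1

        cipher AES-256-CBC
        auth-nocache

        keepalive 10 60
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        secret [inline]

      '';
      mode = "600";
    };

    # Append the static key to the client profile once per generation
    # (the file is re-copied on every switch, so the grep guard decides).
    # When the key file is missing, warn and leave the profile untouched
    # instead of writing an empty <secret></secret> block that would look
    # complete, never connect, and block a retry on the next activation.
    system.activationScripts.openvpn-addkey = ''
      f="/etc/openvpn/smartphone-client.ovpn"
      key=${lib.escapeShellArg client-key}
      if ! grep -q '<secret>' "$f"; then
        if [ ! -r "$key" ]; then
          echo "openvpn-addkey: $key not readable, client profile left without a key" >&2
        else
          echo "appending secret key"
          {
            echo "<secret>"
            cat "$key"
            echo "</secret>"
          } >> "$f"
        fi
      fi
    '';
  };
}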