Configure single-client OpenVPN

2023-09-11 19:52:03 -05:00 · 2023-09-11 19:52:03 -05:00 · e9decbda68
commit e9decbda68
parent 006e96421c
5 changed files with 75 additions and 9 deletions
--- a/flake.nix
+++ b/flake.nix
@ -62,6 +62,8 @@
                    ./nix/system/dns.nix
                    ./nix/system/hardware.nix
                    ./nix/system/nix-conf.nix
+                    ./nix/system/network.nix
+                    ./nix/system/openvpn.nix
                    ./nix/system/security.nix
                    ./nix/system/system.nix
                    ./nix/system/virtualisation.nix
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
@ -0,0 +1,15 @@
+{ ... }: {
+  networking = {
+    hostName = "eve-psr-nix0";
+    firewall = {
+      allowedTCPPorts = [ 22 80 443 ];
+      allowedUDPPorts = [ 22 80 443 53 1194 ];
+      trustedInterfaces = [ "tun0" ];
+    };
+    nat = {
+      enable = true;
+      externalInterface = "enp1s0";
+      internalInterfaces = [ "tun0" ];
+    };
+  };
+}
--- a/nix/system/openvpn.nix
+++ b/nix/system/openvpn.nix
@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+let
+  client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
+  domain = "matri.cx";
+  port = 1194;
+in
+{
+  services.openvpn.servers.laptop.config = ''
+    dev tun0
+    proto udp
+    ifconfig 10.8.0.1 10.8.0.2
+    secret ${client-key}
+    port ${toString port}
+
+    cipher AES-256-CBC
+    auth-nocache
+
+    comp-lzo
+    keepalive 10 60
+    ping-timer-rem
+    persist-tun
+    persist-key
+  '';
+
+  environment.etc."openvpn/laptop-client.ovpn" = {
+    text = ''
+      dev tun
+      remote "${domain}"
+      ifconfig 10.8.0.2 10.8.0.1
+      port ${toString port}
+      redirect-gateway def1
+
+      cipher AES-256-CBC
+      auth-nocache
+
+      comp-lzo
+      keepalive 10 60
+      resolv-retry infinite
+      nobind
+      persist-key
+      persist-tun
+      secret [inline]
+
+    '';
+    mode = "600";
+  };
+  system.activationScripts.openvpn-addkey = ''
+    f="/etc/openvpn/laptop-client.ovpn"
+    if ! grep -q '<secret>' $f; then
+      echo "appending secret key"
+      echo "<secret>" >> $f
+      cat ${client-key} >> $f
+      echo "</secret>" >> $f
+    fi
+  '';
+}
--- a/nix/system/security.nix
+++ b/nix/system/security.nix
@ -2,6 +2,7 @@
  services.openssh = {
    enable = true;
  };
+
  security = {
    sudo.wheelNeedsPassword = false;
    acme = {
--- a/nix/system/system.nix
+++ b/nix/system/system.nix
@ -5,15 +5,7 @@
    loader.efi.canTouchEfiVariables = true;
  };

-  environment.systemPackages = with pkgs; [ git pciutils vim wget ];
-
-  networking = {
-    hostName = "eve-psr-nix0";
-    firewall = {
-      allowedTCPPorts = [ 22 80 443 ];
-      allowedUDPPorts = [ 22 80 443 53 ];
-    };
-  };
+  environment.systemPackages = with pkgs; [ git pciutils openvpn vim wget ];

  programs.ssh.knownHosts = {
    selbeiskami = {