Diffstat (limited to 'makefu/2configs/vpn/openvpn-server.nix')
-rw-r--r-- | makefu/2configs/vpn/openvpn-server.nix | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/makefu/2configs/vpn/openvpn-server.nix b/makefu/2configs/vpn/openvpn-server.nix
new file mode 100644
index 000000000..1e7edbf78
--- /dev/null
+++ b/makefu/2configs/vpn/openvpn-server.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+let
+ out-itf = config.makefu.server.primary-itf;
+ # generate via openvpn --genkey --secret static.key
+ client-key = (toString <secrets>) + "/openvpn-laptop.key";
+ # domain = "vpn.euer.krebsco.de";
+ domain = "gum.krebsco.de";
+ dev = "tun0";
+ port = 1194;
+ tcp-port = 3306;
+in {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.nat = {
+ enable = true;
+ externalInterface = out-itf;
+ internalInterfaces = [ dev ];
+ };
+ networking.firewall.trustedInterfaces = [ dev ];
+ networking.firewall.allowedUDPPorts = [ port ];
+ environment.systemPackages = [ pkgs.openvpn ];
+ services.openvpn.servers.smartphone.config = ''
+ #user nobody
+ #group nobody
+
+ dev ${dev}
+ proto udp
+ ifconfig 10.8.0.1 10.8.0.2
+ secret ${client-key}
+ port ${toString port}
+ cipher AES-256-CBC
+ comp-lzo
+
+ keepalive 10 60
+ ping-timer-rem
+ persist-tun
+ persist-key
+ '';
+
+ environment.etc."openvpn/smartphone-client.ovpn" = {
+ text = ''
+ client
+ dev tun
+ remote "${domain}"
+ ifconfig 10.8.0.1 10.8.0.2
+ port ${toString port}
+
+ cipher AES-256-CBC
+ comp-lzo
+ keepalive 10 60
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+
+ secret [inline]
+
+ '';
+ mode = "700";
+ };
+ system.activationScripts.openvpn-addkey = ''
+ f="/etc/openvpn/smartphone-client.ovpn"
+ if ! grep -q '<secret>' $f; then
+ echo "appending secret key"
+ echo "<secret>" >> $f
+ cat ${client-key} >> $f
+ echo "</secret>" >> $f
+ fi
+ '';
+ #smartphone-tcp.config = ''
+ # user nobody
+ # group nobody
+
+ # dev ${dev}
+ # proto tcp
+ # ifconfig 10.8.0.1 10.8.0.3
+ # secret ${client-key}
+ # port tcp-port
+ # comp-lzo
+
+ # keepalive 10 60
+ # ping-timer-rem
+ # persist-tun
+ # persist-key
+ #'';
+ # TODO: forward via 443
+ # stream {
+ #
+ # map $ssl_preread_server_name $name {
+ # vpn1.app.com vpn1_backend;
+ # vpn2.app.com vpn2_backend;
+ # https.app.com https_backend;
+ # }
+ #
+ # upstream vpn1_backend {
+ # server 10.0.0.3:443;
+ # }
+ #
+ # upstream vpn2_backend {
+ # server 10.0.0.4:443;
+ # }
+ #
+ # upstream https_backend {
+ # server 10.0.0.5:443;
+ #
+ # server {
+ # listen 10.0.0.1:443;
+ # proxy_pass $name;
+ # ssl_preread on;
+ # }
+ # }
+} |
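Review bot: The generated client profile under `environment.etc."openvpn/smartphone-client.ovpn"` repeats the server's `ifconfig 10.8.0.1 10.8.0.2`; in OpenVPN's static-key point-to-point mode the first address is the local endpoint and the second the remote, so the client side must be the mirror image, `ifconfig 10.8.0.2 10.8.0.1`, or both ends claim 10.8.0.1 and nothing routes over `tun0`. Both `services.openvpn.servers.smartphone.config` and the client profile enable `comp-lzo`; compression on a VPN link is the precondition for the VORACLE-style plaintext-recovery attack and the OpenVPN project advises leaving it off, so dropping the line from both ends (a mismatch would break the link) is the safer default. `#user nobody` / `#group nobody` are commented out, so the daemon keeps root after the tunnel is established even though `persist-tun` and `persist-key` — the options that exist to make that privilege drop work — are already set; re-enabling `user nobody` and `group nobody` appears safe with this configuration. The `openvpn-addkey` activation script appends the key only while `<secret>` is absent from the profile, so a rotated `openvpn-laptop.key` would silently not be picked up, and its ordering relative to the `etc` activation step is not declared; writing it as `{ deps = [ "etc" ]; text = ''...''; }` would make the intended order explicit.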