Diffstat (limited to 'makefu/2configs/vpn/openvpn-server.nix')
-rw-r--r--makefu/2configs/vpn/openvpn-server.nix111
1 files changed, 111 insertions, 0 deletions
diff --git a/makefu/2configs/vpn/openvpn-server.nix b/makefu/2configs/vpn/openvpn-server.nix
new file mode 100644
index 000000000..1e7edbf78
--- /dev/null
+++ b/makefu/2configs/vpn/openvpn-server.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+let
+ out-itf = config.makefu.server.primary-itf;
+ # generate via openvpn --genkey --secret static.key
+ client-key = (toString <secrets>) + "/openvpn-laptop.key";
+ # domain = "vpn.euer.krebsco.de";
+ domain = "gum.krebsco.de";
+ dev = "tun0";
+ port = 1194;
+ tcp-port = 3306;
+in {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.nat = {
+ enable = true;
+ externalInterface = out-itf;
+ internalInterfaces = [ dev ];
+ };
+ networking.firewall.trustedInterfaces = [ dev ];
+ networking.firewall.allowedUDPPorts = [ port ];
+ environment.systemPackages = [ pkgs.openvpn ];
+ services.openvpn.servers.smartphone.config = ''
+ #user nobody
+ #group nobody
+
+ dev ${dev}
+ proto udp
+ ifconfig 10.8.0.1 10.8.0.2
+ secret ${client-key}
+ port ${toString port}
+ cipher AES-256-CBC
+ comp-lzo
+
+ keepalive 10 60
+ ping-timer-rem
+ persist-tun
+ persist-key
+ '';
+
+ environment.etc."openvpn/smartphone-client.ovpn" = {
+ text = ''
+ client
+ dev tun
+ remote "${domain}"
+ ifconfig 10.8.0.1 10.8.0.2
+ port ${toString port}
+
+ cipher AES-256-CBC
+ comp-lzo
+ keepalive 10 60
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+
+ secret [inline]
+
+ '';
+ mode = "700";
+ };
+ system.activationScripts.openvpn-addkey = ''
+ f="/etc/openvpn/smartphone-client.ovpn"
+ if ! grep -q '<secret>' $f; then
+ echo "appending secret key"
+ echo "<secret>" >> $f
+ cat ${client-key} >> $f
+ echo "</secret>" >> $f
+ fi
+ '';
+ #smartphone-tcp.config = ''
+ # user nobody
+ # group nobody
+
+ # dev ${dev}
+ # proto tcp
+ # ifconfig 10.8.0.1 10.8.0.3
+ # secret ${client-key}
+ # port tcp-port
+ # comp-lzo
+
+ # keepalive 10 60
+ # ping-timer-rem
+ # persist-tun
+ # persist-key
+ #'';
+ # TODO: forward via 443
+ # stream {
+ #
+ # map $ssl_preread_server_name $name {
+ # vpn1.app.com vpn1_backend;
+ # vpn2.app.com vpn2_backend;
+ # https.app.com https_backend;
+ # }
+ #
+ # upstream vpn1_backend {
+ # server 10.0.0.3:443;
+ # }
+ #
+ # upstream vpn2_backend {
+ # server 10.0.0.4:443;
+ # }
+ #
+ # upstream https_backend {
+ # server 10.0.0.5:443;
+ #
+ # server {
+ # listen 10.0.0.1:443;
+ # proxy_pass $name;
+ # ssl_preread on;
+ # }
+ # }
+}
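Review bot: The server config ships with the privilege drop disabled (`#user nobody` / `#group nobody`), so the openvpn process that parses untrusted UDP on port 1194 keeps root for its whole lifetime; since `persist-key` and `persist-tun` are already set, which is exactly what makes the drop survive restarts, these can be enabled as `user nobody` and `group nogroup` (NixOS has no `nobody` group). Separately, the client profile copies the server's address order, `ifconfig 10.8.0.1 10.8.0.2`; on a point-to-point static-key link the client side must be reversed, `ifconfig 10.8.0.2 10.8.0.1`, or both ends claim 10.8.0.1 as their local address. `comp-lzo` on both ends turns on compression inside the tunnel, which is the oracle that VORACLE-style attacks rely on; for a single-client link it is cheap to drop. Finally, `mode = "700"` on the .ovpn file that ends up carrying the inlined key sets a pointless execute bit — `600` states the intent for a data file that holds a secret.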