{ config, pkgs, ... }: let out-itf = config.makefu.server.primary-itf; # generate via openvpn --genkey --secret static.key client-key = (toString <secrets>) + "/openvpn-laptop.key"; # domain = "vpn.euer.krebsco.de"; domain = "gum.krebsco.de"; dev = "tun0"; port = 1194; tcp-port = 3306; in { boot.kernel.sysctl."net.ipv4.ip_forward" = 1; networking.nat = { enable = true; externalInterface = out-itf; internalInterfaces = [ dev ]; }; networking.firewall.trustedInterfaces = [ dev ]; networking.firewall.allowedUDPPorts = [ port ]; environment.systemPackages = [ pkgs.openvpn ]; services.openvpn.servers.smartphone.config = '' #user nobody #group nobody dev ${dev} proto udp ifconfig 10.8.0.1 10.8.0.2 secret ${client-key} port ${toString port} cipher AES-256-CBC comp-lzo keepalive 10 60 ping-timer-rem persist-tun persist-key ''; environment.etc."openvpn/smartphone-client.ovpn" = { text = '' client dev tun remote "${domain}" ifconfig 10.8.0.1 10.8.0.2 port ${toString port} cipher AES-256-CBC comp-lzo keepalive 10 60 resolv-retry infinite nobind persist-key persist-tun secret [inline] ''; mode = "700"; }; system.activationScripts.openvpn-addkey = '' f="/etc/openvpn/smartphone-client.ovpn" if ! grep -q '<secret>' $f; then echo "appending secret key" echo "<secret>" >> $f cat ${client-key} >> $f echo "</secret>" >> $f fi ''; #smartphone-tcp.config = '' # user nobody # group nobody # dev ${dev} # proto tcp # ifconfig 10.8.0.1 10.8.0.3 # secret ${client-key} # port tcp-port # comp-lzo # keepalive 10 60 # ping-timer-rem # persist-tun # persist-key #''; # TODO: forward via 443 # stream { # # map $ssl_preread_server_name $name { # vpn1.app.com vpn1_backend; # vpn2.app.com vpn2_backend; # https.app.com https_backend; # } # # upstream vpn1_backend { # server 10.0.0.3:443; # } # # upstream vpn2_backend { # server 10.0.0.4:443; # } # # upstream https_backend { # server 10.0.0.5:443; # # server { # listen 10.0.0.1:443; # proxy_pass $name; # ssl_preread on; # } # } }