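# Guide on how to create client ovpn files, and server config: https://wiki.archlinux.org/title/OpenVPN/Checklist_guide
#
# NixOS module for a single OpenVPN server ("homeserver") plus sops-rendered
# client profiles. Changes from the previous revision:
#   - `push "dhcp-option ..."` was missing the option type; OpenVPN expects
#     `dhcp-option DNS <addr>`, so clients received an unparsable option and,
#     combined with `block-outside-dns`, could end up with no DNS at all.
#   - the `ifConfig` argument of `template` was never referenced inside the
#     template (addresses are assigned by the server's `server` directive), so
#     it has been dropped from the function and both call sites.
#   - client profiles now carry `remote-cert-tls server` so a client only
#     accepts a peer whose certificate has the server EKU (easyrsa
#     `build-server-full` issues such a certificate); this stops one client
#     certificate from being used to impersonate the server to another client.
{ config, lib, pkgs, ... }:
let
  cfg = config.profile.services.openvpn;

  # Public name the clients connect to; the server listens on `port`/udp.
  domain = "vpn.tigor.web.id";
  port = 1194;

  # Tunnel device, reused for NAT and firewall trust below.
  vpn-dev = "tun0";
  externalInterface = config.profile.networking.externalInterface;

  inherit (lib) mkIf;
in
{
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key

    # Enable IP forwarding to allow the VPN to act as a gateway.
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

    # Masquerade tunnel traffic out of the external interface.
    networking.nat = {
      enable = true;
      inherit externalInterface;
      internalInterfaces = [ vpn-dev ];
    };

    # NOTE(review): a trusted interface exposes every locally listening port to
    # VPN clients; if not all clients are fully trusted, replace this with
    # per-interface allowedTCPPorts/allowedUDPPorts.
    networking.firewall.trustedInterfaces = [ vpn-dev ];
    networking.firewall.allowedUDPPorts = [ port ];

    sops = {
      # Activate the secrets.
      secrets =
        let
          opts = {
            sopsFile = ../../secrets/openvpn.yaml;
          };
        in
        {
          "openvpn/server/ip" = opts;
          "openvpn/server/ca" = opts;
          "openvpn/server/cert" = opts;
          "openvpn/server/key" = opts;
          "openvpn/server/tls-auth" = opts;
          "openvpn/server/dh" = opts;
          "openvpn/clients/phone" = opts;
          "openvpn/clients/laptop" = opts;
        };

      # This section renders one .ovpn file per client at the `path` given
      # below; these are to be shared with the clients. Each rendered file
      # contains that client's private key and the shared tls-auth key, so the
      # destination directory must be handled as secret material.
      templates =
        let
          # secretPlaceholder is a generated inline file from easyrsa build-client-full.
          # it contains <cert>, <key>, <ca> sections.
          template = { secretPlaceholder }: ''
            client
            dev tun
            remote "${domain}"
            port ${toString port}
            redirect-gateway def1

            cipher AES-256-CBC
            auth-nocache

            keepalive 10 60
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            key-direction 1

            tls-client
            remote-cert-tls server
            <tls-auth>
            ${config.sops.placeholder."openvpn/server/tls-auth"}
            </tls-auth>

            ${secretPlaceholder}
          '';
        in
        {
          "openvpn/key/phone" = {
            content = template {
              secretPlaceholder = config.sops.placeholder."openvpn/clients/phone";
            };
            path = "/nas/Syncthing/Sync/VPN/phone.ovpn";
            owner = config.profile.user.name;
          };

          "openvpn/key/laptop" = {
            content = template {
              secretPlaceholder = config.sops.placeholder."openvpn/clients/laptop";
            };
            path = "/nas/Syncthing/Sync/VPN/laptop.ovpn";
            owner = config.profile.user.name;
          };
        };
    };

    # NOTE(review): the daemon keeps root for its whole lifetime (no `user`/
    # `group` directive); `persist-key`/`persist-tun` are already set, which is
    # what a privilege drop after startup requires. The status file lives in
    # the shared /tmp; a service-private runtime directory would be preferable.
    # `cipher AES-256-CBC` is a legacy non-AEAD data cipher and `tls-cipher`
    # pins a single CBC-SHA1 control-channel suite; both are kept here so the
    # existing client profiles keep working, but they are candidates for
    # migration to `data-ciphers` with an AEAD suite.
    services.openvpn.servers.homeserver = {
      config = ''
        dev ${vpn-dev}
        proto udp
        status /tmp/openvpn-status.log

        comp-lzo no

        tls-server
        cipher AES-256-CBC
        tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

        server 10.10.10.0 255.255.255.0

        ca ${config.sops.secrets."openvpn/server/ca".path}
        cert ${config.sops.secrets."openvpn/server/cert".path}
        key ${config.sops.secrets."openvpn/server/key".path}
        dh ${config.sops.secrets."openvpn/server/dh".path}
        tls-auth ${config.sops.secrets."openvpn/server/tls-auth".path} 0

        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key

        push "block-outside-dns"
        push "dhcp-option DNS 192.168.100.3"
        push "comp-lzo no"
      '';
      autoStart = true;
    };
  };
}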