openvpn: update configurations

This commit is contained in:
Tigor Hutasuhut 2024-06-14 19:30:17 +07:00
parent 4b3c971a12
commit 381a2d92e9
2 changed files with 68 additions and 58 deletions



@ -1,19 +1,11 @@
# It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN. # Guide on how to create client ovpn files, and server config: https://wiki.archlinux.org/title/OpenVPN/Checklist_guide
# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
#
# Does not scale well, but it's good enough for personal use.
#
# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.profile.services.openvpn; cfg = config.profile.services.openvpn;
domain = "vpn.tigor.web.id"; domain = "vpn.tigor.web.id";
portLaptop = 1194; port = 1194;
portPhone = 1195; vpn-dev = "tun0";
vpn-dev-laptop = "tun0";
vpn-dev-phone = "tun1";
externalInterface = config.profile.networking.externalInterface; externalInterface = config.profile.networking.externalInterface;
inherit (lib) mkIf; inherit (lib) mkIf;
in in
@ -27,11 +19,11 @@ in
networking.nat = { networking.nat = {
enable = true; enable = true;
inherit externalInterface; inherit externalInterface;
internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ]; internalInterfaces = [ vpn-dev ];
}; };
networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ]; networking.firewall.trustedInterfaces = [ vpn-dev ];
networking.firewall.allowedUDPPorts = [ portLaptop portPhone ]; networking.firewall.allowedUDPPorts = [ port ];
sops = { sops = {
# Activate the secrets. # Activate the secrets.
@ -43,41 +35,50 @@ in
in in
{ {
"openvpn/server/ip" = opts; "openvpn/server/ip" = opts;
"openvpn/key/phone" = opts; "openvpn/server/ca" = opts;
"openvpn/key/laptop" = opts; "openvpn/server/cert" = opts;
"openvpn/server/key" = opts;
"openvpn/server/tls-auth" = opts;
"openvpn/server/dh" = opts;
"openvpn/clients/phone" = opts;
"openvpn/clients/laptop" = opts;
}; };
# This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients. # This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
templates = templates =
let let
template = { secretPlaceholder, port, ifConfig }: '' # secretPlaceholder is a generated inline file from easyrsa build-client-full.
# it contains <cert>, <key>, <ca> sections.
template = { secretPlaceholder, ifConfig }: ''
client
dev tun dev tun
remote "${config.sops.placeholder."openvpn/server/ip"}" remote "${domain}"
port ${toString port} port ${toString port}
ifconfig ${ifConfig}
redirect-gateway def1 redirect-gateway def1
cipher AES-256-CBC cipher AES-256-CBC
auth-nocache auth-nocache
comp-lzo
keepalive 10 60 keepalive 10 60
resolv-retry infinite resolv-retry infinite
nobind nobind
persist-key persist-key
persist-tun persist-tun
secret [inline] key-direction 1
tls-client
<tls-auth>
${config.sops.placeholder."openvpn/server/tls-auth"}
</tls-auth>
<secret>
${secretPlaceholder} ${secretPlaceholder}
</secret>
''; '';
in in
{ {
"openvpn/key/phone" = { "openvpn/key/phone" = {
content = template { content = template {
secretPlaceholder = config.sops.placeholder."openvpn/key/phone"; secretPlaceholder = config.sops.placeholder."openvpn/clients/phone";
port = portPhone;
ifConfig = "10.8.1.1 10.8.1.2"; ifConfig = "10.8.1.1 10.8.1.2";
}; };
path = "/etc/openvpn/phone.ovpn"; path = "/etc/openvpn/phone.ovpn";
@ -85,8 +86,7 @@ in
}; };
"openvpn/key/laptop" = { "openvpn/key/laptop" = {
content = template { content = template {
secretPlaceholder = config.sops.placeholder."openvpn/key/laptop"; secretPlaceholder = config.sops.placeholder."openvpn/clients/laptop";
port = portLaptop;
ifConfig = "10.8.2.1 10.8.2.2"; ifConfig = "10.8.2.1 10.8.2.2";
}; };
path = "/etc/openvpn/laptop.ovpn"; path = "/etc/openvpn/laptop.ovpn";
@ -94,34 +94,31 @@ in
}; };
}; };
}; };
services.openvpn.servers = services.openvpn.servers.homeserver = {
let config = ''
configTemplate = { secretFile, port, dev }: '' dev ${vpn-dev}
dev ${dev} proto udp
proto udp
secret ${secretFile}
port ${toString port}
cipher AES-256-CBC tls-server
auth-nocache cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
comp-lzo server 10.10.10.0 255.255.255.0
keepalive 10 60
ping-timer-rem allow-compression no
persist-tun ca ${config.sops.secrets."openvpn/server/ca".path}
persist-key cert ${config.sops.secrets."openvpn/server/cert".path}
''; key ${config.sops.secrets."openvpn/server/key".path}
in dh ${config.sops.secrets."openvpn/server/dh".path}
{ tls-auth ${config.sops.secrets."openvpn/server/tls-auth".path} 0
phone = {
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; }; keepalive 10 60
autoStart = true; ping-timer-rem
}; persist-tun
laptop = { persist-key
config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; }; '';
autoStart = true; autoStart = true;
}; };
};
}; };
} }
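Review bot: In the templates hunk (@ -43,41 +35,50) the client template switches to `tls-client` but never checks that the peer presents a server certificate, so with one CA signing both the server and every client cert, any client holding a valid cert could pose as the server to the other clients; add `remote-cert-tls server` right after `tls-client`. Also, if `secretPlaceholder` already carries its own `<ca>`/`<cert>`/`<key>` blocks as the comment above it says, wrapping it in `<secret>`…`</secret>` makes OpenVPN read the whole payload as an inline static key, which is rejected together with `tls-client`; the wrapper lines should probably go, leaving just `${secretPlaceholder}`. The per-client `ifconfig ${ifConfig}` looks like a leftover from the static-key setup — with the server now using `server 10.10.10.0 255.255.255.0` the addresses are pushed, so the 10.8.x.x pairs are at best ignored and at worst conflict. In the servers hunk, `tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA` pins a single SHA-1/CBC suite; unless a specific client requires it, leaving the control-channel suite to OpenVPN's defaults is the safer choice.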