1 { pkgs, lib, config, ... }:
4 inherit (config.services) openvpn;
5 apiUrl = "https://api.black.riseup.net/3/cert";
7 url = "https://black.riseup.net/ca.crt";
8 hash = "sha256-Zdvnfz2k7iWlbgmmcUJrpJZ1dp7o0qXeJhP0HWJD7ro=";
10 key-cert = "/run/openvpn-${netns}/key+cert.pem";
13 services.openvpn.servers.${netns} = {
18 ["212.83.182.127" "212.83.165.160" "212.129.4.141"] ++
20 #["212.83.146.228" "212.83.143.67" "163.172.126.44"] ++
22 ["37.218.244.249" "37.218.244.251"] ++
24 ["199.58.83.10" "199.58.83.10" "199.58.83.12"] ++
28 ["198.252.153.28" "198.252.153.28"] ++
38 cipher = "AES-128-CBC";
46 remote-cert-tls = "server";
49 tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
56 systemd.services."openvpn-${netns}" = {
59 ${pkgs.curl}/bin/curl -v -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
63 StartLimitIntervalSec = 0;
66 RuntimeDirectory = [ "openvpn-${netns}" ];
67 RuntimeDirectoryMode = "0700";
70 environment.systemPackages = [
73 networking.nftables.ruleset = ''
74 add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Riseup"
76 services.netns.namespaces.${netns} = {
77 nftables = lib.mkBefore ''
79 include "${../../../../networking/nftables/filter.txt}"
81 type filter hook input priority filter
85 ct state { established, related } accept
86 jump accept-connectivity-input
91 type filter hook forward priority filter
93 jump accept-connectivity-forward
96 type filter hook output priority filter
99 ct state { related, established } accept
100 jump accept-connectivity-output