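{ pkgs, lib, config, ... }:
# Riseup VPN client confined to its own network namespace.
#
# At every service start the client key+certificate is fetched from Riseup's
# API into a private runtime directory, then OpenVPN is started with it. The
# CA used to verify the API endpoint is pinned by content hash, so the fetch
# does not depend on the system trust store.
let
  netns = "riseup";
  # Endpoint that hands out the client key+certificate (POST without a body).
  apiUrl = "https://api.black.riseup.net/3/cert";
  # Riseup's CA, pinned by hash; passed both to curl (--cacert) and to OpenVPN.
  ca = pkgs.fetchurl {
    url = "https://black.riseup.net/ca.crt";
    hash = "sha256-Zdvnfz2k7iWlbgmmcUJrpJZ1dp7o0qXeJhP0HWJD7ro=";
  } + "";
  # Single PEM holding private key and certificate, written by preStart below.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      remote =
        # amsterdam
        [ "212.83.182.127" "212.83.165.160" "212.129.4.141" ] ++
        # paris
        #[ "212.83.146.228" "212.83.143.67" "163.172.126.44" ] ++
        # miami
        [ "37.218.244.249" "37.218.244.251" ] ++
        # montreal
        # NOTE(review): 199.58.83.10 appears twice; with remote-random this
        # doubles its selection weight — confirm whether a distinct host was
        # intended.
        [ "199.58.83.10" "199.58.83.10" "199.58.83.12" ] ++
        # new-york
        [ "185.220.103.12" ] ++
        # seattle
        # NOTE(review): 198.252.153.28 is also listed twice — see above.
        [ "198.252.153.28" "198.252.153.28" ] ++
        [];
      # Pick a random entry of the list above at each connection attempt.
      remote-random = true;
      port = "443";
      proto = "tcp";
      inherit ca;
      # Key and cert live in the same PEM fetched by preStart.
      key = key-cert;
      cert = key-cert;

      # NOTE(review): SHA1 HMAC, AES-128-CBC and a DHE/CBC-SHA TLS suite are
      # legacy choices; presumably dictated by what the Riseup gateways
      # negotiate — verify against the server before tightening them.
      auth = "SHA1";
      cipher = "AES-128-CBC";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Require the server-side EKU on the peer certificate, so another
      # client certificate issued by the same CA cannot pose as the gateway.
      remote-cert-tls = "server";
      reneg-sec = 0;
      # Permits OpenVPN to run external up/down scripts; presumably needed by
      # the netns integration — confirm before lowering.
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    preStart = ''
      set -ex
      # --fail: an HTTP error page must not be saved as the key file, or
      # OpenVPN would start against garbage; --cacert restricts trust to the
      # pinned Riseup CA.
      ${pkgs.curl}/bin/curl -v -X POST --fail --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
      # Private key material: owner read/write only, no execute bit.
      chmod 600 ${key-cert}
    '';
    unitConfig = {
      # Never stop retrying: a cert fetch may fail transiently while offline.
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      # Directory holding key-cert, created per start and readable only by
      # the service user.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  environment.systemPackages = [
    pkgs.riseup-vpn
  ];
  # Host-side firewall: let root reach the gateways over TCP/443.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Riseup"
  '';
  # Firewall inside the namespace: default-drop on every hook, loopback and
  # tracked connections allowed, everything else decided by the shared
  # chains from filter.txt.
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      table inet filter {
        include "${../../../../networking/nftables/filter.txt}"
        chain input {
          type filter hook input priority filter
          policy drop
          iifname lo accept
          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          jump check-broadcast
          ct state invalid drop
        }
        chain forward {
          type filter hook forward priority filter
          policy drop
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop
          oifname lo accept
          ct state { related, established } accept
          jump accept-connectivity-output
        }
      }
    '';
  };
}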