]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/networking/openvpn/riseup.nix
nix: factorize security.gnupg.store
[sourcephile-nix.git] / machines / losurdo / networking / openvpn / riseup.nix
1 { pkgs, lib, config, ... }:
2 let
3 ns = "riseup";
4 dev = "ov-${ns}";
5 inherit (config.services) openvpn;
6 in
7 {
8 networking.nftables.ruleset = ''
9 add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN"
10 '';
11 systemd.services."openvpn-${ns}" = {
12 bindsTo = [ "netns-${ns}.service" ];
13 requires = [ "netns-${ns}.service" ];
14 };
15 services.netns.namespaces.riseup = {
16 nftables = lib.mkBefore ''
17 table inet filter {
18 include "${../../../../var/nftables/filter.txt}"
19 chain input {
20 type filter hook input priority filter
21 policy drop
22 iifname lo accept
23 jump check-tcp
24 ct state { established, related } accept
25 jump accept-connectivity-input
26 jump check-broadcast
27 ct state invalid drop
28 }
29 chain forward {
30 type filter hook forward priority filter
31 policy drop
32 jump accept-connectivity-forward
33 }
34 chain output {
35 type filter hook output priority filter
36 policy drop
37 oifname lo accept
38 ct state { related, established } accept
39 jump accept-connectivity-output
40 }
41 }
42 '';
43 };
44 services.openvpn.servers = {
45 "${ns}" = {
46 config = ''
47 verb 3
48 ca ${riseup/cacert.pem}
49 cert ${riseup/client.pem}
50 client
51 dev ov-${ns}
52 dev-type tun
53 persist-tun
54 nobind
55 # Useless to setup the interface
56 # because moving it to ${ns} will reset it
57 ifconfig-noexec
58 route-noexec
59 persist-key
60 key ${riseup/client.pem}
61 tls-client
62 remote-cert-tls server
63 remote 37.218.241.7 1194 tcp4
64 remote 37.218.241.106 443 tcp4
65 remote 163.172.126.44 443 tcp4
66 remote 198.252.153.28 443 tcp4
67 remote 199.58.81.143 443 tcp4
68 remote 199.58.81.145 443 tcp4
69 remote 212.83.143.67 443 tcp4
70 remote 212.83.144.12 443 tcp4
71 remote 212.83.146.228 443 tcp4
72 remote 212.83.165.160 443 tcp4
73 remote 212.83.182.127 443 tcp4
74 remote 212.129.62.247 443 tcp4
75 reneg-sec 0
76 script-security 2
77 up-restart
78 '';
79 up = let dev = "ov-${ns}"; in ''
80 set -eux
81 PATH=${lib.makeBinPath [pkgs.iproute]}
82 ip link set dev "${dev}" up netns "${ns}" mtu "$tun_mtu"
83 ip netns exec "${ns}" ${pkgs.writeShellScript "route-up.sh" ''
84 set -eux
85 PATH=${lib.makeBinPath [pkgs.iproute pkgs.coreutils]}
86
87 ip link set dev lo up
88
89 mkdir -p /etc/netns/"${ns}"
90 foreign_opt_domains=
91 process_foreign_option () {
92 case "$1:$2" in
93 dhcp-option:DNS) echo "nameserver $3" >>/etc/netns/"${ns}"/resolv.conf ;;
94 dhcp-option:DOMAIN) foreign_opt_domains="$foreign_opt_domains $3" ;;
95 esac
96 }
97 if test ! -e /etc/netns/"${ns}"/resolv.conf; then
98 # add DNS settings if given in foreign options
99 i=1
100 while
101 eval opt=\"\''${foreign_option_$i-}\"
102 [ -n "$opt" ]
103 do
104 process_foreign_option $opt
105 i=$(( i + 1 ))
106 done
107 for d in $foreign_opt_domains; do
108 printf '%s\n' "domain $1" "search $*" \
109 >>/etc/netns/"${ns}"/resolv.conf
110 done
111 fi
112
113 netmask4="''${ifconfig_netmask:-30}"
114 netbits6="''${ifconfig_ipv6_netbits:-112}"
115 if [ -n "''${ifconfig_local-}" ]; then
116 if [ -n "''${ifconfig_remote-}" ]; then
117 ip -4 addr replace \
118 local "$ifconfig_local" \
119 peer "$ifconfig_remote/$netmask4" \
120 ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
121 dev "${dev}"
122 else
123 ip -4 addr replace \
124 local "$ifconfig_local/$netmask4" \
125 ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
126 dev "${dev}"
127 fi
128 fi
129 if [ -n "''${ifconfig_ipv6_local-}" ]; then
130 if [ -n "''${ifconfig_ipv6_remote-}" ]; then
131 ip -6 addr replace \
132 local "$ifconfig_ipv6_local" \
133 peer "$ifconfig_ipv6_remote/$netbits6" \
134 dev "${dev}"
135 else
136 ip -6 addr replace \
137 local "$ifconfig_ipv6_local/$netbits6" \
138 dev "${dev}"
139 fi
140 fi
141 ''}
142 '';
143 routeUp = ''
144 set -eux
145 PATH=${lib.makeBinPath [pkgs.iproute]}
146 ${pkgs.coreutils}/bin/env
147 ip netns exec "${ns}" ${pkgs.writeShellScript "route-up.sh" ''
148 set -eux
149 PATH=${lib.makeBinPath [pkgs.iproute]}
150 i=1
151 while
152 eval net=\"\''${route_network_$i-}\"
153 eval mask=\"\''${route_netmask_$i-}\"
154 eval gw=\"\''${route_gateway_$i-}\"
155 eval mtr=\"\''${route_metric_$i-}\"
156 [ -n "$net" ]
157 do
158 ip -4 route replace "$net/$mask" via "$gw" ''${mtr:+metric "$mtr"}
159 i=$(( i + 1 ))
160 done
161
162 if [ -n "''${route_vpn_gateway-}" ]; then
163 ip -4 route replace default via "$route_vpn_gateway"
164 fi
165
166 i=1
167 while
168 # There doesn't seem to be $route_ipv6_metric_<n>
169 # according to the manpage.
170 eval net=\"\''${route_ipv6_network_$i-}\"
171 eval gw=\"\''${route_ipv6_gateway_$i-}\"
172 [ -n "$net" ]
173 do
174 ip -6 route replace "$net" via "$gw" metric 100
175 i=$(( i + 1 ))
176 done
177
178 # There's no $route_vpn_gateway for IPv6. It's not
179 # documented if OpenVPN includes default route in
180 # $route_ipv6_*. Set default route to remote VPN
181 # endpoint address if there is one. Use higher metric
182 # than $route_ipv6_* routes to give preference to a
183 # possible default route in them.
184 if [ -n "''${ifconfig_ipv6_remote-}" ]; then
185 ip -6 route replace default \
186 via "$ifconfig_ipv6_remote" metric 200
187 fi
188 ''}
189 '';
190 };
191 };
192 }