]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/networking/openvpn/riseup.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
openvpn: add riseup in net namespace
[sourcephile-nix.git] / machines / losurdo / networking / openvpn / riseup.nix
1 { pkgs, lib, config, ... }:
2 let
3 ns = "riseup";
4 dev = "ov-${ns}";
5 inherit (config.services) openvpn;
6 in
7 {
8 networking.nftables.ruleset = ''
9 add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN"
10 '';
11 systemd.services."openvpn-${ns}" = {
12 bindsTo = [ "netns@${ns}.service" ];
13 requires = [ "netns@${ns}.service" ];
14 };
15 services.openvpn.servers = {
16 "${ns}" = {
17 config = ''
18 verb 3
19 ca ${riseup/cacert.pem}
20 cert ${riseup/client.pem}
21 client
22 dev ov-${ns}
23 dev-type tun
24 persist-tun
25 nobind
26 # Useless to setup the interface
27 # because moving it to ${ns} will reset it
28 ifconfig-noexec
29 route-noexec
30 persist-key
31 key ${riseup/client.pem}
32 tls-client
33 remote-cert-tls server
34 remote 37.218.241.7 1194 tcp4
35 remote 37.218.241.106 443 tcp4
36 remote 163.172.126.44 443 tcp4
37 remote 198.252.153.28 443 tcp4
38 remote 199.58.81.143 443 tcp4
39 remote 199.58.81.145 443 tcp4
40 remote 212.83.143.67 443 tcp4
41 remote 212.83.144.12 443 tcp4
42 remote 212.83.146.228 443 tcp4
43 remote 212.83.165.160 443 tcp4
44 remote 212.83.182.127 443 tcp4
45 remote 212.129.62.247 443 tcp4
46 reneg-sec 0
47 script-security 2
48 up-restart
49 '';
50 up = let dev = "ov-${ns}"; in ''
51 set -eux
52 PATH=${lib.makeBinPath [pkgs.iproute]}
53 ip link set dev "${dev}" up netns "${ns}" mtu "$tun_mtu"
54 ip netns exec "${ns}" ${pkgs.writeShellScript "route-up.sh" ''
55 set -eux
56 PATH=${lib.makeBinPath [pkgs.iproute pkgs.coreutils]}
57
58 ip link set dev lo up
59
60 mkdir -p /etc/netns/"${ns}"
61 foreign_opt_domains=
62 process_foreign_option () {
63 case "$1:$2" in
64 dhcp-option:DNS) echo "nameserver $3" >>/etc/netns/"${ns}"/resolv.conf ;;
65 dhcp-option:DOMAIN) foreign_opt_domains="$foreign_opt_domains $3" ;;
66 esac
67 }
68 if test ! -e /etc/netns/"${ns}"/resolv.conf; then
69 # add DNS settings if given in foreign options
70 i=1
71 while
72 eval opt=\"\''${foreign_option_$i-}\"
73 [ -n "$opt" ]
74 do
75 process_foreign_option $opt
76 i=$(( i + 1 ))
77 done
78 for d in $foreign_opt_domains; do
79 printf '%s\n' "domain $1" "search $*" \
80 >>/etc/netns/"${ns}"/resolv.conf
81 done
82 fi
83
84 netmask4="''${ifconfig_netmask:-30}"
85 netbits6="''${ifconfig_ipv6_netbits:-112}"
86 if [ -n "''${ifconfig_local-}" ]; then
87 if [ -n "''${ifconfig_remote-}" ]; then
88 ip -4 addr replace \
89 local "$ifconfig_local" \
90 peer "$ifconfig_remote/$netmask4" \
91 ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
92 dev "${dev}"
93 else
94 ip -4 addr replace \
95 local "$ifconfig_local/$netmask4" \
96 ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
97 dev "${dev}"
98 fi
99 fi
100 if [ -n "''${ifconfig_ipv6_local-}" ]; then
101 if [ -n "''${ifconfig_ipv6_remote-}" ]; then
102 ip -6 addr replace \
103 local "$ifconfig_ipv6_local" \
104 peer "$ifconfig_ipv6_remote/$netbits6" \
105 dev "${dev}"
106 else
107 ip -6 addr replace \
108 local "$ifconfig_ipv6_local/$netbits6" \
109 dev "${dev}"
110 fi
111 fi
112
113 ${pkgs.writeScript "ruleset" openvpn.servers.${ns}.nftables}
114 ''}
115 '';
116 routeUp = ''
117 set -eux
118 PATH=${lib.makeBinPath [pkgs.iproute]}
119 ${pkgs.coreutils}/bin/env
120 ip netns exec "${ns}" ${pkgs.writeShellScript "route-up.sh" ''
121 set -eux
122 PATH=${lib.makeBinPath [pkgs.iproute]}
123 i=1
124 while
125 eval net=\"\''${route_network_$i-}\"
126 eval mask=\"\''${route_netmask_$i-}\"
127 eval gw=\"\''${route_gateway_$i-}\"
128 eval mtr=\"\''${route_metric_$i-}\"
129 [ -n "$net" ]
130 do
131 ip -4 route replace "$net/$mask" via "$gw" ''${mtr:+metric "$mtr"}
132 i=$(( i + 1 ))
133 done
134
135 if [ -n "''${route_vpn_gateway-}" ]; then
136 ip -4 route replace default via "$route_vpn_gateway"
137 fi
138
139 i=1
140 while
141 # There doesn't seem to be $route_ipv6_metric_<n>
142 # according to the manpage.
143 eval net=\"\''${route_ipv6_network_$i-}\"
144 eval gw=\"\''${route_ipv6_gateway_$i-}\"
145 [ -n "$net" ]
146 do
147 ip -6 route replace "$net" via "$gw" metric 100
148 i=$(( i + 1 ))
149 done
150
151 # There's no $route_vpn_gateway for IPv6. It's not
152 # documented if OpenVPN includes default route in
153 # $route_ipv6_*. Set default route to remote VPN
154 # endpoint address if there is one. Use higher metric
155 # than $route_ipv6_* routes to give preference to a
156 # possible default route in them.
157 if [ -n "''${ifconfig_ipv6_remote-}" ]; then
158 ip -6 route replace default \
159 via "$ifconfig_ipv6_remote" metric 200
160 fi
161 ''}
162 '';
163 nftables = lib.mkBefore ''
164 #!${pkgs.nftables}/bin/nft -f
165 flush ruleset
166 table inet filter {
167 include "${../../../../var/nftables/filter.txt}"
168 chain input {
169 type filter hook input priority filter
170 policy drop
171 iifname lo accept
172 jump check-tcp
173 ct state { established, related } accept
174 jump accept-connectivity-input
175 jump check-broadcast
176 ct state invalid drop
177 }
178 chain forward {
179 type filter hook forward priority filter
180 policy drop
181 jump accept-connectivity-forward
182 }
183 chain output {
184 type filter hook output priority filter
185 policy drop
186 oifname lo accept
187 ct state { related, established } accept
188 jump accept-connectivity-output
189 }
190 }
191 '';
192 };
193 };
194 }
NixOS configurations for Sourcephile's infrastructure