security: no longer depend upon upstream's hardening
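# OpenVPN client to riseup, confined to its own network namespace: the tun
# device is created in the root namespace, moved into the `riseup` netns by
# the `up` hook, and addressed/routed from inside that netns by the hooks
# below (hence `ifconfig-noexec` / `route-noexec` in the OpenVPN config).
{ pkgs, lib, config, ... }:
let
  ns = "riseup";
  # Name of the tun device created by OpenVPN and moved into the netns.
  dev = "ov-${ns}";
  inherit (config.services) openvpn;
in
{
  # Host-side firewall: the tunnel endpoint is reached over UDP 1194 only.
  # The TCP rule stays commented out, like the TCP remotes further down.
  networking.nftables.ruleset = ''
    #add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN"
    add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN"
  '';

  # The OpenVPN unit must not outlive the namespace its device is moved into.
  systemd.services."openvpn-${ns}" = {
    bindsTo = [ "netns-${ns}.service" ];
    requires = [ "netns-${ns}.service" ];
  };

  # Firewall inside the namespace: default-drop on input, forward and output;
  # loopback and established/related traffic are allowed, the rest is
  # delegated to the shared chains included from var/nftables/filter.txt.
  services.netns.namespaces."${ns}" = {
    nftables = lib.mkBefore ''
      table inet filter {
        include "${../../../../var/nftables/filter.txt}"
        chain input {
          type filter hook input priority filter
          policy drop
          iifname lo accept
          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          jump check-broadcast
          ct state invalid drop
        }
        chain forward {
          type filter hook forward priority filter
          policy drop
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop
          oifname lo accept
          ct state { related, established } accept
          jump accept-connectivity-output
        }
      }
    '';
  };

  services.openvpn.servers = {
    "${ns}" = {
      /*
      cert ${riseup/client.pem}
      key ${riseup/client.pem}
      remote 37.218.241.7 1194 tcp4
      remote 37.218.241.106 443 tcp4
      remote 163.172.126.44 443 tcp4
      remote 198.252.153.28 443 tcp4
      remote 199.58.81.143 443 tcp4
      remote 199.58.81.145 443 tcp4
      remote 212.83.143.67 443 tcp4
      remote 212.83.144.12 443 tcp4
      remote 212.83.146.228 443 tcp4
      remote 212.83.165.160 443 tcp4
      remote 212.83.182.127 443 tcp4
      remote 212.129.62.247 443 tcp4
      ca ${riseup/cacert.pem}
      */
      # Notes on the client options below:
      # - `remote-cert-tls server` pins the peer to a server certificate
      #   issued by the CA in RiseupCA.pem.
      # - `auth-user-pass /root/riseup.auth`: the credential file is read by
      #   root; its permissions are not managed here (expected root-only —
      #   confirm on the host).
      # - `reneg-sec 0` disables renegotiation initiated from this side;
      #   presumably the server's own renegotiation interval still applies.
      # - `script-security 2` is what allows the `up`/`route-up` hooks to run.
      # NOTE(review): no explicit tls-version-min / data-ciphers / auth is set,
      # so the negotiated protocol and cipher suite depend on OpenVPN's
      # defaults and on the server — confirm they match the intended level.
      config = ''
        verb 3
        ca ${riseup/RiseupCA.pem}
        client
        dev ${dev}
        dev-type tun
        persist-tun
        nobind
        # Useless to setup the interface
        # because moving it to ${ns} will reset it
        ifconfig-noexec
        route-noexec
        persist-key
        auth-user-pass /root/riseup.auth
        tls-client
        remote-cert-tls server
        remote 198.252.153.226 1194 udp
        reneg-sec 0
        script-security 2
        up-restart
      '';

      # Runs in the root namespace: moves the device into the netns (which
      # resets it, see the OpenVPN config), then addresses it from inside.
      # `set -x` logs every expanded command (pushed DNS/addresses included)
      # to the journal.
      up = ''
        set -eux
        PATH=${lib.makeBinPath [pkgs.iproute]}
        ip link set dev "${dev}" up netns "${ns}" mtu "$tun_mtu"
        ip netns exec "${ns}" ${pkgs.writeShellScript "up.sh" ''
          set -eux
          PATH=${lib.makeBinPath [pkgs.iproute pkgs.coreutils]}

          ip link set dev lo up

          # resolv.conf for the netns is written only when it does not exist
          # yet: a later reconnection pushing different DNS settings leaves
          # an existing file untouched.
          mkdir -p /etc/netns/"${ns}"
          foreign_opt_domains=
          process_foreign_option () {
            case "$1:$2" in
              dhcp-option:DNS) echo "nameserver $3" >>/etc/netns/"${ns}"/resolv.conf ;;
              dhcp-option:DOMAIN) foreign_opt_domains="$foreign_opt_domains $3" ;;
            esac
          }
          if test ! -e /etc/netns/"${ns}"/resolv.conf; then
            # add DNS settings if given in foreign options
            i=1
            while
              eval opt=\"\''${foreign_option_$i-}\"
              [ -n "$opt" ]
            do
              process_foreign_option $opt
              i=$(( i + 1 ))
            done
            # First pushed domain becomes "domain", all of them "search".
            # (Word splitting of $foreign_opt_domains is intentional.)
            if [ -n "$foreign_opt_domains" ]; then
              set -- $foreign_opt_domains
              printf '%s\n' "domain $1" "search $*" \
                >>/etc/netns/"${ns}"/resolv.conf
            fi
          fi

          # Address the device from OpenVPN's ifconfig_* environment, with
          # point-to-point peers when a remote address was pushed.
          netmask4="''${ifconfig_netmask:-30}"
          netbits6="''${ifconfig_ipv6_netbits:-112}"
          if [ -n "''${ifconfig_local-}" ]; then
            if [ -n "''${ifconfig_remote-}" ]; then
              ip -4 addr replace \
                local "$ifconfig_local" \
                peer "$ifconfig_remote/$netmask4" \
                ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
                dev "${dev}"
            else
              ip -4 addr replace \
                local "$ifconfig_local/$netmask4" \
                ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
                dev "${dev}"
            fi
          fi
          if [ -n "''${ifconfig_ipv6_local-}" ]; then
            if [ -n "''${ifconfig_ipv6_remote-}" ]; then
              ip -6 addr replace \
                local "$ifconfig_ipv6_local" \
                peer "$ifconfig_ipv6_remote/$netbits6" \
                dev "${dev}"
            else
              ip -6 addr replace \
                local "$ifconfig_ipv6_local/$netbits6" \
                dev "${dev}"
            fi
          fi
        ''}
      '';

      # Installs the routes OpenVPN would have installed itself (route-noexec)
      # inside the netns, from the route_* / route_ipv6_* environment.
      # The former `env` dump of the whole hook environment into the journal
      # has been dropped: `set -x` already traces what is actually used.
      routeUp = ''
        set -eux
        PATH=${lib.makeBinPath [pkgs.iproute]}
        ip netns exec "${ns}" ${pkgs.writeShellScript "route-up.sh" ''
          set -eux
          PATH=${lib.makeBinPath [pkgs.iproute]}
          i=1
          while
            eval net=\"\''${route_network_$i-}\"
            eval mask=\"\''${route_netmask_$i-}\"
            eval gw=\"\''${route_gateway_$i-}\"
            eval mtr=\"\''${route_metric_$i-}\"
            [ -n "$net" ]
          do
            ip -4 route replace "$net/$mask" via "$gw" ''${mtr:+metric "$mtr"}
            i=$(( i + 1 ))
          done

          if [ -n "''${route_vpn_gateway-}" ]; then
            ip -4 route replace default via "$route_vpn_gateway"
          fi

          i=1
          while
            # There doesn't seem to be $route_ipv6_metric_<n>
            # according to the manpage.
            eval net=\"\''${route_ipv6_network_$i-}\"
            eval gw=\"\''${route_ipv6_gateway_$i-}\"
            [ -n "$net" ]
          do
            ip -6 route replace "$net" via "$gw" metric 100
            i=$(( i + 1 ))
          done

          # There's no $route_vpn_gateway for IPv6. It's not
          # documented if OpenVPN includes default route in
          # $route_ipv6_*. Set default route to remote VPN
          # endpoint address if there is one. Use higher metric
          # than $route_ipv6_* routes to give preference to a
          # possible default route in them.
          if [ -n "''${ifconfig_ipv6_remote-}" ]; then
            ip -6 route replace default \
              via "$ifconfig_ipv6_remote" metric 200
          fi
        ''}
      '';
    };
  };
}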