# NixOS module: an OpenVPN client to Riseup that runs confined to its own
# network namespace (services.netns) behind a default-drop nftables policy,
# plus the single host-side egress rule the tunnel needs.
{ pkgs, lib, config, ... }:
let
  ns = "riseup";

  # gnupg-managed secret that holds the OpenVPN username/password file.
  secretName = "openvpn/${ns}/auth-user-pass";
  authSecret = config.security.gnupg.secrets.${secretName};

  # systemd unit the NixOS openvpn module creates for this server entry.
  vpnUnit = "openvpn-${ns}.service";
in
{
  # Host side: let the tunnel's outer traffic leave the box.  Only UDP/1194
  # is opened; the TCP/443+1194 variant stays commented out, which matches
  # the single udp `remote` configured further down.  (`fw2net` is
  # presumably a chain defined in the host's shared ruleset — not visible
  # here.)
  networking.nftables.ruleset = ''
    #add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN"
    add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN"
  '';

  services.netns.namespaces.${ns} = {
    # Ruleset loaded inside the namespace.  All three hooks default to drop;
    # only loopback, established/related state, and whatever the shared
    # filter.txt admits through its jump targets get through.  lib.mkBefore
    # orders this text ahead of anything else merged into the option.
    # NOTE(review): the check-*/accept-connectivity-* chains are expected to
    # come from the included file — confirm it defines all five, otherwise
    # the ruleset fails to load.
    nftables = lib.mkBefore ''
      table inet filter {
        include "${../../../../var/nftables/filter.txt}"
        chain input {
          type filter hook input priority filter
          policy drop
          iifname lo accept
          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          jump check-broadcast
          ct state invalid drop
        }
        chain forward {
          type filter hook forward priority filter
          policy drop
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop
          oifname lo accept
          ct state { related, established } accept
          jump accept-connectivity-output
        }
      }
    '';
  };

  # Decrypt the credentials file before the VPN unit starts, and pull the
  # decryption in whenever that unit is wanted.
  security.gnupg.secrets.${secretName} = {
    systemdConfig = {
      before = [ vpnUnit ];
      wantedBy = [ vpnUnit ];
    };
  };

  # Former endpoint list (client certificate auth over TCP), kept for
  # reference only; the active config uses password auth over UDP below.
  #   cert ${riseup/client.pem}
  #   key ${riseup/client.pem}
  #   remote 37.218.241.7 1194 tcp4
  #   remote 37.218.241.106 443 tcp4
  #   remote 163.172.126.44 443 tcp4
  #   remote 198.252.153.28 443 tcp4
  #   remote 199.58.81.143 443 tcp4
  #   remote 199.58.81.145 443 tcp4
  #   remote 212.83.143.67 443 tcp4
  #   remote 212.83.144.12 443 tcp4
  #   remote 212.83.146.228 443 tcp4
  #   remote 212.83.165.160 443 tcp4
  #   remote 212.83.182.127 443 tcp4
  #   remote 212.129.62.247 443 tcp4
  #   ca ${riseup/cacert.pem}
  services.openvpn.servers.${ns} = {
    # Run the client process inside the namespace defined above.
    netns = ns;

    settings = {
      client = true;
      tls-client = true;
      verb = 3;

      # Peer / transport: one UDP endpoint, no fixed local port.
      remote = "198.252.153.226 1194 udp";
      nobind = true;
      # Turns off the client's periodic TLS renegotiation timer.
      # NOTE(review): the server may still renegotiate on its own schedule;
      # confirm this is deliberate rather than a leftover.
      reneg-sec = 0;

      # Server identity: trust only the Riseup CA, and require the peer
      # certificate to be marked for server use so that a leaked client
      # certificate cannot be presented as the server (per OpenVPN's
      # documentation of remote-cert-tls).
      ca = ./riseup/RiseupCA.pem;
      remote-cert-tls = "server";
      # Credentials are read from the gnupg-decrypted secret file; the unit
      # ordering declared in security.gnupg.secrets makes it exist first.
      auth-user-pass = authSecret.path;

      # Tunnel device.
      dev = "ov-${ns}";
      dev-type = "tun";
      # Keep key material and the tun device across restarts so the process
      # need not re-read the secret or re-create the interface (OpenVPN
      # option semantics; not visible in this file).
      persist-key = true;
      persist-tun = true;
      up-restart = true;
      # Level 2 allows OpenVPN to execute external scripts (up/down hooks).
      # NOTE(review): presumably needed by the netns/up handling of the
      # NixOS module — verify only trusted scripts are configured.
      script-security = 2;
    };
  };
}