let
netns = "riseup";
inherit (config.services) openvpn;
- inherit (config.security) gnupg;
+ apiUrl = "https://api.black.riseup.net/3/cert";
+ ca = pkgs.fetchurl {
+ url = "https://black.riseup.net/ca.crt";
+ hash = "sha256-Zdvnfz2k7iWlbgmmcUJrpJZ1dp7o0qXeJhP0HWJD7ro=";
+ } + "";
+ key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
+services.openvpn.servers.${netns} = {
+ inherit netns;
+ settings = {
+ remote =
+ # amsterdam
+ ["212.83.182.127" "212.83.165.160" "212.129.4.141"] ++
+ # paris
+ #["212.83.146.228" "212.83.143.67" "163.172.126.44"] ++
+ # miami
+ ["37.218.244.249" "37.218.244.251"] ++
+ # montreal
+ ["199.58.83.10" "199.58.83.10" "199.58.83.12"] ++
+ # new-york
+ ["185.220.103.12"] ++
+ # seattle
+ ["198.252.153.28" "198.252.153.28"] ++
+ [];
+ remote-random = true;
+ port = "443";
+ proto = "tcp";
+ inherit ca;
+ key = key-cert;
+ cert = key-cert;
+
+ auth = "SHA1";
+ cipher = "AES-128-CBC";
+ client = true;
+ dev = "ov-${netns}";
+ dev-type = "tun";
+ keepalive = "10 30";
+ nobind = true;
+ persist-key = true;
+ persist-tun = true;
+ remote-cert-tls = "server";
+ reneg-sec = 0;
+ script-security = 2;
+ tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
+ tls-client = true;
+ tun-ipv6 = true;
+ up-restart = true;
+ verb = 3;
+ };
+};
+systemd.services."openvpn-${netns}" = {
+ preStart = ''
+ set -ex
+ ${pkgs.curl}/bin/curl -v -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
+ chmod 700 ${key-cert}
+ '';
+ unitConfig = {
+ StartLimitIntervalSec = 0;
+ };
+ serviceConfig = {
+ RuntimeDirectory = [ "openvpn-${netns}" ];
+ RuntimeDirectoryMode = "0700";
+ };
+};
+environment.systemPackages = [
+ pkgs.riseup-vpn
+];
+networking.nftables.ruleset = ''
+ add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Riseup"
+'';
services.netns.namespaces.${netns} = {
nftables = lib.mkBefore ''
table inet filter {
}
'';
};
-services.openvpn.servers.${netns} = {
- netns = netns;
- settings = {
- verb = 3;
- auth-user-pass = gnupg.secrets."openvpn/${netns}/auth-user-pass".path;
- ca = riseup/RiseupCA.pem;
- client = true;
- dev = "ov-${netns}";
- dev-type = "tun";
- persist-tun = true;
- nobind = true;
- persist-key = true;
- tls-client = true;
- remote-cert-tls = "server";
- remote = "198.252.153.226 1194 udp";
- reneg-sec = 0;
- script-security = 2;
- up-restart = true;
- };
-};
-security.gnupg.secrets."openvpn/${netns}/auth-user-pass" = {
- systemdConfig.before = [ "openvpn-${netns}.service" ];
- systemdConfig.wantedBy = [ "openvpn-${netns}.service" ];
-};
-networking.nftables.ruleset = ''
- add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN"
-'';
}
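Review bot: The preStart on lines 57–61 writes the freshly issued private key with curl's default file mode and only then runs `chmod 700`, which is the wrong mode for a key file (execute bit, no need for it) and leaves a short window before the chmod; curl also runs without `--fail`, so an HTTP error body from the certificate API would be saved to key-cert and pass `set -e`, only to fail later inside OpenVPN with a less obvious message. Setting the umask first, failing on HTTP errors and using 600 keeps the key private from creation: `umask 077`, `${pkgs.curl}/bin/curl -fsSL -X POST --cacert ${ca} -o ${key-cert} ${apiUrl}`, `chmod 600 ${key-cert}`. The `RuntimeDirectoryMode = "0700"` on line 67 already confines the race to the unit's runtime directory, so this is hardening rather than an exposure. The SHA1/AES-128-CBC/tls-cipher values on lines 37–49 appear to be dictated by the provider's endpoint; if so, a comment such as `# values required by the Riseup endpoint` would stop the next reader from "modernising" them and breaking the connection.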