From b6c383814a073386b3c85a1ff727cdd68e831574 Mon Sep 17 00:00:00 2001 From: Julien Moutinho <julm@sourcephile.fr> Date: Tue, 1 Dec 2020 21:19:04 +0100 Subject: [PATCH] openvpn: bitmask-vpn key no longer works --- .../losurdo/networking/openvpn/riseup.nix | 38 +++++++------ .../networking/openvpn/riseup/cacert.pem | 32 ----------- .../networking/openvpn/riseup/client.pem | 54 ------------------- 3 files changed, 22 insertions(+), 102 deletions(-) delete mode 100644 machines/losurdo/networking/openvpn/riseup/cacert.pem delete mode 100644 machines/losurdo/networking/openvpn/riseup/client.pem diff --git a/machines/losurdo/networking/openvpn/riseup.nix b/machines/losurdo/networking/openvpn/riseup.nix index 0fe2641..9b8dc15 100644 --- a/machines/losurdo/networking/openvpn/riseup.nix +++ b/machines/losurdo/networking/openvpn/riseup.nix @@ -6,7 +6,8 @@ let in { networking.nftables.ruleset = '' - add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN" + #add rule inet filter fw2net tcp dport {443,1194} counter accept comment "OpenVPN" + add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN" ''; systemd.services."openvpn-${ns}" = { bindsTo = [ "netns-${ns}.service" ]; @@ -43,23 +44,9 @@ services.netns.namespaces.riseup = { }; services.openvpn.servers = { "${ns}" = { - config = '' - verb 3 - ca ${riseup/cacert.pem} + /* cert ${riseup/client.pem} - client - dev ov-${ns} - dev-type tun - persist-tun - nobind - # Useless to setup the interface - # because moving it to ${ns} will reset it - ifconfig-noexec - route-noexec - persist-key key ${riseup/client.pem} - tls-client - remote-cert-tls server remote 37.218.241.7 1194 tcp4 remote 37.218.241.106 443 tcp4 remote 163.172.126.44 443 tcp4 
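Review bot: The new egress rule `add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN"` allows UDP/1194 to any destination, while the OpenVPN config this commit installs has exactly one gateway; restricting it to that host, `add rule inet filter fw2net ip daddr 198.252.153.226 udp dport 1194 counter accept comment "OpenVPN"`, keeps the namespace from reaching arbitrary hosts on that port if the tunnel process is ever misused. The old TCP rule is kept as a commented-out line with no explanation; git history already preserves it, so either delete it or state in a comment that the TCP 443 gateways are an intended fallback and leave the rule live. Whether `fw2net` ends in a default drop is outside this hunk; the narrowing only matters if it does.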
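Review bot: Wrapping `cert ${riseup/client.pem}` and `key ${riseup/client.pem}` in `/*` and deleting the file does not remove the RSA private key that file contained from the repository — it remains readable in every earlier commit, so anyone with history access still holds it. The embedded leaf certificate appears to carry a notAfter of 2020-11-22 (decoded from the PEM; please confirm), which would make the key useless as a credential now; if that is not the case it needs revoking with the provider, and either way it is a reason to keep credentials out of the tree as the new `auth-user-pass` file does. The `/* … */` block is dead configuration whose only content (the TCP gateway list) git already preserves, so drop it rather than carry it in the attribute set. The `"${ns}"` attribute and the comment block continue into the next hunk.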
@@ -72,6 +59,25 @@ services.openvpn.servers = { remote 212.83.165.160 443 tcp4 remote 212.83.182.127 443 tcp4 remote 212.129.62.247 443 tcp4 + ca ${riseup/cacert.pem} + */ + config = '' + verb 3 + ca ${riseup/RiseupCA.pem} + client + dev ov-${ns} + dev-type tun + persist-tun + nobind + # Useless to setup the interface + # because moving it to ${ns} will reset it + ifconfig-noexec + route-noexec + persist-key + auth-user-pass /root/riseup.auth + tls-client + remote-cert-tls server + remote 198.252.153.226 1194 udp reneg-sec 0 script-security 2 up-restart diff --git a/machines/losurdo/networking/openvpn/riseup/cacert.pem b/machines/losurdo/networking/openvpn/riseup/cacert.pem deleted file mode 100644 index cbec39c..0000000 --- a/machines/losurdo/networking/openvpn/riseup/cacert.pem +++ /dev/null 
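Review bot: `auth-user-pass /root/riseup.auth` names a file that nothing in this module creates or checks, and OpenVPN only warns when that file is group- or world-readable and proceeds anyway, so the module should either verify the file exists with mode 0600 before start (a `preStart` check on the `openvpn-${ns}` unit, or managing the path through a secrets mechanism) or at least document that requirement in a comment next to the line. With a password replacing the client certificate, server identity now rests solely on `ca ${riseup/RiseupCA.pem}` plus `remote-cert-tls server`; pinning the expected subject with `verify-x509-name <gateway-name> name` (whatever CN/SAN the gateway certificate actually carries — to be confirmed) narrows what any certificate issued by that CA could impersonate. `riseup/RiseupCA.pem` is not added by this patch (the diffstat lists only three files), so it must already be in the tree or evaluation fails; since it is the trust anchor, a comment recording where it was obtained and how its fingerprint was verified belongs above the `ca` line. `reneg-sec 0` is unchanged context but now disables periodic rekeying on a password-authenticated session, which is worth reconsidering. The `''…''` config string and the enclosing `"${ns}"` attribute extend past this hunk.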
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQ0FADBZMRgwFgYDVQQKDA9SaXNl
-dXAgTmV0d29ya3MxGzAZBgNVBAsMEmh0dHBzOi8vcmlzZXVwLm5ldDEgMB4GA1UE
-AwwXUmlzZXVwIE5ldHdvcmtzIFJvb3QgQ0EwHhcNMTQwNDI4MDAwMDAwWhcNMjQw
-NDI4MDAwMDAwWjBZMRgwFgYDVQQKDA9SaXNldXAgTmV0d29ya3MxGzAZBgNVBAsM
-Emh0dHBzOi8vcmlzZXVwLm5ldDEgMB4GA1UEAwwXUmlzZXVwIE5ldHdvcmtzIFJv
-b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC76J4ciMJ8Sg0m
-TP7DF2DT9zNe0Csk4myoMFC57rfJeqsAlJCv1XMzBmXrw8wq/9z7XHv6n/0sWU7a
-7cF2hLR33ktjwODlx7vorU39/lXLndo492ZBhXQtG1INMShyv+nlmzO6GT7ESfNE
-LliFitEzwIegpMqxCIHXFuobGSCWF4N0qLHkq/SYUMoOJ96O3hmPSl1kFDRMtWXY
-iw1SEKjUvpyDJpVs3NGxeLCaA7bAWhDY5s5Yb2fA1o8ICAqhowurowJpW7n5ZuLK
-5VNTlNy6nZpkjt1QycYvNycffyPOFm/Q/RKDlvnorJIrihPkyniV3YY5cGgP+Qkx
-HUOT0uLA6LHtzfiyaOqkXwc4b0ZcQD5Vbf6Prd20Ppt6ei0zazkUPwxld3hgyw58
-m/4UIjG3PInWTNf293GngK2Bnz8Qx9e/6TueMSAn/3JBLem56E0WtmbLVjvko+LF
-PM5xA+m0BmuSJtrD1MUCXMhqYTtiOvgLBlUm5zkNxALzG+cXB28k6XikXt6MRG7q
-hzIPG38zwkooM55yy5i1YfcIi5NjMH6A+t4IJxxwb67MSb6UFOwg5kFokdONZcwj
-shczHdG9gLKSBIvrKa03Nd3W2dF9hMbRu//STcQxOailDBQCnXXfAATj9pYzdY4k
-ha8VCAREGAKTDAex9oXf1yRuktES4QIDAQABo2AwXjAdBgNVHQ4EFgQUC4tdmLVu
-f9hwfK4AGliaet5KkcgwDgYDVR0PAQH/BAQDAgIEMAwGA1UdEwQFMAMBAf8wHwYD
-VR0jBBgwFoAUC4tdmLVuf9hwfK4AGliaet5KkcgwDQYJKoZIhvcNAQENBQADggIB
-AGzL+GRnYu99zFoy0bXJKOGCF5XUXP/3gIXPRDqQf5g7Cu/jYMID9dB3No4Zmf7v
-qHjiSXiS8jx1j/6/Luk6PpFbT7QYm4QLs1f4BlfZOti2KE8r7KRDPIecUsUXW6P/
-3GJAVYH/+7OjA39za9AieM7+H5BELGccGrM5wfl7JeEz8in+V2ZWDzHQO4hMkiTQ
-4ZckuaL201F68YpiItBNnJ9N5nHr1MRiGyApHmLXY/wvlrOpclh95qn+lG6/2jk7
-3AmihLOKYMlPwPakJg4PYczm3icFLgTpjV5sq2md9bRyAg3oPGfAuWHmKj2Ikqch
-Td5CHKGxEEWbGUWEMP0s1A/JHWiCbDigc4Cfxhy56CWG4q0tYtnc2GMw8OAUO6Wf
-Xu5pYKNkzKSEtT/MrNJt44tTZWbKV/Pi/N2Fx36my7TgTUj7g3xcE9eF4JV2H/sg
-tsK3pwE0FEqGnT4qMFbixQmc8bGyuakr23wjMvfO7eZUxBuWYR2SkcP26sozF9PF
-tGhbZHQVGZUTVPyvwahMUEhbPGVerOW0IYpxkm0x/eaWdTc4vPpf/rIlgbAjarnJ
-UN9SaWRlWKSdP4haujnzCoJbM7dU9bjvlGZNyXEekgeT0W2qFeGGp+yyUWw8tNsp
-0BuC1b7uW/bBn/xKm319wXVDvBgZgcktMolak39V7DVO
------END CERTIFICATE-----
diff --git a/machines/losurdo/networking/openvpn/riseup/client.pem
deleted file mode 100644
index cb391bb..0000000
--- a/machines/losurdo/networking/openvpn/riseup/client.pem
+++ /dev/null
@@ -1,54 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAs4V9VZQSh1xSjk0tIUc3B6nEu8uLht/WDp+LU/RzPdjLDMXc
-irpRKzBAuhqJwWB0SBw8LoaNp1DnIVetEa1RmuWkD+VVTtDwaPwst36T64BHrKzP
-yiK/vXs5mzhm4KbLKFlcwOYGysNrORVrMJtSsK6TD9TpoPEeELTJt8gJ1mFGZBjY
-HHRMGvYOvZwFhtsMDNSj5b48KwxIIiiPfrkYElNRU35NQcZfT8ETvRCM+R98E+3E
-YFY017Lhfzdgak5LWttYB/AVruOMbmSv50WKT6rhZFeG6llelEcPaRb1aT6IR3uq
-nhQLn/xXsUKEO+pAvOUb6p+GyOwcQMMAHDLkOQIDAQABAoIBAB31hBIZEPKIBLr8
-xDBOiy97NHrGoDVU+4sbMwxCukyy9kfeaUy5hTw45ERqk1yzNRSnqZ92EwO+K6RT
-1m0hyIGaG0QP2Km7krNiii/hLtxZXxzBBjhMjkUX4Gg4BGsvSq4kI6eJe86wyB8R
-pP7KnQUhTSeSN58FPig5k4RZHNMqxwIjWLBWoz3qy82CtICcJLWDd0ro/rNZFW8h
-LAteXA7DuOlbyFHcC0SG8kctB9ZRPkasdwrF6swyBOTTtwabsMXfat8f+mqM6Efo
-VZ3Xp2wN0UXEFVjJXMEDDeQH+q0kGE7H6MQE/0FiOt98wLuC5bBYQC0HxMSlWdz1
-USbPDVUCgYEA4vlA29mvSffe4iqDC83VtawMt4lC5m2Zqs8+D4BV1kUnnA9OO1zu
-ZPmof4eWj6K17k7YXO8Xd8je794s4iTmZvO5Ig76bZk43N8aXSr0M+WmMMLRKAbC
-EsJlVOwwwwmu2sQLHBEeS+9vsnA1tlslvtqsq5/fEBOFXGMvMrS9be8CgYEAynq6
-hTKodj7BpvwipGXLa+uaPN8ttCesOUc+yKK9nuMnpJNPU1MCyTEtskijsz823Tzi
-ti1dyTQSiBFtFgh8D1dUYKdd98u3ljzoToSsaDvIyMvn/2pxvTGMvZ9VaMSRHlZI
-bMC9xtfchuDzVR3APh2I4CV9UHnCEiIVtRrd+FcCgYEA0wdWI1KI5Kf+ZZ+LCf2N
-toTJqheHyQCcADEBjZ4PsNHJWxLr9MuZpu5smG3zMYbhyjkqd3WhBzEO/kw+xN/0
-DEKMnbr5Yc81DD6un3Mha+MYGnv3xVRLOu/dEREs4Rnupd3iSm0sEwQCgRBNEEg8
-lu9v3X4eAi90LgrVxjo/aacCgYEAqCOeO/nDNt4KRbZethHqCKZPIHlcJJxFQhNN
-qaKqwAR16Q6C8vid+aCjB8eWWMUHtFRZF1s45FofgWqnIYLOMpccdF7Hg3xh6ZqO
-dpVp7eynYUciUlF8PdWlv9lOPX/t2jlgTx8G+NZMRJ0MtAPOnkY8YZYAKBHT/Obd
-C9VRumUCgYB5njH4P8PNeBA/H/vYF17a9F6ulDYHB5/BZnFcPfuxiov/aNepVyvt
-Z+QY6SmFdmak00YLh3qOGT5ek6iMODfKBe625VIr4p3akwzr/bu/LWHWNpfffaET
-bvJ4nzplqyYkMV9nLr+9N/iUjtRXQ0yHJp+cBRu2cS032TDyzplc7A==
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIEmzCCAoOgAwIBAgIQT9fuPod6b6yND5zUoXK38TANBgkqhkiG9w0BAQsFADB1
-MRgwFgYDVQQKDA9SaXNldXAgTmV0d29ya3MxGzAZBgNVBAsMEmh0dHBzOi8vcmlz
-ZXVwLm5ldDE8MDoGA1UEAwwzUmlzZXVwIE5ldHdvcmtzIFJvb3QgQ0EgKGNsaWVu
-dCBjZXJ0aWZpY2F0ZXMgb25seSEpMB4XDTIwMDgyMjAwMDAwMFoXDTIwMTEyMjAw
-MDAwMFowLTErMCkGA1UEAwwiVU5MSU1JVEVEODE5a3Rxa3ZhNGkyeDEzbW5wNnJ2
-MmswYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOFfVWUEodcUo5N
-LSFHNwepxLvLi4bf1g6fi1P0cz3YywzF3Iq6USswQLoaicFgdEgcPC6GjadQ5yFX
-rRGtUZrlpA/lVU7Q8Gj8LLd+k+uAR6ysz8oiv717OZs4ZuCmyyhZXMDmBsrDazkV
-azCbUrCukw/U6aDxHhC0ybfICdZhRmQY2Bx0TBr2Dr2cBYbbDAzUo+W+PCsMSCIo
-j365GBJTUVN+TUHGX0/BE70QjPkffBPtxGBWNNey4X83YGpOS1rbWAfwFa7jjG5k
-r+dFik+q4WRXhupZXpRHD2kW9Wk+iEd7qp4UC5/8V7FChDvqQLzlG+qfhsjsHEDD
-ABwy5DkCAwEAAaNvMG0wHQYDVR0OBBYEFCRYWXXaTEtq6EbvKXTDkTNTOf70MAsG
-A1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAJBgNVHRMEAjAAMB8GA1Ud
-IwQYMBaAFBf0G9XlKgEBTWuiXTYKKQmWZYBGMA0GCSqGSIb3DQEBCwUAA4ICAQCV
-sL/zmlK0f8conYDz2d5uZ0qIcJjtsb1DtE3vHULrei0cVgFuAX/y7XT4ddzj64r6
-PzkoHSZ5FhVbg/ZN0olpEed25kt6bp4m2QvfRNd/qctcYmnqsSZdC5vb7NByBWQE
-a7by2zvG281W0J+PRrXcnbPB2dTUMw7/mEJ9MIh5KfHWoPQl+KKYJorOgkoUACMS
-L1k+0xxKGOE7DDwALGa/Uh8KSEZ2tF3OrYTNfweaOmdjn6UBzii1Jn54aU4dhwea
-I5WFWDQ3TxOdtSrOWHuyVLNGE61iwMAhqLmPlBl3tqci/BHe5/bAKWx4FkS6GcZ6
-+i6mCqJG93rT+XLmePqFd9WQKd5Ff9kG104X3Fv5qnVRxR+eYRqZjDg6kySFyj3G
-ZM9SXYH0dMl3oxMjroIBlIKIW3A+VFjWpM2W49eib+wVL0YL5wMTCNpK7ZM84amz
-b1Q1A9jKgPMmbIL9HFWDjJigMBC6SYu3vfNUsXQzimrRvho6HBpQ63X3FcOOAlZ3
-5z/3OFWwwRvI/S7SENgRj7QB6mTc0z18BdwYKB7UZX8xhoZWYr9UaKeo/OGoSi1K
-LqEe6R30A8PYGYgnXxeOe0adZHiIIElE9ypZccy2qAcak1BYdoHjQqoY96Amqi37
-J24ftvwhm5GUwYFRecUP7Ll/NI6AjcgxxDxU5v2viA==
------END CERTIFICATE-----
-- 
2.47.2