From 25f0252908465fd8b40c9c3d29e6f056586d87cd Mon Sep 17 00:00:00 2001 From: Dmitry Voronin Date: Sun, 24 Nov 2024 03:03:01 +0300 Subject: [PATCH] Vpn: Re-implement on openvpn. --- container/Vpn.nix | 108 +++++++++++++++------------ home/program/bash/module/Qr.nix | 7 ++ host/x86_64-linux/home/Container.nix | 1 + host/x86_64-linux/home/Network.nix | 14 +++- package/default.nix | 3 + 5 files changed, 81 insertions(+), 52 deletions(-) create mode 100644 home/program/bash/module/Qr.nix diff --git a/container/Vpn.nix b/container/Vpn.nix index 327cc9b7..73a15e0e 100644 --- a/container/Vpn.nix +++ b/container/Vpn.nix @@ -1,27 +1,20 @@ +# easyrsa init-pki +# easyrsa build-ca +# easyrsa build-server-full nopass +# easyrsa build-client-full nopass +# openssl dhparam -out dh2048.pem 2048 +# Don't forget to set tls hostname on the client to match SERVER_NAME *AND* disable ipv6 ? +# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf +# SRC: https://github.com/TinCanTech/easy-tls { config, container, lib, pkgs, + util, ... }: let cfg = config.container.module.vpn; - - wireguardPeers = let - mkPeer = name: ip: PublicKey: { - inherit PublicKey; - PresharedKeyFile = "/var/lib/wireguard/preshared/${name}"; - AllowedIPs = [ - "${ip}/32" - ]; - }; - in [ - (mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=") - (mkPeer "laptop" "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=") - (mkPeer "phone" "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=") - (mkPeer "tablet" "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=") - (mkPeer "work" "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=") - ]; in { options.container.module.vpn = { enable = lib.mkEnableOption "the vpn server."; @@ -30,7 +23,7 @@ in { type = lib.types.str; }; port = lib.mkOption { - default = 51820; + default = 22145; type = lib.types.int; }; storage = lib.mkOption { 
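Review bot: The key-generation recipe in the new header comment stops at the DH parameters and generates no `tls-crypt`/`tls-auth` key, and the server config added later in this commit does not use one either, so the UDP listener will complete TLS handshakes with any source that reaches it; consider adding `# openvpn --genkey secret ta.key` (`--genkey --secret` on older releases) to the recipe and `tls-crypt /data/ta.key` to the server config, which is also what the linked easy-tls project wraps. The `build-server-full` / `build-client-full` lines omit the name argument, while the config later in this file reads `/data/pki/issued/home.crt`, so recording `home` there would save the next reader a guess. The closing line `*AND* disable ipv6 ?` reads as an open question rather than an instruction; either name the client-side setting meant (presumably `verify-x509-name` for the hostname part, to confirm) or mark it `TODO`.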
@@ -42,54 +35,73 @@ in { config = lib.mkIf cfg.enable { systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" - "data/preshared" ]; + # HACK: When using `networking.interfaces.*` it breaks. This works tho. + systemd.services.vpn-route = { + enable = true; + description = "Hack vpn routes on host"; + after = [ "container@vpn.service" ]; + wants = [ "container@vpn.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.iproute2}/bin/ip route add 10.1.1.0/24 via ${cfg.address} dev ve-vpn"; + Type = "oneshot"; + }; + }; + containers.vpn = container.mkContainer cfg { bindMounts = { - "/var/lib/wireguard" = { + "/data" = { hostPath = "${cfg.storage}/data"; - isReadOnly = false; + isReadOnly = true; }; }; config = { ... }: container.mkContainerConfig cfg { - networking.useNetworkd = true; boot.kernel.sysctl = { "net.ipv4.conf.all.src_valid_mark" = 1; "net.ipv4.ip_forward" = 1; }; environment.systemPackages = with pkgs; [ - wireguard-tools + easyrsa + openvpn ]; - systemd.network = { - enable = true; - netdevs = { - "50-wg0" = { - inherit wireguardPeers; - netdevConfig = { - Kind = "wireguard"; - MTUBytes = "1300"; - Name = "wg0"; - }; - wireguardConfig = { - ListenPort = cfg.port; - PrivateKeyFile = "/var/lib/wireguard/privkey"; - }; - }; - }; - - networks.wg0 = { - matchConfig.Name = "wg0"; - address = [ - "10.1.1.0/24" - ]; - networkConfig = { - IPMasquerade = "ipv4"; - IPv4Forwarding = "yes"; - }; + users = { + groups.openvpn = {}; + users.openvpn = { + group = "openvpn"; + isSystemUser = true; + uid = 1000; }; }; + services.openvpn.servers.vpn = { + autoStart = true; + config = util.trimTabs '' + ca /data/pki/ca.crt + cert /data/pki/issued/home.crt + client-to-client + dev tun + dh /data/dh2048.pem + explicit-exit-notify 1 + group openvpn + ifconfig-pool-persist ipp.txt + keepalive 10 120 + key /data/pki/private/home.key + persist-tun + port ${toString cfg.port} + proto udp + push "dhcp-option DNS 10.0.0.1" + push 
"dhcp-option DNS 10.0.0.1" + push "route 10.0.0.0 255.0.0.0" + push "route 192.168.1.0 255.255.255.0" + server 10.1.1.0 255.255.255.0 + status openvpn-status.log + topology subnet + user openvpn + verb 4 + ''; + }; }; }; }; diff --git a/home/program/bash/module/Qr.nix b/home/program/bash/module/Qr.nix new file mode 100644 index 00000000..345c35cd --- /dev/null +++ b/home/program/bash/module/Qr.nix @@ -0,0 +1,7 @@ +{ ... }: { + text = '' + function qr() { + qrencode -t ansiutf8 + } + ''; +} diff --git a/host/x86_64-linux/home/Container.nix b/host/x86_64-linux/home/Container.nix index 59baf08a..f97e2b08 100644 --- a/host/x86_64-linux/home/Container.nix +++ b/host/x86_64-linux/home/Container.nix @@ -28,6 +28,7 @@ search.enable = true; status.enable = true; stock.enable = true; + vpn.enable = true; watch.enable = true; yt.enable = true; }; diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix index 668feaad..491d2e70 100644 --- a/host/x86_64-linux/home/Network.nix +++ b/host/x86_64-linux/home/Network.nix @@ -1,3 +1,8 @@ +# 10.0.0.0/24 - wired clients. +# 10.1.0.0/24 - containers. +# 10.1.1.0/24 - vpn clients. +# 192.168.1.0/24 - 5G wireless clients. +# 192.168.2.0/24 - 2.4G wireless clients. { config, lib, @@ -45,7 +50,8 @@ in { iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE # Full access from VPN clients. - iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal} + # iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal} + iptables -I INPUT -j ACCEPT -s 10.1.1.0/24 -d ${internal} iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal} # Full access from Lan. 
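Review bot: The server config drops privileges with `user openvpn` / `group openvpn` and sets `persist-tun` but not `persist-key`, so across a SIGUSR1 restart the unprivileged process must re-read `/data/pki/private/home.key` and fails unless that file is readable by uid 1000; add `persist-key` next to `persist-tun`. `ifconfig-pool-persist ipp.txt` and `status openvpn-status.log` are relative paths resolved against the service's working directory, which this hunk does not set, while the only mount it adds is the read-only `/data`; presumably they should point at a writable directory (e.g. under `/var/lib`), to confirm against the NixOS openvpn unit. In `vpn-route`, `ip route add` fails with EEXIST when the route already exists (the container unit restarting without a host reboot is enough), so `ExecStart = "${pkgs.iproute2}/bin/ip route replace 10.1.1.0/24 via ${cfg.address} dev ve-vpn";` is the idempotent form. Pinning `uid = 1000` on an `isSystemUser` account puts it in the normal-user range, which in a non-user-namespaced container is the same uid as the host's first regular user; if the pin is not needed for file ownership on the bind mount, dropping it lets NixOS allocate a system uid. The `push "dhcp-option DNS 10.0.0.1"` line appears twice in the hunk as printed; if that is in the file and not a rendering artifact, drop the duplicate.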
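Review bot: The new `qr` function passes nothing to `qrencode`, so it only works with piped input and silently ignores any argument given to `qr`; `qrencode -t ansiutf8 "$@"` keeps the stdin behaviour when called bare and also accepts `qr 'text'`. A one-line comment above the function, `# Render stdin (or the given text) as a QR code in the terminal.`, would document the usage for the other bash modules.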
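Review bot: The accept rule now hardcodes `10.1.1.0/24`, which is the third place this commit spells out the VPN client subnet (also `server 10.1.1.0 255.255.255.0` in container/Vpn.nix and the `ip route add` in `vpn-route`), and the superseded `${cfg.vpn.address}` rule is left behind as a commented-out line in the generated script. A `subnet` option on the vpn module, used here as `-s ${cfg.vpn.subnet} -d ${internal}`, would keep the three in step, and the commented-out line should be deleted rather than kept. Since this rule grants the whole client subnet full access to the internal address and the server config also enables `client-to-client`, the `# Full access from VPN clients.` comment could state that VPN clients are treated as fully trusted, so the trust decision is visible where the rule is.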
@@ -69,8 +75,8 @@ in { + (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport udp) + (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp) - # Allow VPN connections from Wan. - # + (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp) + # VPN connections. + + (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp) # Nginx HTTP. + (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp) @@ -89,7 +95,7 @@ in { # Print serivce. + (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp); - # External SSH access. + # SSH access. # + (mkForward external 22143 config.container.host 22143 tcp) }; diff --git a/package/default.nix b/package/default.nix index e8e1a028..764fae73 100644 --- a/package/default.nix +++ b/package/default.nix @@ -43,10 +43,13 @@ neovim # Text editor. nmap # Network scanning. openssh # Ssh client. + openssl # Cryptography. + openvpn # Vpn client. parallel # Run programs in parallel. parted # CLI disk partition tool. powertop # Monitor power usage. pv # IO progress bar. + qrencode # Generate QR codes. radare2 # Hex editor. ripgrep # Better grep. rsync # File copy tool.
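Review bot: The rewritten comment `# VPN connections.` drops the one fact the old comment carried, that this forward is from the WAN side, which the line itself only shows through the `external` argument; keeping it as `# VPN connections from Wan (udp ${cfg.vpn.port} -> container).` keeps the exposed-port inventory in this file readable. Unlike the commented-out SSH forward further down, this one is now live, so the comment is the only place a reader sees at a glance which forwards are actually exposed.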