voronind/nix
0
0
Fork 0
Code Issues 40 Pull requests Packages Projects Releases Wiki Activity

Vpn: Re-implement on openvpn.

Browse source
This commit is contained in:
Dmitry Voronin 2024-11-24 03:03:01 +03:00
parent 98ec027a1d
commit 25f0252908
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
5 changed files with 81 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

106
container/Vpn.nix
View file

@ -1,27 +1,20 @@
# easyrsa init-pki
# easyrsa build-ca
# easyrsa build-server-full <SERVER_NAME> nopass
# easyrsa build-client-full <CLIENT_NAME> nopass
# openssl dhparam -out dh2048.pem 2048
# Don't forget to set tls hostname on the client to match SERVER_NAME *AND* disable ipv6 ?
# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
# SRC: https://github.com/TinCanTech/easy-tls
{
config,
container,
lib,
pkgs,
util,
...
}: let
cfg = config.container.module.vpn;
wireguardPeers = let
mkPeer = name: ip: PublicKey: {
inherit PublicKey;
PresharedKeyFile = "/var/lib/wireguard/preshared/${name}";
AllowedIPs = [
"${ip}/32"
];
};
in [
(mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=")
(mkPeer "laptop" "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=")
(mkPeer "phone" "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=")
(mkPeer "tablet" "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=")
(mkPeer "work" "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=")
];
in {
options.container.module.vpn = {
enable = lib.mkEnableOption "the vpn server.";
@ -30,7 +23,7 @@ in {
type = lib.types.str;
};
port = lib.mkOption {
default = 51820;
default = 22145;
type = lib.types.int;
};
storage = lib.mkOption {
@ -42,53 +35,72 @@ in {
config = lib.mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"data"
"data/preshared"
];
# HACK: When using `networking.interfaces.*` it breaks. This works tho.
systemd.services.vpn-route = {
enable = true;
description = "Hack vpn routes on host";
after = [ "container@vpn.service" ];
wants = [ "container@vpn.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.iproute2}/bin/ip route add 10.1.1.0/24 via ${cfg.address} dev ve-vpn";
Type = "oneshot";
};
};
containers.vpn = container.mkContainer cfg {
bindMounts = {
"/var/lib/wireguard" = {
"/data" = {
hostPath = "${cfg.storage}/data";
isReadOnly = false;
isReadOnly = true;
};
};
config = { ... }: container.mkContainerConfig cfg {
networking.useNetworkd = true;
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
"net.ipv4.ip_forward" = 1;
};
environment.systemPackages = with pkgs; [
wireguard-tools
easyrsa
openvpn
];
systemd.network = {
enable = true;
netdevs = {
"50-wg0" = {
inherit wireguardPeers;
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1300";
Name = "wg0";
};
wireguardConfig = {
ListenPort = cfg.port;
PrivateKeyFile = "/var/lib/wireguard/privkey";
};
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = [
"10.1.1.0/24"
];
networkConfig = {
IPMasquerade = "ipv4";
IPv4Forwarding = "yes";
users = {
groups.openvpn = {};
users.openvpn = {
group = "openvpn";
isSystemUser = true;
uid = 1000;
};
};
services.openvpn.servers.vpn = {
autoStart = true;
config = util.trimTabs ''
ca /data/pki/ca.crt
cert /data/pki/issued/home.crt
client-to-client
dev tun
dh /data/dh2048.pem
explicit-exit-notify 1
group openvpn
ifconfig-pool-persist ipp.txt
keepalive 10 120
key /data/pki/private/home.key
persist-tun
port ${toString cfg.port}
proto udp
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DNS 10.0.0.1"
push "route 10.0.0.0 255.0.0.0"
push "route 192.168.1.0 255.255.255.0"
server 10.1.1.0 255.255.255.0
status openvpn-status.log
topology subnet
user openvpn
verb 4
'';
};
};
};

7
home/program/bash/module/Qr.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }: {
text = ''
function qr() {
qrencode -t ansiutf8
}
'';
}

1
host/x86_64-linux/home/Container.nix
View file

@ -28,6 +28,7 @@
search.enable = true;
status.enable = true;
stock.enable = true;
vpn.enable = true;
watch.enable = true;
yt.enable = true;
};

14
host/x86_64-linux/home/Network.nix
View file

@ -1,3 +1,8 @@
# 10.0.0.0/24 - wired clients.
# 10.1.0.0/24 - containers.
# 10.1.1.0/24 - vpn clients.
# 192.168.1.0/24 - 5G wireless clients.
# 192.168.2.0/24 - 2.4G wireless clients.
{
config,
lib,
@ -45,7 +50,8 @@ in {
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
# Full access from VPN clients.
iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
# iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
iptables -I INPUT -j ACCEPT -s 10.1.1.0/24 -d ${internal}
iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}
# Full access from Lan.
@ -69,8 +75,8 @@ in {
+ (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport udp)
+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp)
# Allow VPN connections from Wan.
# + (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)
# VPN connections.
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)
# Nginx HTTP.
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)
@ -89,7 +95,7 @@ in {
# Print serivce.
+ (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp);
# External SSH access.
# SSH access.
# + (mkForward external 22143 config.container.host 22143 tcp)
};

3
package/default.nix
View file

@ -43,10 +43,13 @@
neovim # Text editor.
nmap # Network scanning.
openssh # Ssh client.
openssl # Cryptography.
openvpn # Vpn client.
parallel # Run programs in parallel.
parted # CLI disk partition tool.
powertop # Monitor power usage.
pv # IO progress bar.
qrencode # Generate QR codes.
radare2 # Hex editor.
ripgrep # Better grep.
rsync # File copy tool.