Vpn: Re-implement on openvpn.
This commit is contained in:
parent
98ec027a1d
commit
25f0252908
|
@ -1,27 +1,20 @@
|
|||
# easyrsa init-pki
|
||||
# easyrsa build-ca
|
||||
# easyrsa build-server-full <SERVER_NAME> nopass
|
||||
# easyrsa build-client-full <CLIENT_NAME> nopass
|
||||
# openssl dhparam -out dh2048.pem 2048
|
||||
# Don't forget to set tls hostname on the client to match SERVER_NAME *AND* disable ipv6 ?
|
||||
# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
|
||||
# SRC: https://github.com/TinCanTech/easy-tls
|
||||
{
|
||||
config,
|
||||
container,
|
||||
lib,
|
||||
pkgs,
|
||||
util,
|
||||
...
|
||||
}: let
|
||||
cfg = config.container.module.vpn;
|
||||
|
||||
wireguardPeers = let
|
||||
mkPeer = name: ip: PublicKey: {
|
||||
inherit PublicKey;
|
||||
PresharedKeyFile = "/var/lib/wireguard/preshared/${name}";
|
||||
AllowedIPs = [
|
||||
"${ip}/32"
|
||||
];
|
||||
};
|
||||
in [
|
||||
(mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=")
|
||||
(mkPeer "laptop" "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=")
|
||||
(mkPeer "phone" "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=")
|
||||
(mkPeer "tablet" "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=")
|
||||
(mkPeer "work" "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=")
|
||||
];
|
||||
in {
|
||||
options.container.module.vpn = {
|
||||
enable = lib.mkEnableOption "the vpn server.";
|
||||
|
@ -30,7 +23,7 @@ in {
|
|||
type = lib.types.str;
|
||||
};
|
||||
port = lib.mkOption {
|
||||
default = 51820;
|
||||
default = 22145;
|
||||
type = lib.types.int;
|
||||
};
|
||||
storage = lib.mkOption {
|
||||
|
@ -42,53 +35,72 @@ in {
|
|||
config = lib.mkIf cfg.enable {
|
||||
systemd.tmpfiles.rules = container.mkContainerDir cfg [
|
||||
"data"
|
||||
"data/preshared"
|
||||
];
|
||||
|
||||
# HACK: When using `networking.interfaces.*` it breaks. This works tho.
|
||||
systemd.services.vpn-route = {
|
||||
enable = true;
|
||||
description = "Hack vpn routes on host";
|
||||
after = [ "container@vpn.service" ];
|
||||
wants = [ "container@vpn.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip route add 10.1.1.0/24 via ${cfg.address} dev ve-vpn";
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
|
||||
containers.vpn = container.mkContainer cfg {
|
||||
bindMounts = {
|
||||
"/var/lib/wireguard" = {
|
||||
"/data" = {
|
||||
hostPath = "${cfg.storage}/data";
|
||||
isReadOnly = false;
|
||||
isReadOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = { ... }: container.mkContainerConfig cfg {
|
||||
networking.useNetworkd = true;
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.src_valid_mark" = 1;
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
wireguard-tools
|
||||
easyrsa
|
||||
openvpn
|
||||
];
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
netdevs = {
|
||||
"50-wg0" = {
|
||||
inherit wireguardPeers;
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
MTUBytes = "1300";
|
||||
Name = "wg0";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = cfg.port;
|
||||
PrivateKeyFile = "/var/lib/wireguard/privkey";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networks.wg0 = {
|
||||
matchConfig.Name = "wg0";
|
||||
address = [
|
||||
"10.1.1.0/24"
|
||||
];
|
||||
networkConfig = {
|
||||
IPMasquerade = "ipv4";
|
||||
IPv4Forwarding = "yes";
|
||||
users = {
|
||||
groups.openvpn = {};
|
||||
users.openvpn = {
|
||||
group = "openvpn";
|
||||
isSystemUser = true;
|
||||
uid = 1000;
|
||||
};
|
||||
};
|
||||
services.openvpn.servers.vpn = {
|
||||
autoStart = true;
|
||||
config = util.trimTabs ''
|
||||
ca /data/pki/ca.crt
|
||||
cert /data/pki/issued/home.crt
|
||||
client-to-client
|
||||
dev tun
|
||||
dh /data/dh2048.pem
|
||||
explicit-exit-notify 1
|
||||
group openvpn
|
||||
ifconfig-pool-persist ipp.txt
|
||||
keepalive 10 120
|
||||
key /data/pki/private/home.key
|
||||
persist-tun
|
||||
port ${toString cfg.port}
|
||||
proto udp
|
||||
push "dhcp-option DNS 10.0.0.1"
|
||||
push "dhcp-option DNS 10.0.0.1"
|
||||
push "route 10.0.0.0 255.0.0.0"
|
||||
push "route 192.168.1.0 255.255.255.0"
|
||||
server 10.1.1.0 255.255.255.0
|
||||
status openvpn-status.log
|
||||
topology subnet
|
||||
user openvpn
|
||||
verb 4
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
7
home/program/bash/module/Qr.nix
Normal file
7
home/program/bash/module/Qr.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{ ... }: {
|
||||
text = ''
|
||||
function qr() {
|
||||
qrencode -t ansiutf8
|
||||
}
|
||||
'';
|
||||
}
|
|
@ -28,6 +28,7 @@
|
|||
search.enable = true;
|
||||
status.enable = true;
|
||||
stock.enable = true;
|
||||
vpn.enable = true;
|
||||
watch.enable = true;
|
||||
yt.enable = true;
|
||||
};
|
||||
|
|
|
@ -1,3 +1,8 @@
|
|||
# 10.0.0.0/24 - wired clients.
|
||||
# 10.1.0.0/24 - containers.
|
||||
# 10.1.1.0/24 - vpn clients.
|
||||
# 192.168.1.0/24 - 5G wireless clients.
|
||||
# 192.168.2.0/24 - 2.4G wireless clients.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
|
@ -45,7 +50,8 @@ in {
|
|||
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
|
||||
|
||||
# Full access from VPN clients.
|
||||
iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
|
||||
# iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
|
||||
iptables -I INPUT -j ACCEPT -s 10.1.1.0/24 -d ${internal}
|
||||
iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}
|
||||
|
||||
# Full access from Lan.
|
||||
|
@ -69,8 +75,8 @@ in {
|
|||
+ (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport udp)
|
||||
+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp)
|
||||
|
||||
# Allow VPN connections from Wan.
|
||||
# + (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)
|
||||
# VPN connections.
|
||||
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)
|
||||
|
||||
# Nginx HTTP.
|
||||
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)
|
||||
|
@ -89,7 +95,7 @@ in {
|
|||
# Print serivce.
|
||||
+ (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp);
|
||||
|
||||
# External SSH access.
|
||||
# SSH access.
|
||||
# + (mkForward external 22143 config.container.host 22143 tcp)
|
||||
};
|
||||
|
||||
|
|
|
@ -43,10 +43,13 @@
|
|||
neovim # Text editor.
|
||||
nmap # Network scanning.
|
||||
openssh # Ssh client.
|
||||
openssl # Cryptography.
|
||||
openvpn # Vpn client.
|
||||
parallel # Run programs in parallel.
|
||||
parted # CLI disk partition tool.
|
||||
powertop # Monitor power usage.
|
||||
pv # IO progress bar.
|
||||
qrencode # Generate QR codes.
|
||||
radare2 # Hex editor.
|
||||
ripgrep # Better grep.
|
||||
rsync # File copy tool.
|
||||
|
|
Loading…
Reference in a new issue