nix/host/x86_64-linux/home/Ovpn.nix


# One-time PKI bootstrap (the paths in the config below expect the result under /var/lib/ovpn):
# easyrsa --days=36500 init-pki
# easyrsa --days=36500 build-ca
# easyrsa --days=36500 build-server-full <SERVER_NAME> nopass
# easyrsa --days=36500 build-client-full <CLIENT_NAME> nopass
# easyrsa gen-crl
# openssl dhparam -out dh2048.pem 2048
# CAVEATS: --days=36500 issues ~100-year certificates and `nopass` stores every private key
# unencrypted on disk, so the CRL (revocation steps below) is the only way to retire a key.
# --days does NOT apply to gen-crl: easyrsa's CRL has its own, much shorter, default validity
# (about 180 days unless EASYRSA_CRL_DAYS is raised); once it lapses, crl-verify rejects *every*
# client, so re-run gen-crl before then.
# CLIENT SIDE: pin the server identity with `remote-cert-tls server` and
# `verify-x509-name <SERVER_NAME> name`, otherwise any cert signed by this CA (including a leaked
# client cert) would be accepted as the server. The original note also says to disable IPv6 on the
# client; this server pushes no IPv6 configuration and only routes 10/8 through the tunnel, so the
# reason is not visible here — confirm and document it if it still applies.
# Revoking a client:
# easyrsa revoke <CLIENT_NAME>
# easyrsa gen-crl
# then make sure the regenerated CRL is what /var/lib/ovpn/pki/crl.pem points at and restart the
# service (or signal the daemon with SIGHUP/SIGUSR1) so the new CRL is re-read.
# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
# SRC: https://github.com/TinCanTech/easy-tls
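{
  pkgs,
  util,
  ...
}: {
  # Server-side tooling only. Clients need the CA cert, their own cert/key pair
  # and the `remote-cert-tls server` / `verify-x509-name` settings noted in the header.
  environment.systemPackages = with pkgs; [
    easyrsa
    openvpn
  ];

  # Unprivileged identity the daemon drops to once the tun device is open and the
  # port is bound (see `user`/`group` in the config below).
  users = {
    groups.openvpn = {};
    users.openvpn = {
      group = "openvpn";
      isSystemUser = true;
      # uid = 1000;
    };
  };

  # NOTE: the `server` subnet below must agree with whatever client/route list the
  # rest of this host's configuration derives from (a `cfg.clients` is referenced by
  # the original note but is not defined in this file — confirm where it lives).
  services.openvpn.servers.vpn = {
    autoStart = true;
    config = util.trimTabs ''
      # --- PKI (paths match the easyrsa recipe in the file header) ---
      ca /var/lib/ovpn/pki/ca.crt
      cert /var/lib/ovpn/pki/issued/home.crt
      key /var/lib/ovpn/pki/private/home.key
      dh /var/lib/ovpn/dh2048.pem
      # Reject revoked client certs. An *expired* CRL rejects every client (see header).
      crl-verify /var/lib/ovpn/pki/crl.pem
      # Only certificates issued with easyrsa's client type (clientAuth EKU, which
      # `build-client-full` sets) may authenticate; this stops a leaked server cert
      # signed by the same CA from being replayed as a client identity.
      remote-cert-tls client
      # Not configured here: a `tls-crypt <keyfile>` (see the easy-tls link in the
      # header) would encrypt the control channel and drop unauthenticated UDP before
      # TLS runs. Add it once a shared key is provisioned to the clients.

      # --- transport ---
      dev tun
      port 22145
      proto udp
      explicit-exit-notify 1
      keepalive 10 120

      # --- privilege drop ---
      # The daemon runs as openvpn:openvpn after startup. `persist-key` belongs with
      # `persist-tun`: without it a SIGUSR1 / ping-restart tries to re-read the key
      # file as the unprivileged user, which fails if the key is root-only (the
      # usual layout for /var/lib/ovpn/pki/private) and leaves the server down.
      user openvpn
      group openvpn
      persist-key
      persist-tun

      # --- addressing / routing ---
      topology subnet
      server 10.0.1.0 255.255.255.0
      # Relative path: resolved against the daemon's working directory as set by the
      # NixOS openvpn unit — confirm where it lands before relying on stable client IPs.
      ifconfig-pool-persist ipp.txt
      client-to-client
      # Split tunnel: only 10/8 and DNS are pushed; no redirect-gateway, no IPv6.
      push "dhcp-option DNS 10.0.0.1"
      push "route 10.0.0.0 255.0.0.0"

      # --- logging ---
      # Relative path, same caveat as ipp.txt above.
      status openvpn-status.log
      verb 4
    '';
  };
}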