OpenVPN: Difference between revisions
Older revision: imported>Samueldr (m: fixes heading levels); newer revision: Format using nixfmt
(6 intermediate revisions by 5 users not shown)
<syntaxHighlight lang="nix">
...
services.openvpn.servers = {
  officeVPN = { config = "config /root/nixos/openvpn/officeVPN.conf"; };
  homeVPN = { config = "config /root/nixos/openvpn/homeVPN.conf"; };
  serverVPN = { config = "config /root/nixos/openvpn/serverVPN.conf"; };
};
...
</syntaxHighlight>
Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files: OpenVPN resolves relative paths against its working directory, not against the location of the file that references them. Keep private keys outside the Nix store, as the /root paths above do; anything pulled into the configuration through a Nix path or string interpolation ends up in the world-readable store.
Use <em>systemctl</em> to start/stop a VPN service. Each generated service has the prefix `openvpn-`, so the service log is available with `journalctl -u openvpn-officeVPN.service`:
<syntaxHighlight lang="bash">
systemctl start openvpn-officeVPN.service
</syntaxHighlight>
Should you have trouble with DNS resolution for services that should be available via the VPN, try adding the following to the config: | |||
<syntaxHighlight lang="nix"> | |||
{ | |||
... | |||
services.openvpn.servers = { | |||
officeVPN = { | |||
config = "config /root/nixos/openvpn/officeVPN.conf"; | |||
updateResolvConf = true; | |||
}; | |||
}; | |||
... | |||
} | |||
</syntaxHighlight> | |||
=== Network-Manager integration (GNOME) === | |||
If you want to allow the desktop user to manually set up and activate/deactivate VPN connections (on the GNOME desktop) you should install the OpenVPN plugin for NetworkManager, e.g. | |||
<syntaxHighlight lang="nix"> | |||
{ pkgs, ... }: | |||
{ | |||
networking.networkmanager = { | |||
enable = true; | |||
plugins = with pkgs; [ | |||
networkmanager-openvpn | |||
]; | |||
}; | |||
} | |||
</syntaxHighlight> | |||
NOTE: Some VPN providers (e.g. NordVPN) require you to generate and use '''service credentials''' (i.e. ''not'' your usual email+password!) for a manual setup like this. Your provider's user account should have an option to create them. | |||
=== Mounting filesystems via a VPN ===
<syntaxHighlight lang="nix">
...
    device = "//10.8.0.x/Share";
    fsType = "cifs";
    options = [
      "noauto"
      "user"
      "uid=1000"
      "gid=100"
      "username=xxx"
      "password=xxx"
      "iocharset=utf8"
      "x-systemd.requires=openvpn-officeVPN.service"
    ];
  };
  fileSystems."/mnt/home" = {
    device = "//10.9.0.x/Share";
    fsType = "cifs";
    options = [
      "noauto"
      "user"
      "uid=1000"
      "gid=100"
      "username=xxx"
      "password=xxx"
      "iocharset=utf8"
      "x-systemd.requires=openvpn-homeVPN.service"
    ];
  };
...
</syntaxHighlight>
`x-systemd.requires=` makes systemd start the VPN unit before attempting the mount and stop the mount when that unit stops. Note that everything in <em>fileSystems.*.options</em> is written to /etc/fstab, which is world-readable and generated into the Nix store, so `password=xxx` is visible to every local user and to anyone who can read your store or binary cache. mount.cifs accepts `credentials=/path/to/file` instead, pointing at a mode 0600 file (containing `username=` and `password=` lines) kept outside the Nix store and owned by whoever performs the mount; with the `user` option that is the desktop user.
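The following is an added example, not code from the wiki page: the same VPN-dependent CIFS mount with the share password moved out of the NixOS configuration into a credentials file that never enters the Nix store. The mount point /mnt/office, the credentials path /etc/nixos/secrets/office-cifs and the uid/gid of the mounting user are assumptions; the share address is the page's own placeholder.

```nix
{ ... }:
{
  # Added example (not from the wiki page). Mount point, credentials path
  # and the mounting user's uid/gid (1000/100) are assumptions.
  #
  # The credentials file is created out of band and is deliberately NOT
  # managed by this configuration, so it never lands in the Nix store or
  # in /etc/fstab. It must be readable by whoever runs the mount; with the
  # "user" option below that is uid 1000, so create it as, for example:
  #
  #   install -m 0600 -o 1000 -g 100 /dev/null /etc/nixos/secrets/office-cifs
  #   printf 'username=%s\npassword=%s\n' 'xxx' 'xxx' > /etc/nixos/secrets/office-cifs
  #
  fileSystems."/mnt/office" = {
    device = "//10.8.0.x/Share";
    fsType = "cifs";
    options = [
      "noauto"
      "user"
      "uid=1000"
      "gid=100"
      # Replaces "username=xxx" "password=xxx", which would be visible to
      # every local user through /etc/fstab and to anyone with read access
      # to the Nix store.
      "credentials=/etc/nixos/secrets/office-cifs"
      "iocharset=utf8"
      # Requires= plus After= on the VPN unit: the mount is attempted only
      # once the tunnel is up and is torn down when the tunnel stops.
      "x-systemd.requires=openvpn-officeVPN.service"
    ];
  };
}
```

After `nixos-rebuild switch`, `grep office /etc/fstab` should show the `credentials=` path and no `password=` entry.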
If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.
=== Supporting legacy cipher providers ===
If you need to connect to servers with legacy ciphers (e.g. '''BF-CBC'''), one way is to override OpenVPN to use the '''openssl_legacy''' package (which is [https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/legacy.cnf configured to enable legacy providers]), for example via an overlay:
<syntaxHighlight lang="nix">
final: prev: {
  openvpn = prev.openvpn.override {
    openssl = prev.openssl_legacy;
  };
}
</syntaxHighlight>
Two caveats: the override changes the derivation, so OpenVPN is rebuilt locally instead of being fetched from the binary cache; and BF-CBC is a 64-bit block cipher (the SWEET32 attack applies), which OpenVPN 2.5 and later only negotiate when the client explicitly opts in with `data-ciphers-fallback BF-CBC` in its configuration. Treat this as a stopgap while the server is migrated to an AEAD cipher such as AES-256-GCM.
== VPN Server ==
<syntaxHighlight lang="nix">
...
  vpn-dev = "tun0";
  port = 1194;
in
{
  # sudo systemctl start nat
  networking.nat = {
    enable = true;
    # Replace with the Internet-facing interface as a string, e.g. "eth0".
    # Unquoted <...> is Nix's NIX_PATH lookup syntax and will not evaluate.
    externalInterface = <your-server-out-if>;
    internalInterfaces = [ vpn-dev ];
  };
  # Traffic arriving on tun0 bypasses the host firewall entirely. If VPN
  # clients should only reach specific services, use
  # networking.firewall.interfaces.${vpn-dev}.allowedTCPPorts instead.
  networking.firewall.trustedInterfaces = [ vpn-dev ];
...
</syntaxHighlight>
[[Category:Networking]]
[[Category:VPN]]