OpenVPN: Difference between revisions

← Older edit

VisualWikitext

@@ Line 6: / Line 6: @@
    ...
    services.openvpn.servers = {
-     officeVPN  = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };
+     officeVPN  = { config = "config /root/nixos/openvpn/officeVPN.conf"; };
-     homeVPN    = { config = '' config /root/nixos/openvpn/homeVPN.conf ''; };
+     homeVPN    = { config = "config /root/nixos/openvpn/homeVPN.conf"; };
-     serverVPN  = { config = '' config /root/nixos/openvpn/serverVPN.conf ''; };
+     serverVPN  = { config = "config /root/nixos/openvpn/serverVPN.conf"; };
    };
    ...
@@ Line 30: / Line 30: @@
    services.openvpn.servers = {
      officeVPN  = {
-       config = '' config /root/nixos/openvpn/officeVPN.conf '';
+       config = "config /root/nixos/openvpn/officeVPN.conf";
        updateResolvConf = true;
      };
@@ Line 37: / Line 37: @@
 }
 </syntaxHighlight>
+=== Network-Manager integration (GNOME) ===
+If you want to allow the desktop user to manually set up and activate/deactivate VPN connections (on the GNOME desktop) you should install the OpenVPN plugin for NetworkManager, e.g.
+<syntaxHighlight lang="nix">
+{ pkgs, ... }:
+{
+  networking.networkmanager = {
+    enable = true;
+    plugins = with pkgs; [
+      networkmanager-openvpn
+    ];
+  };
+}
+</syntaxHighlight>
+NOTE: Some VPN providers (e.g. NordVPN) require you to generate and use '''service credentials''' (i.e. ''not'' your usual email+password!) for a manual setup like this. Your provider's user account should have an option to create them.
 === Mounting filesystems via a VPN ===
@@ Line 49: / Line 67: @@
      device = "//10.8.0.x/Share";
      fsType = "cifs";
-     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"
+     options = [
-       "x-systemd.requires=openvpn-officeVPN.service" ];
+      "noauto"
+      "user"
+      "uid=1000"
+      "gid=100"
+      "username=xxx"
+      "password=xxx"
+      "iocharset=utf8"
+       "x-systemd.requires=openvpn-officeVPN.service"
+    ];
    };
    fileSystems."/mnt/home" = {
      device = "//10.9.0.x/Share";
      fsType = "cifs";
-     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"
+     options = [
-       "x-systemd.requires=openvpn-homeVPN.service" ];
+      "noauto"
+      "user"
+      "uid=1000"
+      "gid=100"
+      "username=xxx"
+      "password=xxx"
+      "iocharset=utf8"
+       "x-systemd.requires=openvpn-homeVPN.service"
+    ];
    };
    ...
@@ Line 63: / Line 97: @@
 If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.
+=== Supporting legacy cipher providers ===
+If you need to connect to servers with legacy ciphers (e.g. '''BF-CBC'''), one way is to override OpenVPN to use '''openssl_legacy''' package (which is [https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/legacy.cnf configured to enable legacy providers]), for example via an overlay:
+<syntaxHighlight lang="nix">
+final: prev: {
+  openvpn = prev.openvpn.override {
+    openssl = prev.openssl_legacy;
+  };
+}
+</syntaxHighlight>
 == VPN Server ==
@@ Line 75: / Line 120: @@
    vpn-dev = "tun0";
    port = 1194;
-in {
+in
+{
    # sudo systemctl start nat
    networking.nat = {
      enable = true;
      externalInterface = <your-server-out-if>;
-     internalInterfaces  = [ vpn-dev ];
+     internalInterfaces = [ vpn-dev ];
    };
    networking.firewall.trustedInterfaces = [ vpn-dev ];
@@ Line 136: / Line 182: @@
 </syntaxHighlight>
-[[Category:Configuration]]
+[[Category:Networking]]
+[[Category:VPN]]