VPN: Difference between revisions

From NixOS Wiki
imported>Sjau
No edit summary
imported>Pancho
m Fix capitalization and target of WireGuard link
 
(7 intermediate revisions by 5 users not shown)
Line 1: Line 1:
== PPTP ==
* [[OpenVPN|VPN setup instructions for OpenVPN]]
 
* [[WireGuard|VPN setup instructions for WireGuard]]
...
 
== L2TP ==
 
...
 
== IPSec ==
 
...
 
 
== OpenVPN ==
 
=== VPN Client ===
Auto-starting openvpn on Nixos can easily be done by enabling it in the configuration nix.
Just place the configs where you want them to have and set it up like below.
 
<syntaxHighlight lang="nix">
services.openvpn.servers = {
    officeVPN  = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };
    homeVPN    = { config = '' config /root/nixos/openvpn/homeVPN.conf ''; };
    serverVPN  = { config = '' config /root/nixos/openvpn/serverVPN.conf ''; };
};
</syntaxHighlight>
 
This will start three vpn instances; more can be added. Also make sure that you use absolute path for certs and keys if you don't have integreated in the config files.
 
In case you want to mount filesystems through the vpn, then on shutdown there will be a 90 second timeout. However, newer systemd you can set mount options that will require systemd to first umount the mount before closing the vpn connection.
 
Just enhance the options with the following option <code>"x-systemd.requires=openvpn-officeVPN.service"</code>.
 
This would then look like this:
 
<syntaxHighlight lang="nix">
fileSystems."/mnt/office" = {
    device = "//10.8.0.x/Share";
    fsType = "cifs";
    options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-officeVPN.service" ];
};
fileSystems."/mnt/home" = {
    device = "//10.9.0.x/Share";
    fsType = "cifs";
    options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-homeVPN.service" ];
};
</syntaxHighlight>
 
So basically the value for the <code>x-systemd.requires</code> option is <code>openvpn-{name}.service</code>
 
If you want to run OpenVPN clients in nixos declarative containers, be sure to set [https://nixos.org/nixos/options.html#enabletun ''enableTun''] option.
 
=== VPN Server ===
 
==== Simple one-client VPN Gateway server ====
One of the main use cases to run a VPN server is to provide a secure gateway to the internet for the connecting clients. This example builds a one-client VPN gateway in line with the [https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html OpenVPN Static Key Mini How-To]. The Pro is that only a single static key is required.
 
<syntaxHighlight lang="nix">
let
  # generate via openvpn --genkey --secret static.key
  client-key = "/root/openvpn-laptop.key";
  domain = "vpn.localhost.localdomain";
  vpn-dev = "tun0";
  port = 1194;
in {
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nat = {
    enable = true;
    externalInterface = <your-server-out-itf>;
    internalInterfaces  = [ vpn-dev ];
  };
  networking.firewall.trustedInterfaces = [ vpn-dev ];
  networking.firewall.allowedUDPPorts = [ port ];
  environment.systemPackages = [ pkgs.openvpn ]; # for key generation
  services.openvpn.servers.smartphone.config = ''
    dev ${vpn-dev}
    proto udp
    ifconfig 10.8.0.1 10.8.0.2
    secret ${client-key}
    port ${toString port}
    cipher AES-256-CBC
    comp-lzo
 
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
  '';
 
  environment.etc."openvpn/smartphone-client.ovpn" = {
    text = ''
      client
      dev tun
      remote "${domain}"
      ifconfig 10.8.0.1 10.8.0.2
      port ${toString port}
 
      cipher AES-256-CBC
      comp-lzo
      keepalive 10 60
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      secret [inline]
 
    '';
    mode = "700";
  };
  system.activationScripts.openvpn-addkey = ''
    f="/etc/openvpn/smartphone-client.ovpn"
    if ! grep -q '<secret>' $f; then
      echo "appending secret key"
      echo "<secret>" >> $f
      cat ${client-key} >> $f
      echo "</secret>" >> $f
    fi
  '';
}
</syntaxHighlight>
 
== Tinc ==
 
...
 
== SoftEther ==
 
...
 
 
== Wireguard ==
 
=== Generate Private / Public Key ===
 
Each peer needs to have at least one private and one public key. The keys can be generated on any machine that already has wireguard installed using the wg utility. If wireguard isn't installed yet, it can be added as <code>wireguard</code> in the <code>environment.systemPackages</code> or installed using <code>nix-env -iA wireguard</code>.
 
The creation of the private/public key is rather simple. In the example below a folder wireguard-keys will be generated and the keys put in there.
 
<syntaxHighlight lang="nix">
mkdir ~/wireguard-keys
umask 077 ~/wireguard-keys
wg genkey > ~/wireguard-keys/private
wg pubkey < ~/wireguard-keys/private > ~/wireguard-keys/public
</syntaxHighlight>
 
For different connections/roles you can of course generate more private/public keys and name them as you want.
 
=== Server Instance ===
 
<syntaxHighlight lang="nix">
  # Enable Wireguard
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      privateKey = "{server private key}";
      peers = [ {
        publicKey = "{client public key}";
        allowedIPs = [ "10.100.0.2/32" ];
      } ];
    };
  };
</syntaxHighlight>
 
* wg0: This is the network interface name. You can also use something meaningful like wg_XXX
* ips: This defines the server ip and subnet. In this case the server ip will be 10.100.0.1.
* listenPort: The port the server listens to; don't forget to portforward and allow it through the firewall
* privateKey: this is the private key of the server. Instead of <code>privateKey</code> also <code>privateKeyFile</code> could be used to point to the key file.
* peers: That's the list of peers. Wireguard must have each peer that can establish a connection to be listed.
* peers.publicKey: The public key of the peer/client.
* allowedIPs: The list of IPs that can be assigned to the client
 
=== Client Instance ===
 
<syntaxHighlight lang="nix">
  # Enable Wireguard
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.2/24" ];
      privateKey = "{client private key";
      peers = [ {
        publicKey = "{server public key}";
        allowedIPs = [ "10.200.0.0/24" ];
        endpoint = "{server ip}:51820";
        persistentKeepalive = 25;
      } ];
    };
  };
</syntaxHighlight>
 
* wg0: This is the network interface name. You can also use something meaningful like wg_home
* ips: This defines the client ip
* privateKey: this is the private key of the client/peer. Instead of <code>privateKey</code> also <code>privateKeyFile</code> * listenPort: The port the server listens to; don't forget to portforward and allow it through the firewall could be used to point to the key file.
* peers: That's the list of peers. Wireguard must have each peer that can establish a connection to be listed. A peer can be a server or another client. In the above exmample it's just a server entry.
* peers.publicKey: The public key of the peer/server.
* allowedIPs: The list of ips that will be routed through the vpn
* endpoint: The server's ip address and port used for connection. '''Notice: Domain names can also be used''', but during bootup when wireguard is initialized, [https://github.com/NixOS/nixpkgs/issues/30459 "DNS may not be available yet"]
* persistentKeepalive: This is not necessary but it helps to keep the connection alive through NAT.
 
=== More info ===
 
* More information on the  [https://www.wireguard.com/ "Wireguard  homepage"]
* Current [https://nixos.org/nixos/options.html#wireguard "supported options"] in NixOS
* To user more than one wireguard connection, just add more wgX blocks to your configuration.nix
* In order for different wg clients to talk to one another, you can enable ip forwarding on the server. All communications will then go through the wg server
* To enable direct peer-to-peer communications, add according peers you want to talk directly to as new peers, add each such peer's <code>publicKey</code> and <code>allowedIPs</code> to the peers section of the vpn.
 
== ZeroTier ==
 
...


[[Category:NixOS]]
[[Category:NixOS]]

Latest revision as of 05:09, 8 June 2021