OpenVPN: Difference between revisions

(10 intermediate revisions by 7 users not shown)

Line 1:

== VPN Client==

=== VPN Client ===

OpenVPN can be configured for automatic startup by enabling it in <tt>/etc/nixos/configuration.nix</tt>:

~~Auto-starting openvpn on Nixos~~ can ~~easily~~ be ~~done~~ by enabling it in ~~the~~ configuration nix.

~~Just place the configs where you want them to have and set it up like below.~~

services.openvpn.servers = {

{

...

services.openvpn.servers = {

officeVPN = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };

homeVPN = { config = '' config /root/nixos/openvpn/homeVPN.conf ''; };

serverVPN = { config = '' config /root/nixos/openvpn/serverVPN.conf ''; };

};

...

}

</syntaxHighlight>

You will need to create the referenced configuration files. The above example will start three VPN instances; more can be added.

Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files.

Use <em>systemctl</em> to start/stop VPN service. Each generated service will have a prefix `openvpn-`:

systemctl start openvpn-officeVPN.service

</syntaxHighlight>

Should you have trouble with DNS resolution for services that should be available via the VPN, try adding the following to the config:

{

...

services.openvpn.servers = {

officeVPN = {

config = '' config /root/nixos/openvpn/officeVPN.conf '';

updateResolvConf = true;

};

...

}

</syntaxHighlight>

~~This will start three vpn instances; more can be added. Also make sure that~~ you ~~use absolute path for certs~~ and ~~keys if~~ you ~~don't have integreated in~~ the ~~config files~~.

=== Network-Manager integration (GNOME) ===

If you want to allow the desktop user to manually set up and activate/deactivate VPN connections (on the GNOME desktop) you should install the OpenVPN plugin for NetworkManager, e.g.

{ pkgs, ... }:

{

networking.networkmanager = {

enable = true;

plugins = with pkgs; [

networkmanager-openvpn

];

};

}

</syntaxHighlight>

~~In case~~ you ~~want~~ to ~~mount filesystems through the vpn, then on shutdown there will be~~ a ~~90 second timeout~~. ~~However, newer systemd you can set mount options that will require systemd~~ to ~~first umount the mount before closing the vpn connection~~.

NOTE: Some VPN providers (e.g. NordVPN) require you to generate and use '''service credentials''' (i.e. ''not'' your usual email+password!) for a manual setup like this. Your provider's user account should have an option to create them.

~~Just enhance the options with the following option <code>"x-systemd.requires~~=~~openvpn-officeVPN.service"</code>.~~

=== Mounting filesystems via a VPN ===

~~This would then look like this:~~

If you mount filesystems through the VPN, the filesystem will not be unmounted properly because the VPN connection will be shut down prior to unmounting the filesystem. However, newer systemd versions allow you to set mount options to unmount the mount before closing the VPN connection via the mount option <tt>x-systemd.requires=openvpn-<em>vpnname</em>.service</tt>.

Example mount configurations:

fileSystems."/mnt/office" = {

{

...

fileSystems."/mnt/office" = {

device = "//10.8.0.x/Share";

fsType = "cifs";

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-officeVPN.service" ];

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"

};

"x-systemd.requires=openvpn-officeVPN.service" ];

fileSystems."/mnt/home" = {

};

fileSystems."/mnt/home" = {

device = "//10.9.0.x/Share";

fsType = "cifs";

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-homeVPN.service" ];

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"

};

"x-systemd.requires=openvpn-homeVPN.service" ];

};

...

}

</syntaxHighlight>

~~So basically~~ the ~~value for the <code>x-systemd.requires</code>~~ option ~~is <code>openvpn-{name~~}.~~service</code>~~

If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.

If you ~~want~~ to ~~run~~ OpenVPN ~~clients in nixos declarative containers, be sure~~ to ~~set~~ [https://~~nixos~~.~~org~~/nixos/~~options~~.~~html#enabletun ''enableTun''~~] ~~option.~~

=== Supporting legacy cipher providers ===

If you need to connect to servers with legacy ciphers (e.g. '''BF-CBC'''), one way is to override OpenVPN to use '''openssl_legacy''' package (which is [https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/legacy.cnf configured to enable legacy providers]), for example via an overlay:

=== ~~VPN Server ===~~

final: prev: {

openvpn = prev.openvpn.override {

openssl = prev.openssl_legacy;

};

}

</syntaxHighlight>

==== Simple one-client VPN ~~Gateway~~ server ====

== VPN Server ==

~~One~~ of ~~the main use cases to run~~ a VPN server ~~is to provide~~ a ~~secure gateway to the internet for the connecting clients. This example builds a one-~~client VPN gateway in line with the [https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html OpenVPN Static Key Mini How-To]. The Pro is that only a single static key is required.

=== Simple one-client VPN gateway server ===

The following is an example of a VPN server configuration which supports a single known client.

let

# generate via openvpn --genkey --secret ~~static~~.key

# generate via openvpn --genkey --secret openvpn-laptop.key

client-key = "/root/openvpn-laptop.key";

domain = "vpn.localhost.localdomain";

Line 50:

Line 105:

port = 1194;

in {

~~boot.kernel.sysctl."net.ipv4.ip_forward" = 1;~~

# sudo systemctl start nat

networking.nat = {

enable = true;

externalInterface = <your-server-out-~~itf~~>;

externalInterface = <your-server-out-if>;

internalInterfaces = [ vpn-dev ];

};

Line 65:

Line 120:

secret ${client-key}

port ${toString port}

cipher AES-256-CBC

auth-nocache

comp-lzo

keepalive 10 60

ping-timer-rem

Line 76:

Line 133:

environment.etc."openvpn/smartphone-client.ovpn" = {

text = ''

~~client~~

dev tun

remote "${domain}"

ifconfig 10.8.0.1 10.8.0.2

ifconfig 10.8.0.2 10.8.0.1

port ${toString port}

redirect-gateway def1

cipher AES-256-CBC

auth-nocache

comp-lzo

keepalive 10 60

Line 92:

Line 151:

'';

mode = "~~700~~";

mode = "600";

};

system.activationScripts.openvpn-addkey = ''

Line 105:

Line 164:

}

</syntaxHighlight>

[[Category:Networking]]

[[Category:VPN]]

@@ Line 1: / Line 1: @@
+== VPN Client==
-=== VPN Client ===
+OpenVPN can be configured for automatic startup by enabling it in <tt>/etc/nixos/configuration.nix</tt>:
-Auto-starting openvpn on Nixos can easily be done by enabling it in the configuration nix.
-Just place the configs where you want them to have and set it up like below.
 <syntaxHighlight lang="nix">
-services.openvpn.servers = {
+{
+  ...
+  services.openvpn.servers = {
      officeVPN  = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };
      homeVPN    = { config = '' config /root/nixos/openvpn/homeVPN.conf ''; };
      serverVPN  = { config = '' config /root/nixos/openvpn/serverVPN.conf ''; };
-};
+  };
+  ...
+}
+</syntaxHighlight>
+You will need to create the referenced configuration files. The above example will start three VPN instances; more can be added.
+Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files.
+Use <em>systemctl</em> to start/stop VPN service. Each generated service will have a prefix `openvpn-`:
+<syntaxHighlight>
+systemctl start openvpn-officeVPN.service
+</syntaxHighlight>
+Should you have trouble with DNS resolution for services that should be available via the VPN, try adding the following to the config:
+<syntaxHighlight lang="nix">
+{
+  ...
+  services.openvpn.servers = {
+    officeVPN  = {
+      config = '' config /root/nixos/openvpn/officeVPN.conf '';
+      updateResolvConf = true;
+    };
+  };
+  ...
+}
 </syntaxHighlight>
-This will start three vpn instances; more can be added. Also make sure that you use absolute path for certs and keys if you don't have integreated in the config files.
+=== Network-Manager integration (GNOME) ===
+If you want to allow the desktop user to manually set up and activate/deactivate VPN connections (on the GNOME desktop) you should install the OpenVPN plugin for NetworkManager, e.g.
+<syntaxHighlight lang="nix">
+{ pkgs, ... }:
+{
+  networking.networkmanager = {
+    enable = true;
+    plugins = with pkgs; [
+      networkmanager-openvpn
+    ];
+  };
+}
+</syntaxHighlight>
-In case you want to mount filesystems through the vpn, then on shutdown there will be a 90 second timeout. However, newer systemd you can set mount options that will require systemd to first umount the mount before closing the vpn connection.
+NOTE: Some VPN providers (e.g. NordVPN) require you to generate and use '''service credentials''' (i.e. ''not'' your usual email+password!) for a manual setup like this. Your provider's user account should have an option to create them.
-Just enhance the options with the following option <code>"x-systemd.requires=openvpn-officeVPN.service"</code>.
+=== Mounting filesystems via a VPN ===
-This would then look like this:
+If you mount filesystems through the VPN, the filesystem will not be unmounted properly because the VPN connection will be shut down prior to unmounting the filesystem. However, newer systemd versions allow you to set mount options to unmount the mount before closing the VPN connection via the mount option <tt>x-systemd.requires=openvpn-<em>vpnname</em>.service</tt>.
+Example mount configurations:
 <syntaxHighlight lang="nix">
-fileSystems."/mnt/office" = {
+{
+  ...
+  fileSystems."/mnt/office" = {
      device = "//10.8.0.x/Share";
      fsType = "cifs";
-     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-officeVPN.service" ];
+     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"
-};
+      "x-systemd.requires=openvpn-officeVPN.service" ];
-fileSystems."/mnt/home" = {
+  };
+  fileSystems."/mnt/home" = {
      device = "//10.9.0.x/Share";
      fsType = "cifs";
-     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-homeVPN.service" ];
+     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"
-};
+      "x-systemd.requires=openvpn-homeVPN.service" ];
+  };
+  ...
+}
 </syntaxHighlight>
-So basically the value for the <code>x-systemd.requires</code> option is <code>openvpn-{name}.service</code>
+If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.
-If you want to run OpenVPN clients in nixos declarative containers, be sure to set [https://nixos.org/nixos/options.html#enabletun ''enableTun''] option.
+=== Supporting legacy cipher providers ===
+If you need to connect to servers with legacy ciphers (e.g. '''BF-CBC'''), one way is to override OpenVPN to use '''openssl_legacy''' package (which is [https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/legacy.cnf configured to enable legacy providers]), for example via an overlay:
-=== VPN Server ===
+<syntaxHighlight lang="nix">
+final: prev: {
+  openvpn = prev.openvpn.override {
+    openssl = prev.openssl_legacy;
+  };
+}
+</syntaxHighlight>
-==== Simple one-client VPN Gateway server ====
+== VPN Server ==
-One of the main use cases to run a VPN server is to provide a secure gateway to the internet for the connecting clients. This example builds a one-client VPN gateway in line with the [https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html OpenVPN Static Key Mini How-To]. The Pro is that only a single static key is required.
+=== Simple one-client VPN gateway server ===
+The following is an example of a VPN server configuration which supports a single known client.
 <syntaxHighlight lang="nix">
 let
-   # generate via openvpn --genkey --secret static.key
+   # generate via openvpn --genkey --secret openvpn-laptop.key
    client-key = "/root/openvpn-laptop.key";
    domain = "vpn.localhost.localdomain";
@@ Line 50: / Line 105: @@
    port = 1194;
 in {
-   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+   # sudo systemctl start nat
    networking.nat = {
      enable = true;
-     externalInterface = <your-server-out-itf>;
+     externalInterface = <your-server-out-if>;
      internalInterfaces  = [ vpn-dev ];
    };
@@ Line 65: / Line 120: @@
      secret ${client-key}
      port ${toString port}
      cipher AES-256-CBC
+    auth-nocache
      comp-lzo
      keepalive 10 60
      ping-timer-rem
@@ Line 76: / Line 133: @@
    environment.etc."openvpn/smartphone-client.ovpn" = {
      text = ''
-      client
        dev tun
        remote "${domain}"
-       ifconfig 10.8.0.1 10.8.0.2
+       ifconfig 10.8.0.2 10.8.0.1
        port ${toString port}
+      redirect-gateway def1
        cipher AES-256-CBC
+      auth-nocache
        comp-lzo
        keepalive 10 60
@@ Line 92: / Line 151: @@
      '';
-     mode = "700";
+     mode = "600";
    };
    system.activationScripts.openvpn-addkey = ''
@@ Line 105: / Line 164: @@
 }
 </syntaxHighlight>
+[[Category:Networking]]
+[[Category:VPN]]