OpenVPN: Difference between revisions

imported>HLandau
No edit summary
Bittner
Add network-manager integration
 
(9 intermediate revisions by 7 users not shown)
Line 1: Line 1:
=VPN Client=
== VPN Client==
OpenVPN can be configured for automatic startup by enabling it in <tt>/etc/nixos/configuration.nix</tt>:
OpenVPN can be configured for automatic startup by enabling it in <tt>/etc/nixos/configuration.nix</tt>:


Line 18: Line 18:
Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files.
Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files.


==Mounting filesystems via a VPN==
Use <em>systemctl</em> to start/stop VPN service. Each generated service will have a prefix `openvpn-`:
<syntaxHighlight>
systemctl start openvpn-officeVPN.service
</syntaxHighlight>
 
Should you have trouble with DNS resolution for services that should be available via the VPN, try adding the following to the config:
 
<syntaxHighlight lang="nix">
{
  ...
  services.openvpn.servers = {
    officeVPN  = {
      config = '' config /root/nixos/openvpn/officeVPN.conf '';
      updateResolvConf = true;
    };
  };
  ...
}
</syntaxHighlight>
 
=== Network-Manager integration (GNOME) ===
 
If you want to allow the desktop user to manually set up and activate/deactivate VPN connections (on the GNOME desktop) you should install the OpenVPN plugin for NetworkManager, e.g.
 
<syntaxHighlight lang="nix">
{ pkgs, ... }:
{
  networking.networkmanager = {
    enable = true;
    plugins = with pkgs; [
      networkmanager-openvpn
    ];
  };
}
</syntaxHighlight>
 
NOTE: Some VPN providers (e.g. NordVPN) require you to generate and use '''service credentials''' (i.e. ''not'' your usual email+password!) for a manual setup like this. Your provider's user account should have an option to create them.
 
=== Mounting filesystems via a VPN ===


If you mount filesystems through the VPN, the filesystem will not be unmounted properly because the VPN connection will be shut down prior to unmounting the filesystem. However, newer systemd versions allow you to set mount options to unmount the mount before closing the VPN connection via the mount option <tt>x-systemd.requires=openvpn-<em>vpnname</em>.service</tt>.
If you mount filesystems through the VPN, the filesystem will not be unmounted properly because the VPN connection will be shut down prior to unmounting the filesystem. However, newer systemd versions allow you to set mount options to unmount the mount before closing the VPN connection via the mount option <tt>x-systemd.requires=openvpn-<em>vpnname</em>.service</tt>.
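Review bot: the systemctl snippet is the only code block in this hunk without a `lang` attribute, and the sentence before it uses Markdown backticks for `openvpn-`, which MediaWiki renders literally; use `<syntaxHighlight lang="bash">` and `<code>openvpn-</code>` to match the rest of the page. The `updateResolvConf = true` advice would also be clearer if it said it only helps when the server pushes DNS settings (`dhcp-option DNS`), since that is what the update-resolv-conf hook consumes; a profile whose server pushes nothing leaves resolution unchanged.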
Line 44: Line 82:
If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.
If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.


=VPN Server=
=== Supporting legacy cipher providers ===
==Simple one-client VPN gateway server==
If you need to connect to servers with legacy ciphers (e.g. '''BF-CBC'''), one way is to override OpenVPN to use '''openssl_legacy''' package (which is [https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/legacy.cnf configured to enable legacy providers]), for example via an overlay:
 
<syntaxHighlight lang="nix">
final: prev: {
  openvpn = prev.openvpn.override {
    openssl = prev.openssl_legacy;
  };
}
</syntaxHighlight>
 
== VPN Server ==
=== Simple one-client VPN gateway server ===
The following is an example of a VPN server configuration which supports a single known client.
The following is an example of a VPN server configuration which supports a single known client.


<syntaxHighlight lang="nix">
<syntaxHighlight lang="nix">
let
let
   # generate via openvpn --genkey --secret static.key
   # generate via openvpn --genkey --secret openvpn-laptop.key
   client-key = "/root/openvpn-laptop.key";
   client-key = "/root/openvpn-laptop.key";
   domain = "vpn.localhost.localdomain";
   domain = "vpn.localhost.localdomain";
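Review bot: the openssl_legacy overlay under "Supporting legacy cipher providers" swaps the OpenSSL used by every OpenVPN instance on the host, not only the one legacy connection, and the cipher it exists to re-enable, BF-CBC, has a 64-bit block (the SWEET32 class of attacks is why it was gated behind the legacy provider); the text should flag it as a stopgap for a peer that cannot be upgraded rather than a general fix. Separately, the comment `# generate via openvpn --genkey --secret openvpn-laptop.key` uses the pre-2.5 spelling; 2.5 and later still accept it with a deprecation warning but document `openvpn --genkey secret openvpn-laptop.key` instead.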
Line 56: Line 105:
   port = 1194;
   port = 1194;
in {
in {
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   # sudo systemctl start nat
   networking.nat = {
   networking.nat = {
     enable = true;
     enable = true;
     externalInterface = <your-server-out-itf>;
     externalInterface = <your-server-out-if>;
     internalInterfaces  = [ vpn-dev ];
     internalInterfaces  = [ vpn-dev ];
   };
   };
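Review bot: `externalInterface = <your-server-out-if>;` is not a placeholder Nix can evaluate: angle brackets are the search-path lookup syntax, so `nixos-rebuild` fails with a lookup error for `your-server-out-if` before the renamed placeholder helps anyone; write it as a quoted string the reader replaces, e.g. `externalInterface = "eth0";`. The new `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` line enables forwarding host-wide, not just for the tunnel, so it is worth a sentence reminding the reader to keep `networking.firewall` enabled and to restrict what the VPN interface may reach.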
Line 71: Line 120:
     secret ${client-key}
     secret ${client-key}
     port ${toString port}
     port ${toString port}
     cipher AES-256-CBC
     cipher AES-256-CBC
    auth-nocache
     comp-lzo
     comp-lzo
     keepalive 10 60
     keepalive 10 60
     ping-timer-rem
     ping-timer-rem
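Review bot: the added `auth-nocache` is inert in this server block: the profile authenticates with a static `secret` key, and `auth-nocache` only controls whether `auth-user-pass` and `askpass` credentials are cached in memory, so either drop it or say it is there for profiles that later add user/password authentication. The line in this hunk that actually deserves a comment is `comp-lzo`: the OpenVPN project advises against compression because of VORACLE-style attacks on compressed tunnel traffic, so the example should use `comp-lzo no` or omit compression altogether.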
Line 82: Line 133:
   environment.etc."openvpn/smartphone-client.ovpn" = {
   environment.etc."openvpn/smartphone-client.ovpn" = {
     text = ''
     text = ''
      client
       dev tun
       dev tun
       remote "${domain}"
       remote "${domain}"
       ifconfig 10.8.0.1 10.8.0.2
       ifconfig 10.8.0.2 10.8.0.1
       port ${toString port}
       port ${toString port}
      redirect-gateway def1


       cipher AES-256-CBC
       cipher AES-256-CBC
      auth-nocache
       comp-lzo
       comp-lzo
       keepalive 10 60
       keepalive 10 60
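Review bot: the added `client` line does not fit this profile: `client` is a helper that expands to `pull` and `tls-client`, both of which presuppose a TLS handshake, while this peer authenticates with a static `secret` and takes its addresses from its own `ifconfig 10.8.0.2 10.8.0.1`; drop it, since a static-key peer needs only `remote`, `dev tun`, `ifconfig`, `secret` and the matching `cipher`. The `ifconfig` swap itself is correct (the local address comes first, so this client is 10.8.0.2 with peer 10.8.0.1, mirroring the server side), and `redirect-gateway def1` is valid here because `remote` is set, but the text should note that it routes all of the client's traffic through the gateway.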
Line 98: Line 151:


     '';
     '';
     mode = "700";
     mode = "600";
   };
   };
   system.activationScripts.openvpn-addkey = ''
   system.activationScripts.openvpn-addkey = ''
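Review bot: `mode = "600"` is the right tightening for a profile that ends up holding the shared secret, and it matters for a second reason the text should spell out: giving an `environment.etc` entry an explicit mode makes `/etc/openvpn/smartphone-client.ovpn` a copied file rather than a symlink into the Nix store, which is what lets the `openvpn-addkey` activation script append the key to it; anything placed in `text` itself still lands world-readable under `/nix/store`, so the key must keep coming from the activation script and never from `text`.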
Line 111: Line 164:
}
}
</syntaxHighlight>
</syntaxHighlight>
[[Category:Networking]]
[[Category:VPN]]