OpenVPN: Difference between revisions
imported>Samueldr m fixes heading levels |
Add network-manager integration |
||
| (5 intermediate revisions by 4 users not shown) | |||
| Line 17: | Line 17: | ||
Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files. | Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files. | ||
Use <em>systemctl</em> to start/stop VPN service. Each generated service will have a prefix `openvpn-`: | |||
<syntaxHighlight> | |||
systemctl start openvpn-officeVPN.service | |||
</syntaxHighlight> | |||
Should you have trouble with DNS resolution for services that should be available via the VPN, try adding the following to the config: | |||
<syntaxHighlight lang="nix"> | |||
{ | |||
... | |||
services.openvpn.servers = { | |||
officeVPN = { | |||
config = '' config /root/nixos/openvpn/officeVPN.conf ''; | |||
updateResolvConf = true; | |||
}; | |||
}; | |||
... | |||
} | |||
</syntaxHighlight> | |||
=== Network-Manager integration (GNOME) === | |||
If you want to allow the desktop user to manually set up and activate/deactivate VPN connections (on the GNOME desktop) you should install the OpenVPN plugin for NetworkManager, e.g. | |||
<syntaxHighlight lang="nix"> | |||
{ pkgs, ... }: | |||
{ | |||
networking.networkmanager = { | |||
enable = true; | |||
plugins = with pkgs; [ | |||
networkmanager-openvpn | |||
]; | |||
}; | |||
} | |||
</syntaxHighlight> | |||
NOTE: Some VPN providers (e.g. NordVPN) require you to generate and use '''service credentials''' (i.e. ''not'' your usual email+password!) for a manual setup like this. Your provider's user account should have an option to create them. | |||
=== Mounting filesystems via a VPN === | === Mounting filesystems via a VPN === | ||
| Line 43: | Line 81: | ||
If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option. | If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option. | ||
=== Supporting legacy cipher providers === | |||
If you need to connect to servers with legacy ciphers (e.g. '''BF-CBC'''), one way is to override OpenVPN to use '''openssl_legacy''' package (which is [https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/development/libraries/openssl/3.0/legacy.cnf configured to enable legacy providers]), for example via an overlay: | |||
<syntaxHighlight lang="nix"> | |||
final: prev: { | |||
openvpn = prev.openvpn.override { | |||
openssl = prev.openssl_legacy; | |||
}; | |||
} | |||
</syntaxHighlight> | |||
== VPN Server == | == VPN Server == | ||
| Line 116: | Line 165: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
[[Category: | [[Category:Networking]] | ||
[[Category:VPN]] | |||