OpenVPN: Difference between revisions

Line 1:

=VPN Client=

=== VPN Client ===

OpenVPN can be configured for automatic startup by enabling it in <tt>/etc/nixos/configuration.nix</tt>:

~~Auto-starting openvpn on Nixos~~ can ~~easily~~ be ~~done~~ by enabling it in ~~the~~ configuration nix.

~~Just place the configs where you want them to have and set it up like below.~~

services.openvpn.servers = {

{

...

services.openvpn.servers = {

officeVPN = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };

homeVPN = { config = '' config /root/nixos/openvpn/homeVPN.conf ''; };

serverVPN = { config = '' config /root/nixos/openvpn/serverVPN.conf ''; };

};

...

}

</syntaxHighlight>

~~This~~ will start three ~~vpn~~ instances; more can be added~~. Also make sure that you use absolute path for certs and keys if you don't have integreated in the config files~~.

You will need to create the referenced configuration files. The above example will start three VPN instances; more can be added.

~~In case~~ you ~~want to mount filesystems through~~ the ~~vpn, then on shutdown there will be a 90 second timeout. However, newer systemd you can set mount options that will require systemd to first umount the mount before closing the vpn connection~~.

Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files.

~~Just enhance the options with the following option <code>"x-systemd.requires~~=~~openvpn-officeVPN.service"</code>.~~

==Mounting filesystems via a VPN==

~~This would then look like this:~~

If you mount filesystems through the VPN, the filesystem will not be unmounted properly because the VPN connection will be shut down prior to unmounting the filesystem. However, newer systemd versions allow you to set mount options to unmount the mount before closing the VPN connection via the mount option <tt>x-systemd.requires=openvpn-<em>vpnname</em>.service</tt>.

Example mount configurations:

fileSystems."/mnt/office" = {

{

...

fileSystems."/mnt/office" = {

device = "//10.8.0.x/Share";

fsType = "cifs";

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-officeVPN.service" ];

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"

};

"x-systemd.requires=openvpn-officeVPN.service" ];

fileSystems."/mnt/home" = {

};

fileSystems."/mnt/home" = {

device = "//10.9.0.x/Share";

fsType = "cifs";

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-homeVPN.service" ];

options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"

};

"x-systemd.requires=openvpn-homeVPN.service" ];

};

...

}

</syntaxHighlight>

~~So basically the value for the <code>x-systemd.requires</code> option is <code>openvpn-{name}.service</code>~~

If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.

If you want to run OpenVPN clients in ~~nixos~~ declarative containers, ~~be sure~~ to set ~~[https~~:~~//nixos.org/nixos/options.html#enabletun ''~~enableTun~~'']~~ option.

~~=== VPN Server ===~~

==== Simple one-client VPN ~~Gateway~~ server ====

=VPN Server=

~~One~~ of ~~the main use cases to run~~ a VPN server ~~is to provide~~ a ~~secure gateway to the internet for the connecting clients. This example builds a one-~~client VPN gateway in line with the [https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html OpenVPN Static Key Mini How-To]. The Pro is that only a single static key is required.

==Simple one-client VPN gateway server==

The following is an example of a VPN server configuration which supports a single known client.

@@ Line 1: / Line 1: @@
+=VPN Client=
-=== VPN Client ===
+OpenVPN can be configured for automatic startup by enabling it in <tt>/etc/nixos/configuration.nix</tt>:
-Auto-starting openvpn on Nixos can easily be done by enabling it in the configuration nix.
-Just place the configs where you want them to have and set it up like below.
 <syntaxHighlight lang="nix">
-services.openvpn.servers = {
+{
+  ...
+  services.openvpn.servers = {
      officeVPN  = { config = '' config /root/nixos/openvpn/officeVPN.conf ''; };
      homeVPN    = { config = '' config /root/nixos/openvpn/homeVPN.conf ''; };
      serverVPN  = { config = '' config /root/nixos/openvpn/serverVPN.conf ''; };
-};
+  };
+  ...
+}
 </syntaxHighlight>
-This will start three vpn instances; more can be added. Also make sure that you use absolute path for certs and keys if you don't have integreated in the config files.
+You will need to create the referenced configuration files. The above example will start three VPN instances; more can be added.
-In case you want to mount filesystems through the vpn, then on shutdown there will be a 90 second timeout. However, newer systemd you can set mount options that will require systemd to first umount the mount before closing the vpn connection.
+Ensure you use absolute paths for any files such as certificates and keys referenced from the configuration files.
-Just enhance the options with the following option <code>"x-systemd.requires=openvpn-officeVPN.service"</code>.
+==Mounting filesystems via a VPN==
-This would then look like this:
+If you mount filesystems through the VPN, the filesystem will not be unmounted properly because the VPN connection will be shut down prior to unmounting the filesystem. However, newer systemd versions allow you to set mount options to unmount the mount before closing the VPN connection via the mount option <tt>x-systemd.requires=openvpn-<em>vpnname</em>.service</tt>.
+Example mount configurations:
 <syntaxHighlight lang="nix">
-fileSystems."/mnt/office" = {
+{
+  ...
+  fileSystems."/mnt/office" = {
      device = "//10.8.0.x/Share";
      fsType = "cifs";
-     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-officeVPN.service" ];
+     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"
-};
+      "x-systemd.requires=openvpn-officeVPN.service" ];
-fileSystems."/mnt/home" = {
+  };
+  fileSystems."/mnt/home" = {
      device = "//10.9.0.x/Share";
      fsType = "cifs";
-     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8" "x-systemd.requires=openvpn-homeVPN.service" ];
+     options = [ "noauto" "user" "uid=1000" "gid=100" "username=xxx" "password=xxx" "iocharset=utf8"
-};
+      "x-systemd.requires=openvpn-homeVPN.service" ];
+  };
+  ...
+}
 </syntaxHighlight>
-So basically the value for the <code>x-systemd.requires</code> option is <code>openvpn-{name}.service</code>
+If you want to run OpenVPN clients in NixOS declarative containers, you will need to set the {{nixos:option|enableTun}} container option.
-If you want to run OpenVPN clients in nixos declarative containers, be sure to set [https://nixos.org/nixos/options.html#enabletun ''enableTun''] option.
-=== VPN Server ===
-==== Simple one-client VPN Gateway server ====
+=VPN Server=
-One of the main use cases to run a VPN server is to provide a secure gateway to the internet for the connecting clients. This example builds a one-client VPN gateway in line with the [https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html OpenVPN Static Key Mini How-To]. The Pro is that only a single static key is required.
+==Simple one-client VPN gateway server==
+The following is an example of a VPN server configuration which supports a single known client.
 <syntaxHighlight lang="nix">