{ config, pkgs, lib, ... }:
let
cfg = config.shb.vpn;
quoteEach = lib.concatMapStrings (x: ''"${x}"'');
nordvpnConfig =
{ name
, dev
, authFile
, remoteServerIP
, dependentServices ? []
}: ''
client
dev ${dev}
proto tcp
remote ${remoteServerIP} 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
status /tmp/openvpn/${name}.status
remote-cert-tls server
auth-user-pass ${authFile}
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
script-security 2
route-noexec
route-up ${routeUp name dependentServices}/bin/routeUp.sh
down ${routeDown name dependentServices}/bin/routeDown.sh
<ca>
-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----
</tls-auth>
'';
routeUp = name: dependentServices: pkgs.writeShellApplication {
name = "routeUp.sh";
runtimeInputs = [ pkgs.iproute2 pkgs.systemd pkgs.nettools ];
text = ''
echo "Running route-up..."
echo "dev=''${dev:?}"
echo "ifconfig_local=''${ifconfig_local:?}"
echo "route_vpn_gateway=''${route_vpn_gateway:?}"
set -x
ip rule
ip rule add from "''${ifconfig_local:?}/32" table ${name}
ip rule add to "''${route_vpn_gateway:?}/32" table ${name}
ip rule
ip route list table ${name} || :
retVal=$?
if [ $retVal -eq 2 ]; then
echo "table is empty"
elif [ $retVal -ne 0 ]; then
exit 1
fi
ip route add default via "''${route_vpn_gateway:?}" dev "''${dev:?}" table ${name}
ip route flush cache
ip route list table ${name} || :
retVal=$?
if [ $retVal -eq 2 ]; then
echo "table is empty"
elif [ $retVal -ne 0 ]; then
exit 1
fi
echo "''${ifconfig_local:?}" > /run/openvpn/${name}/ifconfig_local
dependencies=(${quoteEach dependentServices})
for i in "''${dependencies[@]}"; do
systemctl restart "$i" || :
done
echo "Running route-up DONE"
'';
};
routeDown = name: dependentServices: pkgs.writeShellApplication {
name = "routeDown.sh";
runtimeInputs = [ pkgs.iproute2 pkgs.systemd pkgs.nettools pkgs.coreutils ];
text = ''
echo "Running route-down..."
echo "dev=''${dev:?}"
echo "ifconfig_local=''${ifconfig_local:?}"
echo "route_vpn_gateway=''${route_vpn_gateway:?}"
set -x
ip rule
ip rule del from "''${ifconfig_local:?}/32" table ${name}
ip rule del to "''${route_vpn_gateway:?}/32" table ${name}
ip rule
# This will probably fail because the dev is already gone.
ip route list table ${name} || :
retVal=$?
if [ $retVal -eq 2 ]; then
echo "table is empty"
elif [ $retVal -ne 0 ]; then
exit 1
fi
ip route del default via "''${route_vpn_gateway:?}" dev "''${dev:?}" table ${name} || :
ip route flush cache
ip route list table ${name} || :
retVal=$?
if [ $retVal -eq 2 ]; then
echo "table is empty"
elif [ $retVal -ne 0 ]; then
exit 1
fi
rm /run/openvpn/${name}/ifconfig_local
dependencies=(${quoteEach dependentServices})
for i in "''${dependencies[@]}"; do
systemctl stop "$i" || :
done
echo "Running route-down DONE"
'';
};
someEnabled = lib.any (lib.mapAttrsToList (name: c: c.enable) cfg);
in
{
options =
let
instanceOption = lib.types.submodule {
options = {
enable = lib.mkEnableOption "OpenVPN config";
package = lib.mkPackageOptionMD pkgs "openvpn" {};
provider = lib.mkOption {
description = "VPN provider, if given uses ready-made configuration.";
type = lib.types.nullOr (lib.types.enum [ "nordvpn" ]);
default = null;
};
dev = lib.mkOption {
description = "Name of the interface.";
type = lib.types.str;
example = "tun0";
};
routingNumber = lib.mkOption {
description = "Unique number used to route packets.";
type = lib.types.int;
example = 10;
};
remoteServerIP = lib.mkOption {
description = "IP of the VPN server to connect to.";
type = lib.types.str;
};
authFile = lib.mkOption {
description = "Location of file holding authentication secrets for provider.";
type = lib.types.anything;
};
proxyPort = lib.mkOption {
description = "If not null, sets up a proxy that listens on the given port and sends traffic to the VPN.";
type = lib.types.nullOr lib.types.int;
default = null;
};
};
};
in
{
shb.vpn = lib.mkOption {
description = "OpenVPN instances.";
default = {};
type = lib.types.attrsOf instanceOption;
};
};
config = {
services.openvpn.servers =
let
instanceConfig = name: c: lib.mkIf c.enable {
${name} = {
autoStart = true;
up = "mkdir -p /run/openvpn/${name}";
config = nordvpnConfig {
inherit name;
inherit (c) dev remoteServerIP authFile;
dependentServices = lib.optional (c.proxyPort != null) "tinyproxy-${name}.service";
};
};
};
in
lib.mkMerge (lib.mapAttrsToList instanceConfig cfg);
systemd.tmpfiles.rules = map (name:
"d /tmp/openvpn/${name}.status 0700 root root"
) (lib.attrNames cfg);
networking.iproute2.enable = true;
networking.iproute2.rttablesExtraConfig =
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: c: "${toString c.routingNumber} ${name}") cfg);
shb.tinyproxy =
let
instanceConfig = name: c: lib.mkIf (c.enable && c.proxyPort != null) {
${name} = {
enable = true;
# package = pkgs.tinyproxy.overrideAttrs (old: {
# withDebug = false;
# patches = old.patches ++ [
# (pkgs.fetchpatch {
# name = "";
# url = "https://github.com/tinyproxy/tinyproxy/pull/494/commits/2532ba09896352b31f3538d7819daa1fc3f829f1.patch";
# sha256 = "sha256-Q0MkHnttW8tH3+hoCt9ACjHjmmZQgF6pC/menIrU0Co=";
# })
# ];
# });
dynamicBindFile = "/run/openvpn/${name}/ifconfig_local";
settings = {
Port = c.proxyPort;
Listen = "127.0.0.1";
Syslog = "On";
LogLevel = "Info";
Allow = [ "127.0.0.1" "::1" ];
ViaProxyName = ''"tinyproxy"'';
};
};
};
in
lib.mkMerge (lib.mapAttrsToList instanceConfig cfg);
};
}