
openvpn: support setting IP forwarding (nixos)
peterhoeg committed Jun 20, 2019
1 parent 5da8543 commit 5021a1b
Showing 1 changed file with 33 additions and 6 deletions.
39 changes: 33 additions & 6 deletions nixos/modules/services/networking/openvpn.nix
Expand Up @@ -10,6 +10,7 @@ let


makeOpenVPNJob = cfg: name: makeOpenVPNJob = cfg: name:
let let
dir = "openvpn/${name}";


path = (getAttr "openvpn-${name}" config.systemd.services).path; path = (getAttr "openvpn-${name}" config.systemd.services).path;


Expand Down Expand Up @@ -55,19 +56,34 @@ let
${cfg.authUserPass.username} ${cfg.authUserPass.username}
${cfg.authUserPass.password} ${cfg.authUserPass.password}
''}"} ''}"}
# General hardening
# These are needed to allow reloads while running as non-root
persist-key
persist-tun
ifconfig-pool-persist /var/lib/${dir}/pool.txt
# Do not run using the default nobody/nogroup as those are for NFS
user openvpn
group openvpn
replay-persist /var/lib/${dir}/replay
status /run/${dir}/status.txt
''; '';


in { in {
description = "OpenVPN instance ‘${name}’"; description = "OpenVPN instance ‘${name}’";


wantedBy = optional cfg.autoStart "multi-user.target"; wantedBy = [ "openvpn.target" ];
after = [ "network.target" ]; after = [ "network.target" ];


path = [ pkgs.iptables pkgs.iproute pkgs.nettools ]; path = with pkgs; [ iptables iproute nettools ];


serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --suppress-timestamps --config ${configFile}"; serviceConfig = {
serviceConfig.Restart = "always"; RuntimeDirectory = dir;
serviceConfig.Type = "notify"; StateDirectory = dir;
ExecStart = "@${openvpn}/sbin/openvpn openvpn --config ${configFile}";
Restart = "always";
Type = "notify";
};
}; };


in in
Expand Down Expand Up @@ -204,10 +220,21 @@ in


systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers); systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);


systemd.targets.openvpn = {
description = "Start all OpenVPN tunnels";
wantedBy = optional cfg.autoStart [ "multi-user.target" ];
};

environment.systemPackages = [ openvpn ]; environment.systemPackages = [ openvpn ];


boot.kernelModules = [ "tun" ]; boot.kernelModules = [ "tun" ];


}; users.extraUsers.openvpn = {
description = "OpenVPN user";
group = "openvpn";
uid = config.ids.uids.openvpn;
};


users.extraGroups.openvpn.gid = config.ids.gids.openvpn;
};
} }
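Review bot: `wantedBy = optional cfg.autoStart [ "multi-user.target" ];` on the new `systemd.targets.openvpn` wraps a list inside another list, because `optional` already returns a singleton list; the old per-service line used `optional cfg.autoStart "multi-user.target"`, and the target should read `wantedBy = optional cfg.autoStart "multi-user.target";` (or `optionals cfg.autoStart [ "multi-user.target" ]`). Since the per-service `wantedBy` is now always `[ "openvpn.target" ]`, autoStart is no longer honoured per server (the target, once pulled in, starts every configured tunnel), and if `autoStart` is declared under `servers.<name>` rather than at the top level, `cfg.autoStart` here does not exist at all and evaluation fails; the option declarations are outside these hunks, so this needs confirming there. The new `users.extraUsers.openvpn` and `users.extraGroups.openvpn` entries read `config.ids.uids.openvpn` and `config.ids.gids.openvpn`, but this commit changes only one file, so those ids must already be declared elsewhere or evaluation fails. `--suppress-timestamps` was dropped from `ExecStart` without a word in the commit message, which under journald yields doubled timestamps in the log, and the hardening block (`user openvpn`, `group openvpn`, `ifconfig-pool-persist`, …) is emitted for every server definition unconditionally, so client-style configurations and any `up`/`down` scripts that rely on root privileges should be checked before this lands.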
