
openvpn: support setting IP forwarding (nixos)

peterhoeg committed May 25, 2018
1 parent 5da8543 commit ac8da13bdb9da6b2756bb5cf839e15690cba86a9
Showing with 122 additions and 109 deletions.
  1. +122 −109 nixos/modules/services/networking/openvpn.nix
@@ -78,126 +78,137 @@ in

options = {

services.openvpn.servers = mkOption {
default = {};

example = literalExample ''
{
server = {
config = '''
# Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
# server :
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /root/static.key
''';
up = "ip route add ...";
down = "ip route del ...";
};
client = {
config = '''
client
remote vpn.example.org
dev tun
proto tcp-client
port 8080
ca /root/.vpn/ca.crt
cert /root/.vpn/alice.crt
key /root/.vpn/alice.key
''';
up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
};
}
'';

description = ''
Each attribute of this option defines a systemd service that
runs an OpenVPN instance. These can be OpenVPN servers or
clients. The name of each systemd service is
<literal>openvpn-<replaceable>name</replaceable>.service</literal>,
where <replaceable>name</replaceable> is the corresponding
attribute name.
'';

type = with types; attrsOf (submodule {

options = {

config = mkOption {
type = types.lines;
description = ''
Configuration of this OpenVPN instance. See
<citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.
'';
};

up = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is starting.
'';
};

down = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is shutting down.
'';
};

autoStart = mkOption {
default = true;
type = types.bool;
description = "Whether this OpenVPN instance should be started automatically.";
};
services.openvpn = {

updateResolvConf = mkOption {
default = false;
type = types.bool;
description = ''
Use the script from the update-resolv-conf package to automatically
update resolv.conf with the DNS information provided by openvpn. The
script will be run after the "up" commands and before the "down" commands.
'';
};

authUserPass = mkOption {
default = null;
description = ''
This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method.
WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
'';
type = types.nullOr (types.submodule {
enableForwarding = mkOption {
default = false;
type = types.bool;
description = ''
Set up IP forwarding on the host.
'';
};

servers = mkOption {
default = {};

example = literalExample ''
{
server = {
config = '''
# Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
# server :
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /root/static.key
''';
up = "ip route add ...";
down = "ip route del ...";
};
client = {
config = '''
client
remote vpn.example.org
dev tun
proto tcp-client
port 8080
ca /root/.vpn/ca.crt
cert /root/.vpn/alice.crt
key /root/.vpn/alice.key
''';
up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
};
}
'';

options = {
username = mkOption {
description = "The username to store inside the credentials file.";
type = types.string;
};
description = ''
Each attribute of this option defines a systemd service that
runs an OpenVPN instance. These can be OpenVPN servers or
clients. The name of each systemd service is
<literal>openvpn-<replaceable>name</replaceable>.service</literal>,
where <replaceable>name</replaceable> is the corresponding
attribute name.
'';

password = mkOption {
description = "The password to store inside the credentials file.";
type = types.string;
type = with types; attrsOf (submodule {

options = {

config = mkOption {
type = types.lines;
description = ''
Configuration of this OpenVPN instance. See
<citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.
'';
};

up = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is starting.
'';
};

down = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is shutting down.
'';
};

autoStart = mkOption {
default = true;
type = types.bool;
description = "Whether this OpenVPN instance should be started automatically.";
};

updateResolvConf = mkOption {
default = false;
type = types.bool;
description = ''
Use the script from the update-resolv-conf package to automatically
update resolv.conf with the DNS information provided by openvpn. The
script will be run after the "up" commands and before the "down" commands.
'';
};

authUserPass = mkOption {
default = null;
description = ''
This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method.
WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
'';
type = types.nullOr (types.submodule {

options = {
username = mkOption {
description = "The username to store inside the credentials file.";
type = types.string;
};

password = mkOption {
description = "The password to store inside the credentials file.";
type = types.string;
};
};
};
});
});
};
};
};

});
});

};

};

};


###### implementation

config = mkIf (cfg.servers != {}) {
@@ -208,6 +219,8 @@ in

boot.kernelModules = [ "tun" ];

boot.kernel.sysctl = lib.mkIf cfg.enableForwarding { "net.ipv4.ip_forward" = true; };

};

}
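Review bot: The new `boot.kernel.sysctl` line in the second hunk enables only `net.ipv4.ip_forward`, while the `enableForwarding` option description in the first hunk says "Set up IP forwarding on the host", which reads as covering IPv6 as well; either add `"net.ipv6.conf.all.forwarding" = true;` to the same attribute set or narrow the description to IPv4. The sysctl is also host-wide rather than scoped to the tunnel interface, so a host that turns it on forwards between all of its interfaces, which is worth stating so users pair it with matching firewall rules. Suggested description: `Enable IPv4 forwarding (net.ipv4.ip_forward) on the host. This applies to all interfaces, not only the OpenVPN tunnel, so combine it with appropriate firewall rules; IPv6 forwarding is left unchanged.` Since the assignment sits inside `config = mkIf (cfg.servers != {})`, the sysctl only takes effect once at least one instance is defined, which appears intended but could be mentioned in the description.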
