

openvpn: support setting IP forwarding (nixos)
peterhoeg committed May 25, 2018
1 parent 5da8543 commit ac8da13
Showing 1 changed file with 122 additions and 109 deletions.
231 changes: 122 additions & 109 deletions nixos/modules/services/networking/openvpn.nix
Expand Up @@ -78,126 +78,137 @@ in

options = {

services.openvpn.servers = mkOption {
default = {};

example = literalExample ''
{
server = {
config = '''
# Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
# server :
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /root/static.key
''';
up = "ip route add ...";
down = "ip route del ...";
};
client = {
config = '''
client
remote vpn.example.org
dev tun
proto tcp-client
port 8080
ca /root/.vpn/ca.crt
cert /root/.vpn/alice.crt
key /root/.vpn/alice.key
''';
up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
};
}
'';

description = ''
Each attribute of this option defines a systemd service that
runs an OpenVPN instance. These can be OpenVPN servers or
clients. The name of each systemd service is
<literal>openvpn-<replaceable>name</replaceable>.service</literal>,
where <replaceable>name</replaceable> is the corresponding
attribute name.
'';

type = with types; attrsOf (submodule {

options = {

config = mkOption {
type = types.lines;
description = ''
Configuration of this OpenVPN instance. See
<citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.
'';
};

up = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is starting.
'';
};

down = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is shutting down.
'';
};

autoStart = mkOption {
default = true;
type = types.bool;
description = "Whether this OpenVPN instance should be started automatically.";
};
services.openvpn = {

updateResolvConf = mkOption {
default = false;
type = types.bool;
description = ''
Use the script from the update-resolv-conf package to automatically
update resolv.conf with the DNS information provided by openvpn. The
script will be run after the "up" commands and before the "down" commands.
'';
};

authUserPass = mkOption {
default = null;
description = ''
This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method.
WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
'';
type = types.nullOr (types.submodule {
enableForwarding = mkOption {
default = false;
type = types.bool;
description = ''
Set up IP forwarding on the host.
'';
};

servers = mkOption {
default = {};

example = literalExample ''
{
server = {
config = '''
# Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
# server :
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /root/static.key
''';
up = "ip route add ...";
down = "ip route del ...";
};
client = {
config = '''
client
remote vpn.example.org
dev tun
proto tcp-client
port 8080
ca /root/.vpn/ca.crt
cert /root/.vpn/alice.crt
key /root/.vpn/alice.key
''';
up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
};
}
'';

options = {
username = mkOption {
description = "The username to store inside the credentials file.";
type = types.string;
};
description = ''
Each attribute of this option defines a systemd service that
runs an OpenVPN instance. These can be OpenVPN servers or
clients. The name of each systemd service is
<literal>openvpn-<replaceable>name</replaceable>.service</literal>,
where <replaceable>name</replaceable> is the corresponding
attribute name.
'';

password = mkOption {
description = "The password to store inside the credentials file.";
type = types.string;
type = with types; attrsOf (submodule {

options = {

config = mkOption {
type = types.lines;
description = ''
Configuration of this OpenVPN instance. See
<citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.
'';
};

up = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is starting.
'';
};

down = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands executed when the instance is shutting down.
'';
};

autoStart = mkOption {
default = true;
type = types.bool;
description = "Whether this OpenVPN instance should be started automatically.";
};

updateResolvConf = mkOption {
default = false;
type = types.bool;
description = ''
Use the script from the update-resolv-conf package to automatically
update resolv.conf with the DNS information provided by openvpn. The
script will be run after the "up" commands and before the "down" commands.
'';
};

authUserPass = mkOption {
default = null;
description = ''
This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method.
WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
'';
type = types.nullOr (types.submodule {

options = {
username = mkOption {
description = "The username to store inside the credentials file.";
type = types.string;
};

password = mkOption {
description = "The password to store inside the credentials file.";
type = types.string;
};
};
};
});
});
};
};
};

});
});

};

};

};


###### implementation

config = mkIf (cfg.servers != {}) {
Expand All @@ -208,6 +219,8 @@ in

boot.kernelModules = [ "tun" ];

boot.kernel.sysctl = lib.mkIf cfg.enableForwarding { "net.ipv4.ip_forward" = true; };

};

}
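Review bot: The new `boot.kernel.sysctl` line in the second hunk sets `net.ipv4.ip_forward` for the whole host, so every interface starts routing, not only the OpenVPN tun device, and the `enableForwarding` description added in the first hunk ("Set up IP forwarding on the host.") says neither that nor that only IPv4 is affected while `net.ipv6.conf.all.forwarding` stays off. Suggest the description read: `Enable IPv4 forwarding (net.ipv4.ip_forward) host-wide so traffic can be routed between the VPN and other networks. This affects every interface and adds no firewall or NAT rules; restrict forwarded traffic via networking.firewall / networking.nat. IPv6 forwarding is not enabled.` Because the sysctl sits inside `config = mkIf (cfg.servers != {})`, `enableForwarding = true` is silently ignored when no servers are defined, which is worth one more sentence in the description. As a point of style, the surrounding code uses bare `mkIf` while the new line uses `lib.mkIf`; one form should be used throughout.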
