diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix
index a418839d22b8ba..001a259efc45f7 100644
--- a/nixos/modules/services/networking/openvpn.nix
+++ b/nixos/modules/services/networking/openvpn.nix
@@ -78,126 +78,137 @@ in
options = {
- services.openvpn.servers = mkOption {
- default = {};
-
- example = literalExample ''
- {
- server = {
- config = '''
- # Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
- # server :
- dev tun
- ifconfig 10.8.0.1 10.8.0.2
- secret /root/static.key
- ''';
- up = "ip route add ...";
- down = "ip route del ...";
- };
-
- client = {
- config = '''
- client
- remote vpn.example.org
- dev tun
- proto tcp-client
- port 8080
- ca /root/.vpn/ca.crt
- cert /root/.vpn/alice.crt
- key /root/.vpn/alice.key
- ''';
- up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
- down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
- };
- }
- '';
-
- description = ''
- Each attribute of this option defines a systemd service that
- runs an OpenVPN instance. These can be OpenVPN servers or
- clients. The name of each systemd service is
- openvpn-name.service,
- where name is the corresponding
- attribute name.
- '';
-
- type = with types; attrsOf (submodule {
-
- options = {
-
- config = mkOption {
- type = types.lines;
- description = ''
- Configuration of this OpenVPN instance. See
- openvpn8
- for details.
- '';
- };
-
- up = mkOption {
- default = "";
- type = types.lines;
- description = ''
- Shell commands executed when the instance is starting.
- '';
- };
-
- down = mkOption {
- default = "";
- type = types.lines;
- description = ''
- Shell commands executed when the instance is shutting down.
- '';
- };
-
- autoStart = mkOption {
- default = true;
- type = types.bool;
- description = "Whether this OpenVPN instance should be started automatically.";
- };
+ services.openvpn = {
- updateResolvConf = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Use the script from the update-resolv-conf package to automatically
- update resolv.conf with the DNS information provided by openvpn. The
- script will be run after the "up" commands and before the "down" commands.
- '';
- };
-
- authUserPass = mkOption {
- default = null;
- description = ''
- This option can be used to store the username / password credentials
- with the "auth-user-pass" authentication method.
-
- WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
- '';
- type = types.nullOr (types.submodule {
+ enableForwarding = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Set up IP forwarding on the host.
+ '';
+ };
+
+ servers = mkOption {
+ default = {};
+
+ example = literalExample ''
+ {
+ server = {
+ config = '''
+ # Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
+ # server :
+ dev tun
+ ifconfig 10.8.0.1 10.8.0.2
+ secret /root/static.key
+ ''';
+ up = "ip route add ...";
+ down = "ip route del ...";
+ };
+
+ client = {
+ config = '''
+ client
+ remote vpn.example.org
+ dev tun
+ proto tcp-client
+ port 8080
+ ca /root/.vpn/ca.crt
+ cert /root/.vpn/alice.crt
+ key /root/.vpn/alice.key
+ ''';
+ up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
+ down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
+ };
+ }
+ '';
- options = {
- username = mkOption {
- description = "The username to store inside the credentials file.";
- type = types.string;
- };
+ description = ''
+ Each attribute of this option defines a systemd service that
+ runs an OpenVPN instance. These can be OpenVPN servers or
+ clients. The name of each systemd service is
+ openvpn-name.service,
+ where name is the corresponding
+ attribute name.
+ '';
- password = mkOption {
- description = "The password to store inside the credentials file.";
- type = types.string;
+ type = with types; attrsOf (submodule {
+
+ options = {
+
+ config = mkOption {
+ type = types.lines;
+ description = ''
+ Configuration of this OpenVPN instance. See
+ openvpn8
+ for details.
+ '';
+ };
+
+ up = mkOption {
+ default = "";
+ type = types.lines;
+ description = ''
+ Shell commands executed when the instance is starting.
+ '';
+ };
+
+ down = mkOption {
+ default = "";
+ type = types.lines;
+ description = ''
+ Shell commands executed when the instance is shutting down.
+ '';
+ };
+
+ autoStart = mkOption {
+ default = true;
+ type = types.bool;
+ description = "Whether this OpenVPN instance should be started automatically.";
+ };
+
+ updateResolvConf = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Use the script from the update-resolv-conf package to automatically
+ update resolv.conf with the DNS information provided by openvpn. The
+ script will be run after the "up" commands and before the "down" commands.
+ '';
+ };
+
+ authUserPass = mkOption {
+ default = null;
+ description = ''
+ This option can be used to store the username / password credentials
+ with the "auth-user-pass" authentication method.
+
+ WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
+ '';
+ type = types.nullOr (types.submodule {
+
+ options = {
+ username = mkOption {
+ description = "The username to store inside the credentials file.";
+ type = types.string;
+ };
+
+ password = mkOption {
+ description = "The password to store inside the credentials file.";
+ type = types.string;
+ };
};
- };
- });
+ });
+ };
};
- };
- });
+ });
+
+ };
};
};
-
###### implementation
config = mkIf (cfg.servers != {}) {
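Review bot: The description of the new `enableForwarding` option ("Set up IP forwarding on the host.") understates what the option does: judging from the implementation added in the next hunk it flips `net.ipv4.ip_forward` system-wide, which makes the machine route between every interface it has, not just the tun device of the VPN, and the module adds no firewall rules to constrain that. The option also only takes effect when `cfg.servers` is non-empty, since the whole `config` block is gated on that, and it is not tied to a particular instance being started. A description along the lines of `Enable IPv4 forwarding (net.ipv4.ip_forward) on the host so traffic can be routed between the VPN tunnel and other interfaces. This affects all interfaces, not only the tunnel; restrict forwarded traffic with firewall rules. Only applied when at least one server is defined.` would give users the information they need to decide. Mentioning that IPv6 forwarding is not enabled by this option would also avoid surprises.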
@@ -208,6 +219,8 @@ in
boot.kernelModules = [ "tun" ];
+ boot.kernel.sysctl = lib.mkIf cfg.enableForwarding { "net.ipv4.ip_forward" = true; };
+
};
}
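Review bot: The sysctl added here only sets `net.ipv4.ip_forward`, so an option named `enableForwarding` will silently not forward IPv6 traffic; if v6 over the tunnel is intended, the line should become `boot.kernel.sysctl = mkIf cfg.enableForwarding { "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; };`, otherwise the option should be named or documented as IPv4-only. Because this is a boot-time sysctl it is active whenever the configuration is built, including when every instance has `autoStart = false` and no tunnel is up, so the host routes between all its interfaces at all times; the commit adds no forward/filter rules, so this deserves at least a comment such as `# Host-wide; restrict forwarded traffic with firewall rules.` On style, the surrounding file uses bare `mkIf` (see the `config = mkIf (cfg.servers != {})` line), so `lib.mkIf` here is inconsistent. The enclosing `config` attribute set starts outside this hunk.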