unofficial mirror of bug-guix@gnu.org 
From: david larsson <david.larsson@selfhosted.xyz>
To: 42544@debbugs.gnu.org
Subject: bug#42544: openvpn service requires cert and key configuration
Date: Sun, 26 Jul 2020 04:53:35 +0000
Message-ID: <029ee37c6910a0136916fd1673a517bd@selfhosted.xyz>

Hi,
I have a vpn configuration that doesn't use cert and key configuration 
lines so I receive errors like the following in /var/log/messages when 
trying to start the vpn-client service:

localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)

(the lines would say the default /etc/openvpn/client.crt if I hadn't 
specified (cert "disabled") etc. in the guix service config)


I need a way to stop these lines from being generated into the 
config file.


On a related note, it would be great if other configuration options were 
added to this service as well. Below is my openvpn-client-service config, 
where the commented lines are from the regular config file which I'm 
trying to define; as you can see, many of the config options can't be 
specified by openvpn-client-service (e.g. the cipher option, the 
replay-window option, etc.):

                   (openvpn-client-service
                    #:config
                    (let* ((myuser "myuser")
                           (base-dir (string-append "/home/" myuser
                                                    "/src/my-guixsd-config/etc_openvpn/")))
                      (openvpn-client-configuration
                       ;; client
                       (dev 'tun)
                       ;; remote-random
                       (proto 'udp)
                       ;; mute-replay-warnings
                       ;; replay-window 256

                       ;; the "remote-cert-tls server" line is generated somehow
                       ;; remote-cert-tls server

                       ;; cipher aes-256-cbc
                       ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
                       ;; pull
                       ;; nobind
                       (bind? #f)
                       ;; reneg-sec 432000
                       ;; resolv-retry infinite
                       (resolv-retry? #t)
                       ;; compress lzo
                       (comp-lzo? #t)
                       ;; verb 3
                       (verbosity 3)
                       ;; persist-key
                       (persist-key? #t)
                       ;; persist-tun
                       (persist-tun? #t)
                       ;; auth-user-pass /etc/openvpn/credentials
                       (auth-user-pass (string-append base-dir "credentials"))
                       ;; ca /etc/openvpn/ovpn-ca.crt
                       (ca (string-append base-dir "ovpn-ca.crt"))
                       ;; tls-auth /etc/openvpn/ovpn-tls.key 1
                       (tls-auth (string-append base-dir "ovpn-tls.key"))
                       ;; Generates error messages in /var/log/messages
                       ;; about missing /etc/openvpn/client.crt etc.
                       (key "disabled")
                       (cert "disabled")

                       ;; log /tmp/openvpn.log
                       ;; script-security 2
                       ;; resolv-conf scripts not needed for guix
                       ;; up /etc/openvpn/update-resolv-conf
                       ;; down /etc/openvpn/update-resolv-conf

                       (fast-io? #t)
                       (remote
                        (list
                         ;; Resolves to multiple vpn servers in location
                         (openvpn-remote-configuration
                          (name "pool-1.prd.se.sthlm.ovpn.com")
                          (port 1196))
                         (openvpn-remote-configuration
                          (name "pool-1.prd.se.sthlm.ovpn.com")
                          (port 1197))
                         (openvpn-remote-configuration
                          (name "pool-2.prd.se.sthlm.ovpn.com")
                          (port 1196))
                         (openvpn-remote-configuration
                          (name "pool-2.prd.se.sthlm.ovpn.com")
                          (port 1197))))))

Best regards,
David
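An added example, not part of David's report or of Guix's service code: a small Python model of the two behaviours the report contrasts. It renders the path-taking OpenVPN options only when they are set (so no placeholder such as "disabled" reaches OpenVPN), checks a rendered config for paths that do not exist before the service is started, and parses the "Options error" lines quoted above. The log lines, paths and option list are constructed from the report.

```python
import os
import re

# Constructed sample of the /var/log/messages lines quoted in the report.
SAMPLE_LOG = """\
localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)
"""

# OpenVPN options from the report's config whose argument is a file path.
PATH_OPTIONS = ("ca", "cert", "key", "tls-auth", "auth-user-pass")

def render_client_config(fields):
    """Emit the path-taking lines of a client config.  A field set to
    None is omitted entirely (the behaviour the report asks for), so no
    placeholder path such as 'disabled' is handed to OpenVPN."""
    lines = ["client"]
    for opt in PATH_OPTIONS:
        value = fields.get(opt)
        if value is not None:
            lines.append(f"{opt} {value}")
    return "\n".join(lines) + "\n"

def missing_files(config_text, exists=os.path.exists):
    """Return (option, path) pairs whose path does not exist: the lines
    OpenVPN would refuse with errno=2 at startup.  'exists' is injectable
    so the check can be run against constructed paths."""
    problems = []
    for line in config_text.splitlines():
        parts = line.split()
        # tls-auth may carry a trailing key-direction argument; the path is parts[1].
        if len(parts) >= 2 and parts[0] in PATH_OPTIONS and not exists(parts[1]):
            problems.append((parts[0], parts[1]))
    return problems

ERR_RE = re.compile(r"Options error: --(\S+) fails with '([^']*)': .*\(errno=(\d+)\)")

def parse_options_errors(log_text):
    """Extract (option, path, errno) triples from 'Options error' log lines."""
    found = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found

if __name__ == "__main__":
    print(parse_options_errors(SAMPLE_LOG))
    old = render_client_config({"cert": "disabled", "key": "disabled"})
    print(missing_files(old, exists=lambda p: False))
```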

Thread overview: 3+ messages
2020-07-26  4:53 david larsson [this message]
2020-07-28  4:27 ` bug#42544: openvpn service requires cert and key configuration david larsson
2020-07-31 23:44 ` bug#42544: [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file david larsson