unofficial mirror of bug-guix@gnu.org 
* bug#42544: openvpn service requires cert and key configuration
@ 2020-07-26  4:53 david larsson
  2020-07-28  4:27 ` david larsson
  2020-07-31 23:44 ` bug#42544: [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file david larsson
From: david larsson @ 2020-07-26  4:53 UTC (permalink / raw)
  To: 42544

Hi,
I have a vpn configuration that doesn't use cert and key configuration
lines, so I receive errors like the following in /var/log/messages when
trying to start the vpn-client service:

localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)

(the lines would say the default /etc/openvpn/client.crt if I hadn't
specified (cert "disabled") etc. in the guix service config)


I need a way to prevent these lines from being generated into the
config file.


On a related note, it would be great if other configuration options were
added to this service as well. Below is my openvpn-client-service config,
where the commented lines are from the regular config file which I'm
trying to define; as you can see, many of the config options can't be
specified by openvpn-client-service (e.g. the cipher option, the
replay-window option etc.):

    (openvpn-client-service
     #:config
     (let* ((myuser "myuser")
            (base-dir (string-append "/home/" myuser
                                     "/src/my-guixsd-config/etc_openvpn/")))
       (openvpn-client-configuration
        ;; client
        (dev 'tun)
        ;; remote-random
        (proto 'udp)
        ;; mute-replay-warnings
        ;; replay-window 256

        ;; a "remote-cert-tls server" line is generated somehow
        ;; remote-cert-tls server

        ;; cipher aes-256-cbc
        ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
        ;; pull
        ;; nobind
        (bind? #f)
        ;; reneg-sec 432000
        ;; resolv-retry infinite
        (resolv-retry? #t)
        ;; compress lzo
        (comp-lzo? #t)
        ;; verb 3
        (verbosity 3)
        ;; persist-key
        (persist-key? #t)
        ;; persist-tun
        (persist-tun? #t)
        ;; auth-user-pass /etc/openvpn/credentials
        (auth-user-pass (string-append base-dir "credentials"))
        ;; ca /etc/openvpn/ovpn-ca.crt
        (ca (string-append base-dir "ovpn-ca.crt"))
        ;; tls-auth /etc/openvpn/ovpn-tls.key 1
        (tls-auth (string-append base-dir "ovpn-tls.key"))
        ;; Generates error messages in /var/log/messages about missing
        ;; /etc/openvpn/client.crt etc.
        (key "disabled")
        (cert "disabled")

        ;; log /tmp/openvpn.log
        ;; script-security 2
        ;; resolv-conf scripts not needed for guix
        ;; up /etc/openvpn/update-resolv-conf
        ;; down /etc/openvpn/update-resolv-conf

        (fast-io? #t)
        (remote
         (list
          ;; Resolves to multiple vpn servers in location
          (openvpn-remote-configuration
           (name "pool-1.prd.se.sthlm.ovpn.com")
           (port 1196))
          (openvpn-remote-configuration
           (name "pool-1.prd.se.sthlm.ovpn.com")
           (port 1197))
          (openvpn-remote-configuration
           (name "pool-2.prd.se.sthlm.ovpn.com")
           (port 1196))
          (openvpn-remote-configuration
           (name "pool-2.prd.se.sthlm.ovpn.com")
           (port 1197)))))))

Best regards,
David

* bug#42544: openvpn service requires cert and key configuration
From: david larsson @ 2020-07-28  4:27 UTC (permalink / raw)
  To: 42544; +Cc: bug-Guix

On 2020-07-26 04:53, david larsson wrote:
> Hi,
> I have a vpn configuration that doesn't use cert and key configuration
> lines, so I receive errors like the following in /var/log/messages when
> trying to start the vpn-client service:
> 
> localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
> localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)
> 
> (the lines would say the default /etc/openvpn/client.crt if I hadn't
> specified (cert "disabled") etc. in the guix service config)
> 
> 
> I need a way to prevent these lines from being generated into the
> config file.
> 

Can be solved by changing those options to maybe-strings in
gnu/services/vpn.scm and setting the default to disabled:

    (cert
     ;;(string "/etc/openvpn/client.crt")
     (maybe-string 'disabled)
     "The certificate of the machine the daemon is running on. It should be signed
by the authority given in @code{ca}.")

    (key
     ;;(string "/etc/openvpn/client.key")
     (maybe-string 'disabled)
     "The key of the machine the daemon is running on. It must be the key whose
certificate is @code{cert}.")

I may eventually send some patches, including the addition of some more 
config-options.

Best regards,
David
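To make the difference between the two field types concrete, here is an added Guile illustration (not code from Guix or from the reporter) of a simplified serializer in the style the thread describes: a plain `string' field always emits its directive, so the placeholder "disabled" ends up in the file as a path, while a `maybe-string' field is skipped when its value is the symbol 'disabled. The file paths are constructed for the example.

```scheme
;; Added illustration, not Guix's own serializer: a simplified model of how a
;; define-configuration field becomes one line of the openvpn config file.
(use-modules (ice-9 match))

;; A `string' field always emits a directive, so the placeholder string
;; "disabled" is written out as `cert disabled', which openvpn reads as a path.
(define (serialize-string name value)
  (format #f "~a ~a\n" name value))

;; A `maybe-string' field emits nothing when the value is the symbol
;; 'disabled and otherwise behaves like a string field.
(define (serialize-maybe-string name value)
  (if (eq? value 'disabled)
      ""
      (serialize-string name value)))

;; Each entry is (directive serializer value); render the whole config.
(define (render fields)
  (string-concatenate
   (map (match-lambda ((name serializer value) (serializer name value)))
        fields)))

;; Before the patch: cert/key are plain strings, so the only way to "turn
;; them off" is a bogus path, which openvpn rejects at startup.
(define before
  `((ca             ,serialize-maybe-string "/etc/openvpn/ovpn-ca.crt")
    (auth-user-pass ,serialize-maybe-string "/etc/openvpn/credentials")
    (cert           ,serialize-string       "disabled")
    (key            ,serialize-string       "disabled")))

;; After the patch: cert/key are maybe-strings defaulting to 'disabled,
;; so the two directives are simply left out of the file.
(define after
  `((ca             ,serialize-maybe-string "/etc/openvpn/ovpn-ca.crt")
    (auth-user-pass ,serialize-maybe-string "/etc/openvpn/credentials")
    (cert           ,serialize-maybe-string disabled)
    (key            ,serialize-maybe-string disabled)))

(display "--- before ---\n") (display (render before))
(display "--- after ---\n")  (display (render after))
```

Run with `guile example.scm`; the "before" output contains the two `cert disabled` / `key disabled` lines that produced the "No such file or directory" errors in the original report, and the "after" output does not.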

* bug#42544: [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file.
From: david larsson @ 2020-07-31 23:44 UTC (permalink / raw)
  To: guix-patches

From 5014aa2f455b127deaa013f327dc1cc42d0e1772 Mon Sep 17 00:00:00 2001
From: David Larsson <david.larsson@selfhosted.xyz>
Date: Sat, 1 Aug 2020 00:16:02 +0200
Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options
  optional to include in the openvpn config file.

* gnu/services/vpn.scm (openvpn-client-configuration) 
(openvpn-server-configuration): Change cert and key options to type 
maybe-string.
---
  gnu/services/vpn.scm | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 658d5c3e88..6155fd7938 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -2,6 +2,7 @@
  ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
  ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
  ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2020 David Larsson <david.larsson@selfhosted.xyz>
  ;;;
  ;;; This file is part of GNU Guix.
  ;;;
@@ -277,12 +278,12 @@ servers.")
      "The certificate authority to check connections against.")

     (cert
-    (string "/etc/openvpn/client.crt")
+    (maybe-string 'disabled)
      "The certificate of the machine the daemon is running on. It should 
be signed
  by the authority given in @code{ca}.")

     (key
-    (string "/etc/openvpn/client.key")
+    (maybe-string 'disabled)
      "The key of the machine the daemon is running on. It must be the 
key whose
  certificate is @code{cert}.")
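Review bot: the docstrings for cert and key in this hunk still read as if a path were mandatory and say nothing about the new 'disabled default, so a reader of the generated documentation cannot tell that leaving the field out now omits the --cert/--key directives; suggest appending to each something like "Set to @code{'disabled} (the default) to omit this option, for example when authenticating with @code{auth-user-pass} only." The change is also a silent default change: a configuration that previously relied on the implicit "/etc/openvpn/client.crt" and "/etc/openvpn/client.key" removed in the `-` lines will now start OpenVPN with no client certificate or key at all, which deserves a sentence in the commit message. Finally, the ChangeLog entry names both (openvpn-client-configuration) and (openvpn-server-configuration) while the diff touches a single field definition; if the fields are shared between the two, say so in the entry, otherwise the server side is missing.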

-- 
2.18.0
