Hi,

I have a vpn configuration that doesn't use cert and key configuration lines, so I receive errors like the following in /var/log/messages when trying to start the vpn-client service:

localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)

(the lines would say the default /etc/openvpn/client.crt if I hadn't specified (cert "disabled") etc. in the guix service config)

I need a way to stop these lines from being generated into the config file.

On a related note, it would be great if other configuration options were added to this service as well. Below is my openvpn-client-service config, where the commented lines are from the regular config file which I'm trying to define; as you can see, many of the config options can't be specified by openvpn-client-service (e.g. the cipher option, the replay-window option etc.):

  (openvpn-client-service
   #:config
   (let* ((myuser "myuser")
          [base-dir (string-append "/home/" myuser "/src/my-guixsd-config/etc_openvpn/")])
     (openvpn-client-configuration
      ;; client
      (dev 'tun)
      ;; remote-random
      (proto 'udp)
      ;; mute-replay-warnings
      ;; replay-window 256
      ;; remote-cert-tls server lines is generated somehow
      ;; remote-cert-tls server
      ;; cipher aes-256-cbc
      ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
      ;; pull
      ;; nobind
      (bind? #f)
      ;; reneg-sec 432000
      ;; resolv-retry infinite
      (resolv-retry? #t)
      ;; compress lzo
      (comp-lzo? #t)
      ;; verb 3
      (verbosity 3)
      ;; persist-key
      (persist-key? #t)
      ;; persist-tun
      (persist-tun? #t)
      ;; auth-user-pass /etc/openvpn/credentials
      (auth-user-pass (string-append base-dir "credentials"))
      ;; ca /etc/openvpn/ovpn-ca.crt
      (ca (string-append base-dir "ovpn-ca.crt"))
      ;; tls-auth /etc/openvpn/ovpn-tls.key 1
      (tls-auth (string-append base-dir "ovpn-tls.key"))
      ;; Generates error messages in /var/log/messages about missing /etc/openvpn/client.crt etc
      (key "disabled")
      (cert "disabled")
      ;; log /tmp/openvpn.log
      ;; script-security 2
      ;; resolv-conf scripts not needed for guix
      ;; up /etc/openvpn/update-resolv-conf
      ;; down /etc/openvpn/update-resolv-conf
      (fast-io? #t)
      (remote
       (list
        ;; Resolves to multiple vpn servers in location
        (openvpn-remote-configuration (name "pool-1.prd.se.sthlm.ovpn.com") (port 1196))
        (openvpn-remote-configuration (name "pool-1.prd.se.sthlm.ovpn.com") (port 1197))
        (openvpn-remote-configuration (name "pool-2.prd.se.sthlm.ovpn.com") (port 1196))
        (openvpn-remote-configuration (name "pool-2.prd.se.sthlm.ovpn.com") (port 1197)))))))

Best regards,
David
On 2020-07-26 04:53, david larsson wrote:
> Hi,
> I have a vpn configuration that doesn't use cert and key configuration
> lines so I receive errors like the following in /var/log/messages when
> trying to start the vpn-client service:
>
> localhost openvpn[1660]: Options error: --cert fails with 'disabled':
> No such file or directory (errno=2)
> localhost openvpn[1660]: Options error: --key fails with 'disabled':
> No such file or directory (errno=2)
>
> (the lines would say the default /etc/openvpn/client.crt if I wouldn't
> have specified (cert "disabled") etc. in the guix service config)
>
>
> I need a way to disable that these lines are being generated to the
> config-file.
>
Can be solved by changing those options to maybe-strings in
gnu/services/vpn.scm and setting the default to disabled:

  (cert
   ;;(string "/etc/openvpn/client.crt")
   (maybe-string 'disabled)
   "The certificate of the machine the daemon is running on. It should
be signed by the authority given in @code{ca}.")
  (key
   ;;(string "/etc/openvpn/client.key")
   (maybe-string 'disabled)
   "The key of the machine the daemon is running on. It must be the key
whose certificate is @code{cert}.")
I may eventually send some patches, including the addition of some more
config-options.
Best regards,
David
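The mechanism the reply relies on, shown as an added stand-alone Guile illustration that is not Guix's own code: a maybe-string field whose value is the symbol 'disabled produces no line in the generated openvpn config, while a string produces "option value". The serializer names and the sample alist are assumptions constructed for this example; Guix's real serializers live in gnu/services/vpn.scm and gnu/services/configuration.scm.

```scheme
;; Added illustration, not Guix's own code: mimics how a maybe-string
;; field can be serialized so that 'disabled yields no config line.
(use-modules (ice-9 format)
             (srfi srfi-1))

(define (serialize-string field-name value)
  ;; A plain string field always produces one "option value" line.
  (format #f "~a ~a~%" field-name value))

(define (serialize-maybe-string field-name value)
  ;; The symbol 'disabled means "leave this option out entirely";
  ;; note that the string "disabled" would NOT match and would be
  ;; emitted as a file name, which is exactly what the report shows.
  (if (eq? value 'disabled)
      ""
      (serialize-string field-name value)))

(define (generate-config fields)
  ;; FIELDS is an alist of (option . value); concatenate the lines.
  (apply string-append
         (map (lambda (field)
                (serialize-maybe-string (car field) (cdr field)))
              fields)))

;; Constructed sample mirroring the report: ca, auth-user-pass and
;; tls-auth point at files, cert and key use the proposed 'disabled.
(define sample-fields
  '((ca . "/home/myuser/src/my-guixsd-config/etc_openvpn/ovpn-ca.crt")
    (cert . disabled)
    (key . disabled)
    (auth-user-pass . "/home/myuser/src/my-guixsd-config/etc_openvpn/credentials")
    (tls-auth . "/home/myuser/src/my-guixsd-config/etc_openvpn/ovpn-tls.key")))

(define (config-omits-disabled? config)
  ;; True when no line starts with "cert " or "key ", i.e. openvpn will
  ;; not be asked to open a file literally named "disabled".
  (not (any (lambda (line)
              (or (string-prefix? "cert " line)
                  (string-prefix? "key " line)))
            (string-split config #\newline))))

(define config (generate-config sample-fields))
(display config)
(unless (config-omits-disabled? config)
  (error "cert or key line was emitted despite being 'disabled"))
```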
From 5014aa2f455b127deaa013f327dc1cc42d0e1772 Mon Sep 17 00:00:00 2001 From: David Larsson <david.larsson@selfhosted.xyz> Date: Sat, 1 Aug 2020 00:16:02 +0200 Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file. * gnu/services/vpn.scm (openvpn-client-configuration) (openvpn-server-configuration): Change cert and key options to type maybe-string. --- gnu/services/vpn.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 658d5c3e88..6155fd7938 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu> ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org> ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com> +;;; Copyright © 2020 David Larsson <david.larsson@selfhosted.xyz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -277,12 +278,12 @@ servers.") "The certificate authority to check connections against.") (cert - (string "/etc/openvpn/client.crt") + (maybe-string 'disabled) "The certificate of the machine the daemon is running on. It should be signed by the authority given in @code{ca}.") (key - (string "/etc/openvpn/client.key") + (maybe-string 'disabled) "The key of the machine the daemon is running on. It must be the key whose certificate is @code{cert}.") -- 2.18.0
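Review bot: In the cert/key hunk the two fields only change type and default, so whether the option line is actually left out of the generated file depends on the existing maybe-string serializer in vpn.scm treating 'disabled as "emit nothing"; the commit message should say that this relies on that serializer, and each docstring should state that 'disabled is accepted and omits the option. Changing the defaults from "/etc/openvpn/client.crt" and "/etc/openvpn/client.key" to 'disabled is also a behaviour change for configurations that relied on those default paths, and with both fields disabled the client presents no certificate at all, leaving client authentication to the remaining fields (auth-user-pass, tls-auth); consider keeping the old defaults and letting users opt out with 'disabled, or at least calling the default change out in the commit message and docstrings.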