unofficial mirror of bug-guix@gnu.org 
From: david larsson <david.larsson@selfhosted.xyz>
To: Damien Cassou <damien@cassou.me>
Cc: bug-Guix <bug-guix-bounces+someone=selfhosted.xyz@gnu.org>,
	39542@debbugs.gnu.org
Subject: bug#39542: Adding openvpn client configurations to guix system
Date: Sat, 01 Aug 2020 13:44:24 +0000
Message-ID: <ed1d83f2e7970c6367b2d2a43082bbcd@selfhosted.xyz> (raw)
In-Reply-To: <877e0u306c.fsf@cassou.me>

On 2020-02-10 15:57, Damien Cassou wrote:
> Julien Lepiller <julien@lepiller.eu> writes:
>> We already have an openvpn-client-service-type and an
>> openvpn-server-service-type. It's not linked to network manager
>> though, I have no idea what it expects there. What do you need
>> exactly?
> 
> It seems to me that gnu/services/vpn.scm defines
> openvpn-server-service-type that triggers the generation of a shepherd
> service.
> 
> At the office we use 3 different VPNs that we activate on demand (test,
> acceptance and production). If we follow the vpn.scm way, it seems that
> this would require 3 shepherd services but I guess it's not possible to
> instantiate the openvpn-client-service-type more than once. This seems
> to be a dead end to me.

Hi Damien,

I think I have a solution for you, where you can start 3 different VPNs 
with herd start vpn1-client, herd start vpn2-client etc.

Below is an ovpn-service.scm module, modeled after vpn.scm, which you 
can include with (use-modules (ovpn-service)) in your config.scm, by 
saving it in the same dir as config.scm. This is tested and works.

Now, I think you can modify all occurrences of the word "ovpn" to, say, 
vpn1, vpn2, and vpn3, and save 3 different files, and then use 
(use-modules (vpn1-service) (vpn2-service) (vpn3-service)) etc. in the 
config.scm. An example configuration in the config.scm OS-services 
section would be:

(ovpn-client-service
 #:config
 (let ((base-dir "/home/myuser/src/my-guixsd-config/etc_openvpn/"))
   (ovpn-client-configuration
    ;; client
    (dev 'tun)
    ;; remote-random
    (proto 'udp)
    ;; mute-replay-warnings
    ;; replay-window 256

    ;; the "remote-cert-tls server" line is generated somehow
    ;; remote-cert-tls server

    ;; cipher aes-256-cbc
    ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
    ;; pull
    ;; nobind
    (bind? #f)
    ;; reneg-sec 432000
    ;; resolv-retry infinite
    (resolv-retry? #t)
    ;; compress lzo
    (comp-lzo? #t)
    ;; verb 3
    (verbosity 3)
    ;; persist-key
    (persist-key? #t)
    ;; persist-tun
    (persist-tun? #t)
    ;; auth-user-pass /etc/openvpn/credentials
    (auth-user-pass (string-append base-dir "credentials"))
    ;; ca /etc/openvpn/ovpn-ca.crt
    (ca (string-append base-dir "ovpn-ca.crt"))
    ;; tls-auth /etc/openvpn/ovpn-tls.key 1
    (tls-auth (string-append base-dir "ovpn-tls.key"))

    ;; log /tmp/openvpn.log
    ;; script-security 2
    ;; resolv-conf scripts not needed for guix
    ;; up /etc/openvpn/update-resolv-conf
    ;; down /etc/openvpn/update-resolv-conf

    (fast-io? #t)
    (remote
     (list
      ;; Resolves to multiple vpn servers in location
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1196))
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1197))
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1196))
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1197)))))))

Please let me know if this works for you!

Best regards,
David Larsson
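The message above works around the single-instance limit of openvpn-client-service-type (the shepherd service it defines has a fixed provision name, so a second instance collides with the first) by copying the service module once per VPN. The following is an added example, not the ovpn-service.scm module from the message and not code from Guix itself: it reaches the same goal with one module and only public Guix APIs (simple-service, shepherd-root-service-type, shepherd-service, plain-file), giving each VPN its own provision name and its own pid file. The module name multi-openvpn, the directory layout /etc/openvpn/<name>/ and the example hostnames are assumptions for illustration. The credential, CA and tls-auth files are referenced by path only, never via local-file or plain-file, because anything placed in /gnu/store is world-readable, while openvpn started by shepherd runs as root and can read a root-only 0700 directory at start time.

```scheme
;; multi-openvpn.scm: added example, not the module posted in the thread.
;; One shepherd service per VPN, all generated from a single module, so
;; "herd start test-client", "herd start acceptance-client", ... coexist
;; without copying vpn.scm three times.
(define-module (multi-openvpn)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages vpn)
  #:use-module (guix gexp)
  #:use-module (ice-9 match)
  #:export (openvpn-client-instance
            openvpn-client-instances))

;; Assumed (hypothetical) layout: /etc/openvpn/NAME/{credentials,ca.crt,tls.key},
;; owned by root, directory mode 0700, files mode 0600.  Only these *paths*
;; end up in the store-side config file; the secrets stay outside the store.
(define (openvpn-client-config-file name remotes)
  (plain-file
   (string-append name ".conf")
   (string-append
    "client\n"
    "dev tun\n"
    "proto udp\n"
    "nobind\n"
    "resolv-retry infinite\n"
    "persist-key\n"
    "persist-tun\n"
    "remote-cert-tls server\n"     ; refuse to talk to a server cert lacking the server EKU
    "verb 3\n"
    "auth-user-pass /etc/openvpn/" name "/credentials\n"
    "ca /etc/openvpn/" name "/ca.crt\n"
    "tls-auth /etc/openvpn/" name "/tls.key 1\n"
    ;; One "remote HOST PORT" line per (HOST . PORT) pair.
    (string-concatenate
     (map (match-lambda
            ((host . port)
             (string-append "remote " host " " (number->string port) "\n")))
          remotes)))))

(define (openvpn-client-instance name remotes)
  "Return a shepherd service providing NAME-client for the VPN called NAME.
REMOTES is a list of (HOST . PORT) pairs."
  ;; A per-instance pid file: with one shared pid path, two clients running
  ;; at the same time would overwrite each other's pid and confuse `herd stop'.
  (let ((pid-file (string-append "/var/run/openvpn-" name ".pid"))
        (config   (openvpn-client-config-file name remotes)))
    (shepherd-service
     (documentation (string-append "OpenVPN client for " name "."))
     (provision (list (string->symbol (string-append name "-client"))))
     (requirement '(networking))
     ;; On-demand VPNs: do not bring them up at boot.
     (auto-start? #f)
     (start #~(make-forkexec-constructor
               (list #$(file-append openvpn "/sbin/openvpn")
                     "--writepid" #$pid-file
                     "--config" #$config
                     "--daemon")
               #:pid-file #$pid-file))
     (stop #~(make-kill-destructor)))))

(define (openvpn-client-instances specs)
  "SPECS is a list of (NAME REMOTES) entries.  Return one service that
extends the shepherd root service with all the VPN clients at once."
  (simple-service 'openvpn-clients shepherd-root-service-type
                  (map (match-lambda
                         ((name remotes)
                          (openvpn-client-instance name remotes)))
                       specs)))

;; Usage in config.scm, after (use-modules (multi-openvpn)); hostnames are
;; placeholders:
;;
;;   (services
;;    (cons (openvpn-client-instances
;;           '(("test"       (("vpn-test.example.invalid" . 1194)))
;;             ("acceptance" (("vpn-acc.example.invalid"  . 1194)))
;;             ("production" (("vpn-prod.example.invalid" . 1194)
;;                            ("vpn-prod.example.invalid" . 1195)))))
;;          %base-services))
```

Two things this example does differently from the posted configuration, on purpose: it leaves compression out (the posted config enables comp-lzo, and compression on an OpenVPN tunnel is what the VORACLE attack exploits to recover plaintext), and it keys secrets under /etc/openvpn/ rather than under a user's home directory, so the files are readable by the root-run daemon but not by the login user whose home they would otherwise live in. After `guix system reconfigure`, `herd start test-client` and `herd stop test-client` work per VPN, and `herd status` lists all three.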




Thread overview: 6+ messages
2020-02-10  9:33 Damien Cassou
2020-02-10 12:31 ` Julien Lepiller
2020-02-10 15:57   ` Damien Cassou
2020-08-01 13:44     ` david larsson [this message]
2020-08-01 14:58       ` david larsson
2020-08-02 18:33       ` Damien Cassou
