From: david larsson <david.larsson@selfhosted.xyz>
To: Damien Cassou <damien@cassou.me>
Cc: bug-Guix <bug-guix-bounces+someone=selfhosted.xyz@gnu.org>,
39542@debbugs.gnu.org
Subject: bug#39542: Adding openvpn client configurations to guix system
Date: Sat, 01 Aug 2020 13:44:24 +0000 [thread overview]
Message-ID: <ed1d83f2e7970c6367b2d2a43082bbcd@selfhosted.xyz> (raw)
In-Reply-To: <877e0u306c.fsf@cassou.me>
On 2020-02-10 15:57, Damien Cassou wrote:
> Julien Lepiller <julien@lepiller.eu> writes:
>> We already have an openvpn-client-service-type and an
>> openvpn-server-service-type. It's not linked to network manager
>> though, I have no idea what it expects there. What do you need
>> exactly?
>
> It seems to me that gnu/services/vpn.scm defines
> openvpn-server-service-type that triggers the generation of a shepherd
> service.
>
> At the office we use 3 different VPNs that we activate on demand (test,
> acceptance and production). If we follow the vpn.scm way, it seems that
> this would require 3 shepherd services but I guess it's not possible to
> instantiate the openvpn-client-service-type more than once. This seems
> to be a dead end to me.
Hi Damien,
I think I have a solution for you, where you can start 3 different VPNs
with herd start vpn1-client, herd start vpn2-client etc.

Below is an ovpn-service.scm module, modeled after vpn.scm, which you
can include with (use-modules (ovpn-service)) in your config.scm, by
saving it in the same dir as config.scm. This is tested and works.

Now, I think you can modify all occurrences of the word "ovpn" to, say,
vpn1, vpn2, and vpn3, and save 3 different files, and then use
(use-modules (vpn1-service) (vpn2-service) (vpn3-service)) etc. in the
config.scm. An example configuration in the config.scm OS-services
section would be:
(ovpn-client-service
 #:config
 (let ((base-dir "/home/myuser/src/my-guixsd-config/etc_openvpn/"))
   (ovpn-client-configuration
    ;; client
    (dev 'tun)
    ;; remote-random
    (proto 'udp)
    ;; mute-replay-warnings
    ;; replay-window 256
    ;; remote-cert-tls server line is generated somehow
    ;; remote-cert-tls server
    ;; cipher aes-256-cbc
    ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
    ;; pull
    ;; nobind
    (bind? #f)
    ;; reneg-sec 432000
    ;; resolv-retry infinite
    (resolv-retry? #t)
    ;; compress lzo
    (comp-lzo? #t)
    ;; verb 3
    (verbosity 3)
    ;; persist-key
    (persist-key? #t)
    ;; persist-tun
    (persist-tun? #t)
    ;; auth-user-pass /etc/openvpn/credentials
    (auth-user-pass (string-append base-dir "credentials"))
    ;; ca /etc/openvpn/ovpn-ca.crt
    (ca (string-append base-dir "ovpn-ca.crt"))
    ;; tls-auth /etc/openvpn/ovpn-tls.key 1
    (tls-auth (string-append base-dir "ovpn-tls.key"))
    ;; log /tmp/openvpn.log
    ;; script-security 2
    ;; resolv-conf scripts not needed for guix
    ;; up /etc/openvpn/update-resolv-conf
    ;; down /etc/openvpn/update-resolv-conf
    (fast-io? #t)
    (remote
     (list
      ;; Resolves to multiple vpn servers in location
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1196))
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1197))
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1196))
      (ovpn-remote-configuration
       (name "whatever.ovpn.com")
       (port 1197)))))))
Please let me know if this works for you!
Best regards,
David Larsson
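As an added alternative to the module-copying approach above (example code written for this page, not from David's message or from Guix's vpn.scm): a single simple-service can hand three independent, on-demand shepherd services to shepherd-root-service-type, each running openvpn against its own pre-written client config. The service names and the /etc/openvpn/*.conf paths are assumptions.

```scheme
;; Added example: three on-demand OpenVPN clients as plain shepherd services.
;; One simple-service extends shepherd-root-service-type, so no service type
;; has to be instantiated more than once.  Names and paths are assumptions;
;; each .conf is a normal OpenVPN client config (and, like any credential
;; file it references via auth-user-pass, should be readable by root only).
(use-modules (gnu services)
             (gnu services shepherd)
             (gnu packages vpn)
             (guix gexp))

;; Build one shepherd service, provided as NAME-client, that runs openvpn
;; in the foreground on CONFIG-FILE.  auto-start? is #f so each VPN is only
;; brought up with `herd start NAME-client` and torn down with `herd stop`.
(define (on-demand-openvpn-client name config-file)
  (shepherd-service
   (provision (list (symbol-append name '-client)))
   (requirement '(networking))
   (documentation
    (string-append "On-demand OpenVPN client using " config-file))
   (start #~(make-forkexec-constructor
             (list #$(file-append openvpn "/sbin/openvpn")
                   "--config" #$config-file)))
   (stop #~(make-kill-destructor))
   (auto-start? #f)
   (respawn? #f)))

;; One extension carrying all three services; add %on-demand-vpn-clients to
;; the (services ...) list of the operating-system declaration.
(define %on-demand-vpn-clients
  (simple-service 'on-demand-vpn-clients
                  shepherd-root-service-type
                  (list (on-demand-openvpn-client
                         'test "/etc/openvpn/test.conf")
                        (on-demand-openvpn-client
                         'acceptance "/etc/openvpn/acceptance.conf")
                        (on-demand-openvpn-client
                         'production "/etc/openvpn/production.conf"))))
```

After `guix system reconfigure`, `herd start test-client` brings up one VPN and `herd stop test-client` tears it down; the three services have distinct provision names, so they coexist without any change to the openvpn-client-service-type in vpn.scm.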