From: Damien Cassou
Subject: bug#39542: Adding openvpn client configurations to guix system
Date: Mon, 10 Feb 2020 16:57:15 +0100
To: julien@lepiller.eu, 39542@debbugs.gnu.org

Julien Lepiller writes:

> We already have an openvpn-client-service-type and an
> openvpn-server-service-type. It's not linked to network manager
> though, I have no idea what it expects there. What do you need
> exactly?

It seems to me that gnu/services/vpn.scm defines
openvpn-server-service-type that triggers the generation of a shepherd
service. At the office we use 3 different VPNs that we activate on
demand (test, acceptance and production).
If we follow the vpn.scm way, it seems that this would require 3
shepherd services but I guess it's not possible to instantiate the
openvpn-client-service-type more than once. This seems to be a dead end
to me.

Instead of using an openvpn client daemon, I'm using a network manager
connection for each VPN configuration I need. Then I can ask network
manager to activate the VPN I want, when I want it. Network manager is
responsible for calling the openvpn client binary.

Below is a typical nmconnection file for an openvpn client. Many fields
are similar to openvpn-client-configuration fields.

[connection]
id=some-name
uuid=a401d9bb-ab82-a84f-731a-0ed18ebc48af
type=vpn
autoconnect=false
permissions=

[vpn]
ca=/etc/openvpn/client/some-name-ca.crt
cert=/etc/openvpn/client/some-name.crt
cert-pass-flags=0
cipher=BF-CBC
comp-lzo=adaptive
connection-type=password-tls
dev=tun
key=/etc/openvpn/client/some-name.key
ns-cert-type=server
password-flags=0
remote=some-ip:port
username=some-username
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=some-password

[ipv4]
dns-search=
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto
never-default=true

-- 
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
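
Added example, not part of the original message and not Guix or NetworkManager code: a small Python audit of an nmconnection file like the one quoted above, reporting the settings a reviewer would question before such a file is generated for every machine. The function name `audit`, the finding codes and the policy sets are assumptions of this example; the sample is constructed from a subset of the fields in the message.

```python
import configparser

# Constructed sample: a subset of the fields from the message's nmconnection file.
SAMPLE = """\
[connection]
id=some-name
type=vpn
permissions=

[vpn]
cipher=BF-CBC
comp-lzo=adaptive
connection-type=password-tls
ns-cert-type=server
password-flags=0
remote=some-ip:port
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=some-password
"""

# Assumed policy for this example: ciphers with a 64-bit block are flagged.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def audit(text):
    """Return sorted finding codes for one NetworkManager OpenVPN keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    vpn = dict(cp["vpn"]) if cp.has_section("vpn") else {}
    secrets = dict(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else {}
    findings = set()
    # Any non-empty value here is a secret kept in clear text in the file.
    for name, value in secrets.items():
        if value:
            findings.add("inline-secret:" + name)
    if vpn.get("cipher", "").upper() in SMALL_BLOCK:
        findings.add("small-block-cipher:" + vpn["cipher"])
    # Compression before encryption can leak information about the plaintext.
    if vpn.get("comp-lzo", "") in ("yes", "adaptive"):
        findings.add("compression:" + vpn["comp-lzo"])
    # OpenVPN deprecated ns-cert-type in favour of remote-cert-tls.
    if "ns-cert-type" in vpn:
        findings.add("deprecated:ns-cert-type")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```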