From: ludo@gnu.org (Ludovic Courtès)
To: Julien Lepiller <tyreunom@lepiller.eu>
Cc: guix-devel@gnu.org
Subject: Re: workin on openvpn service
Date: Wed, 26 Oct 2016 13:46:39 +0200	[thread overview]
Message-ID: <87k2cvuycg.fsf@gnu.org> (raw)
In-Reply-To: <20161019224153.7be605f1@lepiller.eu> (Julien Lepiller's message of "Wed, 19 Oct 2016 22:41:53 +0200")

Hello!

Julien Lepiller <tyreunom@lepiller.eu> skribis:

> I'm currently writing an openvpn service. Here is the patch (wip). It
> works for the client part, I didn't test the server part yet (but it
> generates a configuration file).

Sounds useful!

> First, how could I make openvpn-config-file look better?

You could use macros to simplify this.  In (gnu services dovecot) and
(gnu services cups), Andy added tools that allow you to describe typed
configuration parameters, and then generate a serialization procedure
that produces the right config file.

The goal is to extract this support code to remove duplication and
possibly use it elsewhere:

  https://lists.gnu.org/archive/html/guix-devel/2016-10/msg00490.html

So I’d suggest looking into it and see whether it would work for you
and/or what would be needed to make it work for you.

> When running as a server, the configuration may specify a ccd directory
> that contains files with information about clients (one client per
> file, named after the CN of the client's certificate). This file can be
> used to assign a specific IP to the client, or allow its subnet to
> access the VPN. They are tightly coupled with the configuration file.
> For instance, to allow "Alice"'s subnet to access the VPN, you would:
>
> create a ccd/Alice file with content:
>
>> iroute 192.168.1.0/24
>
> and add this configuration in the main server's configuration file:
>
>> route 192.168.1.0/24
>
> and optionally (in conjunction with client-to-client):
>
>> push "route 192.168.1.0/24"
>
> So I would like to create a record to contain information for each
> client, something like <openvpn-client-ccd>, that would contain a
> name, a subnet and a specific VPN IP address ("ifconfig-push" in the ccd
> file). The VPN IP has some restrictions on its last byte (should be one
> of 1, 5, 9, 13, 17, ..., 253). How would you verify that?

I would suggest writing a separate validation procedure for
<openvpn-client-ccd> records, similar to the suggestion at the bottom of
<https://lists.gnu.org/archive/html/guix-devel/2016-10/msg00303.html>.

> Is this the good approach? Also, how would you create multiple ccd
> files for different clients in the same directory (preferably
> in /gnu/store)?

You can use ‘computed-file’ to create a directory containing the files.

> From 272939aad601f7a0c736449edcfcc64dffe0a370 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Tue, 18 Oct 2016 23:16:31 +0200
> Subject: [PATCH] gnu: Add openvpn services
>
> * gnu/services/vpn.scm: new file.
> * gnu/local.mk(GNU_SYSTEM_MODULES): add it

[...]

> +(define (get-openvpn-shepherd-service role)
> +  (lambda (config)
> +          (define pid-file
             ^
Should be aligned with the ‘a’ of ‘lambda’.

HTH!

Ludo’.
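The separate validation procedure and the ccd serialization discussed in this thread, as an added example in plain Guile (not Julien's patch and not code from Guix): it uses an SRFI-9 record instead of Guix's define-record-type* so it runs under a stock `guile`, and the <openvpn-client-ccd> field names, the procedure names, and the net30 /30 peer derivation for ifconfig-push are this example's own assumptions, not something the thread states.

```scheme
;; Added example, not part of the patch under review.
(use-modules (srfi srfi-1)
             (srfi srfi-9)
             (ice-9 match))

;; Field names are an assumption of this example.
(define-record-type <openvpn-client-ccd>
  (openvpn-client-ccd name subnet vpn-ip)
  openvpn-client-ccd?
  (name   openvpn-client-ccd-name)     ; CN of the client certificate = file name
  (subnet openvpn-client-ccd-subnet)   ; "192.168.1.0/24" or #f
  (vpn-ip openvpn-client-ccd-vpn-ip))  ; address for ifconfig-push, or #f

(define (dotted-quad->bytes str)
  "Return the four octets of STR as integers, or #f if STR is not a dotted quad."
  (let ((parts (map string->number (string-split str #\.))))
    (and (= 4 (length parts))
         (every (lambda (b) (and b (exact-integer? b) (<= 0 b 255))) parts)
         parts)))

(define (valid-ifconfig-push-ip? str)
  "True when STR is a dotted quad whose last octet is one of 1, 5, 9, ..., 253,
the set given in the thread (every fourth value, i.e. congruent to 1 mod 4)."
  (match (dotted-quad->bytes str)
    ((_ _ _ last) (and (<= 1 last 253) (= 1 (modulo last 4))))
    (_ #f)))

(define (valid-subnet? str)
  "True when STR has the form A.B.C.D/N with 0 <= N <= 32."
  (match (string-split str #\/)
    ((net prefix)
     (let ((n (string->number prefix)))
       (and (dotted-quad->bytes net) n (exact-integer? n) (<= 0 n 32))))
    (_ #f)))

(define (validate-openvpn-client-ccd ccd)
  "Raise an error naming the first invalid field of CCD; return CCD otherwise."
  (let ((name   (openvpn-client-ccd-name ccd))
        (subnet (openvpn-client-ccd-subnet ccd))
        (vpn-ip (openvpn-client-ccd-vpn-ip ccd)))
    ;; The name becomes a file name inside the ccd directory.
    (unless (and (string? name) (not (string-null? name))
                 (not (string-index name #\/)))
      (error "ccd: invalid client name" name))
    (when (and subnet (not (valid-subnet? subnet)))
      (error "ccd: invalid subnet" name subnet))
    (when (and vpn-ip (not (valid-ifconfig-push-ip? vpn-ip)))
      (error "ccd: VPN IP last octet must be one of 1, 5, 9, ..., 253"
             name vpn-ip))
    ccd))

(define (ifconfig-push-peer ip)
  "Return IP with its last octet incremented.  Assumption of this example:
with OpenVPN's default net30 topology, the address 4k+1 is paired with 4k+2
in the same /30, which is what ifconfig-push's second argument needs."
  (match (dotted-quad->bytes ip)
    ((a b c d) (format #f "~a.~a.~a.~a" a b c (+ d 1)))))

(define (ccd-file-content ccd)
  "Return the text of ccd/NAME: an ifconfig-push line and an iroute line."
  (let ((ip  (openvpn-client-ccd-vpn-ip ccd))
        (net (openvpn-client-ccd-subnet ccd)))
    (string-append
     (if ip
         (string-append "ifconfig-push " ip " " (ifconfig-push-peer ip) "\n")
         "")
     (if net (string-append "iroute " net "\n") ""))))

(define (ccd-directory-entries ccds)
  "Return an alist of (FILE-NAME . CONTENT) for the ccd directory, after
validating every record.  Under Guix these pairs would be written out by a
gexp handed to `computed-file'; here they are just returned."
  (map (lambda (ccd)
         (cons (openvpn-client-ccd-name ccd) (ccd-file-content ccd)))
       (map validate-openvpn-client-ccd ccds)))

(define* (server-config-lines ccds #:key client-to-client?)
  "Return the lines the main server configuration needs for CCDS: a `route'
for each client subnet, plus a pushed route when CLIENT-TO-CLIENT? is true."
  (append-map
   (lambda (ccd)
     (let ((net (openvpn-client-ccd-subnet ccd)))
       (if net
           (cons (string-append "route " net)
                 (if client-to-client?
                     (list (string-append "push \"route " net "\""))
                     '()))
           '())))
   ccds))

;; Constructed sample matching the "Alice" case from the thread.
(define alice (openvpn-client-ccd "Alice" "192.168.1.0/24" "10.8.0.5"))

(for-each (match-lambda
            ((file . content)
             (format #t "--- ccd/~a ---~%~a" file content)))
          (ccd-directory-entries (list alice)))
(display "--- server.conf additions ---\n")
(for-each (lambda (line) (display line) (newline))
          (server-config-lines (list alice) #:client-to-client? #t))
```

Keeping the checks in validate-openvpn-client-ccd rather than in the record constructor means a bad record fails at `guix system reconfigure` time with a message naming the client and the field, before anything is written to the store; an address such as "10.8.0.6" is rejected by the last-octet rule, and a name containing "/" is rejected because it would escape the ccd directory.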
