* bug#42544: openvpn service requires cert and key configuration
@ 2020-07-26 4:53 david larsson
2020-07-28 4:27 ` david larsson
2020-07-31 23:44 ` bug#42544: [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file david larsson
0 siblings, 2 replies; 3+ messages in thread
From: david larsson @ 2020-07-26 4:53 UTC
To: 42544
Hi,
I have a vpn configuration that doesn't use cert and key configuration
lines so I receive errors like the following in /var/log/messages when
trying to start the vpn-client service:
localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)
(the lines would say the default /etc/openvpn/client.crt if I wouldn't
have specified (cert "disabled") etc. in the guix service config)
I need a way to disable that these lines are being generated to the
config-file.
On a related note; it would be great if other configuration options are
added to this service as well. Below is my openvpn-client-service config
where the commented lines are from the regular config-file which I'm
trying to define; as you can see many of the config-options can't be
specified by openvpn-client-service (e.g. the cipher option, the
replay-window option etc):
(openvpn-client-service
 #:config
 (let* (
        (myuser "myuser")
        [base-dir (string-append "/home/" myuser
                                 "/src/my-guixsd-config/etc_openvpn/") ])
   (openvpn-client-configuration
    ;; client
    (dev 'tun)
    ;; remote-random
    (proto 'udp)
    ;; mute-replay-warnings
    ;; replay-window 256
    ;; remote-cert-tls server lines is generated somehow
    ;; remote-cert-tls server
    ;; cipher aes-256-cbc
    ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
    ;; pull
    ;; nobind
    (bind? #f)
    ;; reneg-sec 432000
    ;; resolv-retry infinite
    (resolv-retry? #t)
    ;; compress lzo
    (comp-lzo? #t)
    ;; verb 3
    (verbosity 3)
    ;; persist-key
    (persist-key? #t)
    ;; persist-tun
    (persist-tun? #t)
    ;; auth-user-pass /etc/openvpn/credentials
    (auth-user-pass (string-append base-dir "credentials"))
    ;; ca /etc/openvpn/ovpn-ca.crt
    (ca (string-append base-dir "ovpn-ca.crt"))
    ;; tls-auth /etc/openvpn/ovpn-tls.key 1
    (tls-auth (string-append base-dir "ovpn-tls.key"))
    ;; Generates error messages in /var/log/messages about missing /etc/openvpn/client.crt etc
    (key "disabled")
    (cert "disabled")
    ;; log /tmp/openvpn.log
    ;; script-security 2
    ;; resolv-conf scripts not needed for guix
    ;; up /etc/openvpn/update-resolv-conf
    ;; down /etc/openvpn/update-resolv-conf
    (fast-io? #t)
    (remote
     (list
      ;; Resolves to multiple vpn servers in location
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com")
       (port 1196))
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com")
       (port 1197))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com")
       (port 1196))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com")
       (port 1197))
      )))))
Best regards,
David
* bug#42544: openvpn service requires cert and key configuration
From: david larsson @ 2020-07-28 4:27 UTC
To: 42544; +Cc: bug-Guix
On 2020-07-26 04:53, david larsson wrote:
> Hi,
> I have a vpn configuration that doesn't use cert and key configuration
> lines so I receive errors like the following in /var/log/messages when
> trying to start the vpn-client service:
>
> localhost openvpn[1660]: Options error: --cert fails with 'disabled':
> No such file or directory (errno=2)
> localhost openvpn[1660]: Options error: --key fails with 'disabled':
> No such file or directory (errno=2)
>
> (the lines would say the default /etc/openvpn/client.crt if I wouldn't
> have specified (cert "disabled") etc. in the guix service config)
>
>
> I need a way to disable that these lines are being generated to the
> config-file.
>
Can be solved by changing those options to maybe-strings in
gnu/services/vpn.scm and setting the default to disabled:
(cert
 ;;(string "/etc/openvpn/client.crt")
 (maybe-string 'disabled)
 "The certificate of the machine the daemon is running on. It should be signed
by the authority given in @code{ca}.")
(key
 ;;(string "/etc/openvpn/client.key")
 (maybe-string 'disabled)
 "The key of the machine the daemon is running on. It must be the key whose
certificate is @code{cert}.")
I may eventually send some patches, including the addition of some more
config-options.
Best regards,
David
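A simplified model of the behaviour discussed in the two messages above, as an added example that is not part of the thread or of Guix's own code: a string field is always written to the generated file, so (cert "disabled") reaches openvpn as a path, while a maybe-string field set to the symbol 'disabled is left out. The procedure names and sample values are hypothetical and constructed for illustration; it runs in plain Guile without Guix modules.

```scheme
;; Added example: a simplified model, not the code in gnu/services/vpn.scm.
;; All procedure names below are hypothetical.

;; A string field is always written to the config file.
(define (serialize-string name value)
  (format #f "~a ~a~%" name value))

;; A maybe-string field is skipped when its value is the symbol 'disabled.
(define (serialize-maybe-string name value)
  (if (eq? value 'disabled)
      ""
      (serialize-string name value)))

;; Render an alist of (name . value) fields with the given serializer.
(define (render serializer fields)
  (string-concatenate
   (map (lambda (field) (serializer (car field) (cdr field)))
        fields)))

;; File-valued fields whose path does not exist; openvpn rejects these
;; at startup with "No such file or directory".
(define (missing-files fields)
  (filter (lambda (field)
            (and (string? (cdr field))
                 (not (file-exists? (cdr field)))))
          fields))

;; Constructed sample: (cert "disabled") as written in the report ...
(define reported
  '((cert . "disabled") (key . "disabled")))
;; ... and the symbol default proposed in the reply.
(define proposed
  '((cert . disabled) (key . disabled)))

;; Lines each variant would put in the generated config file.
(display (render serialize-string reported))
(display (render serialize-maybe-string proposed))

;; Names of the fields that would fail openvpn's file check.
(write (map car (missing-files reported)))
(newline)
(write (map car (missing-files proposed)))
(newline)
```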
* bug#42544: [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file.
From: david larsson @ 2020-07-31 23:44 UTC
To: guix-patches
From 5014aa2f455b127deaa013f327dc1cc42d0e1772 Mon Sep 17 00:00:00 2001
From: David Larsson <david.larsson@selfhosted.xyz>
Date: Sat, 1 Aug 2020 00:16:02 +0200
Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options
optional to include in the openvpn config file.
* gnu/services/vpn.scm (openvpn-client-configuration)
(openvpn-server-configuration): Change cert and key options to type
maybe-string.
---
gnu/services/vpn.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 658d5c3e88..6155fd7938 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2020 David Larsson <david.larsson@selfhosted.xyz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -277,12 +278,12 @@ servers.")
"The certificate authority to check connections against.")
(cert
- (string "/etc/openvpn/client.crt")
+ (maybe-string 'disabled)
"The certificate of the machine the daemon is running on. It should
be signed
by the authority given in @code{ca}.")
(key
- (string "/etc/openvpn/client.key")
+ (maybe-string 'disabled)
"The key of the machine the daemon is running on. It must be the
key whose
certificate is @code{cert}.")
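Review bot: The new default (maybe-string 'disabled) on cert and key replaces the old defaults "/etc/openvpn/client.crt" and "/etc/openvpn/client.key", so any existing configuration that left these fields unset and relied on those paths now has to set them explicitly. That is a behaviour change for certificate-authenticated setups and should be called out in the commit message. The two docstrings are unchanged and still describe the fields as if they were always present; please add a sentence saying that 'disabled leaves the option out of the generated file, and update the manual accordingly, since the diffstat shows only gnu/services/vpn.scm. The commit log names both openvpn-client-configuration and openvpn-server-configuration while this hunk touches a single cert/key pair whose old defaults were the client.* paths; if that definition is shared, please confirm that a server configuration should also default to having no cert and key.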
--
2.18.0