GNU bug report logs - #39542
Adding openvpn client configurations to guix system


Package: guix;

Reported by: Damien Cassou <damien <at> cassou.me>

Date: Mon, 10 Feb 2020 09:34:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.




From: david larsson <david.larsson <at> selfhosted.xyz>
To: Damien Cassou <damien <at> cassou.me>
Cc: bug-Guix <bug-guix-bounces+someone=selfhosted.xyz <at> gnu.org>, julien <at> lepiller.eu, 39542 <at> debbugs.gnu.org
Subject: bug#39542: Adding openvpn client configurations to guix system
Date: Sat, 01 Aug 2020 13:44:24 +0000
On 2020-02-10 15:57, Damien Cassou wrote:
> Julien Lepiller <julien <at> lepiller.eu> writes:
>> We already have an openvpn-client-service-type and an
>> openvpn-server-service-type. It's not linked to network manager
>> though, I have no idea what it expects there. What do you need
>> exactly?
> 
> It seems to me that gnu/services/vpn.scm defines
> openvpn-server-service-type that triggers the generation of a shepherd
> service.
> 
> At the office we use 3 different VPNs that we activate on demand (test,
> acceptance and production). If we follow the vpn.scm way, it seems that
> this would require 3 shepherd services but I guess it's not possible to
> instantiate the openvpn-client-service-type more than once. This seems
> to be a dead end to me.

Hi Damien,

I think I have a solution for you, where you can start 3 different VPNs 
with herd start vpn1-client, herd start vpn2-client, etc.

Below is an ovpn-service.scm module, modeled after vpn.scm, which you 
can include with (use-modules (ovpn-service)) in your config.scm by 
saving it in the same dir as config.scm. This is tested and works.

Now, I think you can modify all occurrences of the word "ovpn" to, say, 
vpn1, vpn2, and vpn3, save 3 different files, and then use 
(use-modules (vpn1-service) (vpn2-service) (vpn3-service)) etc. in the 
config.scm. An example configuration in the config.scm OS services 
section would be:

  (ovpn-client-service
   #:config
   (let ([base-dir "/home/myuser/src/my-guixsd-config/etc_openvpn/"])
     (ovpn-client-configuration
      ;; client
      (dev 'tun)
      ;; remote-random
      (proto 'udp)
      ;; mute-replay-warnings
      ;; replay-window 256

      ;; the "remote-cert-tls server" line is generated somehow
      ;; remote-cert-tls server

      ;; cipher aes-256-cbc
      ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
      ;; pull
      ;; nobind
      (bind? #f)
      ;; reneg-sec 432000
      ;; resolv-retry infinite
      (resolv-retry? #t)
      ;; compress lzo
      (comp-lzo? #t)
      ;; verb 3
      (verbosity 3)
      ;; persist-key
      (persist-key? #t)
      ;; persist-tun
      (persist-tun? #t)
      ;; auth-user-pass /etc/openvpn/credentials
      (auth-user-pass (string-append base-dir "credentials"))
      ;; ca /etc/openvpn/ovpn-ca.crt
      (ca (string-append base-dir "ovpn-ca.crt"))
      ;; tls-auth /etc/openvpn/ovpn-tls.key 1
      (tls-auth (string-append base-dir "ovpn-tls.key"))

      ;; log /tmp/openvpn.log
      ;; script-security 2
      ;; resolv-conf scripts not needed for guix
      ;; up /etc/openvpn/update-resolv-conf
      ;; down /etc/openvpn/update-resolv-conf

      (fast-io? #t)
      (remote
       (list
        ;; Resolves to multiple vpn servers in location
        (ovpn-remote-configuration
         (name "whatever.ovpn.com")
         (port 1196))
        (ovpn-remote-configuration
         (name "whatever.ovpn.com")
         (port 1197))
        (ovpn-remote-configuration
         (name "whatever.ovpn.com")
         (port 1196))
        (ovpn-remote-configuration
         (name "whatever.ovpn.com")
         (port 1197)))))))

Please let me know if this works for you!

Best regards,
David Larsson
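The message above works around the one-instance limit by copying the module three times under different names. As an added example (not the ovpn-service.scm module from the message, nor anything from Guix itself), the following module takes the other route: a single service type whose value is a list of profiles, each of which becomes its own shepherd service, so `herd start test-vpn` and `herd start production-vpn` work from one definition. It uses only the public Guix APIs (`service-type`, `shepherd-service`, `shepherd-root-service-type`, `define-record-type*`, `file-append`, the `openvpn` package) and hands a complete `.ovpn` file to `openvpn --config` instead of rebuilding the configuration record. The module name, the profile names and the paths under `/etc/openvpn/` are assumptions; the example keeps profiles and key material there, readable by root only, rather than under a user's home-directory checkout, because the client runs as root at start time and reads the `ca`, `tls-auth` and `auth-user-pass` files from wherever the profile points.

```scheme
;; multi-ovpn-service.scm -- added example, not the module from the message.
;; One service type that yields one shepherd service per OpenVPN client
;; profile, so three VPNs can be started on demand without copying a
;; module three times.  Module name and profile paths are assumptions.
(define-module (multi-ovpn-service)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages vpn)
  #:use-module (guix gexp)
  #:use-module (guix records)
  #:use-module (srfi srfi-1)
  #:export (ovpn-profile
            ovpn-profile?
            multi-ovpn-client-service-type))

;; A profile is a shepherd service name plus a complete OpenVPN client
;; configuration file (the .ovpn you would pass to `openvpn --config').
;; Any ca/cert/key/auth-user-pass lines inside that file are resolved by
;; openvpn itself, so keep the file and what it references root-readable.
(define-record-type* <ovpn-profile>
  ovpn-profile make-ovpn-profile
  ovpn-profile?
  (name        ovpn-profile-name)          ; symbol, e.g. 'test-vpn
  (config-file ovpn-profile-config-file)   ; absolute path to the .ovpn file
  (auto-start? ovpn-profile-auto-start?    ; #f: only on `herd start NAME'
               (default #f)))

(define (ovpn-profile->shepherd-service profile)
  (let ((name   (ovpn-profile-name profile))
        (config (ovpn-profile-config-file profile)))
    (shepherd-service
     (documentation (string-append "OpenVPN client profile "
                                   (symbol->string name)))
     (provision (list name))
     (requirement '(networking))
     (auto-start? (ovpn-profile-auto-start? profile))
     (start #~(make-forkexec-constructor
               (list #$(file-append openvpn "/sbin/openvpn")
                     "--config" #$config
                     ;; Drop privileges once the tun device and keys are
                     ;; set up; persist-key/persist-tun keep reconnects
                     ;; working after the drop.
                     "--user" "nobody" "--group" "nogroup"
                     "--persist-key" "--persist-tun")))
     (stop #~(make-kill-destructor)))))

(define multi-ovpn-client-service-type
  (service-type
   (name 'multi-ovpn-client)
   (extensions
    (list (service-extension shepherd-root-service-type
                             (lambda (profiles)
                               (map ovpn-profile->shepherd-service
                                    profiles)))))
   ;; Several uses of the service, or extensions from other services,
   ;; are concatenated into one flat list of profiles.
   (compose concatenate)
   (extend append)
   (default-value '())
   (description "Run one OpenVPN client per profile, each as a separate
shepherd service that can be started and stopped independently.")))

;; Usage in config.scm (paths are assumptions):
;;
;;   (use-modules (multi-ovpn-service))
;;   ...
;;   (service multi-ovpn-client-service-type
;;            (list (ovpn-profile (name 'test-vpn)
;;                                (config-file "/etc/openvpn/test.ovpn"))
;;                  (ovpn-profile (name 'acceptance-vpn)
;;                                (config-file "/etc/openvpn/acceptance.ovpn"))
;;                  (ovpn-profile (name 'production-vpn)
;;                                (config-file "/etc/openvpn/production.ovpn"))))
;;
;; then `herd start test-vpn', `herd stop test-vpn', and so on.
```

Because `auto-start?` defaults to `#f` in the profile record, none of the tunnels comes up at boot; each is started by name when needed, which matches the "activate on demand" use in the report. Dropping to `nobody`/`nogroup` after setup limits what a compromised OpenVPN process can do with the host, at the cost that a profile relying on `up`/`down` scripts that need root must either keep the privilege or use `--script-security` with care.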



