From debbugs-submit-bounces@debbugs.gnu.org Sun Jul 26 00:53:58 2020
Date: Sun, 26 Jul 2020 04:53:35 +0000
From: david larsson
To: bug-guix@gnu.org
Subject: openvpn service requires cert and key configuration
Message-ID: <029ee37c6910a0136916fd1673a517bd@selfhosted.xyz>

Hi,

I have a VPN configuration that doesn't use cert and key configuration
lines, so I receive errors like the following in /var/log/messages when
trying to start the vpn-client service:

localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)

(The lines would say the default /etc/openvpn/client.crt if I hadn't
specified (cert "disabled") etc. in the Guix service config.)

I need a way to stop these lines from being generated into the config
file.

On a related note, it would be great if other configuration options were
added to this service as well.
Below is my openvpn-client-service config, where the commented lines are
from the regular config file which I'm trying to define; as you can see,
many of the config options can't be specified by openvpn-client-service
(e.g. the cipher option, the replay-window option etc.):

(openvpn-client-service
 #:config
 (let* ((myuser "myuser")
        (base-dir (string-append "/home/" myuser
                                 "/src/my-guixsd-config/etc_openvpn/")))
   (openvpn-client-configuration
    ;; client
    (dev 'tun)
    ;; remote-random
    (proto 'udp)
    ;; mute-replay-warnings
    ;; replay-window 256
    ;; remote-cert-tls server lines is generated somehow
    ;; remote-cert-tls server
    ;; cipher aes-256-cbc
    ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
    ;; pull
    ;; nobind
    (bind? #f)
    ;; reneg-sec 432000
    ;; resolv-retry infinite
    (resolv-retry? #t)
    ;; compress lzo
    (comp-lzo? #t)
    ;; verb 3
    (verbosity 3)
    ;; persist-key
    (persist-key? #t)
    ;; persist-tun
    (persist-tun? #t)
    ;; auth-user-pass /etc/openvpn/credentials
    (auth-user-pass (string-append base-dir "credentials"))
    ;; ca /etc/openvpn/ovpn-ca.crt
    (ca (string-append base-dir "ovpn-ca.crt"))
    ;; tls-auth /etc/openvpn/ovpn-tls.key 1
    (tls-auth (string-append base-dir "ovpn-tls.key"))
    ;; Generates error messages in /var/log/messages about missing
    ;; /etc/openvpn/client.crt etc
    (key "disabled")
    (cert "disabled")
    ;; log /tmp/openvpn.log
    ;; script-security 2
    ;; resolv-conf scripts not needed for guix
    ;; up /etc/openvpn/update-resolv-conf
    ;; down /etc/openvpn/update-resolv-conf
    (fast-io? #t)
    (remote
     (list
      ;; Resolves to multiple vpn servers in location
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com") (port 1196))
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com") (port 1197))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com") (port 1196))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com") (port 1197)))))))

Best regards,
David

From debbugs-submit-bounces@debbugs.gnu.org Tue Jul 28 00:27:48 2020
Date: Tue, 28 Jul 2020 04:27:30 +0000
From: david larsson
To: 42544@debbugs.gnu.org
Subject: Re: bug#42544: openvpn service requires cert and key configuration
In-Reply-To: <029ee37c6910a0136916fd1673a517bd@selfhosted.xyz>
References: <029ee37c6910a0136916fd1673a517bd@selfhosted.xyz>
Cc: bug-Guix

On 2020-07-26 04:53, david larsson wrote:
> Hi,
> I have a vpn configuration that doesn't use cert and key configuration
> lines so I receive errors like the following in /var/log/messages when
> trying to start the vpn-client service:
>
> localhost openvpn[1660]: Options error: --cert fails with 'disabled':
> No such file or directory (errno=2)
> localhost openvpn[1660]: Options error: --key fails with 'disabled':
> No such file or directory (errno=2)
>
> (the lines would say the default /etc/openvpn/client.crt if I wouldn't
> have specified (cert "disabled") etc. in the guix service config)
>
> I need a way to disable that these lines are being generated to the
> config-file.

Can be solved by changing those options to maybe-strings in
gnu/services/vpn.scm and setting the default to disabled:

  (cert
   ;;(string "/etc/openvpn/client.crt")
   (maybe-string 'disabled)
   "The certificate of the machine the daemon is running on. It should be
signed by the authority given in @code{ca}.")
  (key
   ;;(string "/etc/openvpn/client.key")
   (maybe-string 'disabled)
   "The key of the machine the daemon is running on. It must be the key whose
certificate is @code{cert}.")

I may eventually send some patches, including the addition of some more
config options.
Best regards,
David

From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 31 19:45:11 2020
Date: Fri, 31 Jul 2020 23:44:51 +0000
From: david larsson
To: guix-patches@gnu.org
Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file.
From 5014aa2f455b127deaa013f327dc1cc42d0e1772 Mon Sep 17 00:00:00 2001
From: David Larsson
Date: Sat, 1 Aug 2020 00:16:02 +0200
Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file.

* gnu/services/vpn.scm (openvpn-client-configuration)
(openvpn-server-configuration): Change cert and key options to type
maybe-string.
---
 gnu/services/vpn.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 658d5c3e88..6155fd7938 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -2,6 +2,7 @@ ;;; Copyright © 2017 Julien Lepiller ;;; Copyright © 2017 Clément Lassieur ;;; Copyright © 2017 Mathieu Othacehe +;;; Copyright © 2020 David Larsson ;;; ;;; This file is part of GNU Guix. ;;; @@ -277,12 +278,12 @@ servers.") "The certificate authority to check connections against.") (cert - (string "/etc/openvpn/client.crt") + (maybe-string 'disabled) "The certificate of the machine the daemon is running on. It should be signed by the authority given in @code{ca}.") (key - (string "/etc/openvpn/client.key") + (maybe-string 'disabled) "The key of the machine the daemon is running on. It must be the key whose certificate is @code{cert}.") -- 2.18.0
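Review bot: In the second hunk (@@ -277,12 +278,12 @@), replacing the defaults `(string "/etc/openvpn/client.crt")` and `(string "/etc/openvpn/client.key")` with `(maybe-string 'disabled)` is a silent behaviour change for existing deployments that relied on those paths being written into the generated config: after this patch their config file carries no cert or key line at all and openvpn will only fail once the service starts, not at reconfigure time. Consider keeping the path defaults and letting users opt out with 'disabled, or at least calling the incompatibility out in the commit message. The two docstrings are left unchanged, so they still describe cert and key as if they were always present; they should state that the option is omitted from the generated file when set to 'disabled, which is now the default. The hunk also relies on the existing maybe-string serializer emitting nothing for 'disabled, which the diff does not show; a sentence in the commit message pointing at that serializer would make the change self-explanatory.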
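As an added illustration (not code from the thread or from Guix, and written in Python rather than the service's Scheme), the following models the maybe-string behaviour the reply proposes and adds the pre-flight check a deployer would want: render a client config from options modelled on the report, omitting any field set to the disabled sentinel, then verify that every file-referencing directive points at an existing file before the config reaches openvpn. The option list, file names and the `disabled` sentinel are constructed to mirror the report.

```python
"""Model of the maybe-string fix: a directive set to the 'disabled sentinel is
omitted from the generated OpenVPN config instead of written as a literal path,
plus a pre-flight check that every file-referencing directive exists on disk."""
import os
import tempfile

DISABLED = "disabled"  # stands in for Guix's 'disabled symbol
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "auth-user-pass"}


def render(options, omit_disabled=True):
    """options: iterable of (directive, value); True emits a bare flag.
    omit_disabled=True drops the sentinel line (maybe-string behaviour);
    False writes it literally, as the service did before the fix."""
    lines = []
    for name, value in options:
        if value is None or (omit_disabled and value == DISABLED):
            continue
        lines.append(name if value is True else f"{name} {value}")
    return "\n".join(lines) + "\n"


def missing_files(config_text):
    """Return (directive, path) for each file directive whose path is absent.
    Only the first argument is a path (tls-auth's key-direction is skipped)."""
    missing = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing '#' comments
        if len(parts) > 1 and parts[0] in FILE_DIRECTIVES:
            if not os.path.isfile(parts[1]):
                missing.append((parts[0], parts[1]))
    return missing


def demo():
    """Constructed options modelled on the report, with temporary CA, tls-auth
    and credentials files; returns the check's findings before/after the fix."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n)
                 for n in ("ovpn-ca.crt", "ovpn-tls.key", "credentials")}
        for p in files.values():
            open(p, "w").close()
        options = [("client", True), ("dev", "tun"), ("proto", "udp"),
                   ("ca", files["ovpn-ca.crt"]),
                   ("tls-auth", files["ovpn-tls.key"] + " 1"),
                   ("auth-user-pass", files["credentials"]),
                   ("cert", DISABLED), ("key", DISABLED),
                   ("remote", "pool-1.prd.se.sthlm.ovpn.com 1196")]
        before = missing_files(render(options, omit_disabled=False))
        after = missing_files(render(options))
    return {"before": before, "after": after}
```

`demo()["before"]` reproduces the report's two failing directives (`cert disabled`, `key disabled`), while `demo()["after"]` is empty because the sentinel lines were never written.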