From base48

Latest revision as of 16:37, 16 June 2018

VPN

The VPN server is a 1U Atom D525 system running EL6 and OpenVPN. It is shared with vpsFree.cz and is located at Master Internet, Prague.

Every member of base48 is eligible to get a key to access the server. Get in contact with User:Snajpa, the maintainer of the network, to get yours.

There are three different OpenVPN setups on the machine:

- vpn.vpsfree.cz @ UDP 443 - bridged setup, provides IPv6 connectivity; target devices: laptops, workstations, etc.

- vpn.vpsfree.cz @ TCP 443 - bridged setup, provides IPv6 connectivity, pushes a default route through the VPN (useful on networks with restrictive firewalls); target devices: laptops, workstations, etc.

- vpn-mobile.vpsfree.cz @ TCP 443 - routed setup, doesn't provide IPv6 (yet); target devices: Android, iOS, Mikrotik, etc. (devices that don't support UDP or a bridged setup)

Note that connecting to any of these three VPN servers also pushes DNS resolvers to the client, so your device will resolve names through the internal DNS servers. This is so that we can have DNS records for internal IP addresses under our base48.cz domain (and mainly for vpsFree.cz purposes, as there is a ton of hardware there without a public address).


Configuration files

client.conf

client
dev tap
; Desktops/laptops: vpn.vpsfree.cz on UDP 443. For the TCP variant keep the
; same remote and switch to "proto tcp"; for the routed mobile endpoint swap
; the commented lines below and use "proto tcp" as well.
remote vpn.vpsfree.cz 443
;remote vpn-mobile.vpsfree.cz 443
proto udp
;proto tcp

; This is for desktops: the files you get from snajpa, referenced by path.
; Keep client.key readable by root only.
ca /get/from/snajpa/ca.crt
cert /get/from/snajpa/client.crt
key /get/from/snajpa/client.key
; dh parameters are only used by the server side (tls-server); a client
; does not need this line, it is kept here because the server-side kit ships it.
dh /get/from/snajpa/dh.pem

; For mobile setups, embed the contents of the files above inline instead,
; between <ca></ca>, <cert></cert> and <key></key> tags, so that the whole
; profile is a single file you can import on the device.

keepalive 10 120
; Both of these must match the server. comp-lzo is deprecated since OpenVPN 2.4
; and compression inside a TLS tunnel is a known risk (VORACLE); it can only be
; dropped once the server side stops expecting it.
cipher AES-128-CBC
comp-lzo
mssfix

; Needed so that OpenVPN is allowed to run the up/down scripts below.
script-security 2

verb 4

; Omit this for mobile setup
up-restart
up "/path/to/use-dns-from-server.sh up"
down "/path/to/use-dns-from-server.sh down"
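The mobile variant above ("embed these files in tags") is usually built by hand. The script below is an added example, not part of the base48 wiki or of the vpsFree.cz kit: it takes the desktop client.conf plus the separate ca.crt / client.crt / client.key files and emits one profile with the PEM bodies embedded in <ca>, <cert> and <key> tags, dropping the directives a phone client does not use (dh, script-security, up/down hooks, up-restart). The remote/proto lines are copied through unchanged, so edit them in the source config first. File names, the credentials directory and the placeholder PEM bodies are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the base48 wiki: build a single-file mobile profile
# from the desktop client.conf plus the separate ca.crt / client.crt /
# client.key files, embedding each PEM body in <ca>, <cert> and <key> tags.
# Directives a phone/tablet client does not use (dh, script-security, the
# up/down hooks, up-restart) are dropped. Paths and file names are assumptions.

# Print a file, guaranteeing a trailing newline so the closing tag lands on
# its own line even if the PEM file lacks one.
emit_pem() {
    while IFS= read -r pem_line || [ -n "$pem_line" ]; do
        printf '%s\n' "$pem_line"
    done < "$1"
}

# Usage: make_inline_profile client.conf /dir/with/certs > vpsfree-mobile.ovpn
make_inline_profile() {
    conf=$1
    dir=$2
    while IFS= read -r line || [ -n "$line" ]; do
        word=${line%% *}   # directive name (first word of the line)
        arg=${line#* }     # its argument (rest of the line)
        case $word in
            ca|cert|key)
                # "ca /path/ca.crt" becomes <ca> ...PEM... </ca>; the file is
                # looked up by its base name in the credentials directory.
                printf '<%s>\n' "$word"
                emit_pem "$dir/$(basename "$arg")"
                printf '</%s>\n' "$word"
                ;;
            dh|script-security|up|down|up-restart)
                ;;  # server-only or hook-related: omitted for mobile
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$conf"
}

# Constructed sample input for a dry run: the wiki's client.conf lines and
# placeholder PEM bodies (not real credentials).
write_sample_inputs() {
    dir=$1
    printf '%s\n' \
        'client' \
        'dev tap' \
        'remote vpn.vpsfree.cz 443' \
        'proto udp' \
        'ca /get/from/snajpa/ca.crt' \
        'cert /get/from/snajpa/client.crt' \
        'key /get/from/snajpa/client.key' \
        'dh /get/from/snajpa/dh.pem' \
        'keepalive 10 120' \
        'cipher AES-128-CBC' \
        'comp-lzo' \
        'mssfix' \
        'script-security 2' \
        'verb 4' \
        'up-restart' \
        'up "/path/to/use-dns-from-server.sh up"' \
        'down "/path/to/use-dns-from-server.sh down"' \
        > "$dir/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLE-CA' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLE-CLIENT' '-----END CERTIFICATE-----' > "$dir/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLE-KEY' '-----END PRIVATE KEY-----' > "$dir/client.key"
}

# Dry run on the constructed sample; prints the resulting profile.
tmp=$(mktemp -d)
write_sample_inputs "$tmp"
make_inline_profile "$tmp/client.conf" "$tmp"
rm -rf "$tmp"
```

The resulting .ovpn carries the private key in clear, so treat it like client.key: transfer it over a channel you trust and delete the copies you no longer need.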

use-dns-from-server.sh

#!/bin/bash
# OpenVPN up/down hook (needs "script-security 2" in client.conf; runs as root).
# OpenVPN hands the options pushed by the server to the hook as environment
# variables foreign_option_1, foreign_option_2, ..., for example
#   foreign_option_1="dhcp-option DNS 10.0.0.1"
#   foreign_option_2="dhcp-option DOMAIN base48.cz"
# "up" rewrites /etc/resolv.conf from them, "down" puts the original back.

RESOLV=/etc/resolv.conf
BACKUP=/etc/resolv.conf.bak
NEWRESOLV=/etc/resolv.conf.new

case "$1" in
    up)
        # Keep the pre-VPN file for "down". Do not overwrite an existing backup:
        # with up-restart the hook runs again on every reconnect and would
        # otherwise back up its own output.
        [ -e "$BACKUP" ] || cp -p "$RESOLV" "$BACKUP"

        SEARCH=""
        NAMESERVERS=""
        for opt in ${!foreign_option_*}; do
            read -r _directive key value <<< "${!opt}"
            case "$key" in
                DNS)                  NAMESERVERS+="nameserver $value"$'\n' ;;
                DOMAIN|DOMAIN-SEARCH) SEARCH+=" $value" ;;
            esac
        done

        # Write the new file completely, then swap it into place.
        {
            echo "# Generated by OpenVPN Client UP Script"
            [ -n "$SEARCH" ] && echo "search$SEARCH"
            printf '%s' "$NAMESERVERS"
        } > "$NEWRESOLV"
        mv "$NEWRESOLV" "$RESOLV"
        ;;
    down)
        [ -e "$BACKUP" ] && mv "$BACKUP" "$RESOLV"
        ;;
    *)
        echo "Pass either up or down" >&2
        exit 1
        ;;
esac

exit 0
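The hook above writes whatever the server pushes straight into /etc/resolv.conf as root. The block below is an added example, not code from the base48 wiki or from OpenVPN: it is the same rendering as a pure function over "dhcp-option ..." lines read from stdin, so it can be run offline against sample input, and it validates each pushed value (IPv4/IPv6 address for DNS, hostname syntax for DOMAIN and DOMAIN-SEARCH) and silently drops anything else, since the push list is server-controlled. The sample push list is constructed for the example and is not a capture from vpn.vpsfree.cz; the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the base48 wiki: render resolv.conf content from
# "dhcp-option ..." lines on stdin, validating each pushed value first.
# In the real hook it would be fed with the foreign_option_* variables:
#   for opt in ${!foreign_option_*}; do echo "${!opt}"; done | render_resolv_conf

# Four dotted-decimal octets, each 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Loose syntactic check only: hex digits, colons and dots, at least one colon.
is_ipv6() {
    case $1 in
        *:*) case $1 in *[!0-9A-Fa-f:.]*) return 1 ;; esac; return 0 ;;
        *)   return 1 ;;
    esac
}

# Hostname syntax: labels of letters, digits and hyphens joined by single dots.
is_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
    esac
    return 0
}

# Reads pushed options on stdin, prints the resolv.conf they translate to.
# Lines that are not dhcp-option, unknown keys and malformed values are skipped.
render_resolv_conf() {
    search=""
    servers=""
    while read -r directive key value _rest || [ -n "$directive" ]; do
        [ "$directive" = "dhcp-option" ] || continue
        case $key in
            DNS)
                if is_ipv4 "$value" || is_ipv6 "$value"; then
                    servers="$servers $value"
                fi
                ;;
            DOMAIN|DOMAIN-SEARCH)
                if is_domain "$value"; then
                    search="$search $value"
                fi
                ;;
        esac
    done
    printf '# Generated by OpenVPN Client UP Script\n'
    if [ -n "$search" ]; then
        printf 'search%s\n' "$search"
    fi
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
}

# Constructed sample of a push list, including two malformed values and an
# unrelated pushed route that must all be ignored (not a capture from the server).
sample_push() {
    printf '%s\n' \
        'dhcp-option DNS 10.0.0.53' \
        'dhcp-option DOMAIN base48.cz' \
        'dhcp-option DOMAIN-SEARCH vpsfree.cz' \
        'dhcp-option DNS 999.1.1.1' \
        'dhcp-option DOMAIN bad;name' \
        'route 10.0.0.0 255.0.0.0 vpn_gateway'
}

sample_push | render_resolv_conf
```

On the sample above only the first three options survive, giving a comment line, "search base48.cz vpsfree.cz" and "nameserver 10.0.0.53"; the malformed address and domain are dropped rather than written out.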

NixOS config

Save the following snippet as vpn.nix and include it from configuration.nix. Reference the certificates and key by path as below and keep them outside the Nix store: everything in the config option ends up in /nix/store, which is world-readable, so do not paste the key inline there.

let
  # Directory with the files from snajpa, kept outside the Nix store on purpose.
  credsPath = "/root/your-dir-with-certs";
in
{
  services.openvpn.servers = {
    vpsf = {
      config = ''
        client
        dev tap
        remote 77.93.223.7 443
        proto udp

        keepalive 10 120
        cipher AES-128-CBC
        comp-lzo
        mssfix

        ca ${credsPath}/ca.crt
        cert ${credsPath}/client.crt
        key ${credsPath}/client.key
        dh ${credsPath}/dh2048.pem
      '';
      # Installs the update-resolv-conf up/down hooks (and script-security 2),
      # which do what use-dns-from-server.sh above does by hand.
      updateResolvConf = true;
    };
  };
}