VPN: Difference between revisions

From base48
Diff from the revision by imported>Snajpa to the revision by imported>Rmarko (edit summary: nixos config snippet). One intermediate revision by one other user not shown.
Line 90: Line 90:
</nowiki>
</nowiki>


=== List of users with access ===
=== NixOS config ===
<nowiki>
 
[vpsFree.cz admins, incl. snajpa]
Save following snippet as ''vpn.nix'' and include it from ''configuration.nix'':
b42
 
potion
<syntaxhighlight lang="nix">
XanthiX
let
</nowiki>
  credsPath = "/root/your-dir-with-certs/";
in
{
  services.openvpn.servers = {
    vpsf  = {
      config = ''
        client
        dev tap
        remote 77.93.223.7 443
        proto udp
 
        keepalive 10 120
        cipher AES-128-CBC
        comp-lzo
        mssfix
 
        ca ${credsPath}/ca.crt
        cert ${credsPath}/client.crt
        key ${credsPath}/client.key
        dh ${credsPath}/dh2048.pem
 
      '';
      updateResolvConf = true;
    };
  };
}
 
</syntaxhighlight>
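Review bot: the "dh ${credsPath}/dh2048.pem" line in the added snippet is a server-side setting; Diffie-Hellman parameters are only used by the side that acts as the TLS server, so a client config gains nothing from it and one file less has to be handed out to each member (the same holds for "dh /get/from/snajpa/dh.pem" in client.conf). Also consider "remote vpn.vpsfree.cz 443", as client.conf uses, instead of the hard-coded "77.93.223.7", so the NixOS config does not break if the server's address changes.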

Latest revision as of 16:37, 16 June 2018

VPN

The VPN server is a 1U Atom D525 system running EL6 and OpenVPN; it is shared with vpsFree.cz and located at Master Internet, Prague.

Every member of base48 is eligible for a key to access the server. Get in contact with User:Snajpa, the maintainer of the network, to get yours.

There are three different OpenVPN setups on the machine:

- vpn.vpsfree.cz @ UDP 443 - bridged setup, provides IPv6 connectivity; target devices: laptops, workstations, etc.

- vpn.vpsfree.cz @ TCP 443 - bridged setup, provides IPv6 connectivity, pushes the default route via the VPN (useful on networks with restrictive firewalls); target devices: laptops, workstations, etc.

- vpn-mobile.vpsfree.cz @ TCP 443 - routed setup, doesn't provide IPv6 (yet); target devices: Android, iOS, Mikrotik, etc. (devices that don't support UDP or a bridged setup)

Note that all three VPN servers also push DNS resolvers to the client, so your device will resolve names through the internal DNS servers. This lets us keep DNS records for internal IP addresses under our base48.cz domain (and mainly serves vpsFree.cz, which has a ton of metal without a public address).


Configuration files

client.conf

client
dev tap
remote vpn.vpsfree.cz 443
;remote vpn-mobile.vpsfree.cz 443
proto udp
;proto tcp

; This is for desktops
ca /get/from/snajpa/ca.crt
cert /get/from/snajpa/client.crt
key /get/from/snajpa/client.key
dh /get/from/snajpa/dh.pem

; For mobile setups, you can embed the files above inline in <ca></ca>, <cert></cert>, ... tags instead.

keepalive 10 120
cipher AES-128-CBC
comp-lzo
mssfix

script-security 2

verb 4

; Omit these three lines for mobile setups
up-restart
up "/path/to/use-dns-from-server.sh up"
down "/path/to/use-dns-from-server.sh down"

use-dns-from-server.sh

#!/bin/bash
# OpenVPN up/down script: on "up", installs the resolvers pushed by the
# server (OpenVPN exports them as foreign_option_N="dhcp-option DNS|DOMAIN ...")
# into /etc/resolv.conf; on "down", restores the original file.

case "$1" in
    up)
        mv /etc/resolv.conf /etc/resolv.conf.bak

        # Translate the pushed options into resolv.conf keywords.
        for opt in ${!foreign_option_*}; do
            echo "${!opt}" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /etc/resolv.conf
        done

        # Collapse all "domain" entries into one "search" line and keep the
        # nameserver lines. tac below reverses the file so the comment and
        # the search line end up on top.
        SEARCH="search "
        NEWRESOLV=/etc/resolv.conf.new
        echo "" > "$NEWRESOLV"
        while read -r line; do
            if echo "$line" | grep -qi "domain"; then
                SEARCH+="$(echo "$line" | awk '{ print $2; }') "
            elif echo "$line" | grep -qi "nameserver"; then
                echo "$line" >> "$NEWRESOLV"
            fi
        done < /etc/resolv.conf
        echo "$SEARCH" >> "$NEWRESOLV"
        echo "# Generated by OpenVPN Client UP Script" >> "$NEWRESOLV"
        tac "$NEWRESOLV" > /etc/resolv.conf
        rm "$NEWRESOLV"
        ;;
    down)
        mv /etc/resolv.conf.bak /etc/resolv.conf
        ;;
    *)
        echo "Pass either up or down"
        ;;
esac

exit 0
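As an added example (not the wiki's script), here is a POSIX-sh version of the same resolv.conf logic: it reads foreign_option_1..N in numeric order, refuses to install an empty resolver list when the server pushed no DNS server (the script above would leave /etc/resolv.conf empty in that case), and takes the target path as an argument so it can be exercised on a scratch file. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's script: build resolv.conf content from the
# foreign_option_N variables OpenVPN exports for pushed dhcp-option values.

# Print a resolv.conf body from foreign_option_1..N (read in numeric order).
# Returns 1 and prints nothing if the server pushed no DNS server, so the
# caller never installs an empty resolver list.
render_resolv_conf() {
    search=""
    servers=""
    i=1
    while eval "opt=\${foreign_option_$i}" && [ -n "$opt" ]; do
        # e.g. "dhcp-option DNS 10.0.0.53" or "dhcp-option DOMAIN base48.cz"
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    servers="${servers}nameserver $3
" ;;
                DOMAIN) search="${search} $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$servers" ] || return 1
    echo "# Generated by OpenVPN client up script"
    [ -n "$search" ] && echo "search${search}"
    printf '%s' "$servers"
}

# "up": back up the target (default /etc/resolv.conf) and replace it with the
# pushed resolvers; leaves it untouched when nothing usable was pushed.
apply_pushed_dns() {
    target="${1:-/etc/resolv.conf}"
    body=$(render_resolv_conf) || { echo "no DNS pushed, keeping $target" >&2; return 0; }
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    printf '%s\n' "$body" > "$target"
}

# "down": put the backup back.
restore_dns() {
    target="${1:-/etc/resolv.conf}"
    if [ -f "$target.bak" ]; then mv "$target.bak" "$target"; fi
}

# Hook into OpenVPN's up/down invocation (no-op when run without arguments).
case "${1:-}" in
    up)   apply_pushed_dns ;;
    down) restore_dns ;;
esac
```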

NixOS config

Save the following snippet as vpn.nix and import it from configuration.nix (add ./vpn.nix to its imports list):

<syntaxhighlight lang="nix">
let
  # Directory holding the CA, certificate, key and DH file obtained from the maintainer.
  credsPath = "/root/your-dir-with-certs/";
in
{
  services.openvpn.servers = {
    vpsf = {
      # Same client settings as client.conf above; the '' ... '' block is a
      # Nix indented string, so ${credsPath} is interpolated.
      config = ''
        client
        dev tap
        remote 77.93.223.7 443
        proto udp
        keepalive 10 120
        cipher AES-128-CBC
        comp-lzo
        mssfix
        ca ${credsPath}/ca.crt
        cert ${credsPath}/client.crt
        key ${credsPath}/client.key
        dh ${credsPath}/dh2048.pem
      '';
      # Let the NixOS module install the pushed resolvers (replaces the up/down script).
      updateResolvConf = true;
    };
  };
}
</syntaxhighlight>