VEGAS: add OpenVPN

Max Headroom 2021-10-16 19:59:19 +02:00
parent 32e41ddcd9
commit 3c15c90258
6 changed files with 160 additions and 0 deletions

data/vpn-ca-bundle.crt Normal file

@ -0,0 +1,54 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

data/vpn-host-VEGAS.crt Normal file

@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,73 @@
{ config, hosts, lib, pkgs, tools, ... }:
let
inherit (hosts.${config.networking.hostName}) interfaces;
inherit (interfaces) vstub;
inherit (config.networking) hostName;
sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
port 51194
float
mssfix 1340
topology subnet
client-to-client
persist-key
persist-tun
# vpn supernet
push "route 10.100.0.0 255.255.0.0"
# internal services supernet
push "route 10.10.0.0 255.255.0.0"
# host machine virtual stub
push "route ${vstub.addr} 255.255.255.255"
# dns config
push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
push "dhcp-option DNS ${vstub.addr}"
ca ${../../../../data/vpn-ca-bundle.crt}
cert ${../../../../data + "/vpn-host-${hostName}.crt"}
key ${config.age.secrets.vpn-host-key.path}
dh ${config.security.dhparams.params.vpn.path}
'';
in
{
age.secrets.vpn-host-key = {
file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
mode = "0400";
};
security.dhparams.params.vpn.bits = 4096;
networking.firewall = {
allowedTCPPorts = [ 51194 ];
allowedUDPPorts = [ 51194 ];
};
networking.nat.internalInterfaces = [
"tun-storm"
"tun-cyclone"
];
services.openvpn.servers = {
storm = {
autoStart = true;
config = ''
proto udp4
dev tun-storm
server 10.100.0.0 255.255.255.0
config ${sharedConfig}
'';
};
cyclone = {
autoStart = true;
config = ''
proto tcp4
dev tun-cyclone
server 10.100.1.0 255.255.255.0
config ${sharedConfig}
'';
};
};
systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
wants = [ "dhparams-gen-vpn.service" ];
after = [ "dhparams-gen-vpn.service" ];
});
}
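Review bot: The shared server config written at lines 32–53 carries no `tls-crypt`/`tls-auth` and no `crl-verify`, so the 51194 udp and tcp listeners opened by the `networking.firewall` block accept a TLS handshake from any source and a leaked client certificate cannot be revoked short of reissuing the CA bundle. I would add `remote-cert-tls client` to the shared block so only certificates issued with the client EKU can authenticate, and keep a CRL alongside the CA bundle referenced as `crl-verify <path-to-crl>` (path to be chosen). `persist-key` and `persist-tun` are present but no `user`/`group` directive follows them, so I believe the daemon keeps root after startup unless the NixOS module drops privileges itself; `user nobody` and `group nogroup` would complete that pair. `client-to-client` lets every VPN peer reach every other directly inside the daemon rather than through the host's routing and firewall rules, which is worth a comment stating that this is intended.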


@ -32,6 +32,7 @@
./services/nix/binary-cache.nix ./services/nix/binary-cache.nix
./services/nix/nar-serve.nix ./services/nix/nar-serve.nix
./services/object-storage ./services/object-storage
./services/openvpn
./services/warehouse ./services/warehouse
./services/websites ./services/websites
] ]


@ -22,4 +22,5 @@ in with hosts;
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
} }
