mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Files
f8560764527494a31bd61233e8003483aa909be7
nix-config/systems/x86_64-linux/jallen-nas/vpn.nix
mjallen18 f856076452 stuffs
2026-02-02 19:33:04 -06:00

293 lines
11 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
# let
# configFile = pkgs.writeText "openvpn-config-us.protonvpn.udp" ''
# errors-to-stderr
# ${config.services.openvpn.servers."us.protonvpn.udp".config}
# auth-user-pass ${config.services.openvpn.servers."us.protonvpn.udp".authUserPass}
# '';
# in
{
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
sops = {
secrets = {
"protonvpn/username" = { };
"protonvpn/password" = { };
};
templates = {
"protonvpn" = {
mode = "660";
owner = "nix-apps";
group = "jallen-nas";
restartUnits = [ "openvpn-us.protonvpn.udp.service" ];
content = ''
${config.sops.placeholder."protonvpn/username"}
${config.sops.placeholder."protonvpn/password"}
'';
};
};
};
# networking.nftables = {
# enable = true;
# ruleset = ''
# table ip nat {
# chain postrouting {
# type nat hook postrouting priority 100;
# oifname "enp197s0" ip saddr 10.200.0.0/30 masquerade
# }
# }
# '';
# };
# systemd.services = {
# vpn-netns =
# let
# ip = "${pkgs.iproute2}/bin/ip";
# in {
# description = "Create VPN network namespace";
# wantedBy = [ "multi-user.target" ];
# before = [ "openvpn-us.protonvpn.udp.service" ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# ExecStart = pkgs.writeShellScript "vpn-netns-up" ''
# set -euxo pipefail
# # Ensure namespace exists
# ${ip} netns add vpn 2>/dev/null || true
# # Clean up any previous veth (deleting one end deletes the peer too)
# ${ip} link del veth-host 2>/dev/null || true
# # Create veth pair
# ${ip} link add veth-host type veth peer name veth-vpn
# # Move peer into namespace
# ${ip} link set veth-vpn netns vpn
# # Host side
# ${ip} addr add 10.200.0.1/30 dev veth-host 2>/dev/null || true
# ${ip} link set veth-host up
# # Namespace side
# ${ip} -n vpn addr add 10.200.0.2/30 dev veth-vpn 2>/dev/null || true
# ${ip} -n vpn link set veth-vpn up
# ${ip} -n vpn link set lo up
# # Default route in namespace via host
# ${ip} -n vpn route replace default via 10.200.0.1
# ${ip} -n vpn route replace 10.0.1.0/24 via 10.200.0.1 dev veth-vpn
# '';
# ExecStop = pkgs.writeShellScript "vpn-netns-down" ''
# set -eux
# ${ip} link del veth-host 2>/dev/null || true
# '';
# };
# };
# "openvpn-us.protonvpn.udp" = {
# after = [ "network-online.target" "vpn-netns.service" ];
# wants = [ "network-online.target" ];
# serviceConfig = {
# ExecStart = lib.mkOverride 90 ''
# ${pkgs.iproute2}/bin/ip netns exec vpn \
# ${pkgs.openvpn}/sbin/openvpn --config ${configFile}
# '';
# };
# };
# };
# Services configs
services = {
openvpn = {
servers = {
"us.protonvpn.udp" = lib.mkForce {
authUserPass = config.sops.templates."protonvpn".path;
updateResolvConf = lib.mkForce true;
config = ''
# ==============================================================================
# Copyright (c) 2023 Proton AG (Switzerland)
# Email: contact@protonvpn.com
#
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# ==============================================================================
# If you are a paying user you can also enable the ProtonVPN ad blocker (NetShield) or Moderate NAT:
# Use: "ErqosBHsDoqr8Hcq+f1" as username to enable anti-malware filtering
# Use: "ErqosBHsDoqr8Hcq+f2" as username to additionally enable ad-blocking filtering
# Use: "ErqosBHsDoqr8Hcq+nr" as username to enable Moderate NAT
# Note that you can combine the "+nr" suffix with other suffixes.
client
dev tun
proto udp
remote 37.221.112.194 51820
remote 37.221.112.194 80
remote 146.70.217.66 51820
remote 217.138.198.246 51820
remote 149.22.84.89 51820
remote 146.70.217.66 4569
remote 149.22.94.86 80
remote 95.173.221.92 1194
remote 79.127.160.158 5060
remote 217.138.198.246 80
remote 149.40.62.62 4569
remote 79.127.160.158 4569
remote 149.22.84.89 5060
remote 95.173.221.33 51820
remote 149.22.84.89 1194
remote 146.70.183.146 80
remote 149.22.94.86 5060
remote 62.93.176.129 5060
remote 95.173.221.33 80
remote 146.70.183.146 1194
remote 79.127.160.158 1194
remote 217.138.198.246 4569
remote 217.138.198.246 80
remote 95.173.221.33 5060
remote 95.173.221.33 1194
remote 149.22.94.86 1194
remote 149.40.62.62 1194
remote 62.93.176.129 51820
remote 95.173.221.92 4569
remote 37.221.112.194 1194
remote 95.173.221.92 5060
remote 149.40.62.62 5060
remote 217.138.198.246 5060
remote 79.127.160.158 51820
remote 62.93.176.129 1194
remote 95.173.221.33 4569
remote 146.70.217.66 1194
remote 95.173.221.92 51820
remote 62.93.176.129 4569
remote 149.22.94.86 51820
remote 37.221.112.194 4569
remote 149.40.62.62 51820
remote 146.70.183.146 5060
remote 217.138.198.246 4569
remote 146.70.217.66 5060
remote 146.70.217.66 80
remote 149.22.94.86 4569
remote 217.138.198.246 51820
remote 146.70.183.146 51820
remote 217.138.198.246 5060
remote 95.173.221.92 80
remote 217.138.198.246 1194
remote 37.221.112.194 5060
remote 79.127.160.158 80
remote 217.138.198.246 1194
remote 149.40.62.62 80
remote 62.93.176.129 80
remote 149.22.84.89 80
remote 149.22.84.89 4569
remote 146.70.183.146 4569
server-poll-timeout 20
remote-random
resolv-retry infinite
nobind
cipher AES-256-GCM
setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass
script-security 2
<ca>
-----BEGIN CERTIFICATE-----
MIIFnTCCA4WgAwIBAgIUCI574SM3Lyh47GyNl0WAOYrqb5QwDQYJKoZIhvcNAQEL
BQAwXjELMAkGA1UEBhMCQ0gxHzAdBgNVBAoMFlByb3RvbiBUZWNobm9sb2dpZXMg
QUcxEjAQBgNVBAsMCVByb3RvblZQTjEaMBgGA1UEAwwRUHJvdG9uVlBOIFJvb3Qg
Q0EwHhcNMTkxMDE3MDgwNjQxWhcNMzkxMDEyMDgwNjQxWjBeMQswCQYDVQQGEwJD
SDEfMB0GA1UECgwWUHJvdG9uIFRlY2hub2xvZ2llcyBBRzESMBAGA1UECwwJUHJv
dG9uVlBOMRowGAYDVQQDDBFQcm90b25WUE4gUm9vdCBDQTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAMkUT7zMUS5C+NjQ7YoGpVFlfbN9HFgG4JiKfHB8
QxnPPRgyTi0zVOAj1ImsRilauY8Ddm5dQtd8qcApoz6oCx5cFiiSQG2uyhS/59Zl
5wqIkw1o+CgwZgeWkq04lcrxhhfPgJZRFjrYVezy/Z2Ssd18s3/FFNQ+2iV1KC2K
z8eSPr50u+l9vEKsKiNGkJTdlWjoDKZM2C15i/h8Smi+PdJlx7WMTtYoVC1Fzq0r
aCPDQl18kspu11b6d8ECPWghKcDIIKuA0r0nGqF1GvH1AmbC/xUaNrKgz9AfioZL
MP/l22tVG3KKM1ku0eYHX7NzNHgkM2JKnBBannImQQBGTAcvvUlnfF3AHx4vzx7H
ahpBz8ebThx2uv+vzu8lCVEcKjQObGwLbAONJN2enug8hwSSZQv7tz7onDQWlYh0
El5fnkrEQGbukNnSyOqTwfobvBllIPzBqdO38eZFA0YTlH9plYjIjPjGl931lFAA
3G9t0x7nxAauLXN5QVp1yoF1tzXc5kN0SFAasM9VtVEOSMaGHLKhF+IMyVX8h5Iu
IRC8u5O672r7cHS+Dtx87LjxypqNhmbf1TWyLJSoh0qYhMr+BbO7+N6zKRIZPI5b
MXc8Be2pQwbSA4ZrDvSjFC9yDXmSuZTyVo6Bqi/KCUZeaXKof68oNxVYeGowNeQd
g/znAgMBAAGjUzBRMB0GA1UdDgQWBBR44WtTuEKCaPPUltYEHZoyhJo+4TAfBgNV
HSMEGDAWgBR44WtTuEKCaPPUltYEHZoyhJo+4TAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4ICAQBBmzCQlHxOJ6izys3TVpaze+rUkA9GejgsB2DZXIcm
4Lj/SNzQsPlZRu4S0IZV253dbE1DoWlHanw5lnXwx8iU82X7jdm/5uZOwj2NqSqT
bTn0WLAC6khEKKe5bPTf18UOcwN82Le3AnkwcNAaBO5/TzFQVgnVedXr2g6rmpp9
gdedeEl9acB7xqfYfkrmijqYMm+xeG2rXaanch3HjweMDuZdT/Ub5G6oir0Kowft
lA1ytjXRg+X+yWymTpF/zGLYfSodWWjMKhpzZtRJZ+9B0pWXUyY7SuCj5T5SMIAu
x3NQQ46wSbHRolIlwh7zD7kBgkyLe7ByLvGFKa2Vw4PuWjqYwrRbFjb2+EKAwPu6
VTWz/QQTU8oJewGFipw94Bi61zuaPvF1qZCHgYhVojRy6KcqncX2Hx9hjfVxspBZ
DrVH6uofCmd99GmVu+qizybWQTrPaubfc/a2jJIbXc2bRQjYj/qmjE3hTlmO3k7V
EP6i8CLhEl+dX75aZw9StkqjdpIApYwX6XNDqVuGzfeTXXclk4N4aDPwPFM/Yo/e
KnvlNlKbljWdMYkfx8r37aOHpchH34cv0Jb5Im+1H07ywnshXNfUhRazOpubJRHn
bjDuBwWS1/Vwp5AJ+QHsPXhJdl3qHc1szJZVJb3VyAWvG/bWApKfFuZX18tiI4N0
EA==
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
6acef03f62675b4b1bbd03e53b187727
423cea742242106cb2916a8a4c829756
3d22c7e5cef430b1103c6f66eb1fc5b3
75a672f158e2e2e936c3faa48b035a6d
e17beaac23b5f03b10b868d53d03521d
8ba115059da777a60cbfd7b2c9c57472
78a15b8f6e68a3ef7fd583ec9f398c8b
d4735dab40cbd1e3c62a822e97489186
c30a0b48c7c38ea32ceb056d3fa5a710
e10ccc7a0ddb363b08c3d2777a3395e1
0c0b6080f56309192ab5aacd4b45f55d
a61fc77af39bd81a19218a79762c3386
2df55785075f37d8c71dc8a42097ee43
344739a0dd48d03025b0450cf1fb5e8c
aeb893d9a96d1f15519bb3c4dcb40ee3
16672ea16c012664f8a9f11255518deb
-----END OpenVPN Static key V1-----
</tls-crypt>
'';
};
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink