ovpn: use a single key per-device
this should fix the traffic collisions i'm seeing with the existing setup
This commit is contained in:
parent
45967fde7b
commit
002639cc76
|
@ -9,6 +9,8 @@
|
|||
sane.roles.pc = true;
|
||||
sane.services.wg-home.enable = true;
|
||||
sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
|
||||
sane.ovpn.addrV4 = "172.23.119.72";
|
||||
# sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:0332:aa96/128";
|
||||
|
||||
# sane.guest.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = false;
|
||||
|
|
|
@ -7,50 +7,61 @@
|
|||
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
def-ovpn = name: { endpoint, publicKey, addrV4, id }: {
|
||||
sane.vpn."ovpnd-${name}" = {
|
||||
inherit endpoint publicKey addrV4 id;
|
||||
privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
|
||||
# N.B.: OVPN issues each key (i.e. device) a different IP (addrV4), and requires you use it.
|
||||
# the IP it issues can be used to connect to any of their VPNs.
|
||||
# effectively the IP and key map 1-to-1.
|
||||
# it seems to still be possible to keep two active tunnels on one device, using the same key/IP address, though.
|
||||
def-ovpn = name: { endpoint, publicKey, id }: let
|
||||
inherit (config.sane.ovpn) addrV4;
|
||||
in {
|
||||
sane.vpn."ovpnd-${name}" = lib.mkIf (addrV4 != null) {
|
||||
inherit addrV4 endpoint publicKey id;
|
||||
privateKeyFile = config.sops.secrets."ovpn_privkey".path;
|
||||
dns = [
|
||||
"46.227.67.134"
|
||||
"192.165.9.158"
|
||||
# "2a07:a880:4601:10f0:cd45::1"
|
||||
# "2001:67c:750:1:cafe:cd45::1"
|
||||
];
|
||||
};
|
||||
|
||||
sops.secrets."wg/ovpnd_${name}_privkey" = {
|
||||
sops.secrets."ovpn_privkey" = lib.mkIf (addrV4 != null) {
|
||||
# needs to be readable by systemd-network or else it says "Ignoring network device" and doesn't expose it to networkctl.
|
||||
owner = "systemd-network";
|
||||
};
|
||||
};
|
||||
in lib.mkMerge [
|
||||
{
|
||||
options = with lib; {
|
||||
sane.ovpn.addrV4 = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
description = ''
|
||||
ovpn issues one IP address per device.
|
||||
set `null` to disable OVPN for this host.
|
||||
'';
|
||||
};
|
||||
}
|
||||
}
|
||||
(def-ovpn "us" {
|
||||
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
|
||||
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
|
||||
id = 1;
|
||||
addrV4 = "172.27.237.218";
|
||||
# addrV6 = "fd00:0000:1337:cafe:1111:1111:ab00:4c8f";
|
||||
})
|
||||
# TODO: us-atl disabled until i can give it a different link-local address and wireguard key than us-mi
|
||||
# (def-ovpn "us-atl" {
|
||||
# endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
|
||||
# publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
|
||||
# address = [
|
||||
# "172.21.182.178/32"
|
||||
# "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
|
||||
# ];
|
||||
# })
|
||||
(def-ovpn "us-mi" {
|
||||
endpoint = "vpn34.prd.miami.ovpn.com:9929";
|
||||
publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
|
||||
id = 2;
|
||||
addrV4 = "172.21.182.178";
|
||||
# addrV6 = "fd00:0000:1337:cafe:1111:1111:cfcb:27e3";
|
||||
})
|
||||
(def-ovpn "ukr" {
|
||||
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
|
||||
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
|
||||
id = 3;
|
||||
addrV4 = "172.18.180.159";
|
||||
# addrV6 = "fd00:0000:1337:cafe:1111:1111:ec5c:add3";
|
||||
})
|
||||
# TODO: us-atl disabled until i need it again, i guess.
|
||||
# (def-ovpn "us-atl" {
|
||||
# endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
|
||||
# publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
|
||||
# id = 4;
|
||||
# })
|
||||
]
|
||||
|
|
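Review bot: `sane.ovpn.addrV4` is declared with `types.nullOr types.str` and no `default`, while `def-ovpn` reads `config.sane.ovpn.addrV4` unconditionally, so a host that imports this module without setting the option will fail to evaluate rather than have OVPN disabled as the description promises; add `default = null;` beside the `type` line. Since the key is now per-device, `sops.secrets."ovpn_privkey"` no longer depends on `name`, so each `def-ovpn` call emits an identical declaration and relies on the module system merging equal `owner` values; hoisting that declaration into the attrset that holds the `mkOption` would make the single-secret intent explicit and keep it in one place. The two `dns` entries are bare IPv4 literals with no note of whose resolvers they are; a one-line comment such as `# OVPN-provided resolvers, expected to be reachable only inside the tunnel` — if that is indeed the case — would help the next reader. The module's first six lines precede this hunk and are not visible here.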
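--- a/secrets/lappy/ovpn_privkey.bin
+++ b/secrets/lappy/ovpn_privkey.bin
@@ -0,0 +1,28 @@
+{
+"data": "ENC[AES256_GCM,data:u2Bej5jF/UoLQxPe4+aW1519oAAZ/hKMPu6rXFiRk/mVoLVic6+noflsOtbn,iv:H7+E3kmJS4nlsH9kVmIYakEQMpaE6sm3FrLVww7Cdxs=,tag:PvyMf+BT1T8qWxscftq68g==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTnNsMFdkcGwyZCt2eXR5\nVGREZDltT3E5V3EyMDlrWkxNTFVSeWkrbTI4CnZlL0wwRzlTNkxoMC9HQUcwV3VO\nR1c3OFpOUUFvSHBGZlZ3bVAxLzVOMmMKLS0tIHpOaStaV2VOdkVZRWp2L1dPUmNE\nRmNnSHRWZy9OL1ZrMzREcXg3RStlNkEKMs4nNfHcfuWOhttzzGeHELbVlm6hskdf\nMDifoyXBAk8iiqPFpLFAkkOt6bsn5Xwjo1EaVllLkb/l0wvRpTBgHw==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bElSMUJid2hYN2hrMnV6\nMmJzMTNLYXNHUkZJdzMxOWZ5enUrbWFXSlZjCnEwbVRsT1EyemZYaFQvaEJtMk8w\nci9TV1ZCYzNWSTZzaExqVXUraUFxaDAKLS0tIE5Nc0RyczBUVFBiWmhWNURxNVlR\nMllYRGFrWVJlOVdsZjVHenpLMUFRTVkKSLKhh+oK+aSw3kWu9oo8szMEObzv2UCc\n4cWoemgyFWBnA8/ucZZs6nXuXouK7OuwLiwREVctjxstPF11hP6vJg==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTmxYZ3gxZEU0SGFERm81\nTzlkMGFYTGI2bUNCTzVReENVWFhFNTBvc1NzCjlZUkNHcCtwMnduWUZTTTdjRzBi\nNlJqeFhuY1hhVmlLSkZ4VjRSYVBtdncKLS0tIC9WZ3dqdm45ZUd0RnpDamt4MmJE\nbE5sejJ4NEt4eEVKejJWaFgwMFBuUWMKtID7tF8Uq1PCu/mH70MQYq9fuTuKwjNu\nh0XaWAeQP4XYEFizGxCw9Viy4ZWy738sbgPHXeUGnb+Jy9DpTHo+zw==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2024-05-26T13:18:51Z",
+"mac": "ENC[AES256_GCM,data:Jc8qZ47WVHL8m3V/tQ/aWyORCDVzebffSxhqTOOyHdu4FpuQIJMkVfqipKnbQVC1oRSB8BSDW6LcVywWJpk00XG/NfqYYPw3q0UTpisJrX6GjqdqGDadBdOeuqlfTTCYJfAFDU4JiLnUCYlpdY2eUnD/fRi+2DsLFtsGj1Sdo4U=,iv:CL4THOlK+GZFd8h0WQmlOJBp+vijQSobPJG/KoFEuTI=,tag:PGLmQRDXcpXHVUOJonHK5A==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.8.1"
+}
+}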