From f790147fb013fa9b52a20f18ee5012a637694d6a Mon Sep 17 00:00:00 2001
From: colin
Date: Sat, 9 Jul 2022 00:48:09 -0700
Subject: [PATCH] add ukraine VPN

---
 modules/universal/vpn.nix | 27 +++++++++++++++++++++++++
 pkgs/sane-scripts/src/bin/sane-vpn-down | 14 ++++++++++++-
 pkgs/sane-scripts/src/bin/sane-vpn-up | 14 ++++++++++++-
 secrets/universal.yaml | 5 +++--
 4 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/modules/universal/vpn.nix b/modules/universal/vpn.nix
index 8f5547471..a4002a17b 100644
--- a/modules/universal/vpn.nix
+++ b/modules/universal/vpn.nix
@@ -25,7 +25,34 @@
 autostart = false;
 };

+ networking.wg-quick.interfaces.ovpnd-ukr = {
+ address = [
+ "172.18.180.159/32"
+ "fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
+ ];
+ dns = [
+ "46.227.67.134"
+ "192.165.9.158"
+ ];
+ peers = [
+ {
+ allowedIPs = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
+ publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
+ }
+ ];
+ privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
+ # to start: `systemctl start wg-quick-ovpnd-ukr`
+ autostart = false;
+ };
+
 sops.secrets."wg_ovpnd_privkey" = {
 sopsFile = ../../secrets/universal.yaml;
 };
+ sops.secrets."wg_ovpnd_ukr_privkey" = {
+ sopsFile = ../../secrets/universal.yaml;
+ };
 }
diff --git a/pkgs/sane-scripts/src/bin/sane-vpn-down b/pkgs/sane-scripts/src/bin/sane-vpn-down
index 2b0fdb1fb..9fe727840 100755
--- a/pkgs/sane-scripts/src/bin/sane-vpn-down
+++ b/pkgs/sane-scripts/src/bin/sane-vpn-down
@@ -1,4 +1,16 @@
 #!/usr/bin/env bash
+
+# first arg should be the region, e.g. `us` or `ukr`
+
+case $1 in
+ukr)
+ iface=wg-quick-ovpnd-ukr;;
+us)
+ iface=wg-quick-ovpnd;;
+*)
+ echo "invalid vpn name '$1'"; exit 1;;
+esac
+
 echo vpn: $(curl https://ipinfo.io/ip)
-sudo systemctl stop wg-quick-ovpnd
+sudo systemctl stop $iface
 echo plain: $(curl https://ipinfo.io/ip)
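Review bot: Nothing in the vpn.nix hunk keeps `ovpnd-ukr` from being started while the existing `ovpnd` tunnel is up. This peer claims `0.0.0.0/0` and `::/0`, so if the other interface is also a full tunnel (its peer block is outside the hunk) the two would compete for the default route, leaving it unclear which exit carries traffic. Declaring the units mutually exclusive makes the intent explicit, e.g. `systemd.services.wg-quick-ovpnd-ukr.conflicts = [ "wg-quick-ovpnd.service" ];`. A one-line comment above `address` saying where the tunnel addresses and `publicKey` come from would also help whoever later rotates `wg_ovpnd_ukr_privkey`.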
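Review bot: In sane-vpn-down the `*)` arm reports a missing or unknown region on stdout, and `$1` and `$iface` are expanded unquoted; the identical `case` block added to sane-vpn-up has the same shape. Since `iface` is only ever set from the two literals this is a robustness and style point rather than an injection risk. I would still write `case "$1" in`, `echo "usage: sane-vpn-down <us|ukr>" >&2; exit 1;;` and `sudo systemctl stop "$iface"`. The variable holds a systemd unit name, not an interface name, so `unit` would describe it better.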
diff --git a/pkgs/sane-scripts/src/bin/sane-vpn-up b/pkgs/sane-scripts/src/bin/sane-vpn-up
index bed09122a..17e4eb575 100755
--- a/pkgs/sane-scripts/src/bin/sane-vpn-up
+++ b/pkgs/sane-scripts/src/bin/sane-vpn-up
@@ -1,4 +1,16 @@
 #!/usr/bin/env bash
+
+# first arg should be the region, e.g. `us` or `ukr`
+
+case $1 in
+ukr)
+ iface=wg-quick-ovpnd-ukr;;
+us)
+ iface=wg-quick-ovpnd;;
+*)
+ echo "invalid vpn name '$1'"; exit 1;;
+esac
+
 echo plain: $(curl https://ipinfo.io/ip)
-sudo systemctl start wg-quick-ovpnd
+sudo systemctl start $iface
 echo vpn: $(curl https://ipinfo.io/ip)
diff --git a/secrets/universal.yaml b/secrets/universal.yaml
index 404ef2034..e6cb35840 100644
--- a/secrets/universal.yaml
+++ b/secrets/universal.yaml
@@ -1,4 +1,5 @@ wg_ovpnd_privkey: ENC[AES256_GCM,data:qmyCOcD5TA7SKqSDCTZOTahkfYVZMJUGuyselmQbqj1uer3e4cBRSMuIiRI=,iv:jnHvGgVu/8HWT8MkI2wtGqlCs6wTu0C8huHpkdDmBYk=,tag:a0r0f/6LTBUuhvLGu+SFug==,type:str] +wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str] sops: kms: [] gcp_kms: []
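Review bot: In sane-vpn-up the result of `sudo systemctl start $iface` is never checked, so when the unit fails to start the last line still prints the current address under the `vpn:` label and a tunnel that never came up looks like a working one. Stop on failure with `sudo systemctl start "$iface" || exit 1`. Giving both lookups `curl -fsS --max-time 10` would make a failed or hung query to ipinfo.io show up as an error instead of an empty value after the label. The script also starts the requested region without stopping the other one first, which matters if both units route all traffic.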
@@ -77,8 +78,8 @@ sops: T1ZLaWRwWFJkNE82NC80QTdjZ1l1Zm8K7QhAMCO/65Z0N4coN+sc7WYNVI+BvV01 q5DXWTtePrPRQ8ZCqT7gWdSQc8iS410HEZ2Nya5IA+ktGxMO9h1EXA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-06-21T09:01:02Z" - mac: ENC[AES256_GCM,data:G6crbY/fKKHjiCI7m+uOIRHrW2CJFM6DPD598h/vqRwYI0laIkasr7vUMuV72RyqAW52F90kIYyLY5qhu4uTOBqHK5aJHAxNo55knHrpXYQemMMt5UGC3AwgswLWkqze43EhIj7NrA6LTFF4MX+rD3yhFC+IAQOgZ1HiIk9h0sY=,iv:kDDHyNlaCCq9AVSr5qaF1OYZxNAGgxSGL5bxYL3Q79w=,tag:5FNaXMHjTyjyPScOXgep6Q==,type:str] + lastmodified: "2022-07-09T07:40:05Z" + mac: ENC[AES256_GCM,data:U7kbbCm6I+S86En04h+jKFhqm+++iFHluA0ceChTEJEFaWX4FqMQHAthHl4Bce+AMjhdu5IjTajnAHp2RDvGRMoyissAH0+SwWR5lEKVhHZFl2jQga1T8rmScfCnP5nK8lRUiSBtbEZWPE+Pct63mR7rEUVFLtKIIoqOYfpB6XI=,iv:sa3eUtOnjs49y2EL/ndP/1f9iyOB4wTAc97TZ8zhBXQ=,tag:n91xs8Carw6OO/rk3dO+Fw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3