From 9f874dd95e4375a86daa4dc5251fa79de890ab5b Mon Sep 17 00:00:00 2001 From: Raphael Robatsch Date: Sat, 3 Dec 2022 09:31:53 +0000 Subject: [PATCH] nixos/tests/initrd-network-openvpn: fix - The default cipher is BF-CBC, which openvpn refuses to use by default. Switched to AES-256-CBC. - openvpn does not require an external "ip" executable anymore, and does not support the "ipconfig" option by default, so remove that option. --- nixos/modules/system/boot/initrd-openvpn.nix | 5 +---- nixos/tests/initrd-network-openvpn/default.nix | 1 + nixos/tests/initrd-network-openvpn/initrd.ovpn | 3 ++- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/nixos/modules/system/boot/initrd-openvpn.nix b/nixos/modules/system/boot/initrd-openvpn.nix index b41e7524320e..cbc61d55d6bb 100644 --- a/nixos/modules/system/boot/initrd-openvpn.nix +++ b/nixos/modules/system/boot/initrd-openvpn.nix @@ -68,11 +68,8 @@ in $out/bin/openvpn --show-gateway ''; - # Add `iproute /bin/ip` to the config, to ensure that openvpn - # is able to set the routes boot.initrd.network.postCommands = '' - (cat /etc/initrd.ovpn; echo -e '\niproute /bin/ip') | \ - openvpn /dev/stdin & + openvpn /etc/initrd.ovpn & ''; }; diff --git a/nixos/tests/initrd-network-openvpn/default.nix b/nixos/tests/initrd-network-openvpn/default.nix index bb4c41e6d709..dbb34c28eea7 100644 --- a/nixos/tests/initrd-network-openvpn/default.nix +++ b/nixos/tests/initrd-network-openvpn/default.nix @@ -91,6 +91,7 @@ import ../make-test-python.nix ({ lib, ...}: config = '' dev tun0 ifconfig 10.8.0.1 10.8.0.2 + cipher AES-256-CBC ${secretblock} ''; }; diff --git a/nixos/tests/initrd-network-openvpn/initrd.ovpn b/nixos/tests/initrd-network-openvpn/initrd.ovpn index 5926a48af00f..3ada4130e868 100644 --- a/nixos/tests/initrd-network-openvpn/initrd.ovpn +++ b/nixos/tests/initrd-network-openvpn/initrd.ovpn 
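Review bot: The new `openvpn /etc/initrd.ovpn &` in `boot.initrd.network.postCommands` is still backgrounded with no exit-status check or log destination, so a config that openvpn rejects at startup leaves stage 1 running on the plain network with no tunnel. Presumably that is how the BF-CBC refusal described in the commit message went unnoticed until the test broke. I would at least document the fail-open behaviour next to the command, e.g. `# openvpn runs in the background; if it exits (rejected cipher, bad key) the initrd continues without the tunnel`. Anything in the initrd that must only be reachable over the VPN should not rely on this command having succeeded. The enclosing config block starts outside the hunk.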
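Review bot: `cipher AES-256-CBC` is added without a comment saying why a CBC cipher is pinned, both here in the server `config` and in the first hunk of `initrd.ovpn`. Both peers use a pre-shared static key (`${secretblock}` / `secret [inline]`), and as far as I know OpenVPN does not accept AEAD ciphers such as AES-256-GCM in that mode, so CBC is the expected choice rather than an oversight. A one-line comment in each file would record that and the fact that the two values must stay identical, e.g. `# static-key mode: AEAD ciphers unavailable, pin AES-256-CBC; must match the peer config`. Static-key mode also gives no forward secrecy and the key is committed in the fixture, so the comment should mark this configuration as test-only.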
@@ -3,6 +3,7 @@ dev tun ifconfig 10.8.0.2 10.8.0.1 # Only force VLAN 2 through the VPN route 192.168.2.0 255.255.255.0 10.8.0.1 +cipher AES-256-CBC secret [inline] # @@ -26,4 +27,4 @@ be5a69522a8e60ccb217f8521681b45d e7811584363597599cce2040a68ac00e f2125540e0f7f4adc37cb3f0d922eeb7 -----END OpenVPN Static key V1----- - \ No newline at end of file +