feat: pyload config change, cyberghost change

2025-11-30 19:53:13 +01:00
parent f277d089bd
commit 82c15e8d26
4 changed files with 52 additions and 29 deletions
--- a/hosts/nas/modules/cyberghost.nix
+++ b/hosts/nas/modules/cyberghost.nix
@@ -12,6 +12,14 @@ in
    mode = "0400";
    owner = "root";
  };
+  sops.secrets.cyberghost-cert = {
+    mode = "0400";
+    owner = "root";
+  };
+  sops.secrets.cyberghost-key = {
+    mode = "0400";
+    owner = "root";
+  };

  environment.systemPackages = [ pkgs.openvpn ];

@@ -23,7 +31,7 @@ in
      client
      dev tun
      proto udp
-      87-1-hu.cg-dialup.net 443
+      remote 87-1-hu.cg-dialup.net 443
      resolv-retry infinite
      nobind
      persist-key
@@ -32,11 +40,20 @@ in
      # Authentication
      auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
      ca ${config.sops.secrets.cyberghost-ca.path}
+      cert ${config.sops.secrets.cyberghost-cert.path}
+      key ${config.sops.secrets.cyberghost-key.path}

      # Security
-      cipher AES-256-CBC
+      data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
+      data-ciphers-fallback AES-256-CBC
      auth SHA256
      remote-cert-tls server
+      script-security 2
+
+      # Connection
+      ping 5
+      explicit-exit-notify 2
+      route-delay 5

      # Split tunnel: Don't pull routes from server, we'll set our own
      route-nopull
@@ -48,7 +65,7 @@ in
      # Keep local network route direct
      route ${localNetwork} net_gateway

-      verb 3
+      verb 4
    '';
  };