104 lines
2.8 KiB
Nix
104 lines
2.8 KiB
Nix
{ config, pkgs, ... }:
|
|
let
|
|
localNetwork = "10.42.96.0/20";
|
|
in
|
|
{
|
|
# SOPS secrets for CyberGhost credentials
|
|
sops.secrets.cyberghost-auth = {
|
|
mode = "0400";
|
|
owner = "root";
|
|
};
|
|
sops.secrets.cyberghost-ca = {
|
|
mode = "0400";
|
|
owner = "root";
|
|
};
|
|
sops.secrets.cyberghost-cert = {
|
|
mode = "0400";
|
|
owner = "root";
|
|
};
|
|
sops.secrets.cyberghost-key = {
|
|
mode = "0400";
|
|
owner = "root";
|
|
};
|
|
|
|
environment.systemPackages = [ pkgs.openvpn ];
|
|
|
|
# OpenVPN client service
|
|
services.openvpn.servers.cyberghost = {
|
|
autoStart = true;
|
|
updateResolvConf = true;
|
|
config = ''
|
|
client
|
|
dev tun
|
|
proto udp
|
|
remote 87-1-hu.cg-dialup.net 443
|
|
resolv-retry infinite
|
|
nobind
|
|
persist-key
|
|
persist-tun
|
|
|
|
# Authentication
|
|
auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
|
|
ca ${config.sops.secrets.cyberghost-ca.path}
|
|
cert ${config.sops.secrets.cyberghost-cert.path}
|
|
key ${config.sops.secrets.cyberghost-key.path}
|
|
|
|
# Security
|
|
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
|
|
data-ciphers-fallback AES-256-CBC
|
|
auth SHA256
|
|
remote-cert-tls server
|
|
script-security 2
|
|
|
|
# Connection
|
|
ping 5
|
|
explicit-exit-notify 2
|
|
route-delay 5
|
|
|
|
# Split tunnel: Don't pull routes from server, we'll set our own
|
|
route-nopull
|
|
|
|
# Route all traffic through VPN except local network
|
|
route 0.0.0.0 128.0.0.0 vpn_gateway
|
|
route 128.0.0.0 128.0.0.0 vpn_gateway
|
|
|
|
# Keep local network route direct
|
|
route ${localNetwork} net_gateway
|
|
|
|
verb 4
|
|
'';
|
|
};
|
|
|
|
# Kill switch: Block outgoing traffic if VPN is down
|
|
networking.firewall = {
|
|
extraCommands = ''
|
|
# Allow traffic to local network
|
|
iptables -A OUTPUT -d ${localNetwork} -j ACCEPT
|
|
|
|
# Allow traffic through VPN tunnel
|
|
iptables -A OUTPUT -o tun+ -j ACCEPT
|
|
|
|
# Allow loopback
|
|
iptables -A OUTPUT -o lo -j ACCEPT
|
|
|
|
# Allow established connections (for responses)
|
|
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Allow OpenVPN to establish connection (UDP 443)
|
|
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
|
|
|
|
# Drop all other outgoing internet traffic (kill switch)
|
|
iptables -A OUTPUT ! -d ${localNetwork} -j DROP
|
|
'';
|
|
|
|
extraStopCommands = ''
|
|
iptables -D OUTPUT -d ${localNetwork} -j ACCEPT 2>/dev/null || true
|
|
iptables -D OUTPUT -o tun+ -j ACCEPT 2>/dev/null || true
|
|
iptables -D OUTPUT -o lo -j ACCEPT 2>/dev/null || true
|
|
iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
|
|
iptables -D OUTPUT -p udp --dport 443 -j ACCEPT 2>/dev/null || true
|
|
iptables -D OUTPUT ! -d ${localNetwork} -j DROP 2>/dev/null || true
|
|
'';
|
|
};
|
|
}
|