From b50dea93a1e6e68b31a89e473ce4af1aa9d69882 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Mon, 25 Oct 2021 10:30:51 +0200
Subject: [PATCH] Update threema vpn configuration
---
 .../fhauser/work/openvpn.nix | 32 +++++++++++++------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/defaults/user-configuration/fhauser/work/openvpn.nix b/defaults/user-configuration/fhauser/work/openvpn.nix
index a9accdc..8bead71 100644
--- a/defaults/user-configuration/fhauser/work/openvpn.nix
+++ b/defaults/user-configuration/fhauser/work/openvpn.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }: {
+{ pkgs, lib, config, ... }: {
 services.openvpn.servers.threema = let
 cafile = pkgs.writeTextFile {
 name = "threema-vpn-ca.crt";
@@ -25,6 +25,14 @@
 -----END CERTIFICATE-----
 '';
 };
+ dhcpIps = if config.networking.hostName == "speer" then
+ [ "10.2.1.1" ] # TODO: Extract speer gw ip to meta
+ else [
+ "185.88.236.100"
+ "212.103.68.20"
+ ];
+ dhcpOptions = with builtins;
+ concatStringsSep "\n" (map (ip: "dhcp-option DNS ${ip}") dhcpIps);
 in {
 autoStart = false;
 config = ''
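Review bot: The `dhcpIps` branch on `config.networking.hostName == "speer"` replaces the VPN's pushed resolvers (185.88.236.100 and 212.103.68.20, both inside the ranges this config routes through the tunnel) with `10.2.1.1`, so on that host every lookup made while the tunnel is up (`updateResolvConf = true` below) — including any names only the VPN resolvers can answer — goes to a non-tunnel address, presumably the local gateway; the `# TODO` records the hard-coded address but not that dependency. I would state it next to the branch: `# speer: resolve via the local gateway (10.2.1.1) instead of the VPN DNS; it must forward VPN-internal zones — confirm`. Separately, `with builtins;` is unnecessary because `lib` is already a module argument: `dhcpOptions = lib.concatMapStringsSep "\n" (ip: "dhcp-option DNS ${ip}") dhcpIps;`. The `let` block this sits in begins before the hunk.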
@@ -42,29 +50,35 @@
 route 10.83.0.0 255.255.0.0 default default
 route 10.90.0.0 255.255.0.0 default default
- #route 5.148.175.192 255.255.255.224 default default
- #route 5.148.189.192 255.255.255.224 default default
 route 192.168.11.0 255.255.255.0 default default
 route 192.168.13.0 255.255.255.0 default default
 route 136.243.104.147 255.255.255.255 default default
- route 193.70.13.37 255.255.255.255 default default
+ route 188.126.81.131 255.255.255.255 default default
 route 95.211.228.137 255.255.255.255 default default
- route 5.148.189.112 255.255.255.240 default default
 route 185.88.236.64 255.255.255.192 default default
 route 212.103.68.0 255.255.255.192 default default
+ route 194.56.189.145 255.255.255.255 default default
+ route 54.38.37.213 255.255.255.255 default default
+ # VPN exclusions: Jitsi and TURN
+ route 185.88.236.76 255.255.255.255 net_gateway default
+ route 185.88.236.77 255.255.255.255 net_gateway default
 route 185.88.236.98 255.255.255.255 net_gateway default
- route 5.148.189.116 255.255.255.255 net_gateway default
+ route 185.88.236.113 255.255.255.255 net_gateway default
+ route 185.88.236.114 255.255.255.255 net_gateway default
+ route 212.103.68.7 255.255.255.255 net_gateway default
+ route 212.103.68.8 255.255.255.255 net_gateway default
+ route 212.103.68.40 255.255.255.255 net_gateway default
+ route 212.103.68.41 255.255.255.255 net_gateway default
- dhcp-option DNS 185.88.236.100
- dhcp-option DNS 212.103.68.20
+ ${dhcpOptions}
 reneg-bytes 0
 auth-nocache
 tls-cipher DEFAULT
 cipher AES-128-CBC
+ reneg-sec 0
 data-ciphers AES-128-CBC
 data-ciphers-fallback AES-128-CBC
- reneg-sec 0
 remap-usr1 SIGTERM
 '';
 updateResolvConf = true;
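Review bot: Only the first two of the eight new `net_gateway` exclusions are covered by the `# VPN exclusions: Jitsi and TURN` comment; `185.88.236.113`, `.114`, `212.103.68.7`, `.8`, `.40` and `.41` are /32 holes punched in the `185.88.236.64/26` and `212.103.68.0/26` tunnel routes above them (longest prefix wins), and each one sends that host's traffic around the tunnel, so a reader cannot tell from the hunk which service justifies each hole. I would label every exclusion with the service it belongs to, e.g. `route 212.103.68.40 255.255.255.255 net_gateway default # TURN`, and keep the list to endpoints whose own protocol encrypts the traffic (Jitsi/TURN media presumably does — confirm). The `reneg-sec 0` move is a reorder only; the OpenVPN `config = ''` string this hunk edits starts before the hunk.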