{ pkgs, lib, ... }:

let
  # CA that signs the Threema VPN server certificate.  The client trusts ONLY
  # this CA for the tunnel (the system trust store is not consulted), so a CA
  # rotation on the provider side breaks the connection until this literal is
  # replaced.  Nothing here tracks the certificate's expiry; check it now and
  # then with `openssl x509 -noout -dates -in <store path>`.
  caFile = pkgs.writeText "threema-vpn-ca.crt" ''
    -----BEGIN CERTIFICATE-----
    MIIDMjCCAhqgAwIBAgIJANmI9BYPseTxMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV
    BAMMCk9wZW5WUE4gQ0EwHhcNMTkwNTE1MTQzOTM0WhcNMjkwNTEyMTQzOTM0WjAV
    MRMwEQYDVQQDDApPcGVuVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEA7NaiObgz2L5wmGIgOWUe1n6Q1g6Y5CYsrMQI8yhIDqKSx0fTL9eT2hvn
    zThnltxKJRVTn0qGPf/7QF6WzjIXfKSJH5Cb+OKgYmqfRI2TW+ncqyJCaa3Fl9lI
    VgU4knro6Cp9dhNhrNmRoRFvZ/17noB4+WPds7EgRObDi2ERuwAbONgz56J2Rea6
    RHVL6HMFY7v8Zp8B/MnzSba/OSJC7RXCuCs6qNOgJOoHnp5PnsB3V40mszy4h/0Q
    jVbBdZ3K4rEjNiawhCOetXhgHSaVGH4MP5oWrAN4UiI+IIfz6Ywz5mc7F6yBZa/e
    aCG+r2bMUIepVPE25AUfuZ6O8+0+iwIDAQABo4GEMIGBMB0GA1UdDgQWBBQDHenu
    05GGgcztJ1FCUWQlbYxGLjBFBgNVHSMEPjA8gBQDHenu05GGgcztJ1FCUWQlbYxG
    LqEZpBcwFTETMBEGA1UEAwwKT3BlblZQTiBDQYIJANmI9BYPseTxMAwGA1UdEwQF
    MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQDTQtMeER20/3r/
    Zn+IRpIEJh/ITxEE6kKCKo59wwVEFA0Ba+7d+BslFTCPhADM2p0AzPt5OSEo0A2N
    nWGL3hhBPcnrBTFUma58gGz++v5Oy8GpfaCoXjCqfANjAbApY0JCCSWb1BJWkhXt
    vDMlVXv6UzfF4HCeEQCof4QcW8ca4csrOceW76S7Cc3Or4iyTXKQrZ5PKy081CfV
    sTLgGMQX4kZT9MBg13wDj0WkdJaWxQ2C73/me/YypcctN7t1wy7pUx33rEE1xh/o
    9fsKcFs0qqYKRUY8AnghhuimBrkHoqUcdrG/6WO7+hbipxIDStm4Qbnptde3fhJT
    rGUhGexA
    -----END CERTIFICATE-----
  '';
in
{
  services.openvpn.servers.threema = {
    # On-demand tunnel: brought up by hand, never at boot.
    autoStart = false;

    # Security-relevant settings in the profile below, for the next reader:
    #  - `remote-cert-tls server`: the peer's certificate must be marked as a
    #    server certificate, so a leaked *client* certificate issued by the
    #    same CA cannot be used to impersonate the server.  No
    #    `verify-x509-name` is set, so any server cert from this CA is
    #    accepted.
    #  - `auth-user-pass` with no file argument: credentials are not stored
    #    in the config; openvpn asks for them when the service starts
    #    (presumably via systemd's password agent, since there is no TTY --
    #    confirm).  `auth-nocache` then drops them from memory after use.
    #  - `pull` with no `route-nopull` / `pull-filter`: any routes and DNS
    #    servers the server pushes are accepted as-is.
    #  - The two `net_gateway` routes pin those hosts to the physical uplink,
    #    i.e. they deliberately bypass the tunnel (likely endpoint-related --
    #    confirm).
    #  - `dhcp-option DNS` + `updateResolvConf`: resolv.conf is rewritten to
    #    the listed resolvers while the tunnel is up, so DNS for *all* names
    #    goes to them, not only for the routed prefixes.
    #  - `reneg-sec 0` / `reneg-bytes 0`: time- and volume-based TLS
    #    renegotiation is disabled on this side, so the data-channel key is
    #    not rotated for the life of the session unless the server initiates
    #    it.
    #  - `tls-cipher DEFAULT`: OpenSSL's DEFAULT list, which is looser than
    #    OpenVPN's own built-in default (per the OpenVPN manual that one
    #    additionally excludes EXP/LOW/MEDIUM suites and non-PFS kRSA).
    #    NOTE(review): if the server negotiates fine without this line,
    #    drop it.
    #  - `cipher AES-128-CBC`: a non-AEAD data-channel cipher (CBC + HMAC);
    #    `data-ciphers` stays commented out per the TODO.
    #  - `remap-usr1 SIGTERM`: a link failure makes openvpn exit instead of
    #    reconnecting (see the Restart override below).
    config = ''
      remote vpn.threema.ch 38417 tcp-client

      nobind
      dev tun
      persist-tun
      persist-key
      pull
      auth-user-pass
      tls-client
      ca ${caFile}
      remote-cert-tls server

      route 10.83.0.0 255.255.0.0 default default
      route 10.90.0.0 255.255.0.0 default default
      #route 5.148.175.192 255.255.255.224 default default
      #route 5.148.189.192 255.255.255.224 default default
      route 192.168.11.0 255.255.255.0 default default
      route 192.168.13.0 255.255.255.0 default default
      route 136.243.104.147 255.255.255.255 default default
      route 193.70.13.37 255.255.255.255 default default
      route 95.211.228.137 255.255.255.255 default default
      route 5.148.189.112 255.255.255.240 default default
      route 185.88.236.64 255.255.255.192 default default
      route 212.103.68.0 255.255.255.192 default default
      route 185.88.236.98 255.255.255.255 net_gateway default
      route 5.148.189.116 255.255.255.255 net_gateway default

      dhcp-option DNS 185.88.236.100
      dhcp-option DNS 212.103.68.20

      reneg-bytes 0
      auth-nocache
      tls-cipher DEFAULT
      cipher AES-128-CBC
      #data-ciphers AES-128-CBC # TODO: Enable with openvpn 2.5
      reneg-sec 0
      remap-usr1 SIGTERM
    '';

    # Run the resolv.conf update hook on up/down so the dhcp-option DNS
    # entries above take effect (and are undone when the tunnel closes).
    updateResolvConf = true;
  };

  # Together with remap-usr1 above: a dropped link ends the tunnel rather
  # than looping reconnect attempts (which would re-prompt for credentials).
  # mkForce wins over whatever Restart policy the openvpn module sets.
  systemd.services.openvpn-threema = {
    serviceConfig = {
      Restart = lib.mkForce "no";
    };
  };
}