openvpn service requires cert and key configuration

  • Open
Details
One participant
  • david larsson
Owner
unassigned
Submitted by
david larsson
Severity
normal
david larsson wrote on 26 Jul 2020 06:53
(address . bug-guix@gnu.org)
029ee37c6910a0136916fd1673a517bd@selfhosted.xyz
Hi,
I have a vpn configuration that doesn't use cert and key configuration
lines so I receive errors like the following in /var/log/messages when
trying to start the vpn-client service:

localhost openvpn[1660]: Options error: --cert fails with 'disabled': No
such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No
such file or directory (errno=2)

(the lines would say the default /etc/openvpn/client.crt if I hadn't
specified (cert "disabled") etc. in the guix service config)


I need a way to stop these lines from being generated into the
config file.


On a related note, it would be great if other configuration options were
added to this service as well. Below is my openvpn-client-service config,
where the commented lines are from the regular config file which I'm
trying to define; as you can see, many of the config options can't be
specified by openvpn-client-service (e.g. the cipher option, the
replay-window option etc.):

(openvpn-client-service
 #:config
 (let* ((myuser "myuser")
        (base-dir (string-append "/home/" myuser
                                 "/src/my-guixsd-config/etc_openvpn/")))
   (openvpn-client-configuration
    ;; client
    (dev 'tun)
    ;; remote-random
    (proto 'udp)
    ;; mute-replay-warnings
    ;; replay-window 256

    ;; remote-cert-tls server lines is generated somehow
    ;; remote-cert-tls server

    ;; cipher aes-256-cbc
    ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
    ;; pull
    ;; nobind
    (bind? #f)
    ;; reneg-sec 432000
    ;; resolv-retry infinite
    (resolv-retry? #t)
    ;; compress lzo
    (comp-lzo? #t)
    ;; verb 3
    (verbosity 3)
    ;; persist-key
    (persist-key? #t)
    ;; persist-tun
    (persist-tun? #t)
    ;; auth-user-pass /etc/openvpn/credentials
    (auth-user-pass (string-append base-dir "credentials"))
    ;; ca /etc/openvpn/ovpn-ca.crt
    (ca (string-append base-dir "ovpn-ca.crt"))
    ;; tls-auth /etc/openvpn/ovpn-tls.key 1
    (tls-auth (string-append base-dir "ovpn-tls.key"))
    ;; Generates error messages in /var/log/messages about missing
    ;; /etc/openvpn/client.crt etc
    (key "disabled")
    (cert "disabled")

    ;; log /tmp/openvpn.log
    ;; script-security 2
    ;; resolv-conf scripts not needed for guix
    ;; up /etc/openvpn/update-resolv-conf
    ;; down /etc/openvpn/update-resolv-conf

    (fast-io? #t)
    (remote
     (list
      ;; Resolves to multiple vpn servers in location
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com")
       (port 1196))
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com")
       (port 1197))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com")
       (port 1196))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com")
       (port 1197)))))))

Best regards,
David
david larsson wrote on 28 Jul 2020 06:27
(address . 42544@debbugs.gnu.org)(name . bug-Guix)(address . bug-guix-bounces+someone=selfhosted.xyz@gnu.org)
d5483c834de758e7b096ca49b6a0b369@selfhosted.xyz
On 2020-07-26 04:53, david larsson wrote:
> Hi,
> I have a vpn configuration that doesn't use cert and key configuration
> lines so I receive errors like the following in /var/log/messages when
> trying to start the vpn-client service:
>
> localhost openvpn[1660]: Options error: --cert fails with 'disabled':
> No such file or directory (errno=2)
> localhost openvpn[1660]: Options error: --key fails with 'disabled':
> No such file or directory (errno=2)
>
> (the lines would say the default /etc/openvpn/client.crt if I wouldn't
> have specified (cert "disabled") etc. in the guix service config)
>
>
> I need a way to disable that these lines are being generated to the
> config-file.
>

This can be solved by changing those options to maybe-strings in
gnu/services/vpn.scm and setting the default to disabled:

(cert
 ;;(string "/etc/openvpn/client.crt")
 (maybe-string 'disabled)
 "The certificate of the machine the daemon is running on. It should be signed
by the authority given in @code{ca}.")

(key
 ;;(string "/etc/openvpn/client.key")
 (maybe-string 'disabled)
 "The key of the machine the daemon is running on. It must be the key whose
certificate is @code{cert}.")

I may eventually send some patches, including the addition of some more
config-options.

Best regards,
David
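The mechanism behind the proposed fix, as an added stand-alone example (it is not David's code, not the patch, and not Guix's own (gnu services configuration) module): a "maybe" field is either a string, which is serialized as an OpenVPN option line, or the symbol 'disabled, which produces no line at all. The configuration record is modelled as a plain list of (field serializer value) triples, and the paths are placeholders; both are assumptions made so the script runs under plain Guile without Guix installed.

```scheme
;; Added example, not code from Guix or from the patch above: a stand-alone
;; model of how a maybe-string field lets the serializer omit an option from
;; the generated OpenVPN configuration file.  Runs with:  guile maybe-field.scm
(use-modules (ice-9 match))

;; A maybe-string is either a string (emitted) or the symbol 'disabled (omitted).
(define (maybe-string? x)
  (or (string? x) (eq? x 'disabled)))

;; Emit "name value" when set; emit nothing when the field is disabled.  This is
;; what keeps openvpn from being handed the literal path "disabled" (the ENOENT
;; errors quoted in the report).
(define (serialize-maybe-string field-name val)
  (cond ((eq? val 'disabled) "")
        ((string? val)
         (string-append (symbol->string field-name) " " val "\n"))
        (else (error "expected a string or 'disabled for field" field-name val))))

;; Boolean flags appear as a bare keyword when #t and are omitted when #f.
(define (serialize-boolean field-name val)
  (if val (string-append (symbol->string field-name) "\n") ""))

;; Assumed configuration model: a list of (field-name serializer value) triples.
(define (serialize-config config)
  (string-concatenate
   (map (match-lambda
          ((name serializer value) (serializer name value)))
        config)))

;; Constructed sample matching the report: password authentication plus a CA,
;; but no client certificate or key.  Paths are placeholders.
(define client-without-cert
  `((client ,serialize-boolean #t)
    (dev ,serialize-maybe-string "tun")
    (ca ,serialize-maybe-string "/etc/openvpn/ovpn-ca.crt")
    (auth-user-pass ,serialize-maybe-string "/etc/openvpn/credentials")
    (cert ,serialize-maybe-string disabled)
    (key ,serialize-maybe-string disabled)))

;; The same shape with cert/key set, as the current string-typed default does.
(define client-with-cert
  `((client ,serialize-boolean #t)
    (dev ,serialize-maybe-string "tun")
    (ca ,serialize-maybe-string "/etc/openvpn/ovpn-ca.crt")
    (cert ,serialize-maybe-string "/etc/openvpn/client.crt")
    (key ,serialize-maybe-string "/etc/openvpn/client.key")))

(display "--- cert/key disabled: no cert/key lines are generated ---\n")
(display (serialize-config client-without-cert))
(display "--- cert/key set: both lines are generated ---\n")
(display (serialize-config client-with-cert))
```

The first printed block contains no cert or key line, which is the behaviour the bug asks for; the second shows that a string value is still emitted unchanged, so switching a field to a maybe type does not affect configurations that set it explicitly.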
david larsson wrote on 1 Aug 2020 01:44
[bug#42544] [PATCH]: gnu: services: Make some openvpn options optional to include in the openvpn config file.
(address . guix-patches@gnu.org)
c15f2913c46b32490bb282fd8b5f9e48@selfhosted.xyz
From 5014aa2f455b127deaa013f327dc1cc42d0e1772 Mon Sep 17 00:00:00 2001
From: David Larsson <david.larsson@selfhosted.xyz>
Date: Sat, 1 Aug 2020 00:16:02 +0200
Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options
optional to include in the openvpn config file.

* gnu/services/vpn.scm (openvpn-client-configuration)
(openvpn-server-configuration): Change cert and key options to type
maybe-string.
---
gnu/services/vpn.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 658d5c3e88..6155fd7938 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2020 David Larsson <david.larsson@selfhosted.xyz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -277,12 +278,12 @@ servers.")
"The certificate authority to check connections against.")

(cert
- (string "/etc/openvpn/client.crt")
+ (maybe-string 'disabled)
"The certificate of the machine the daemon is running on. It should
be signed
by the authority given in @code{ca}.")

(key
- (string "/etc/openvpn/client.key")
+ (maybe-string 'disabled)
"The key of the machine the daemon is running on. It must be the
key whose
certificate is @code{cert}.")

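Review bot: the commit message and the diffstat disagree on scope: the message says both openvpn-client-configuration and openvpn-server-configuration change, but with 2 deletions in total this is the only hunk touching cert/key, so only one of the two records is updated; either add the matching hunk for the other record or narrow the commit message. The hunk also changes more than the type: the defaults move from "/etc/openvpn/client.crt" and "/etc/openvpn/client.key" to 'disabled, so existing deployments that relied on the implicit paths will silently stop getting cert/key lines in the generated file. Consider keeping the old path strings as the defaults while still accepting 'disabled, or else state the default change in the commit message and extend both docstrings, e.g. "Set to @code{'disabled} to omit the option from the configuration file."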
--
2.18.0