GNU bug report logs - #42544
openvpn service requires cert and key configuration
Report forwarded to bug-guix <at> gnu.org: bug#42544; Package guix. (Sun, 26 Jul 2020 04:54:02 GMT)
Acknowledgement sent to david larsson <david.larsson <at> selfhosted.xyz>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 26 Jul 2020 04:54:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi,
I have a VPN configuration that doesn't use cert and key configuration lines, so I receive errors like the following in /var/log/messages when trying to start the vpn-client service:
localhost openvpn[1660]: Options error: --cert fails with 'disabled': No such file or directory (errno=2)
localhost openvpn[1660]: Options error: --key fails with 'disabled': No such file or directory (errno=2)
(the lines would say the default /etc/openvpn/client.crt if I hadn't specified (cert "disabled") etc. in the guix service config)
I need a way to prevent these lines from being generated into the config file.
On a related note, it would be great if other configuration options were added to this service as well. Below is my openvpn-client-service config, where the commented lines are from the regular config file I'm trying to define; as you can see, many of the config options can't be specified by openvpn-client-service (e.g. the cipher option, the replay-window option, etc.):
(openvpn-client-service
 #:config
 (let* ((myuser "myuser")
        (base-dir (string-append "/home/" myuser
                                 "/src/my-guixsd-config/etc_openvpn/")))
   (openvpn-client-configuration
    ;; client
    (dev 'tun)
    ;; remote-random
    (proto 'udp)
    ;; mute-replay-warnings
    ;; replay-window 256
    ;; remote-cert-tls server line is generated somehow
    ;; remote-cert-tls server
    ;; cipher aes-256-cbc
    ;; ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
    ;; pull
    ;; nobind
    (bind? #f)
    ;; reneg-sec 432000
    ;; resolv-retry infinite
    (resolv-retry? #t)
    ;; compress lzo
    (comp-lzo? #t)
    ;; verb 3
    (verbosity 3)
    ;; persist-key
    (persist-key? #t)
    ;; persist-tun
    (persist-tun? #t)
    ;; auth-user-pass /etc/openvpn/credentials
    (auth-user-pass (string-append base-dir "credentials"))
    ;; ca /etc/openvpn/ovpn-ca.crt
    (ca (string-append base-dir "ovpn-ca.crt"))
    ;; tls-auth /etc/openvpn/ovpn-tls.key 1
    (tls-auth (string-append base-dir "ovpn-tls.key"))
    ;; Generates error messages in /var/log/messages about missing
    ;; /etc/openvpn/client.crt etc.
    (key "disabled")
    (cert "disabled")
    ;; log /tmp/openvpn.log
    ;; script-security 2
    ;; resolv-conf scripts not needed for guix
    ;; up /etc/openvpn/update-resolv-conf
    ;; down /etc/openvpn/update-resolv-conf
    (fast-io? #t)
    (remote
     (list
      ;; Resolves to multiple vpn servers in location
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com")
       (port 1196))
      (openvpn-remote-configuration
       (name "pool-1.prd.se.sthlm.ovpn.com")
       (port 1197))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com")
       (port 1196))
      (openvpn-remote-configuration
       (name "pool-2.prd.se.sthlm.ovpn.com")
       (port 1197)))))))
Best regards,
David
Information forwarded to bug-guix <at> gnu.org: bug#42544; Package guix. (Tue, 28 Jul 2020 04:28:01 GMT)
Message #8 received at 42544 <at> debbugs.gnu.org (full text, mbox):
On 2020-07-26 04:53, david larsson wrote:
> Hi,
> I have a vpn configuration that doesn't use cert and key configuration
> lines so I receive errors like the following in /var/log/messages when
> trying to start the vpn-client service:
>
> localhost openvpn[1660]: Options error: --cert fails with 'disabled':
> No such file or directory (errno=2)
> localhost openvpn[1660]: Options error: --key fails with 'disabled':
> No such file or directory (errno=2)
>
> (the lines would say the default /etc/openvpn/client.crt if I wouldn't
> have specified (cert "disabled") etc. in the guix service config)
>
>
> I need a way to disable that these lines are being generated to the
> config-file.
>
Can be solved by changing those options to maybe-strings in
gnu/services/vpn.scm and setting the default to disabled:
(cert
 ;;(string "/etc/openvpn/client.crt")
 (maybe-string 'disabled)
 "The certificate of the machine the daemon is running on. It should be signed
by the authority given in @code{ca}.")
(key
 ;;(string "/etc/openvpn/client.key")
 (maybe-string 'disabled)
 "The key of the machine the daemon is running on. It must be the key whose
certificate is @code{cert}.")
I may eventually send some patches, including the addition of some more
config-options.
Best regards,
David
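To make the maybe-string behaviour concrete, here is an added, stand-alone Guile example (it is not the Guix serializer from gnu/services/vpn.scm, only an illustration of the same idea) that renders a small OpenVPN client config and emits nothing for a field set to 'disabled; the field list, paths and remotes are a constructed sample modelled on the report above.

```scheme
(use-modules (ice-9 match) (srfi srfi-1))

;; Field name -> OpenVPN keyword: `verbosity' -> "verb", trailing "?" dropped.
(define (field->keyword name)
  (let ((str (symbol->string name)))
    (cond ((eq? name 'verbosity) "verb")
          ((string-suffix? "?" str)
           (substring str 0 (- (string-length str) 1)))
          (else str))))

;; Render one (name . value) pair.  'disabled renders as nothing at all,
;; so a disabled `cert'/`key' yields no --cert/--key error at startup.
(define (serialize-field name value)
  (match value
    ('disabled "")
    (#t (string-append (field->keyword name) "\n"))
    (#f (if (eq? name 'bind?) "nobind\n" ""))
    (((host . port) ...)
     (string-concatenate
      (map (lambda (h p) (format #f "remote ~a ~a\n" h p)) host port)))
    (_ (format #f "~a ~a\n" (field->keyword name) value))))

(define (serialize-config fields)
  (string-concatenate
   (map (match-lambda ((name . value) (serialize-field name value)))
        fields)))

;; True when some line of TEXT starts with KEYWORD followed by a space.
(define (config-has-option? text keyword)
  (any (lambda (line) (string-prefix? (string-append keyword " ") line))
       (string-split text #\newline)))

;; Constructed sample modelled on the reporter's configuration (illustrative paths).
(define sample-config
  '((dev . tun) (proto . udp) (bind? . #f)
    (persist-key? . #t) (persist-tun? . #t) (comp-lzo? . #t)
    (verbosity . 3)
    (auth-user-pass . "/etc/openvpn/credentials")
    (ca . "/etc/openvpn/ovpn-ca.crt")
    (tls-auth . "/etc/openvpn/ovpn-tls.key")
    (cert . disabled)            ; -> no "cert" line
    (key . disabled)             ; -> no "key" line
    (remote . (("pool-1.prd.se.sthlm.ovpn.com" . 1196)
               ("pool-2.prd.se.sthlm.ovpn.com" . 1197)))))

(let ((text (serialize-config sample-config)))
  (display text)
  (format #t "cert present: ~a, key present: ~a\n"
          (config-has-option? text "cert") (config-has-option? text "key")))
```

Running it prints a config with `nobind`, `verb 3` and two `remote` lines but no `cert` or `key` line, which is exactly what the reporter's setup (auth-user-pass plus tls-auth and ca) needs.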
Information forwarded to bug-guix <at> gnu.org: bug#42544; Package guix. (Fri, 31 Jul 2020 23:46:01 GMT)
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
From 5014aa2f455b127deaa013f327dc1cc42d0e1772 Mon Sep 17 00:00:00 2001
From: David Larsson <david.larsson <at> selfhosted.xyz>
Date: Sat, 1 Aug 2020 00:16:02 +0200
Subject: [bug#42544] [PATCH]: gnu: services: Make some openvpn options
optional to include in the openvpn config file.
* gnu/services/vpn.scm (openvpn-client-configuration)
(openvpn-server-configuration): Change cert and key options to type
maybe-string.
---
gnu/services/vpn.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 658d5c3e88..6155fd7938 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2017 Julien Lepiller <julien <at> lepiller.eu>
;;; Copyright © 2017 Clément Lassieur <clement <at> lassieur.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe <at> gmail.com>
+;;; Copyright © 2020 David Larsson <david.larsson <at> selfhosted.xyz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -277,12 +278,12 @@ servers.")
"The certificate authority to check connections against.")
(cert
- (string "/etc/openvpn/client.crt")
+ (maybe-string 'disabled)
"The certificate of the machine the daemon is running on. It should
be signed
by the authority given in @code{ca}.")
(key
- (string "/etc/openvpn/client.key")
+ (maybe-string 'disabled)
"The key of the machine the daemon is running on. It must be the
key whose
certificate is @code{cert}.")
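Review bot: the commit message says both openvpn-client-configuration and openvpn-server-configuration get the maybe-string change, but this is the only hunk that touches cert/key (the diffstat agrees: 3 insertions, 2 deletions), so either the second definition is missing from the patch or the message should drop it. Also worth stating in the docstrings and the commit message: the default moves from "/etc/openvpn/client.crt" and "/etc/openvpn/client.key" to 'disabled, so existing configurations that relied on the implicit default paths will silently stop passing --cert/--key after this change; consider keeping the old paths as the default and letting users set 'disabled explicitly, or at least documenting the behaviour change.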
--
2.18.0