1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
3 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
5 ;;; This file is part of GNU Guix.
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20 (define-module (gnu services vpn)
21 #:use-module (gnu services)
22 #:use-module (gnu services configuration)
23 #:use-module (gnu services shepherd)
24 #:use-module (gnu system shadow)
25 #:use-module (gnu packages admin)
26 #:use-module (gnu packages vpn)
27 #:use-module (guix packages)
28 #:use-module (guix records)
29 #:use-module (guix gexp)
30 #:use-module (srfi srfi-1)
31 #:use-module (ice-9 match)
32 #:use-module (ice-9 regex)
33 #:export (openvpn-client-service
34 openvpn-server-service
35 openvpn-client-service-type
36 openvpn-server-service-type
37 openvpn-client-configuration
38 openvpn-server-configuration
39 openvpn-remote-configuration
40 openvpn-ccd-configuration
41 generate-openvpn-client-documentation
42 generate-openvpn-server-documentation))
48 (define (uglify-field-name name)
51 (_ (let ((str (symbol->string name)))
52 (if (string-suffix? "?" str)
53 (substring str 0 (1- (string-length str)))
56 (define (serialize-field field-name val)
57 (if (eq? field-name 'pid-file)
59 (format #t "~a ~a\n" (uglify-field-name field-name) val)))
60 (define serialize-string serialize-field)
61 (define (serialize-boolean field-name val)
63 (serialize-field field-name val)
66 (define (ip-mask? val)
68 (if (string-match "^([0-9]+\\.){3}[0-9]+ ([0-9]+\\.){3}[0-9]+$" val)
69 (let ((numbers (string-tokenize val char-set:digit)))
70 (all-lte numbers (list 255 255 255 255 255 255 255 255)))
72 (define serialize-ip-mask serialize-string)
74 (define-syntax define-enumerated-field-type
76 (define (id-append ctx . parts)
77 (datum->syntax ctx (apply symbol-append (map syntax->datum parts))))
79 ((_ name (option ...))
81 (define (#,(id-append #'name #'name #'?) x)
82 (memq x '(option ...)))
83 (define (#,(id-append #'name #'serialize- #'name) field-name val)
84 (serialize-field field-name val)))))))
86 (define-enumerated-field-type proto
88 (define-enumerated-field-type dev
91 (define key-usage? boolean?)
92 (define (serialize-key-usage field-name value)
94 (format #t "remote-cert-tls server\n")
97 (define bind? boolean?)
98 (define (serialize-bind field-name value)
101 (format #t "nobind\n")))
103 (define resolv-retry? boolean?)
104 (define (serialize-resolv-retry field-name value)
106 (format #t "resolv-retry infinite\n")
109 (define (serialize-tls-auth role location)
110 (serialize-field 'tls-auth
111 (string-append location " " (match role
114 (define (tls-auth? val)
117 (define (serialize-tls-auth-server field-name val)
118 (serialize-tls-auth 'server val))
119 (define (serialize-tls-auth-client field-name val)
120 (serialize-tls-auth 'client val))
121 (define tls-auth-server? tls-auth?)
122 (define tls-auth-client? tls-auth?)
124 (define (serialize-number field-name val)
125 (serialize-field field-name (number->string val)))
127 (define (all-lte left right)
130 (and (<= (string->number (car left)) (car right))
131 (all-lte (cdr left) (cdr right)))))
135 (if (string-match "^([0-9]+\\.){3}[0-9]+/[0-9]+$" val)
136 (let ((numbers (string-tokenize val char-set:digit)))
137 (all-lte numbers (list 255 255 255 255 32)))
143 (string-match "^([0-9a-f]{0,4}:){0,8}/[0-9]{1,3}$" val)
146 (define (serialize-cidr4 field-name val)
147 (if (eq? val #f) #f (serialize-field field-name val)))
149 (define (serialize-cidr6 field-name val)
150 (if (eq? val #f) #f (serialize-field field-name val)))
154 (if (string-match "^([0-9]+\\.){3}[0-9]+$" val)
155 (let ((numbers (string-tokenize val char-set:digit)))
156 (all-lte numbers (list 255 255 255 255)))
159 (define (serialize-ip field-name val)
160 (if (eq? val #f) #f (serialize-field field-name val)))
162 (define (keepalive? val)
164 (and (number? (car val))
165 (number? (car (cdr val))))))
166 (define (serialize-keepalive field-name val)
167 (format #t "~a ~a ~a\n" (uglify-field-name field-name)
168 (number->string (car val)) (number->string (car (cdr val)))))
170 (define gateway? boolean?)
171 (define (serialize-gateway field-name val)
173 (format #t "push \"redirect-gateway\"\n")))
176 (define-configuration openvpn-remote-configuration
182 "Port number the server listens to."))
184 (define-configuration openvpn-ccd-configuration
190 "Client own network")
195 (define (openvpn-remote-list? val)
198 (and (openvpn-remote-configuration? (car val))
199 (openvpn-remote-list? (cdr val))))))
200 (define (serialize-openvpn-remote-list field-name val)
201 (for-each (lambda (remote)
202 (format #t "remote ~a ~a\n" (openvpn-remote-configuration-name remote)
203 (number->string (openvpn-remote-configuration-port remote))))
206 (define (openvpn-ccd-list? val)
209 (and (openvpn-ccd-configuration? (car val))
210 (openvpn-ccd-list? (cdr val))))))
211 (define (serialize-openvpn-ccd-list field-name val)
214 (define (create-ccd-directory val)
215 "Create a ccd directory containing files for the ccd configuration option
216 of OpenVPN. Each file in this directory represents particular settings for a
217 client. Each file is named after the name of the client."
218 (let ((files (map (lambda (ccd)
219 (list (openvpn-ccd-configuration-name ccd)
220 (with-output-to-string
222 (serialize-configuration
223 ccd openvpn-ccd-configuration-fields)))))
226 (with-imported-modules '((guix build utils))
228 (use-modules (guix build utils))
229 (use-modules (ice-9 match))
234 ((name config-string)
235 (call-with-output-file
236 (string-append #$output "/" name)
237 (lambda (port) (display config-string port))))))
240 (define-syntax define-split-configuration
243 ((_ name1 name2 (common-option ...) (first-option ...) (second-option ...))
245 (define-configuration #,#'name1
248 (define-configuration #,#'name2
250 second-option ...))))))
252 (define-split-configuration openvpn-client-configuration
253 openvpn-server-configuration
256 "The OpenVPN package.")
259 (string "/var/run/openvpn/openvpn.pid")
260 "The OpenVPN pid file.")
264 "The protocol (UDP or TCP) used to open a channel between clients and
269 "The device type used to represent the VPN connection.")
272 (string "/etc/openvpn/ca.crt")
273 "The certificate authority to check connections against.")
276 (string "/etc/openvpn/client.crt")
277 "The certificate of the machine the daemon is running on. It should be signed
278 by the authority given in @code{ca}.")
281 (string "/etc/openvpn/client.key")
282 "The key of the machine the daemon is running on. It must be the whose
283 certificate is @code{cert}.")
287 "Whether to use the lzo compression algorithm.")
291 "Don't re-read key files across SIGUSR1 or --ping-restart.")
295 "Don't close and reopen TUN/TAP device or run up/down scripts across
296 SIGUSR1 or --ping-restart restarts.")
301 ;; client-specific configuration
304 "Add an additional layer of HMAC authentication on top of the TLS control
305 channel to protect against DoS attacks.")
309 "Whether to check the server certificate has server usage extension.")
313 "Bind to a specific local port number.")
317 "Retry resolving server address.")
320 (openvpn-remote-list '())
321 "A list of remote servers to connect to."))
322 ;; server-specific configuration
325 "Add an additional layer of HMAC authentication on top of the TLS control
326 channel to protect against DoS attacks.")
330 "Specifies the port number on which the server listens.")
333 (ip-mask "10.8.0.0 255.255.255.0")
334 "An ip and mask specifying the subnet inside the virtual network.")
338 "A CIDR notation specifying the IPv6 subnet inside the virtual network.")
341 (string "/etc/openvpn/dh2048.pem")
342 "The Diffie-Hellman parameters file.")
344 (ifconfig-pool-persist
345 (string "/etc/openvpn/ipp.txt")
346 "The file that records client IPs.")
350 "When true, the server will act as a gateway for its clients.")
354 "When true, clients are alowed to talk to each other inside the VPN.")
357 (keepalive '(10 120))
358 "Causes ping-like messages to be sent back and forth over the link so that
359 each side knows when the other side has gone down. @code{keepalive} requires
360 a pair. The first element is the period of the ping sending, and the second
361 element is the timeout before considering the other side down.")
365 "The maximum number of clients.")
368 (string "/var/run/openvpn/status")
369 "The status file. This file shows a small report on current connection. It
370 is trunkated and rewritten every minute.")
373 (openvpn-ccd-list '())
374 "The list of configuration for some clients.")))
376 (define (openvpn-config-file role config)
378 (with-output-to-string
380 (serialize-configuration config
383 openvpn-server-configuration-fields)
385 openvpn-client-configuration-fields))))))
387 ('server (create-ccd-directory
388 (openvpn-server-configuration-client-config-dir
391 (computed-file "openvpn.conf"
393 (use-modules (ice-9 match))
394 (call-with-output-file #$output
397 ('server (display "" port))
398 ('client (display "client\n" port)))
399 (display #$config-str port)
402 (string-append "client-config-dir "
403 #$ccd-dir "\n") port))
404 ('client (display "" port)))))))))
406 (define (openvpn-shepherd-service role)
408 (let* ((config-file (openvpn-config-file role config))
409 (pid-file ((match role
410 ('server openvpn-server-configuration-pid-file)
411 ('client openvpn-client-configuration-pid-file))
413 (openvpn ((match role
414 ('server openvpn-server-configuration-openvpn)
415 ('client openvpn-client-configuration-openvpn))
417 (log-file (match role
418 ('server "/var/log/openvpn-server.log")
419 ('client "/var/log/openvpn-client.log"))))
420 (list (shepherd-service
421 (documentation (string-append "Run the OpenVPN "
426 (provision (match role
427 ('server '(vpn-server))
428 ('client '(vpn-client))))
429 (requirement '(networking))
430 (start #~(make-forkexec-constructor
431 (list (string-append #$openvpn "/sbin/openvpn")
432 "--writepid" #$pid-file "--config" #$config-file
434 #:pid-file #$pid-file))
435 (stop #~(make-kill-destructor)))))))
437 (define %openvpn-accounts
438 (list (user-group (name "openvpn") (system? #t))
443 (comment "Openvpn daemon user")
444 (home-directory "/var/empty")
445 (shell (file-append shadow "/sbin/nologin")))))
447 (define %openvpn-activation
449 (use-modules (guix build utils))
450 (mkdir-p "/var/run/openvpn")))
452 (define openvpn-server-service-type
453 (service-type (name 'openvpn-server)
455 (list (service-extension shepherd-root-service-type
456 (openvpn-shepherd-service 'server))
457 (service-extension account-service-type
458 (const %openvpn-accounts))
459 (service-extension activation-service-type
460 (const %openvpn-activation))))))
462 (define openvpn-client-service-type
463 (service-type (name 'openvpn-client)
465 (list (service-extension shepherd-root-service-type
466 (openvpn-shepherd-service 'client))
467 (service-extension account-service-type
468 (const %openvpn-accounts))
469 (service-extension activation-service-type
470 (const %openvpn-activation))))))
472 (define* (openvpn-client-service #:key (config (openvpn-client-configuration)))
473 (validate-configuration config openvpn-client-configuration-fields)
474 (service openvpn-client-service-type config))
476 (define* (openvpn-server-service #:key (config (openvpn-server-configuration)))
477 (validate-configuration config openvpn-server-configuration-fields)
478 (service openvpn-server-service-type config))
480 (define (generate-openvpn-server-documentation)
481 (generate-documentation
482 `((openvpn-server-configuration
483 ,openvpn-server-configuration-fields
484 (ccd openvpn-ccd-configuration))
485 (openvpn-ccd-configuration ,openvpn-ccd-configuration-fields))
486 'openvpn-server-configuration))
488 (define (generate-openvpn-client-documentation)
489 (generate-documentation
490 `((openvpn-client-configuration
491 ,openvpn-client-configuration-fields
492 (remote openvpn-remote-configuration))
493 (openvpn-remote-configuration ,openvpn-remote-configuration-fields))
494 'openvpn-client-configuration))