[RFC/RDY] make l2tp work with Strongswan #31019
++ optional (cfg.basePackages ? networkmanager_l2tp) | ||
{ | ||
target = "ipsec.d/stub"; | ||
text = ""; |
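Review bot: `ipsec.d/stub` with an empty `text` ships a throwaway file just to make the `ipsec.d` directory exist; since the directory is the actual requirement, create it directly (the later revision lets systemd create the folders) instead of placing an empty file in the directory that holds the VPN secrets.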
Here I just want to create the ipsec.d folder but didn't know how to do it without creating a stub file.
# with nopeerdns, ppp writes into this folder | ||
environment.etc."ppp/stub".text = '' | ||
''; |
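Review bot: same stub-file workaround as for `ipsec.d`, and the empty multi-line string `'' ''` is harder to read than the `text = "";` used for the first stub; if the stub stays, use the same form in both places, but preferably replace both with direct directory creation, since ppp only needs `/etc/ppp` to exist in order to write its resolv.conf there when `nopeerdns` is set.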
Same problem, I dunno how to create just the folder.
config = with cfg; | ||
let | ||
# would like to add some path when network manager is enabled | ||
secrets2 = cfg.secrets ++ [ "toto" ]; |
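Review bot: `"toto"` is a debugging value and must not be in the merged change; the comment says the intent is `lib.optional networkmanager_l2tp "/etc/ipsec.d/*.secrets"`, and if the appended entry never shows up in the generated file, first check that the file is rendered from `secrets2` rather than still from `cfg.secrets`, because `++` here builds a new list and leaves `cfg.secrets` itself unchanged.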
Here in principle it should conditionally add lib.optional networkmanager_l2tp "/etc/ipsec.d/*.secrets", but whatever I do it never makes it into secrets2. For instance, here 'toto' is not written to the file. I suspect cfg.secrets only partially supports the ++ operator (like it discards its content). The PR should not be merged as long as this is not fixed.
I fixed my previous comments by letting systemd create the folders and believe it's (finally) ready.
The new version brings a new panel in the IPsec settings which allows re-enabling old algorithms for IPsec phases 1/2 (dropped in recent libreswan/strongswan etc.). It also updates the homepage with the new one.

l2tp saves its secrets into /etc/ipsec.d, but strongswan would not read them. l2tp checks whether /etc/ipsec.secrets includes /etc/ipsec.d and, if not, tries to write into it. Solution: have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find the l2tp secrets. Also, when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file, /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist, so the module creates it by default.
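The arrangement described above (directories created by systemd rather than stub files, and strongswan's generated ipsec.secrets pulling in whatever NetworkManager-l2tp writes under /etc/ipsec.d), written out as an added example of a NixOS configuration; this is not the PR's code, and it assumes that the `services.strongswan.secrets` option renders each entry as an `include` line in the store-generated ipsec.secrets and that `systemd.tmpfiles.rules` is available.

```nix
{ config, pkgs, lib, ... }:

{
  services.strongswan = {
    enable = true;
    # Assumption: each entry becomes an "include <path>" line in the
    # ipsec.secrets that the module writes into the store. strongswan's
    # include directive accepts a glob, so every *.secrets file that
    # NetworkManager-l2tp drops into /etc/ipsec.d is picked up.
    secrets = [ "/etc/ipsec.d/*.secrets" ];
  };

  # Create the directories at boot with systemd-tmpfiles instead of
  # shipping empty stub files through environment.etc.
  systemd.tmpfiles.rules = [
    # Holds VPN credentials: root-only.
    "d /etc/ipsec.d 0700 root root -"
    # With 'nopeerdns', ppp writes /etc/ppp/resolv.conf; the directory
    # must exist or the connection fails at the DNS step.
    "d /etc/ppp 0755 root root -"
  ];
}
```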
Thanks!

Thanks for merging this. I must say that when I marked the PR as READY it did work; I tried it recently and it didn't work anymore, and I haven't had the chance to inquire into it. The changes you merged are definitely necessary to make it work, though. I just note it for other people who might have problems. Maybe the problems were due to other nix components and have been fixed by now. I will check again soon.
Motivation for this change
I badly needed l2tp VPN to work for my job so I fought hard with 0 experience on the matter. After a 1-month struggle (#30147), here is the PR.
I hope this is how it should be done, I am not sure yet on which nixos files should go where (concerning /etc files).
This is definitely the kind of setup that could use some tests but I've already spent way too much time on this so.
Big thanks to the l2tp maintainer who has been immensely helpful.