openvpn: add option to store credentials #33890

lschuermann · 2018-01-15T07:43:46Z

Motivation for this change

Many commercial and also a few private OpenVPN Servers don't allow public/private key based authentication but instead require a username/password combination. This change allows these credentials to be set inside the NixOS configuration, enabling to automatically connect to these VPNs.

Things done

Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
Built on platform(s)
- NixOS
- macOS
- other Linux distributions
Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
Tested execution of all binary files (usually in ./result/bin/)
Fits CONTRIBUTING.md.

I'm currently facing the issue, that the generated credentials file inside the Nix-store is readable by all users. I have not found any way to set permissions with the pkgs.writeTextFile functions. Is it possible to protect the credentials-file and if so, how can I accomplish that?

Mic92 · 2018-01-15T13:43:51Z

nixos/modules/services/networking/openvpn.nix

@@ -161,6 +166,27 @@ in
            '';
          };

+          authUserPass = mkOption {


There should be a warning, that using this option, will put user and password world-readable in nix store.
To avoid this a user would have to specify a file path for auth-user-pass in services.openvpn.servers.<name>.config instead.
For the latter one, we could also provide an option.

Setting the credentials inside the NixOS configuration would really help in many situations, even with the compromise of a world-readable username/password.

I'm not entirely sure though if we should provide an additional option to configure a custom credentials-file, as this is just a generic OpenVPN option. I guess it would make more sense when, at some point, the OpenVPN configuration can be done with the Nix language entirely. The only reason for this change is, that it is not possible to set the credentials from the NixOS configuration otherwise. What do you think?

Also, I guess that this use-case is not the only one which could benefit from credentials being stored somewhat safely inside the Nix store. Is there really no option to accomplish that / something planned?

See NixOS/nix#8 and NixOS/rfcs#5
It's not trivial to solve. Therefore we need to live with the status quo.

Mic92 · 2018-01-16T08:18:55Z

Thanks!

openvpn: add option to store credentials

e45a06e

GrahamcOfBorg added 10.rebuild-darwin: 0 10.rebuild-linux: 0 labels Jan 15, 2018

Mic92 reviewed Jan 15, 2018

View reviewed changes

openvpn: add warning about world-readable credentials

22e83d2

Mic92 merged commit c4d37f1 into NixOS:master Jan 16, 2018

lschuermann deleted the openvpn-auth-user-pass branch October 14, 2018 09:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

openvpn: add option to store credentials #33890

openvpn: add option to store credentials #33890

lschuermann commented Jan 15, 2018 •

edited

Mic92 Jan 15, 2018 •

edited

lschuermann Jan 15, 2018

lschuermann Jan 15, 2018

Mic92 Jan 16, 2018 •

edited

Mic92 commented Jan 16, 2018

openvpn: add option to store credentials #33890

openvpn: add option to store credentials #33890

Conversation

lschuermann commented Jan 15, 2018 • edited

Motivation for this change

Things done

Mic92 Jan 15, 2018 • edited

Choose a reason for hiding this comment

lschuermann Jan 15, 2018

Choose a reason for hiding this comment

lschuermann Jan 15, 2018

Choose a reason for hiding this comment

Mic92 Jan 16, 2018 • edited

Choose a reason for hiding this comment

Mic92 commented Jan 16, 2018

lschuermann commented Jan 15, 2018 •

edited

Mic92 Jan 15, 2018 •

edited

Mic92 Jan 16, 2018 •

edited