

6.2.7.13 VPN Services

The (gnu services vpn) module provides services related to virtual private networks (VPNs). It provides a client service for your machine to connect to a VPN, and a server service for your machine to host a VPN. Both services use OpenVPN.

Scheme Procedure: openvpn-client-service [#:config (openvpn-client-configuration)]

Return a service that runs openvpn, a VPN daemon, as a client.

Scheme Procedure: openvpn-server-service [#:config (openvpn-server-configuration)]

Return a service that runs openvpn, a VPN daemon, as a server.

Both can be run simultaneously. If you do, give each a distinct pid-file, since the client and server configurations both default to ‘"/var/run/openvpn/openvpn.pid"’.

Available openvpn-client-configuration fields are:

openvpn-client-configuration parameter: package openvpn

The OpenVPN package.

openvpn-client-configuration parameter: string pid-file

The OpenVPN pid file.

Defaults to ‘"/var/run/openvpn/openvpn.pid"’.

openvpn-client-configuration parameter: proto proto

The protocol (UDP or TCP) used to open a channel between clients and servers.

Defaults to ‘udp’.

openvpn-client-configuration parameter: dev dev

The device type used to represent the VPN connection: ‘tun’ for a layer-3 (IP) tunnel or ‘tap’ for a layer-2 (Ethernet) tunnel.

Defaults to ‘tun’.

openvpn-client-configuration parameter: string ca

The certificate authority to check connections against.

Defaults to ‘"/etc/openvpn/ca.crt"’.

openvpn-client-configuration parameter: string cert

The certificate of the machine the daemon is running on. It should be signed by the authority given in ca.

Defaults to ‘"/etc/openvpn/client.crt"’.

openvpn-client-configuration parameter: string key

The key of the machine the daemon is running on. It must be the key whose certificate is cert.

Defaults to ‘"/etc/openvpn/client.key"’.

openvpn-client-configuration parameter: boolean comp-lzo?

Whether to use the lzo compression algorithm.

Defaults to ‘#t’.

openvpn-client-configuration parameter: boolean persist-key?

Don’t re-read key files across SIGUSR1 or --ping-restart.

Defaults to ‘#t’.

openvpn-client-configuration parameter: boolean persist-tun?

Don’t close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

Defaults to ‘#t’.

openvpn-client-configuration parameter: number verbosity

Verbosity level.

Defaults to ‘3’.

openvpn-client-configuration parameter: tls-auth-client tls-auth

Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. When set, the value is the path to a static key file; the server must be given the same file.

Defaults to ‘#f’.

openvpn-client-configuration parameter: key-usage verify-key-usage?

Whether to check that the server certificate carries the server key-usage extension. Leave this enabled: without it, any client certificate signed by the same CA could be presented by a man-in-the-middle as if it were the server's.

Defaults to ‘#t’.

openvpn-client-configuration parameter: bind bind?

Bind to a specific local port number.

Defaults to ‘#f’.

openvpn-client-configuration parameter: resolv-retry resolv-retry?

Retry resolving server address.

Defaults to ‘#t’.

openvpn-client-configuration parameter: openvpn-remote-list remote

A list of remote servers to connect to.

Defaults to ‘()’.

Available openvpn-remote-configuration fields are:

openvpn-remote-configuration parameter: string name

Server host name or IP address.

Defaults to ‘"my-server"’.

openvpn-remote-configuration parameter: number port

Port number the server listens on.

Defaults to ‘1194’.
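The following is an added example, not code from the Guix manual or the Guix source: a complete client service declaration built from the fields documented above, with the settings a practitioner would want spelled out (key-usage verification kept on, a tls-auth static key, compression off). The host names, the port and every path under /etc/openvpn/ are assumptions.

```scheme
;; Added example, not taken from the Guix manual or the Guix source.
;; Host names, ports and the /etc/openvpn/ paths are assumptions.
(use-modules (gnu services vpn))

(define %vpn-client
  (openvpn-client-service
   #:config
   (openvpn-client-configuration
    (proto 'udp)                       ; the default; 'tcp is also accepted
    (dev 'tun)                         ; layer-3 tunnel
    ;; Trust anchor and this machine's identity.  The key file should be
    ;; readable by root only.
    (ca "/etc/openvpn/ca.crt")
    (cert "/etc/openvpn/client.crt")
    (key "/etc/openvpn/client.key")
    ;; Require the server key-usage extension on the peer certificate, so
    ;; another client's certificate (signed by the same CA) cannot be
    ;; used to impersonate the server.
    (verify-key-usage? #t)
    ;; Static key for the extra HMAC layer on the control channel
    ;; (assumed path).  The server must point at the same file.
    (tls-auth "/etc/openvpn/ta.key")
    ;; Leave compression off: compressing before encrypting can leak
    ;; information about the plaintext.
    (comp-lzo? #f)
    (bind? #f)                         ; use an ephemeral local port
    (resolv-retry? #t)                 ; keep retrying DNS after a restart
    (verbosity 3)
    ;; Servers are tried in order; both names are assumptions.
    (remote (list (openvpn-remote-configuration
                   (name "vpn1.example.org")
                   (port 1194))
                  (openvpn-remote-configuration
                   (name "vpn2.example.org")
                   (port 1194)))))))

;; Add %vpn-client to the ‘services’ field of the operating-system
;; declaration, e.g. (services (cons %vpn-client %base-services)).
```

Two of these choices deserve a word. verify-key-usage? is already the default, but it is the setting that stops any holder of a client certificate from the same CA from posing as the server, so it is worth stating explicitly rather than relying on the default. comp-lzo? defaults to ‘#t’; turning it off costs bandwidth but removes a channel through which compression ratios can reveal something about the traffic.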

Available openvpn-server-configuration fields are:

openvpn-server-configuration parameter: package openvpn

The OpenVPN package.

openvpn-server-configuration parameter: string pid-file

The OpenVPN pid file.

Defaults to ‘"/var/run/openvpn/openvpn.pid"’.

openvpn-server-configuration parameter: proto proto

The protocol (UDP or TCP) used to open a channel between clients and servers.

Defaults to ‘udp’.

openvpn-server-configuration parameter: dev dev

The device type used to represent the VPN connection: ‘tun’ for a layer-3 (IP) tunnel or ‘tap’ for a layer-2 (Ethernet) tunnel.

Defaults to ‘tun’.

openvpn-server-configuration parameter: string ca

The certificate authority to check connections against.

Defaults to ‘"/etc/openvpn/ca.crt"’.

openvpn-server-configuration parameter: string cert

The certificate of the machine the daemon is running on. It should be signed by the authority given in ca.

Defaults to ‘"/etc/openvpn/client.crt"’.

openvpn-server-configuration parameter: string key

The key of the machine the daemon is running on. It must be the key whose certificate is cert.

Defaults to ‘"/etc/openvpn/client.key"’.

openvpn-server-configuration parameter: boolean comp-lzo?

Whether to use the lzo compression algorithm.

Defaults to ‘#t’.

openvpn-server-configuration parameter: boolean persist-key?

Don’t re-read key files across SIGUSR1 or --ping-restart.

Defaults to ‘#t’.

openvpn-server-configuration parameter: boolean persist-tun?

Don’t close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

Defaults to ‘#t’.

openvpn-server-configuration parameter: number verbosity

Verbosity level.

Defaults to ‘3’.

openvpn-server-configuration parameter: tls-auth-server tls-auth

Add an additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks. When set, the value is the path to a static key file; the clients must be given the same file.

Defaults to ‘#f’.

openvpn-server-configuration parameter: number port

Specifies the port number on which the server listens.

Defaults to ‘1194’.

openvpn-server-configuration parameter: ip-mask server

An IP address and netmask specifying the subnet inside the virtual network, from which client addresses are allocated.

Defaults to ‘"10.8.0.0 255.255.255.0"’.

openvpn-server-configuration parameter: cidr6 server-ipv6

The IPv6 subnet inside the virtual network, in CIDR notation.

Defaults to ‘#f’.

openvpn-server-configuration parameter: string dh

The Diffie-Hellman parameters file.

Defaults to ‘"/etc/openvpn/dh2048.pem"’.

openvpn-server-configuration parameter: string ifconfig-pool-persist

The file in which the virtual IP assigned to each client is recorded, so that a client gets the same address again across server restarts.

Defaults to ‘"/etc/openvpn/ipp.txt"’.

openvpn-server-configuration parameter: gateway redirect-gateway?

When true, the server pushes a default route to its clients, so that all of their traffic is sent through the VPN.

Defaults to ‘#f’.

openvpn-server-configuration parameter: boolean client-to-client?

When true, clients are allowed to talk to each other inside the VPN.

Defaults to ‘#f’.

openvpn-server-configuration parameter: keepalive keepalive

Causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. The value is a pair of numbers, in seconds: the first is the interval between pings, the second the timeout after which the other side is considered down.

openvpn-server-configuration parameter: number max-clients

The maximum number of clients.

Defaults to ‘100’.

openvpn-server-configuration parameter: string status

The status file. This file holds a short report on the current connections. It is truncated and rewritten every minute.

Defaults to ‘"/var/run/openvpn/status"’.

openvpn-server-configuration parameter: openvpn-ccd-list client-config-dir

A list of per-client configurations (OpenVPN's client-config-dir); each entry applies to the client whose certificate common name matches its name.

Defaults to ‘()’.

Available openvpn-ccd-configuration fields are:

openvpn-ccd-configuration parameter: string name

Client name.

Defaults to ‘"client"’.

openvpn-ccd-configuration parameter: ip-mask iroute

The client's own network (an address and netmask), i.e. a subnet behind that client to which the server should route through it.

Defaults to ‘#f’.

openvpn-ccd-configuration parameter: ip-mask ifconfig-push

The VPN addresses to push to this client, as a local/remote address pair.

Defaults to ‘#f’.
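The following is an added example, not code from the Guix manual or the Guix source: a server service declaration that exercises the fields above, including one client-config-dir entry for a client that has a LAN behind it. The certificate and key paths, the static key path, the client name and all addresses are assumptions.

```scheme
;; Added example, not taken from the Guix manual or the Guix source.
;; Certificate paths, the static key path, the client name and the
;; addresses are assumptions.
(use-modules (gnu services vpn))

(define %vpn-server
  (openvpn-server-service
   #:config
   (openvpn-server-configuration
    (proto 'udp)
    (dev 'tun)
    (port 1194)
    ;; Server identity.  The documented defaults for ‘cert’ and ‘key’
    ;; point at client.crt/client.key, so set them explicitly.
    (ca "/etc/openvpn/ca.crt")
    (cert "/etc/openvpn/server.crt")
    (key "/etc/openvpn/server.key")
    (dh "/etc/openvpn/dh2048.pem")
    ;; Same static key file as the clients (assumed path).
    (tls-auth "/etc/openvpn/ta.key")
    (comp-lzo? #f)
    ;; Virtual network handed out to clients.
    (server "10.8.0.0 255.255.255.0")
    (ifconfig-pool-persist "/etc/openvpn/ipp.txt")
    ;; Least privilege on the overlay: clients reach only the server
    ;; unless client-to-client? is enabled, and their default route is
    ;; left alone.
    (client-to-client? #f)
    (redirect-gateway? #f)
    ;; Ping every 10 s; declare the peer dead after 120 s of silence.
    (keepalive '(10 120))
    (max-clients 100)
    (status "/var/run/openvpn/status")
    ;; Per-client settings, selected by the common name of the client
    ;; certificate.  This client gets a fixed address pair on its
    ;; point-to-point link and announces a LAN behind it.
    (client-config-dir
     (list (openvpn-ccd-configuration
            (name "branch-router")
            (ifconfig-push "10.8.0.10 10.8.0.9")
            (iroute "192.168.10.0 255.255.255.0")))))))

;; Add %vpn-server to the ‘services’ field of the operating-system
;; declaration, e.g. (services (cons %vpn-server %base-services)).
```

Two caveats. The ccd entry is matched on the common name of the presented client certificate, so the CA must not issue two client certificates with the same common name, or one client will inherit the other's routes. An iroute only tells OpenVPN which client owns 192.168.10.0/24; the host kernel still needs a route for that prefix pointing at the tun device, which is not among the fields documented here and has to be provided by other means.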

Data Type: nginx-upstream-configuration

Data type representing the configuration of an nginx upstream block. This type has the following parameters:

name

Name for this group of servers.

servers

Specify the addresses of the servers in the group. The address can be specified as an IP address (e.g. ‘127.0.0.1’), domain name (e.g. ‘backend1.example.com’) or a path to a UNIX socket using the prefix ‘unix:’. For addresses using an IP address or domain name, the default port is 80, and a different port can be specified explicitly.

Data Type: nginx-location-configuration

Data type representing the configuration of an nginx location block. This type has the following parameters:

uri

URI which this location block matches.

body

Body of the location block, specified as a string. This can contain many configuration directives. For example, to pass requests to an upstream server group defined using an nginx-upstream-configuration block, the following directive would be specified in the body: ‘proxy_pass http://upstream-name;’.

Data Type: nginx-named-location-configuration

Data type representing the configuration of an nginx named location block. Named location blocks are used for request redirection, and not used for regular request processing. This type has the following parameters:

name

Name to identify this location block.

body

See nginx-location-configuration body, as the body for named location blocks can be used in a similar way to the nginx-location-configuration body. One restriction is that the body of a named location block cannot contain location blocks.
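The following is an added example, not code from the Guix manual, showing how the three nginx data types above fit together: a regular location that serves files from disk when they exist and otherwise redirects internally to a named location, which proxies to the upstream group. The upstream name, the backend addresses and the URIs are assumptions, and the bodies are given as strings, as the description of ‘body’ above specifies.

```scheme
;; Added example, not taken from the Guix manual.  The upstream name,
;; backend addresses and URIs are assumptions.
(use-modules (gnu services web))

;; Group of backends reached through proxy_pass.  One loopback TCP
;; address and one UNIX socket, to show both address forms.
(define %app-upstream
  (nginx-upstream-configuration
   (name "app-backend")
   (servers (list "127.0.0.1:8080"
                  "unix:/run/app/app.sock"))))

;; Regular location: serve a file if one exists under the document root,
;; otherwise redirect internally to the named location @app.
(define %app-location
  (nginx-location-configuration
   (uri "/")
   (body "try_files $uri @app;")))

;; Named location: reachable only through internal redirection (a client
;; cannot request "@app" as a URI), so it is the right place to proxy
;; everything that is not a static file.
(define %app-named-location
  (nginx-named-location-configuration
   (name "app")
   (body "proxy_pass http://app-backend;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")))
```

The named location's body refers to the upstream by the name given in %app-upstream, and the regular location's try_files refers to the named location by its name prefixed with ‘@’; both references are resolved by nginx at configuration load time, so a typo in either name fails at startup rather than silently serving the wrong thing.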

