pyrox.dev / nixpkgs
lol
fork atom

nixos/system/boot/initrd-openvpn: Add openvpn options for initrd nixos/tests/initrd-openvpn: Add test for openvpn in the initramfs

The module in this commit adds new options that allows the
integration of an OpenVPN client into the initrd.
This can be used e.g. to remotely unlock LUKS devices.

This commit also adds two tests for `boot.initrd.network.openvpn`.
The first one is a basic test to validate that a failing connection
does not prevent the machine from booting.

The second test validates that this module actually creates a valid
openvpn connection.
For this, it spawns three nodes:

- The client that uses boot.initrd.network.openvpn
- An OpenVPN server that acts as gateway and forwards a port
to the client
- A node that is external to the OpenVPN network

The client connects to the OpenVPN server and spawns a netcat instance
that echos a value to every client.
Afterwards, the external node checks if it receives this value over the
forwarded port on the OpenVPN gateway.

CRTified c684398c db5bbef3

options
unified split
Changed files
+278
nixos
modules
module-list.nix
system
boot
initrd-openvpn.nix
tests
all-tests.nix
initrd-network-openvpn
default.nix
initrd.ovpn
shared.key
+1
nixos/modules/module-list.nix 
···

       
937

       
937

       
 

       
  ./system/boot/grow-partition.nix


     

       
938

       
938

       
 

       
  ./system/boot/initrd-network.nix


     

       
939

       
939

       
 

       
  ./system/boot/initrd-ssh.nix


     

       

       
940

       
+

       
  ./system/boot/initrd-openvpn.nix


     

       
940

       
941

       
 

       
  ./system/boot/kernel.nix


     

       
941

       
942

       
 

       
  ./system/boot/kexec.nix


     

       
942

       
943

       
 

       
  ./system/boot/loader/efi.nix
+81
nixos/modules/system/boot/initrd-openvpn.nix 
···

       

       
1

       
+

       
{ config, lib, pkgs, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       



     

       

       
5

       
+

       
let


     

       

       
6

       
+

       



     

       

       
7

       
+

       
  cfg = config.boot.initrd.network.openvpn;


     

       

       
8

       
+

       
  


     

       

       
9

       
+

       
in


     

       

       
10

       
+

       



     

       

       
11

       
+

       
{


     

       

       
12

       
+

       



     

       

       
13

       
+

       
  options = {


     

       

       
14

       
+

       



     

       

       
15

       
+

       
    boot.initrd.network.openvpn.enable = mkOption {


     

       

       
16

       
+

       
      type = types.bool;


     

       

       
17

       
+

       
      default = false;


     

       

       
18

       
+

       
      description = ''


     

       

       
19

       
+

       
        Starts an OpenVPN client during initrd boot. It can be used to e.g. 


     

       

       
20

       
+

       
        remotely accessing the SSH service controlled by 


     

       

       
21

       
+

       
        <option>boot.initrd.network.ssh</option> or other network services 


     

       

       
22

       
+

       
        included. Service is killed when stage-1 boot is finished.


     

       

       
23

       
+

       
      '';


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
    


     

       

       
26

       
+

       
    boot.initrd.network.openvpn.configuration = mkOption {


     

       

       
27

       
+

       
      type = types.path; # Same type as boot.initrd.secrets


     

       

       
28

       
+

       
      description = ''


     

       

       
29

       
+

       
        The configuration file for OpenVPN. 


     

       

       
30

       
+

       



     

       

       
31

       
+

       
        <warning>


     

       

       
32

       
+

       
          <para>


     

       

       
33

       
+

       
            Unless your bootloader supports initrd secrets, this configuration


     

       

       
34

       
+

       
            is stored insecurely in the global Nix store.


     

       

       
35

       
+

       
          </para>


     

       

       
36

       
+

       
        </warning>


     

       

       
37

       
+

       
      '';


     

       

       
38

       
+

       
      example = "./configuration.ovpn";


     

       

       
39

       
+

       
    };


     

       

       
40

       
+

       



     

       

       
41

       
+

       
  };


     

       

       
42

       
+

       



     

       

       
43

       
+

       
  config = mkIf (config.boot.initrd.network.enable && cfg.enable) {


     

       

       
44

       
+

       
    assertions = [


     

       

       
45

       
+

       
      {


     

       

       
46

       
+

       
        assertion = cfg.configuration != null;


     

       

       
47

       
+

       
        message = "You should specify a configuration for initrd OpenVPN";


     

       

       
48

       
+

       
      }


     

       

       
49

       
+

       
    ];


     

       

       
50

       
+

       
    


     

       

       
51

       
+

       
    # Add kernel modules needed for OpenVPN


     

       

       
52

       
+

       
    boot.initrd.kernelModules = [ "tun" "tap" ];


     

       

       
53

       
+

       



     

       

       
54

       
+

       
    # Add openvpn and ip binaries to the initrd


     

       

       
55

       
+

       
    # The shared libraries are required for DNS resolution


     

       

       
56

       
+

       
    boot.initrd.extraUtilsCommands = ''


     

       

       
57

       
+

       
      copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn


     

       

       
58

       
+

       
      copy_bin_and_libs ${pkgs.iproute}/bin/ip


     

       

       
59

       
+

       



     

       

       
60

       
+

       
      cp -pv ${pkgs.glibc}/lib/libresolv.so.2 $out/lib


     

       

       
61

       
+

       
      cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib


     

       

       
62

       
+

       
    '';


     

       

       
63

       
+

       
    


     

       

       
64

       
+

       
    boot.initrd.secrets = {


     

       

       
65

       
+

       
      "/etc/initrd.ovpn" = cfg.configuration;


     

       

       
66

       
+

       
    };


     

       

       
67

       
+

       
    


     

       

       
68

       
+

       
    # openvpn --version would exit with 1 instead of 0


     

       

       
69

       
+

       
    boot.initrd.extraUtilsCommandsTest = ''


     

       

       
70

       
+

       
      $out/bin/openvpn --show-gateway


     

       

       
71

       
+

       
    '';


     

       

       
72

       
+

       



     

       

       
73

       
+

       
    # Add `iproute /bin/ip` to the config, to ensure that openvpn


     

       

       
74

       
+

       
    # is able to set the routes


     

       

       
75

       
+

       
    boot.initrd.network.postCommands = ''


     

       

       
76

       
+

       
      (cat /etc/initrd.ovpn; echo -e '\niproute /bin/ip') | \


     

       

       
77

       
+

       
        openvpn /dev/stdin &


     

       

       
78

       
+

       
    '';


     

       

       
79

       
+

       
  };


     

       

       
80

       
+

       



     

       

       
81

       
+

       
}
+1
nixos/tests/all-tests.nix 
···

       
150

       
150

       
 

       
  incron = handleTest ./incron.nix {};


     

       
151

       
151

       
 

       
  influxdb = handleTest ./influxdb.nix {};


     

       
152

       
152

       
 

       
  initrd-network-ssh = handleTest ./initrd-network-ssh {};


     

       

       
153

       
+

       
  initrd-network-openvpn = handleTest ./initrd-network-openvpn {};


     

       
153

       
154

       
 

       
  initrdNetwork = handleTest ./initrd-network.nix {};


     

       
154

       
155

       
 

       
  installer = handleTest ./installer.nix {};


     

       
155

       
156

       
 

       
  iodine = handleTest ./iodine.nix {};
+145
nixos/tests/initrd-network-openvpn/default.nix 
···

       

       
1

       
+

       
import ../make-test-python.nix ({ lib, ...}:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  name = "initrd-network-openvpn";


     

       

       
5

       
+

       



     

       

       
6

       
+

       
  nodes =


     

       

       
7

       
+

       
    let


     

       

       
8

       
+

       



     

       

       
9

       
+

       
      # Inlining of the shared secret for the


     

       

       
10

       
+

       
      # OpenVPN server and client


     

       

       
11

       
+

       
      secretblock = ''


     

       

       
12

       
+

       
        secret [inline]


     

       

       
13

       
+

       
        <secret>


     

       

       
14

       
+

       
        ${lib.readFile ./shared.key}


     

       

       
15

       
+

       
        </secret>


     

       

       
16

       
+

       
        '';


     

       

       
17

       
+

       



     

       

       
18

       
+

       
    in


     

       

       
19

       
+

       
    {


     

       

       
20

       
+

       



     

       

       
21

       
+

       
      # Minimal test case to check a successful boot, even with invalid config


     

       

       
22

       
+

       
      minimalboot =


     

       

       
23

       
+

       
        { ... }:


     

       

       
24

       
+

       
        {


     

       

       
25

       
+

       
          boot.initrd.network = {


     

       

       
26

       
+

       
            enable = true;


     

       

       
27

       
+

       
            openvpn = {


     

       

       
28

       
+

       
              enable = true;


     

       

       
29

       
+

       
              configuration = "/dev/null";


     

       

       
30

       
+

       
            };


     

       

       
31

       
+

       
          };


     

       

       
32

       
+

       
        };


     

       

       
33

       
+

       



     

       

       
34

       
+

       
      # initrd VPN client


     

       

       
35

       
+

       
      ovpnclient =


     

       

       
36

       
+

       
        { ... }:


     

       

       
37

       
+

       
        {


     

       

       
38

       
+

       
          virtualisation.useBootLoader = true;


     

       

       
39

       
+

       
          virtualisation.vlans = [ 1 ];


     

       

       
40

       
+

       



     

       

       
41

       
+

       
          boot.initrd = {


     

       

       
42

       
+

       
            # This command does not fork to keep the VM in the state where


     

       

       
43

       
+

       
            # only the initramfs is loaded


     

       

       
44

       
+

       
            preLVMCommands =


     

       

       
45

       
+

       
            ''


     

       

       
46

       
+

       
              /bin/nc -p 1234 -lke /bin/echo TESTVALUE


     

       

       
47

       
+

       
            '';


     

       

       
48

       
+

       



     

       

       
49

       
+

       
            network = {


     

       

       
50

       
+

       
              enable = true;


     

       

       
51

       
+

       



     

       

       
52

       
+

       
              # Work around udhcpc only getting a lease on eth0


     

       

       
53

       
+

       
              postCommands = ''


     

       

       
54

       
+

       
                /bin/ip addr add 192.168.1.2/24 dev eth1


     

       

       
55

       
+

       
              '';


     

       

       
56

       
+

       



     

       

       
57

       
+

       
              # Example configuration for OpenVPN


     

       

       
58

       
+

       
              # This is the main reason for this test


     

       

       
59

       
+

       
              openvpn = {


     

       

       
60

       
+

       
                enable = true;


     

       

       
61

       
+

       
                configuration = "${./initrd.ovpn}";


     

       

       
62

       
+

       
              };


     

       

       
63

       
+

       
            };


     

       

       
64

       
+

       
          };


     

       

       
65

       
+

       
        };


     

       

       
66

       
+

       



     

       

       
67

       
+

       
      # VPN server and gateway for ovpnclient between vlan 1 and 2


     

       

       
68

       
+

       
      ovpnserver =


     

       

       
69

       
+

       
        { ... }:


     

       

       
70

       
+

       
        {


     

       

       
71

       
+

       
          virtualisation.vlans = [ 1 2 ];


     

       

       
72

       
+

       



     

       

       
73

       
+

       
          # Enable NAT and forward port 12345 to port 1234


     

       

       
74

       
+

       
          networking.nat = {


     

       

       
75

       
+

       
            enable = true;


     

       

       
76

       
+

       
            internalInterfaces = [ "tun0" ];


     

       

       
77

       
+

       
            externalInterface = "eth2";


     

       

       
78

       
+

       
            forwardPorts = [ { destination = "10.8.0.2:1234";


     

       

       
79

       
+

       
                               sourcePort = 12345; } ];


     

       

       
80

       
+

       
          };


     

       

       
81

       
+

       



     

       

       
82

       
+

       
          # Trust tun0 and allow the VPN Server to be reached


     

       

       
83

       
+

       
          networking.firewall = {


     

       

       
84

       
+

       
            trustedInterfaces = [ "tun0" ];


     

       

       
85

       
+

       
            allowedUDPPorts = [ 1194 ];


     

       

       
86

       
+

       
          };


     

       

       
87

       
+

       



     

       

       
88

       
+

       
          # Minimal OpenVPN server configuration


     

       

       
89

       
+

       
          services.openvpn.servers.testserver =


     

       

       
90

       
+

       
          {


     

       

       
91

       
+

       
            config = ''


     

       

       
92

       
+

       
              dev tun0


     

       

       
93

       
+

       
              ifconfig 10.8.0.1 10.8.0.2


     

       

       
94

       
+

       
              ${secretblock}


     

       

       
95

       
+

       
            '';


     

       

       
96

       
+

       
          };


     

       

       
97

       
+

       
        };


     

       

       
98

       
+

       



     

       

       
99

       
+

       
      # Client that resides in the "external" VLAN


     

       

       
100

       
+

       
      testclient =


     

       

       
101

       
+

       
        { ... }:


     

       

       
102

       
+

       
        {


     

       

       
103

       
+

       
          virtualisation.vlans = [ 2 ];


     

       

       
104

       
+

       
        };


     

       

       
105

       
+

       
  };


     

       

       
106

       
+

       



     

       

       
107

       
+

       



     

       

       
108

       
+

       
  testScript =


     

       

       
109

       
+

       
    ''


     

       

       
110

       
+

       
      # Minimal test case, checks whether enabling (with invalid config) harms


     

       

       
111

       
+

       
      # the boot process


     

       

       
112

       
+

       
      with subtest("Check for successful boot with broken openvpn config"):


     

       

       
113

       
+

       
          minimalboot.start()


     

       

       
114

       
+

       
          # If we get to multi-user.target, we booted successfully


     

       

       
115

       
+

       
          minimalboot.wait_for_unit("multi-user.target")


     

       

       
116

       
+

       
          minimalboot.shutdown()


     

       

       
117

       
+

       



     

       

       
118

       
+

       
      # Elaborated test case where the ovpnclient (where this module is used)


     

       

       
119

       
+

       
      # can be reached by testclient only over ovpnserver.


     

       

       
120

       
+

       
      # This is an indirect test for success.


     

       

       
121

       
+

       
      with subtest("Check for connection from initrd VPN client, config as file"):


     

       

       
122

       
+

       
          ovpnserver.start()


     

       

       
123

       
+

       
          testclient.start()


     

       

       
124

       
+

       
          ovpnclient.start()


     

       

       
125

       
+

       



     

       

       
126

       
+

       
          # Wait until the OpenVPN Server is available


     

       

       
127

       
+

       
          ovpnserver.wait_for_unit("openvpn-testserver.service")


     

       

       
128

       
+

       
          ovpnserver.succeed("ping -c 1 10.8.0.1")


     

       

       
129

       
+

       



     

       

       
130

       
+

       
          # Wait for the client to connect


     

       

       
131

       
+

       
          ovpnserver.wait_until_succeeds("ping -c 1 10.8.0.2")


     

       

       
132

       
+

       



     

       

       
133

       
+

       
          # Wait until the testclient has network


     

       

       
134

       
+

       
          testclient.wait_for_unit("network.target")


     

       

       
135

       
+

       



     

       

       
136

       
+

       
          # Check that ovpnclient is reachable over vlan 1


     

       

       
137

       
+

       
          ovpnserver.succeed("nc -w 2 192.168.1.2 1234 | grep -q TESTVALUE")


     

       

       
138

       
+

       



     

       

       
139

       
+

       
          # Check that ovpnclient is reachable over tun0


     

       

       
140

       
+

       
          ovpnserver.succeed("nc -w 2 10.8.0.2 1234 | grep -q TESTVALUE")


     

       

       
141

       
+

       



     

       

       
142

       
+

       
          # Check that ovpnclient is reachable from testclient over the gateway


     

       

       
143

       
+

       
          testclient.succeed("nc -w 2 192.168.2.3 12345 | grep -q TESTVALUE")


     

       

       
144

       
+

       
    '';


     

       

       
145

       
+

       
})
+29
nixos/tests/initrd-network-openvpn/initrd.ovpn 
···

       

       
1

       
+

       
remote 192.168.1.3


     

       

       
2

       
+

       
dev tun


     

       

       
3

       
+

       
ifconfig 10.8.0.2 10.8.0.1


     

       

       
4

       
+

       
# Only force VLAN 2 through the VPN


     

       

       
5

       
+

       
route 192.168.2.0 255.255.255.0 10.8.0.1


     

       

       
6

       
+

       
secret [inline]


     

       

       
7

       
+

       
<secret>


     

       

       
8

       
+

       
#


     

       

       
9

       
+

       
# 2048 bit OpenVPN static key


     

       

       
10

       
+

       
#


     

       

       
11

       
+

       
-----BEGIN OpenVPN Static key V1-----


     

       

       
12

       
+

       
553aabe853acdfe51cd6fcfea93dcbb0


     

       

       
13

       
+

       
c8797deadd1187606b1ea8f2315eb5e6


     

       

       
14

       
+

       
67c0d7e830f50df45686063b189d6c6b


     

       

       
15

       
+

       
aab8bb3430cc78f7bb1f78628d5c3742


     

       

       
16

       
+

       
0cef4f53a5acab2894905f4499f95d8e


     

       

       
17

       
+

       
e69b7b6748b17016f89e19e91481a9fd


     

       

       
18

       
+

       
bf8c10651f41a1d4fdf5f438925a6733


     

       

       
19

       
+

       
13cec8f04701eb47b8f7ffc48bc3d7af


     

       

       
20

       
+

       
65f07bce766015b87c3db4d668c655ff


     

       

       
21

       
+

       
be5a69522a8e60ccb217f8521681b45d


     

       

       
22

       
+

       
27c0b70bdfbfbb426c7646d80adf7482


     

       

       
23

       
+

       
3ddac58b25cb1c1bb100de974478b4c6


     

       

       
24

       
+

       
8b45a94261a2405e99810cb2b3abd49f


     

       

       
25

       
+

       
21b3198ada87ff3c4e656a008e540a8d


     

       

       
26

       
+

       
e7811584363597599cce2040a68ac00e


     

       

       
27

       
+

       
f2125540e0f7f4adc37cb3f0d922eeb7


     

       

       
28

       
+

       
-----END OpenVPN Static key V1-----


     

       

       
29

       
+

       
</secret>
+21
nixos/tests/initrd-network-openvpn/shared.key 
···

       

       
1

       
+

       
#


     

       

       
2

       
+

       
# 2048 bit OpenVPN static key


     

       

       
3

       
+

       
#


     

       

       
4

       
+

       
-----BEGIN OpenVPN Static key V1-----


     

       

       
5

       
+

       
553aabe853acdfe51cd6fcfea93dcbb0


     

       

       
6

       
+

       
c8797deadd1187606b1ea8f2315eb5e6


     

       

       
7

       
+

       
67c0d7e830f50df45686063b189d6c6b


     

       

       
8

       
+

       
aab8bb3430cc78f7bb1f78628d5c3742


     

       

       
9

       
+

       
0cef4f53a5acab2894905f4499f95d8e


     

       

       
10

       
+

       
e69b7b6748b17016f89e19e91481a9fd


     

       

       
11

       
+

       
bf8c10651f41a1d4fdf5f438925a6733


     

       

       
12

       
+

       
13cec8f04701eb47b8f7ffc48bc3d7af


     

       

       
13

       
+

       
65f07bce766015b87c3db4d668c655ff


     

       

       
14

       
+

       
be5a69522a8e60ccb217f8521681b45d


     

       

       
15

       
+

       
27c0b70bdfbfbb426c7646d80adf7482


     

       

       
16

       
+

       
3ddac58b25cb1c1bb100de974478b4c6


     

       

       
17

       
+

       
8b45a94261a2405e99810cb2b3abd49f


     

       

       
18

       
+

       
21b3198ada87ff3c4e656a008e540a8d


     

       

       
19

       
+

       
e7811584363597599cce2040a68ac00e


     

       

       
20

       
+

       
f2125540e0f7f4adc37cb3f0d922eeb7


     

       

       
21

       
+

       
-----END OpenVPN Static key V1-----