Initial prototype for Wireguard based PIA VPN - not quite 'ready' yet

common/network/ca.rsa.4096.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
+BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
+dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
+IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
+FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
+MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
+EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
+QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
+AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
+ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
+bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
+hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
+De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
+V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
+25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
+fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
+p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
+Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
+tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
+jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
+meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
+1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
+HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
+yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
+cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
+HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
+ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
+aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
+pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
+Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
+tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
+LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
+6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
+5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
+JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
+iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
+8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
++no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
+-----END CERTIFICATE-----

common/network/default.nix

@@ -9,6 +9,7 @@ in
   imports = [
     ./hosts.nix
     ./pia-openvpn.nix
+    ./pia-wireguard.nix
     ./ping.nix
     ./tailscale.nix
     ./vpn.nix

common/network/pia-openvpn.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 
 let
-  cfg = config.pia;
+  cfg = config.pia.openvpn;
   vpnfailsafe = pkgs.stdenv.mkDerivation {
     pname = "vpnfailsafe";
     version = "0.0.1";
@@ -14,7 +14,7 @@ let
   };
 in
 {
-  options.pia = {
+  options.pia.openvpn = {
     enable = lib.mkEnableOption "Enable private internet access";
     server = lib.mkOption {
       type = lib.types.str;

common/network/pia-wireguard.nix

@@ -0,0 +1,201 @@
+{ config, lib, pkgs, ... }:
+
+# Server list:
+#   https://serverlist.piaservers.net/vpninfo/servers/v6
+# Reference materials:
+#   https://github.com/pia-foss/manual-connections
+#   https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
+
+let
+  cfg = config.pia.wireguard;
+
+  getPIAToken = ''
+    PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
+    PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
+    # PIA_TOKEN only lasts 24hrs
+    PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
+  '';
+in {
+  options.pia.wireguard = {
+    enable = lib.mkEnableOption "Enable private internet access";
+    serverHostname = lib.mkOption {
+      type = lib.types.str;
+      default = "zurich406";
+    };
+    serverIp = lib.mkOption {
+      type = lib.types.str;
+      default = "156.146.62.153";
+    };
+    interfaceName = lib.mkOption {
+      type = lib.types.str;
+      default = "piaw";
+    };
+    portForwarding = lib.mkEnableOption "Enables PIA port fowarding";
+
+    # TODO implement this such that the wireguard VPN doesn't have to live in a container
+    useInVPNContainer = lib.mkEnableOption "Configures the PIA WG VPN for use in the VPN container";
+  };
+
+  config = lib.mkIf cfg.enable {
+    vpn-container.mounts = [ "/tmp/${cfg.interfaceName}.conf" "/tmp/${cfg.interfaceName}-address.conf" ];
+    containers.vpn.interfaces = [ cfg.interfaceName ];
+
+    # allow traffic for wireguard interface to pass since wireguard trips up rpfilter
+    # networking.firewall = {
+    #   extraCommands = ''
+    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+    #   '';
+    #   extraStopCommands = ''
+    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+    #   '';
+    # };
+    networking.firewall.checkReversePath = "loose";
+
+    systemd.services.pia-vpn-wireguard-init = {
+      description = "Creates PIA VPN Wireguard Interface";
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      before = [ "container@vpn.service" ];
+      requiredBy = [ "container@vpn.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ wireguard-tools jq curl iproute ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+
+      script = ''
+        # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
+        # cannot do without internet to start with. NAT'ing the host's internet would address this
+        # issue but is not ideal because then leaking network outside of the VPN is more likely.
+
+        WG_HOSTNAME=${cfg.serverHostname}
+        WG_SERVER_IP=${cfg.serverIp}
+
+        ${getPIAToken}
+
+        privKey=$(wg genkey)
+        pubKey=$(echo "$privKey" | wg pubkey)
+
+        wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
+
+        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+        touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+        chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+        echo "               
+        [Interface]
+        # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
+        PrivateKey = $privKey
+        ListenPort = 51820
+        [Peer]
+        PersistentKeepalive = 25
+        PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
+        AllowedIPs = 0.0.0.0/0
+        Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
+        " >> /tmp/${cfg.interfaceName}.conf
+        echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
+
+        # Create wg interface now so it inherits from the namespace with internet access
+        # the container will handle actually connecting the interface since that info is
+        # not preserved upon moving into the container's networking namespace
+        # Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
+        [[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
+        ip link add ${cfg.interfaceName} type wireguard
+      '';
+
+      preStop = ''
+        ip link del ${cfg.interfaceName}
+      '';
+    };
+
+    vpn-container.config.systemd.services.pia-vpn-wireguard = {
+      description = "PIA VPN WireGuard Tunnel";
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ wireguard-tools iproute curl jq ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+
+      script = ''
+        # pseudo calls wg-quick
+        # wg-quick down /tmp/${cfg.interfaceName}.conf
+        # cannot actually call wg-quick because the interface has to be already created at this point
+
+        # assumes wg interface was already created
+        # ip link add ${cfg.interfaceName} type wireguard
+
+        myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
+
+        wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
+        ip -4 address add $myaddress dev ${cfg.interfaceName}
+        ip link set mtu 1420 up dev ${cfg.interfaceName}
+        wg set ${cfg.interfaceName} fwmark 51820
+        ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table 51820
+
+        # TODO is this needed?
+        ip -4 rule add not fwmark 51820 table 51820
+        ip -4 rule add table main suppress_prefixlength 0
+        # sysctl -q net.ipv4.conf.all.src_valid_mark=1
+
+        # Reserve port
+        ${getPIAToken}
+        payload_and_signature=`curl -s -m 5 --connect-to "${cfg.serverHostname}::${cfg.serverIp}:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://${cfg.serverHostname}:19999/getSignature"`
+        signature=$(echo "$payload_and_signature" | jq -r '.signature')
+        payload=$(echo "$payload_and_signature" | jq -r '.payload')
+        port=$(echo "$payload" | base64 -d | jq -r '.port')
+
+        # write reserved port to file readable for all users
+        echo $port > /tmp/${cfg.interfaceName}-port
+        chmod 644 /tmp/${cfg.interfaceName}-port
+
+        rm -f /tmp/${cfg.interfaceName}-port-renewal
+        touch /tmp/${cfg.interfaceName}-port-renewal
+        chmod 700 /tmp/${cfg.interfaceName}-port-renewal
+        echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
+        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
+      '';
+
+      preStop = ''
+        wg-quick down /tmp/${cfg.interfaceName}.conf
+      '';
+    };
+
+    vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
+      enable = cfg.portForwarding;
+      description = "PIA VPN WireGuard Tunnel Port Forwarding";
+      after = [ "pia-vpn-wireguard.service" ];
+      requires = [ "pia-vpn-wireguard.service" ];
+      path = with pkgs; [ curl ];
+      script = ''
+        signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
+        payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
+        bind_port_response=`curl -Gs -m 5 --connect-to "${cfg.serverHostname}::${cfg.serverIp}:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://${cfg.serverHostname}:19999/bindPort"`
+      '';
+    };
+
+    vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
+      enable = cfg.portForwarding;
+      # partOf = [ "pia-vpn-wireguard-forward-port.service" ];
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "*:0/10"; # 10 minutes
+    };
+
+    # TODO enable firewall on the PIA interface
+    # TODO handle errors
+    # TODO handle 2 month limit for port
+    # TODO print status, success, and failures to the console
+
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+  };
+}

common/network/vpn.nix

@@ -26,6 +26,8 @@ in
       '';
     };
 
+    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
+
     config = mkOption {
       type = types.anything;
       default = {};
@@ -41,6 +43,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    pia.wireguard.enable = !cfg.useOpenVPN;
+
     containers.${cfg.containerName} = {
       ephemeral = true;
       autoStart = true;
@@ -59,7 +63,7 @@ in
         }
       )));
 
-      enableTun = true;
+      enableTun = cfg.useOpenVPN;
       privateNetwork = true;
       hostAddress = "172.16.100.1";
       localAddress = "172.16.100.2";
@@ -67,12 +71,13 @@ in
       config = {
         imports = allModules ++ [cfg.config];
 
+        # speeds up evaluation
         nixpkgs.pkgs = pkgs;
 
         networking.firewall.enable = mkForce false;
 
-        pia.enable = true;
-        pia.server = "swiss.privacy.network"; # swiss vpn
+        pia.openvpn.enable = cfg.useOpenVPN;
+        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
 
         # TODO fix so it does run it's own resolver again
         # run it's own DNS resolver
@@ -85,12 +90,12 @@ in
     # load secrets the container needs
     age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
 
-    # forwarding for vpn container
-    networking.nat.enable = true;
-    networking.nat.internalInterfaces = [
+    # forwarding for vpn container (only for OpenVPN)
+    networking.nat.enable = mkIf cfg.useOpenVPN true;
+    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
       "ve-${cfg.containerName}"
     ];
-    networking.ip_forward = true;
+    networking.ip_forward = mkIf cfg.useOpenVPN true;
 
     # assumes only one potential interface
     networking.usePredictableInterfaceNames = false;