diff --git a/Guix.org b/Guix.org index c57863a..7422b51 100644 --- a/Guix.org +++ b/Guix.org @@ -555,7 +555,7 @@ Don't forget to install =JetBrainsMono Nerd Font=. | system | patchelf | A program to modify existsing ELF executables | | system | glibc | A lot of stuff, including ELF interpeter and ~ldd~ | -** VPN +** OpenVPN | Category | Guix dependency | |----------+-----------------------------| | system | openvpn | @@ -563,6 +563,8 @@ Don't forget to install =JetBrainsMono Nerd Font=. | system | openresolv | | system | vpnc | +Update [2023-06-29 Thu]: My censors seem to be putting sticks in the wheels of OpenVPN... Switched to Wireguard for now. It can be configured with Network Manager. + I'm not sure how to properly spin up VPN on Guix, so here is what ended I'm doing after some trial and error. I'm using Mullvad VPN. The =~/.vpn= folder stores its OpenVPN config (=openvpn.ovpn=), modified as follows: 
@@ -673,6 +675,35 @@ echo "Connection: $CONN" pkexec nmcli con modify "$CONN" ipv6.method auto nmcli connection up "$CONN" #+end_src +** Wireguard +So, yeah, wireguard can be configured with =NetworkManager= just fine. + +The issue with DNS leaks remains, but fortunately =NetworkManager= runs all scripts in =/etc/NetworkManager/dispatcher.d/= when a connection changes, provided that scripts are: +- owned by root +- exectuable +- not readable by other users +- not setuid. +See [[https://askubuntu.com/questions/13963/call-script-after-connecting-to-a-wireless-network][this answer]] on StackExchange, and [[https://networkmanager.dev/docs/api/latest/NetworkManager-dispatcher.html][NetworkManager-dispatcher man page]]. + +#+name: get-nmcli +#+begin_src bash :tangle no +echo $(guix build network-manager | grep -ve '-doc$')/bin/nmcli +#+end_src + +So, here's the script: +#+begin_src bash :tangle no :noweb yes +#!/bin/sh +GREP=/run/current-system/profile/bin/grep +NMCLI=<> + +# Run only if wireguard is active +if $NMCLI connection show --active | $GREP -q wireguard; then + echo "nameserver 8.8.8.8" > /etc/resolv.conf +fi +#+end_src + +Expand the noweb with =C-c C-v v=, put it in =dispatcher.d= and run =chmod 700=. + ** flatpak As for now, the easiest way to install most of proprietary software is via flatpak. See the relevant section in [[file:Desktop.org][Desktop.org]]. diff --git a/bin/scripts/fix-resolve-conf b/bin/scripts/fix-resolve-conf index 6f14b77..324e26b 100755 --- a/bin/scripts/fix-resolve-conf +++ b/bin/scripts/fix-resolve-conf @@ -1,5 +1,5 @@ #!/bin/sh -# [[file:../../Guix.org::*VPN][VPN:5]] +# [[file:../../Guix.org::*OpenVPN][OpenVPN:5]] /home/pavel/.guix-extra-profiles/console/console/bin/cp /etc/resolv.conf /etc/resolv.conf-bak echo "nameserver 8.8.8.8" > /etc/resolv.conf -# VPN:5 ends here +# OpenVPN:5 ends here diff --git a/bin/scripts/restore-resolve-conf b/bin/scripts/restore-resolve-conf index 8f8613b..1e2409d 100755 
--- a/bin/scripts/restore-resolve-conf +++ b/bin/scripts/restore-resolve-conf @@ -1,4 +1,4 @@ #!/bin/sh -# [[file:../../Guix.org::*VPN][VPN:6]] +# [[file:../../Guix.org::*OpenVPN][OpenVPN:6]] resolveconf -u -# VPN:6 ends here +# OpenVPN:6 ends here diff --git a/bin/scripts/vpn-fix-routes b/bin/scripts/vpn-fix-routes index 7a4cd86..786cada 100755 --- a/bin/scripts/vpn-fix-routes +++ b/bin/scripts/vpn-fix-routes @@ -1,5 +1,5 @@ #!/bin/sh -# [[file:../../Guix.org::*VPN][VPN:9]] +# [[file:../../Guix.org::*OpenVPN][OpenVPN:9]] echo "Adding default route to $route_vpn_gateway with /0 mask..." IP=/run/current-system/profile/sbin/ip @@ -9,4 +9,4 @@ $IP route add default via $route_vpn_gateway echo "Removing /1 routes..." $IP route del 0.0.0.0/1 via $route_vpn_gateway $IP route del 128.0.0.0/1 via $route_vpn_gateway -# VPN:9 ends here +# OpenVPN:9 ends here
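Review bot: in the Wireguard section added to Guix.org, the dispatcher script rewrites /etc/resolv.conf on every dispatcher event while a wireguard connection is active, and nothing restores the file when the tunnel goes down. The script ignores the interface and action arguments that NetworkManager passes to dispatcher scripts, and it keeps no backup, whereas fix-resolve-conf at least copies to /etc/resolv.conf-bak. `$GREP -q wireguard` also matches the word anywhere in the `nmcli connection show --active` output, including a connection name. Suggest branching on the action argument (`$2`) for up and down, matching on the connection type only (for example `nmcli -t -f TYPE connection show --active`), and putting the previous resolver back on down. In the list of conditions, "not readable by other users" should read "not writable by group or other" to agree with the linked NetworkManager-dispatcher man page, and "exectuable" is a typo.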
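Review bot: in bin/scripts/fix-resolve-conf, the context line starting `/home/pavel/.guix-extra-profiles/console/console/bin/cp` makes a script that writes /etc/resolv.conf, and so needs root rights, execute a binary through a profile path under a user's home directory, which that user can repoint. Suggest a system profile path such as /run/current-system/profile/bin/cp, the way the Wireguard script in this patch does for grep. A second run also replaces /etc/resolv.conf-bak with the already modified file, so the copy should be skipped when the backup exists. Only the tangle comments change in this hunk, so both fixes belong in the OpenVPN:5 source block in Guix.org.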
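Review bot: in bin/scripts/restore-resolve-conf, the command `resolveconf -u` looks misspelled: the openresolv package listed in the Guix.org dependency table installs `resolvconf`. Unless a wrapper named resolveconf exists on this system, the restore step fails with "command not found" and the `nameserver 8.8.8.8` entry written by fix-resolve-conf stays in place after the VPN is down. The rename from VPN:6 to OpenVPN:6 is a good moment to fix the source block in Guix.org and to call the binary by absolute path, as vpn-fix-routes does for ip.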