Add nix flake for running this program; security& logging update.

* Added flake definition so this program can be run easily via nix. * Added `user` and `group` setting to YAML configuration, allowing openvpn to run unprivileged (after initialization). * Nix flake app runs as `nobody:nobody`. * Added a "logLevel" flag to program and set default to "Info" so SAML response (credentials) aren't logged by default. * Updated README with instructions. Tested on MacOS x86; needs testing on M1 & Linux.
ajm113 · Mar 9, 2023 · 2ef4a7b · 2ef4a7b
1 parent 4937b5a
commit 2ef4a7b
Show file tree

Hide file tree

Showing 8 changed files with 422 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,8 @@
 aws-vpn-client
 openvpn
 *.yml
-*.openvpn
+*.openvpn
+.devenv
+.direnv
+.envrc
+
diff --git a/README.md b/README.md
@@ -17,11 +17,61 @@ AWS compatible OpenVPN v2.4.9, based on the
 
 1. Build patched openvpn version and put it to the folder with a script
 2. Build aws-vpn-client wrapper `go build .`
-3. `cp ./awsvpnclient.yml.example ./awsvpnclient.yml` and update the necsery paths.
+3. `cp ./awsvpnclient.yml.example ./awsvpnclient.yml` and update the necessary paths.
 4. Finally run `./aws-vpn-client serve --config myconfig.openvpn` to connect to the AWS.
 
+## Security
+
+OpenVPN recommends running the openvpn binary as an unprivileged user after initialization (see https://openvpn.net/community-resources/hardening-openvpn-security/). The `awsvpnclinet.yml` file includes the `user` and `group` keys, demonstrating how to run
+`openvpn` as the `nobody` user (and group). If those keys are not present, the binary will run continue to run as whichever
+user launched it originally.
+
 ## Todo
 
 * Unit tests
 * General Code Cleanup
 * Better integrate SAML HTTP server with a script or rewrite everything on golang
+
+# Using via Nix Flakes
+
+This program can be run via `nix`, using the `flakes` feature. You will need to know how to install nix and what flakes 
+are in order to follow these instructions.
+
+## Apps
+
+Two apps are defined. One makes it easy to open a tunnel with a given VPN profile, the other lets you run the original program (meaning
+you must provide all arguments):
+
+- *default app* - Use `nix run .` (or replace `.` with the flake reference for this repo) to run the default program. Just give a path to the OpenVPN configuration file and it should work. Note you will likely
+need to run under `sudo`:
+
+```
+$ sudo su
+...
+# nix run . -- ~/.config/AWSVPNClient/OpenVpnConfigs/<profile>
+```
+
+Note that this app is hard-coded to run as the `nobody` user (and group). If that does not exist on your system, you will have
+to override the existing configuration.
+
+- *aws-vpn-client-unwrapped app* - Use `nix run .#aws-vpn-client-unwrapped` to run the original program, allowing more control over arguments given. 
+
+## Packages
+
+This flake provides two main packages, `aws-vpn-client` (also the default package) and `aws-vpn-client-unwrapped`. 
+
+Besides those two packages, it also provides a patched `openvpn` client (necessary to using this program).
+
+### `aws-vpn-client-unwrapped`
+
+This is the original program from this repo, provided for more control over arguments. For convenience, a `awsvpnclient.yml` is generated when the program is installed and is placed 
+in the `bin` directory next to the executable. (It will not be used automatically tho - the original program always looks in the current workign directory or
+your home directory for that file). 
+### `aws-vpn-client` 
+
+This is a wrapper around the original program, updated so you can just pass the path to a VPN configuration and it will open that tunnel. 
+
+## Shell (Development)
+
+This flake uses the excellent tools from `devensh.sh` to provide a Go environment for development. Use `nix develop` to
+enter the shell.
diff --git a/awsvpnclient.go b/awsvpnclient.go
@@ -57,6 +57,12 @@ func main() {
 					Value:     os.TempDir(),
 					Usage:     "Temp folder location of formatted openvpn configurations.",
 				},
+				&cli.StringFlag{
+					TakesFile: false,
+					Name:      "logLevel",
+					Value:     "1",
+					Usage:     "Logging detail. Should be an integer value between -1 and 5 (logging levels in the zerolog library). Defaults to '0' (Info level).",
+				},
 			},
 		},
 	}

diff --git a/awsvpnclient.yml.example b/awsvpnclient.yml.example
@@ -5,5 +5,7 @@ vpn:
   sudo: /usr/bin/sudo
   shellargs:
     - "-c"
+  user: nobody
+  group: nobody
 server:
   addr: "127.0.0.1:35001"
diff --git a/config.go b/config.go
@@ -13,6 +13,8 @@ type (
 		Sudo      string
 		Shell     string
 		ShellArgs []string
+		User      string
+		Group     string
 	}
 
 	server struct {

diff --git a/flake.lock b/flake.lock