Add nix flake for running this program; security & logging update. #3

Status: Closed. m4dc4p wants to merge 1 commit.

Conversation

m4dc4p (Author) commented Mar 9, 2023

  • Added flake definition so this program can be run easily via nix.

  • Added `user` and `group` settings to YAML configuration, allowing openvpn to run unprivileged (after initialization).

  • Nix flake app runs as nobody:nobody.

  • Added a "logLevel" flag to program and set default to "Info" so SAML response (credentials) aren't logged by default.

  • Updated README with instructions.

Tested on macOS x86; needs testing on M1 & Linux.
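As an added example (not code from this PR or from the project), here is how the three settings listed above could fit together in Go, the project's language: a flat subset of awsvpnclient.yml is parsed, the openvpn argv is built so the process starts under sudo to create the tun device and then drops to the configured user/group (OpenVPN's own `--user` and `--group` options), and the SAML response body is only written to the log at Debug level. The key names (`openvpn`, `sudo`, `user`, `group`, `logLevel`), the binary path, the .ovpn path and the base64 string are assumptions constructed for this example; the project's real config schema may differ.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"strings"
)

// Config holds the subset of awsvpnclient.yml settings that matter here.
// The key names are assumptions for this example, not the project's schema.
type Config struct {
	OpenVPNPath string // path to the (patched) openvpn binary
	Sudo        bool   // prefix with sudo so TUNSETIFF is permitted on Linux
	User        string // unprivileged user openvpn switches to after init
	Group       string // unprivileged group openvpn switches to after init
	LogLevel    string // "Info" (default) hides SAML responses; "Debug" shows them
}

// parseConfig reads a flat "key: value" subset of YAML (no nesting, no lists),
// which is all this example needs; a real client would use a YAML library.
func parseConfig(text string) (Config, error) {
	cfg := Config{LogLevel: "Info"} // secure default: credentials are not logged
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			return cfg, fmt.Errorf("malformed line %q", line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key {
		case "openvpn":
			cfg.OpenVPNPath = val
		case "sudo":
			cfg.Sudo = val == "true"
		case "user":
			cfg.User = val
		case "group":
			cfg.Group = val
		case "logLevel":
			cfg.LogLevel = val
		default:
			return cfg, fmt.Errorf("unknown key %q", key)
		}
	}
	return cfg, sc.Err()
}

// openVPNArgs builds the argv used to launch openvpn. --user/--group are real
// OpenVPN options: the process starts as root (via sudo) to create the tun
// device, then drops to that user/group. --persist-tun/--persist-key keep the
// tunnel and key material usable across restarts once root is gone.
func openVPNArgs(cfg Config, ovpnFile string) []string {
	var argv []string
	if cfg.Sudo {
		argv = append(argv, "sudo")
	}
	argv = append(argv, cfg.OpenVPNPath, "--config", ovpnFile)
	if cfg.User != "" {
		argv = append(argv, "--user", cfg.User)
	}
	if cfg.Group != "" {
		argv = append(argv, "--group", cfg.Group)
	}
	if cfg.User != "" || cfg.Group != "" {
		argv = append(argv, "--persist-tun", "--persist-key")
	}
	return argv
}

// samlLogLine returns the line to log for a received SAML response. The body,
// which carries the session credentials, is only included at Debug level.
func samlLogLine(cfg Config, samlResponse string) string {
	if strings.EqualFold(cfg.LogLevel, "Debug") {
		return "SAML response: " + samlResponse
	}
	return fmt.Sprintf("SAML response received (%d bytes; body hidden, set logLevel: Debug to show it)", len(samlResponse))
}

// sampleYAML is a constructed awsvpnclient.yml fragment for this example.
const sampleYAML = `
# path to the patched openvpn binary
openvpn: /usr/local/bin/openvpn
sudo: true
user: nobody
group: nobody
logLevel: Info
`

func main() {
	cfg, err := parseConfig(sampleYAML)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(strings.Join(openVPNArgs(cfg, "/etc/awsvpn/aws.ovpn"), " "))
	// constructed base64 stand-in for a real SAML response
	fmt.Println(samlLogLine(cfg, "PHNhbWxwOlJlc3BvbnNlIC4uLg=="))
}
```

Two practical points: once openvpn has dropped to `nobody:nobody` it cannot re-create the tun device or re-read a root-only key file on a reconnect, which is why `--persist-tun` and `--persist-key` go on the command line together with `--user`/`--group`; and the Info-level line still records that a response arrived and how large it was, so the event remains visible in logs without the credentials themselves.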

@m4dc4p m4dc4p requested a review from ajm113 as a code owner March 9, 2023 19:38
m4dc4p (Author) commented Mar 9, 2023

@ajm113 I also put up a PR to merge the patches included in this repo into openvpn itself. Unsure how they will respond (if at all) - OpenVPN/openvpn#273.

Note they don't merge from that repo - only from their mailing list - but they'll at least discuss the patch there.

m4dc4p (Author) commented Mar 9, 2023

BTW, the name unix-aws-vpn-client is definitely better than linux-aws-vpn-client.

ajm113 (Owner) commented Mar 9, 2023

@m4dc4p Thank you so much again! I'll do a little testing today after work or on a break. Sorry for the delay. I usually try my best to check on my GitHub, but also noticed I don't have email notifications enabled for my repos. 🙃

> I also put up a PR to merge the patches included in this repo into openvpn itself. Unsure how they will respond (if it at all)

Thanks for discussing the patch with them at least. I think the patch is more or less AWS specific in general, but it would be nice to have some sort of flag or option in OpenVPN to enable us to use the slightly modified protocol without having to be forced to edit OpenVPN code.

> unix-aws-vpn-client is definitely better

I'll start updating README and the project URL some time today. 😄

ajm113 (Owner) commented Mar 10, 2023

Just a tiny update. The changes are great so far! I'm just doing a little more reading of Nix and how to utilize it and test the changes. Sorry it's taking me so long. I'll do a little more testing/reading this weekend.

m4dc4p (Author) commented Mar 11, 2023

No worries! I'm actually exploring expect in order to use openvpn w/o modification. If I get anywhere and put it up I'll let you know. Glad to answer questions about this PR, as well.

Here are some resources to get you started on nix. The ones you find on nixos.org aren't great :(

ajm113 (Owner) commented Mar 12, 2023

Thanks for the resources! I'm playing with the PR at the moment and found one issue so far running nix/flake. (Maybe it's just my inexperience getting the best of me here.) When running via `nix run ...`, everything works fine until the tunnel is actually being created. I run into this error from OpenVPN:

2023-03-12 03:01:34 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2023-03-12 03:01:34 Exiting due to fatal error

By default on Linux you need root/administration permissions in order to interface with networking to create the tunnel. That's the reason I wanted the Go code to handle this bit if you add a sudo line in your awsvpnclient.yml. Is there a way in nix to allow sudo/root rights? -- Of course, running `sudo nix run` blows everything out of the water since nix treats it as a "new" user environment. I feel like this would create friction in the user experience. Sorry if this is a dumb question! I felt like it's fair to learn as I go here since I would technically "own" the nix side of things as the project grows. Thanks again!

m4dc4p (Author) commented Mar 12, 2023

Oh, I’d forgotten about sudo (in my testing I set the sticky bit on the openvpn binary). If I don’t get a commit together, you can follow the same pattern I used to put the openvpn path into the config.

I found a way to do this with expect so I don’t think I’ll continue with this solution much longer.

ajm113 (Owner) commented Mar 27, 2023

Hey @m4dc4p! Just following up, no rush at all, but is it okay if we move the nix changes out of this PR for now into their own separate PR? I'd love to get some of your changes in at least for now. I just want to hold off on nix a tiny bit longer. We proposed the idea of offloading how the user wants to start the browser in PR #1. In theory that should make your flake addition good to go once I make some changes to how the CLI executes a shell script. I just need a little more time testing the flow and making sure nothing breaks when trying to run it as a nix package.

Let me know if you have any questions or if you want to offload anything on my end! :)

m4dc4p (Author) commented Mar 29, 2023 via email

m4dc4p force-pushed the feature/security-and-nix branch from 2ef4a7b to 32284c9 on October 19, 2023 18:07
ajm113 closed this Dec 5, 2024