Allow to use captive portals without disabling VPN-only

2019-06-01 18:35:58 +00:00 · 2019-06-01 18:35:58 +00:00 · 76596a3e66
parent 7438942f91
commit 76596a3e66
2 changed files with 23 additions and 0 deletions
--- a/networking.nix
+++ b/networking.nix
@ -25,12 +25,30 @@ in {
      iptables -A OUTPUT -o virbr+ -j ACCEPT
      iptables -A OUTPUT -o virbr0-nic -j ACCEPT

+      # Allow access for special user for use captive portals without
+      # disabling vpn-only restrictions (to avoid leaks at the first seconds
+      # after connection)
+      iptables -A OUTPUT -m owner --uid-owner captive \
+               -p tcp -m multiport --dports 80,443 \
+               -j ACCEPT
+
+      iptables -A OUTPUT -m owner --uid-owner captive \
+               -p udp -m multiport --dports 53 \
+               -j ACCEPT
+
      # iptables -A OUTPUT -d 192.0.2.17 -j ACCEPT
      ${secrets.iptables}
    '';
    checkReversePath = false;
  };

+  # User without vpn-only restrictions (for captive portals)
+  users.users.captive = {
+    isNormalUser = true;
+  };
+
+  services.nscd.enable = false;
+
  services.openvpn.servers.vpn = {
    autoStart = true;
    config = secrets.vpn-config;
--- a/security.nix
+++ b/security.nix
@ -40,9 +40,14 @@
    enable = true;
    extraConfig = ''
      %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
+      %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
    '';
  };

+  environment.systemPackages = with pkgs; [
+    (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
+  ];
+
  security.wrappers = {
    pmount.source = "${pkgs.pmount}/bin/pmount";
    pumount.source = "${pkgs.pmount}/bin/pumount";