Allow to use captive portals without disabling VPN-only

networking.nix

@@ -25,12 +25,30 @@ in {
       iptables -A OUTPUT -o virbr+ -j ACCEPT
       iptables -A OUTPUT -o virbr0-nic -j ACCEPT
 
+      # Allow access for special user for use captive portals without
+      # disabling vpn-only restrictions (to avoid leaks at the first seconds
+      # after connection)
+      iptables -A OUTPUT -m owner --uid-owner captive \
+               -p tcp -m multiport --dports 80,443 \
+               -j ACCEPT
+
+      iptables -A OUTPUT -m owner --uid-owner captive \
+               -p udp -m multiport --dports 53 \
+               -j ACCEPT
+
       # iptables -A OUTPUT -d 192.0.2.17 -j ACCEPT
       ${secrets.iptables}
     '';
     checkReversePath = false;
   };
 
+  # User without vpn-only restrictions (for captive portals)
+  users.users.captive = {
+    isNormalUser = true;
+  };
+
+  services.nscd.enable = false;
+
   services.openvpn.servers.vpn = {
     autoStart = true;
     config = secrets.vpn-config;

security.nix

@@ -40,9 +40,14 @@
     enable = true;
     extraConfig = ''
       %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
+      %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
     '';
   };
 
+  environment.systemPackages = with pkgs; [
+    (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
+  ];
+
   security.wrappers = {
     pmount.source = "${pkgs.pmount}/bin/pmount";
     pumount.source = "${pkgs.pmount}/bin/pumount";