Re: (pre-)creation of tunnel network interfaces

[Alex Kost]

Danny Milosavljevic (2016-02-26 01:44 +0300) wrote:

> Hi,
>
> I'm using openconnect to connect to a few VPNs.
>
> Most of openconnect actually doesn't require root.
> In order to avoid root, I'd like to pre-create the tunnel interfaces.
>
> This would be done by
>
>   # ip tuntap add vpn0 mode tun user dannym
>                   ^                  ^--- this is the user that is allowed to 
> use the tunnel later
>                    ---- the new tunnel interface
>
> How do I specify this in a system config?

By adding a service that starts this command to your operating-system
declaration.  It would be something like this (not tested!):

(use-modules
 (ice-9 match)
 (gnu)
 (gnu packages linux) ; for iproute
 (gnu services)
 (gnu services shepherd)
 (guix records))

(define-record-type* <vpn-tunnel>
  vpn-tunnel make-vpn-tunnel
  vpn-tunnel?
  (interface-name vpn-tunnel-interface-name)
  (user-name vpn-tunnel-user-name))

(define vpn-tunnel-service-type
  (shepherd-service-type
   'vpn-tunnel
   (match-lambda
     (($ <vpn-tunnel> interface user)
      (let ((ip #~(string-append #$iproute "/sbin/ip")))
        (shepherd-service
         (documentation "Create tunnel interface.")
         (provision '(vpn-tunnel))
         (requirement '(networking))
         (start
          #~(lambda _
              ;; Return #t if successfully started.
              (zero? (system* #$ip "tuntap" "add" #$interface
                              "mode" "tun"
                              "user" #$user))))
         (respawn? #f)))))))

(define (vpn-tunnel-service interface-name user-name)
  "Return a service that ..."
  (service vpn-tunnel-service-type
           (vpn-tunnel (interface-name interface-name)
                       (user-name user-name))))

(operating-system
  ;; ...
  (services (cons* (vpn-tunnel-service "vpn0" "dannym")
                   ;; ...
                   %desktop-services)))

-- 
Alex