I was asked to make this a tangled string :}
global-protect-vpn.nix
{ pkgs, ... }:
{
  users.users.<user>.packages = with pkgs; [
    (writeShellScriptBin "gp-vpn" ''
      # Ask for the sudo password before doing anything
      # (prevents the cached credentials running out before the resolvectl command is run later)
      sudo -v

      # Get the cookie
      cookie=$(${pkgs.gpauth}/bin/gpauth -q --default-browser <vpn-server.tld>)

      # Connect to the VPN
      # (If you aren't using NixOS, the gpclient package may come with its own HIP report
      # script and you can just use `--hip` instead of specifying `--csd-wrapper`)
      printf '%s\n' "$cookie" | sudo ${pkgs.gpclient}/bin/gpclient connect <vpn-server.tld> \
        --csd-wrapper ${pkgs.openconnect}/libexec/openconnect/hipreport.sh \
        --cookie-on-stdin &

      # I don't like this, but it doesn't seem like gpclient has a way to run scripts after a
      # connection is established, and we need to make sure that DNS-over-TLS is disabled for
      # connections to work.
      # It's also possible you may need to disable DNSSEC for this interface as well, or you
      # may need to disable nothing at all, in which case this script becomes much simpler.
      sleep 5
      sudo resolvectl dnsovertls tun0 no

      # Either Ctrl+C to exit or run `sudo gpclient disconnect`
      wait
    '')
    gpclient # This is needed so your browser gives you the "open global protect" prompt
  ];
}
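The same connect-then-fix-DNS sequence as a plain bash script, written as an added example (it is not the poster's script and not part of gpclient or gpauth). It replaces the fixed `sleep 5` with a poll for the tunnel interface under `/sys/class/net`, applies the resolved settings only once the link exists, gives up and disconnects if the tunnel never comes up, and disconnects on Ctrl+C. The server name, the `tun0` interface name and the `hipreport.sh` path are placeholders to be set via environment variables; `FIX_DNSSEC=1` additionally turns off DNSSEC on the link, matching the caveat in the post. The sysfs root parameter of `wait_for_iface` exists only so the wait can be exercised without a real tunnel.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
set -eu

VPN_SERVER="${VPN_SERVER:-vpn-server.tld}"                       # placeholder: your gateway
IFACE="${IFACE:-tun0}"                                           # assumed tunnel interface
HIPREPORT="${HIPREPORT:-/usr/libexec/openconnect/hipreport.sh}"  # assumed path to the HIP script

# wait_for_iface NAME TIMEOUT_SECS [SYSFS_ROOT]
# Returns 0 as soon as NAME appears under SYSFS_ROOT (default /sys/class/net),
# 1 if TIMEOUT_SECS pass first. Polling once a second is enough here; the point
# is to never run resolvectl against a link that does not exist yet.
wait_for_iface() {
  local name="$1" timeout="$2" root="${3:-/sys/class/net}"
  local waited=0
  while [ ! -e "$root/$name" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Per-link systemd-resolved settings the post needs: DNS-over-TLS off, and
# DNSSEC off only when explicitly asked for (FIX_DNSSEC=1).
fix_link_dns() {
  local iface="$1"
  sudo resolvectl dnsovertls "$iface" no
  if [ "${FIX_DNSSEC:-0}" = "1" ]; then
    sudo resolvectl dnssec "$iface" no
  fi
}

gp_connect() {
  # Cache sudo credentials up front so no prompt appears while gpclient runs in the background.
  sudo -v

  local cookie
  cookie=$(gpauth -q --default-browser "$VPN_SERVER")
  [ -n "$cookie" ] || { echo "gpauth returned no cookie" >&2; return 1; }

  # Cookie goes over stdin, never on the command line, so it stays out of `ps` output.
  printf '%s\n' "$cookie" | sudo gpclient connect "$VPN_SERVER" \
    --csd-wrapper "$HIPREPORT" --cookie-on-stdin &
  local pid=$!
  trap 'sudo gpclient disconnect; wait "$pid" 2>/dev/null || true' INT TERM

  if ! wait_for_iface "$IFACE" 30; then
    echo "$IFACE did not appear within 30s; disconnecting" >&2
    sudo gpclient disconnect
    wait "$pid" || true
    return 1
  fi

  fix_link_dns "$IFACE"
  wait "$pid"   # returns when gpclient exits (Ctrl+C or `sudo gpclient disconnect`)
}

case "${1-}" in
  connect) gp_connect ;;
esac
```

Run it as `./gp-vpn.sh connect`; with no argument it only defines the functions. The 30-second ceiling is an arbitrary choice; what matters is that a missing tunnel produces a visible error and a disconnect rather than a silent `resolvectl` failure against a link that was never created.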