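# OpenVPN with Mullvad's patch set, built by overriding the `openvpn`
# derivation: the source tarball, configure flags and patch list are set
# here; build inputs, patches, postPatch and meta extend whatever the base
# derivation already defines.
{
  lib,
  stdenv,
  openvpn,
  fetchpatch,
  fetchurl,
  libnl,
  autoreconfHook,
  pkg-config,
}:

openvpn.overrideAttrs (
  oldAttrs:
  let
    # `optionals` (plural) because every conditional value below is itself a
    # list; `optional` would wrap it once more and yield a nested list.
    inherit (lib) optionals;

    # Fetch one commit of the mullvad/openvpn fork as a patch. Each patch is
    # pinned twice: by full commit id in the URL and by the hash of the
    # fetched patch, so the fetch fails if the content served for that commit
    # ever differs from what was recorded here.
    fetchMullvadPatch =
      { commit, sha256 }:
      fetchpatch {
        url = "https://github.com/mullvad/openvpn/commit/${commit}.patch";
        inherit sha256;
      };
  in
  rec {
    pname = "openvpn-mullvad";
    # NOTE(review): pinned independently of the base `openvpn` package. When
    # bumping, re-derive the patch list below and check upstream OpenVPN
    # release notes for security fixes published after this release.
    version = "2.6.8";

    # Upstream release tarball, verified against the recorded SRI hash.
    src = fetchurl {
      url = "https://swupdate.openvpn.net/community/releases/openvpn-${version}.tar.gz";
      sha256 = "sha256-Xt4VZcim2IAQD38jUxen7p7qg9UFLbVUfxOp52r3gF0=";
    };

    nativeBuildInputs = oldAttrs.nativeBuildInputs or [ ] ++ [
      autoreconfHook
      pkg-config
    ];

    # libnl is only needed on Linux (see --enable-dco below).
    buildInputs = oldAttrs.buildInputs or [ ] ++ optionals stdenv.hostPlatform.isLinux [ libnl.dev ];

    configureFlags = [
      # Assignment instead of appending to make sure to use exactly the flags required by mullvad

      # Flags are based on https://github.com/mullvad/mullvadvpn-app-binaries/blob/main/Makefile#L17
      # NOTE(review): the link targets the moving `main` branch, so the line
      # anchor can drift; compare against the Makefile itself when updating.
      "--enable-static"
      "--disable-shared"
      "--disable-debug"
      "--disable-plugin-down-root"
      "--disable-management"
      "--disable-port-share"
      "--disable-systemd"
      "--disable-dependency-tracking"
      "--disable-pkcs11"
      "--disable-plugin-auth-pam"
      "--enable-plugins"
      "--disable-lzo"
      "--disable-lz4"
      "--enable-comp-stub"
    ]
    ++ optionals stdenv.hostPlatform.isLinux [
      # Flags are based on https://github.com/mullvad/mullvadvpn-app-binaries/blob/main/Makefile#L35
      "--enable-dco" # requires libnl
      "--disable-iproute2"
    ];

    # Patches inherited from the base derivation are applied first.
    # NOTE(review): those were written for the base package's version, which
    # may differ from the one pinned above; confirm they still apply.
    patches = oldAttrs.patches or [ ] ++ [
      # look at compare to find the relevant commits
      # https://github.com/OpenVPN/openvpn/compare/release/2.6...mullvad:mullvad-patches
      # used openvpn version is the latest tag ending with -mullvad
      # https://github.com/mullvad/openvpn/tags
      (fetchMullvadPatch {
        # "Reduce PUSH_REQUEST_INTERVAL to one second"
        commit = "6fb5e33345831e2bb1df884343893b67ecb83be3";
        sha256 = "sha256-MmYeFSw6c/QJh0LqLgkx+UxrbtTVv6zEFcnYEqznR1c=";
      })
      (fetchMullvadPatch {
        # "Send an event to any plugins when authentication fails"
        commit = "96d5bf40610927684ed5d13f8b512b63e8f764ef";
        sha256 = "sha256-HsVx0ZlK7VIFSFet4bG+UEG9W38tavNIP/udesH+Mmg=";
      })
      (fetchMullvadPatch {
        # "Shutdown when STDIN is closed"
        commit = "30708cefbd067928c896e3ef2420b22b82167ab8";
        sha256 = "sha256-apL5CWc470DvleQ/pjracsTL+v0zT00apj5cTHWPQZs=";
      })
      (fetchMullvadPatch {
        # "Undo dependency on Python docutils"
        commit = "debde9db82d8c2bd4857482c5242722eb1c08e6a";
        sha256 = "sha256-UKbQa3MDTJLKg0kZ47N7Gier3a6HP2yB6A551yqhWZU=";
      })
      (fetchMullvadPatch {
        # "Prevent signal when stdin is closed from being cleared (#10)"
        commit = "78812c51f3b2b6cb9efb73225e1002d055800889";
        sha256 = "sha256-XaAE90nMgS862NZ5PWcdWKa0YClxr4S24Nq1OVXezTc=";
      })
      (fetchMullvadPatch {
        # "Disable libcap-ng"
        commit = "ca3d25f2eff82b5fbfe1012ce900a961d35b35de";
        sha256 = "sha256-6bEUJ1FHXi1mzxkAaNdrMIHVrhewWenhRnW53rr2o6E=";
      })
      (fetchMullvadPatch {
        # "Remove libnsl dep"
        commit = "2d9821971fb29fff7243b49292a74eedb4036236";
        sha256 = "sha256-Eeci6U6go1ujmbVQvIVM/xa4GSambLPSaowVIvtYlzQ=";
      })
    ];

    # Drop the configure script shipped in the tarball; presumably so that the
    # one used for the build is regenerated by autoreconfHook from the patched
    # autotools inputs rather than reused as-is.
    postPatch = oldAttrs.postPatch or "" + ''
      rm ./configure
    '';

    meta = oldAttrs.meta or { } // {
      description = "OpenVPN with Mullvad-specific patches applied";
      homepage = "https://github.com/mullvad/openvpn";
      maintainers = [ lib.maintainers.cole-h ];
    };
  }
)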