@dinvlad Calling it a “complete solution” would be far from the truth. I’m sure I could get it there with someone experienced in packaging nix applications. Currently, I have the following problems:
Problems
Capabilities
Apparently I’m missing some capabilities, so I’ve tried adding:
    security.wrappers = {
      microsoft-azurevpnclient = {
        owner = "root";
        group = "root";
        # setuid = true;
        capabilities = "cap_net_admin+ep";
        source = "${(pkgs.callPackage ../azurevpn.nix { })}/bin/microsoft-azurevpnclient";
      };
    };
But that now prevents me from launching the application:
bwrap: Unexpected capabilities but not setuid, old file caps config?
Polkit
I’m pretty sure that the above capabilities were working before I started using bwrap. I’m using bwrap to place the certs (well, currently just one cert, see the next point for details) in the directory Azure VPN expects. But I was never able to figure out how to write a proper polkit rule, so that only Azure VPN would have the permissions to modify the DNS. I got it working by always returning YES though… which is… yay, but suboptimal for obvious reasons.
Certificates
Currently, I’ve just copied one of the certificates, and I’m inserting it hardcoded into the location where it is expected using bwrap. Optimally, this would be done by placing all the existing certificates in the location, not hardcoding them. But I wasn’t able to successfully generate that. I think there is an attempt at doing that left in the repo.
How to get to where I am
If somebody can help me with those problems, I could clean the repo up and maybe even get it to a state where it could be submitted to nixpkgs. If you want to try and achieve that, I guess the easiest way would be to:
- Clone GitHub - Elias-Graf/nix-azure-vpn
- cd nix-azure-vpn
- nix-build && result/bin/microsoft-azurevpnclient
And work from there. I could post some more code that I’ve been trying to get to work in my system configuration, but as I mostly failed, I don’t think it would be too relevant. If you have solutions, feel free to get back to me though, I’d be happy to try them out.
Also linking: Help getting azure vpn to work, which was very helpful to get this far. Maybe @VTimofeenko is interested in helping even more, they seem to be quite talented.
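
For the polkit rule that always returns YES, described in the post above, a narrower rule can match on the action id and the calling user's group instead. This is an added example, not code from the post or its repository. It assumes the client changes DNS through systemd-resolved's polkit actions (the post does not say which actions are requested), and the group name `azurevpn` is hypothetical.

```javascript
// Added example: a scoped polkit rule in place of "always return YES".
// Assumptions: DNS changes go through systemd-resolved's polkit actions,
// and "azurevpn" is a hypothetical group for users allowed to run the client.

// Outside polkitd (for example under Node, for testing) `polkit` is
// undefined, so use stand-in result values there.
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NOT_HANDLED: null };

// Only the resolved actions needed to set and later restore per-link DNS.
var ALLOWED_ACTIONS = [
    "org.freedesktop.resolve1.set-dns-servers",
    "org.freedesktop.resolve1.set-domains",
    "org.freedesktop.resolve1.set-default-route",
    "org.freedesktop.resolve1.revert"
];

var ALLOWED_GROUP = "azurevpn"; // hypothetical group name

function decide(action, subject) {
    // Any other action falls through to the remaining rules and to the
    // defaults declared by the action itself.
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
        return RESULT.NOT_HANDLED;
    }
    // Require a local, active session in addition to group membership, so
    // other logins of a group member still get the default behaviour.
    if (subject.local && subject.active && subject.isInGroup(ALLOWED_GROUP)) {
        return RESULT.YES;
    }
    return RESULT.NOT_HANDLED;
}

// Register the rule only when running inside polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(decide);
}
```

On NixOS the rule text can be supplied through `security.polkit.extraConfig`. The action ids actually requested should be confirmed from the polkit log before trimming the list.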