OpenVPN Plugin issues
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues
2023-08-08T11:03:12+02:00

No input validation of OpenVPN server configuration fields
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/33
2023-08-08T11:03:12+02:00
Jan Betik

There should be at least some validation of input fields - bitwise AND of `VPN network address` and `VPN network mask` should be enough.
Related to https://gitlab.nic.cz/turris/user-docs/-/issues/179
----
When an IPv4 address is assigned to a device, that device uses the subnet mask to determine what network address the device belongs to. The network address is the address that represents all the devices on the same network.
When sending network data, the device uses this information to determine whether it can send packets locally, or if it must send the packets to a default gateway for remote delivery. When a host sends a packet, it compares the network portion of its own IP address to the network portion of the destination IP address, based on subnet masks. If the network bits match, both the source and destination host are on the same network and the packet can be delivered locally. If they do not match, the sending host forwards the packet to the default gateway to be sent on to the other network.
The AND Operation
ANDing is one of three basic binary operations used in digital logic. The other two are OR and NOT. While all three are used in data networks, AND is used in determining the network address. Therefore, our discussion here will be limited to logical AND. Logical AND is the comparison of two bits that yields the following results:
1 AND 1 = 1
0 AND 1 = 0
0 AND 0 = 0
1 AND 0 = 0
The IPv4 host address is logically ANDed, bit by bit, with its subnet mask to determine the network address to which the host is associated. When this bitwise ANDing between the address and the subnet mask is performed, the result yields the network address.

Filip Hron

No state information about the OpenVPN server
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/32
2022-05-24T11:33:41+02:00
Jan Betik

While creating a mistake in the configuration of the OpenVPN server (see https://gitlab.nic.cz/turris/user-docs/-/issues/179 and/or https://rt.nic.cz/Ticket/Display.html?id=1466569) there is no signal that the OpenVPN server is not running.
Everything looks fine although the openvpn task is not running and filling the logs with error messages.

Aleksandr Gumroian

Hide information about manual configuration on Shield
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/31
2022-01-13T14:25:09+01:00
Aleksandr Gumroian

On the OpenVPN -> Server Settings page, paragraph refers to manual configuration, which should not be displayed on Shield.
<details><summary>Click to expand</summary>
![image](/uploads/78e5b0784066a02e482b67b4ecaebcdf/image.png)
</details>

(FR) Add option to export/import the OpenVPN server CA and config
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/30
2022-01-14T16:42:44+01:00
Jan Betik

> The OpenVPN server is having 10+ active profiles. So in ideal case, I would like to migrate the configuration from MOX to Omnia. This would avoid the need to distribute new OpenVPN profiles to the clients.

This feature request is based on this topic https://forum.turris.cz/t/openvpn-migration-from-mox-to-omnia/16274

Confusing scope of the "Override server address" field
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/29
2022-01-20T11:48:04+01:00
Michal Vasilek

![Screenshot_from_2021-09-23_22-53-18](/uploads/ef62ab0587403e9210776985d66ec681/Screenshot_from_2021-09-23_22-53-18.png)
The "Override server address" checkbox does something only when downloading the .ovpn file, otherwise it doesn't do anything.
When I first tried to override the server address, I tried to do so when adding a new client because I wrongly assumed it would pre-generate config files and then just statically download them. I thought it succeeded, because the checkbox got deselected and the entry box disappeared. I think this tiny issue could have been prevented with a bit different design:
a) Don't reset the checkbox and entry box state when adding a new client, so the user doesn't think it succeeded (or at least downloads the .ovpn file with the entry box still filled with the required information).
b) Remove the whole "Add new client" section and add a plus button to the heading of the table which shows a modal with the entry box. This way the user can not get confused where the server address override is effective.

Detect and alter user if we can't detect public IP for server
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/27
2021-08-20T11:12:14+02:00
Karel Koci

The OpenVPN server makes sense pretty much only with public IP. In most cases we should be able to verify IP address assigned to WAN (if it is not from blocks reserved for on-site networks) but that is not 100% (think about 1:1 NAT and other stupid stuff) thus we should only display warning.
I am not sure if we support client connecting over IPv6 but I think that:
* warning that OpenVPN server probably won't work should be if user misses IPv6 and has private IPv4.
* notice if he has IPv6 about limitations of running OpenVPN server on IPv6 only (such as no access from IPv4 network) If user has IPv6 and private IPv4

Port 0 after enabling server
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/26
2022-01-11T15:36:36+01:00
Lukas Jelinek

If I enable the OpenVPN server, the _Port_ field contains 0. It's confusing because the default port number is 1194 (and we don't allow to set a custom value here). After saving, this field contains 1194.
I think it should be:
- _1194_ as the default value **(preferred)**, or
- _default_ as information that the default value will be used, or
- an empty value (nothing filled in).

Disabled fields in Server settings
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/23
2021-07-19T16:19:24+02:00
Michal Hrusecky

Looking at server settings, there is device and port and I can't change either of them. If I can't change them, then it probably doesn't make sense to show them to the user? I think device might make sense if we want to allow switching to `tap` interface, but definitely not freeform. Port might make sense for advanced users, but would need to be supported by backend. Probably both is for discussion with @mmatejek

Add site-to-site support
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/20
2022-01-20T12:08:36+01:00
Martin Prudek

Counterpart of turris/foris-controller/foris-controller-openvpn_client-module#8
There might be two checkboxes: "Enable site-to-site". If enabled, the second one "Masqueraded" would become active.
Enabling the first checkbox would basically add VPN interface.
Depending on the state of the second checkbox we would either:
- add the interface to LAN zone (disabled)
- add the interface to LAN (or WAN??) zone and masquerade all traffic passing through it.

Split into client and server plugins.
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/12
2022-11-09T13:05:40+01:00
Bogdan Bodnar

Use <SubmitButton/> in forms.
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/11
2022-01-20T12:27:44+01:00
Bogdan Bodnar