# OpenVPN Plugin issues
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues (updated 2020-10-12T09:44:15+02:00)

## #18 firewall: Malformed device list
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/18 (updated 2020-10-12T09:44:15+02:00, author: Lukas Jelinek)

When importing an OpenVPN client configuration, it creates a configuration for the firewall too (`/etc/config/firewall`). But it has the device list malformed.
### Steps to reproduce:
1. Import an OpenVPN client configuration (OpenVPN -> Client Settings -> Add settings).
2. Look into `/etc/config/firewall`.
### Expected results:
The `list device` item in `config zone 'turris_vpn_client'` contains `vpn_*` where the wildcard is substituted by the file name.
### Actual results:
There are multiple `list device` items where each contains one character of the above-mentioned device name.
### Affected versions:
- 5.1.0
- 5.2.0

Milestone: Turris OS 5.1.2. Assignee: Michal Hrusecky.

## #36 openvpn client stopped working with 6.5.0 update
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/36 (updated 2024-03-07T14:55:07+01:00, author: Amit Shah)

My Turris Omnia just got auto-updated from 6.4.4 to 6.5.0. The OpenVPN client configuration that I have had for multiple years suddenly stopped working properly. The VPN connection shows as connected, but no traffic flows through the router anymore with the VPN on. I have to disable the VPN to get connectivity again.
Which logs can help debug this situation?

## #35 Allow setting OpenVPN client credentials
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/35 (updated 2022-12-06T13:16:20+01:00, author: Martin Matějek)

Add a way to set/update/delete OpenVPN client credentials from reForis.
## UI
Based on the discussion, I would propose something similar to how we are handling DHCP static leases. I.e. something like following wireframes:
<details><summary>Click to expand</summary>
![reforis-openvpn-client-instances](/uploads/806d626cbb2b5a98f9e6ee9dc178abe4/reforis-openvpn-client-instances.png)
With following modal:
![reforis-openvpn-client-credentials-modal](/uploads/ecb637a2dedbcfd1ad66a7ad1fb03219/reforis-openvpn-client-credentials-modal.png)
</details>
The same modal could also be used for adding a new VPN client configuration, but I am not sure how to make the UI of "upload config and optionally set the client credentials".
Feel free to change the design to be aligned with reForis style ;-)
## JSON messages
Changes in the request sent from reForis.
### Adding new client
#### Before
```json
{
  "config": {"type": "string"}
}
```
#### New
The `credentials` attribute is optional.
```json
{
  "config": {"type": "string"},
  "credentials": {
    "username": {"type": "string"},
    "password": {"type": "string"}
  }
}
```
### Set/Update client
#### Before
```json
{
  "id": {"$ref": "#/definitions/client_id"},
  "enabled": {"type": "boolean"}
}
```
#### New
The `credentials` attribute is optional.
```json
{
  "id": {"$ref": "#/definitions/client_id"},
  "enabled": {"type": "boolean"},
  "credentials": {
    "username": {"type": "string"},
    "password": {"type": "string"}
  }
}
```
---
Depends on: turris/foris-controller/foris-controller-openvpn_client-module#5

Assignee: Aleksandr Gumroian.

## #33 No input validation of OpenVPN server configuration fields
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/33 (updated 2023-08-08T11:03:12+02:00, author: Jan Betik)

There should be at least some validation of input fields - a bitwise AND of `VPN network address` and `VPN network mask` should be enough.

Related to https://gitlab.nic.cz/turris/user-docs/-/issues/179

----
When an IPv4 address is assigned to a device, that device uses the subnet mask to determine what network address the device belongs to. The network address is the address that represents all the devices on the same network.
When sending network data, the device uses this information to determine whether it can send packets locally, or if it must send the packets to a default gateway for remote delivery. When a host sends a packet, it compares the network portion of its own IP address to the network portion of the destination IP address, based on subnet masks. If the network bits match, both the source and destination host are on the same network and the packet can be delivered locally. If they do not match, the sending host forwards the packet to the default gateway to be sent on to the other network.
### The AND Operation
ANDing is one of three basic binary operations used in digital logic. The other two are OR and NOT. While all three are used in data networks, AND is used in determining the network address. Therefore, our discussion here will be limited to logical AND. Logical AND is the comparison of two bits that yields the following results:
```
1 AND 1 = 1
0 AND 1 = 0
0 AND 0 = 0
1 AND 0 = 0
```
The IPv4 host address is logically ANDed, bit by bit, with its subnet mask to determine the network address to which the host is associated. When this bitwise ANDing between the address and the subnet mask is performed, the result yields the network address.

Assignee: Filip Hron.

## #32 No state information about the OpenVPN server
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/32 (updated 2022-05-24T11:33:41+02:00, author: Jan Betik)

When making a mistake in the configuration of the OpenVPN server (see https://gitlab.nic.cz/turris/user-docs/-/issues/179 and/or https://rt.nic.cz/Ticket/Display.html?id=1466569) there is no signal that the OpenVPN server is not running.
Everything looks fine although the openvpn task is not running and is filling the logs with error messages.

Assignee: Aleksandr Gumroian.

## #31 Hide information about manual configuration on Shield
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/31 (updated 2022-01-13T14:25:09+01:00, author: Aleksandr Gumroian)

On the OpenVPN -> Server Settings page, a paragraph refers to manual configuration, which should not be displayed on Shield.
<details><summary>Click to expand</summary>
![image](/uploads/78e5b0784066a02e482b67b4ecaebcdf/image.png)
</details>

## #30 (FR) Add option to export/import the OpenVPN server CA and config
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/30 (updated 2022-01-14T16:42:44+01:00, author: Jan Betik)

> The OpenVPN server has 10+ active profiles. So in the ideal case, I would like to migrate the configuration from MOX to Omnia. This would avoid the need to distribute new OpenVPN profiles to the clients.

This feature request is based on this topic: https://forum.turris.cz/t/openvpn-migration-from-mox-to-omnia/16274

## #29 Confusing scope of the "Override server address" field
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/29 (updated 2022-01-20T11:48:04+01:00, author: Michal Vasilek)

![Screenshot_from_2021-09-23_22-53-18](/uploads/ef62ab0587403e9210776985d66ec681/Screenshot_from_2021-09-23_22-53-18.png)
The "Override server address" checkbox does something only when downloading the .ovpn file, otherwise it doesn't do anything.
When I first tried to override the server address, I tried to do so when adding a new client because I wrongly assumed it would pre-generate config files and then just statically download them. I thought it succeeded, because the checkbox got deselected and the entry box disappeared. I think this tiny issue could have been prevented with a slightly different design:
a) Don't reset the checkbox and entry box state when adding a new client, so the user doesn't think it succeeded (or at least downloads the .ovpn file with the entry box still filled with the required information).
b) Remove the whole "Add new client" section and add a plus button to the heading of the table which shows a modal with the entry box. This way the user cannot get confused about where the server address override is effective.

## #28 Downloading the .ovpn file uses Content-Type: text/html
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/28 (updated 2021-11-27T20:33:00+01:00, author: Michal Vasilek)

When trying to download a .ovpn file with Firefox, I get the file with the following response header:
```
Content-Type: text/html; charset=utf-8
```
This might be the reason why in some edge cases like in #21, the browser decides to override the extension from .ovpn to .html.

Assignee: Aleksandr Gumroian.

## #27 Detect and alter user if we can't detect public IP for server
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/27 (updated 2021-08-20T11:12:14+02:00, author: Karel Koci)

The OpenVPN server makes sense pretty much only with a public IP. In most cases we should be able to verify the IP address assigned to WAN (if it is not from blocks reserved for on-site networks) but that is not 100% (think about 1:1 NAT and other stupid stuff), thus we should only display a warning.
I am not sure if we support clients connecting over IPv6 but I think that:
* a warning that the OpenVPN server probably won't work should be shown if the user has no IPv6 and has a private IPv4.
* a notice about the limitations of running the OpenVPN server on IPv6 only (such as no access from an IPv4 network) should be shown if the user has IPv6 and a private IPv4.

## #26 Port 0 after enabling server
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/26 (updated 2022-01-11T15:36:36+01:00, author: Lukas Jelinek)

If I enable the OpenVPN server, the _Port_ field contains 0. It's confusing because the default port number is 1194 (and we don't allow setting a custom value here). After saving, this field contains 1194.
I think it should be:
- _1194_ as the default value **(preferred)**, or
- _default_ as information that the default value will be used, or
- an empty value (nothing filled in).

## #25 Error occurred while fetching data
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/25 (updated 2022-01-27T17:34:15+01:00, author: Lukas Jelinek)

After the automatic upgrade to TOS 5.2 (and a manual reboot), reForis on my Omnia started to display _"An error occurred while fetching data."_
This message is displayed both in the _OpenVPN_ sections (_Server settings_, _Client settings_) and at the dashboard.
The web console contains the following messages:
```
GET https://my-omnia-address/reforis/openvpn/api/client-settings
HTTP/2 500 Internal Server Error
```
The response content contains this stack trace:
```
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/foris_controller/message_router.py", line 117, in process_message
  File "/usr/lib/python3.7/site-packages/foris_controller/module_base.py", line 61, in perform_action
  File "/usr/lib/python3.7/site-packages/foris_controller_modules/openvpn_client/__init__.py", line 31, in action_list
  File "/usr/lib/python3.7/site-packages/foris_controller/utils.py", line 111, in inner
  File "/usr/lib/python3.7/site-packages/foris_controller_modules/openvpn_client/handlers/openwrt.py", line 39, in list
  File "/usr/lib/python3.7/site-packages/foris_controller_backends/openvpn_client/__init__.py", line 57, in list
  File "/usr/lib/python3.7/site-packages/foris_controller_backends/uci/__init__.py", line 361, in read
  File "/usr/lib/python3.7/site-packages/foris_controller_backends/uci/__init__.py", line 367, in export_data
  File "/usr/lib/python3.7/site-packages/foris_controller_backends/uci/__init__.py", line 182, in _run_uci_command
foris_controller.exceptions.UciException: ['uci', '-n', '-c', '/etc/config/', '-P', '/tmp/.uci-foris-controller', 'export', 'openvpn']: command failed (b'uci: Parse error (invalid character in name field) at line 61, byte 25\n')
```

## #24 Generated config has "undefined" as remote
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/24 (updated 2022-12-05T13:09:02+01:00, author: Vojtech Myslivec)

Related to #22
### Issue description
When I write a hostname into the server address field (which is not allowed currently, see the linked issue) and then click the "Download" button, the generated config file has the following line:
```
remote undefined 1194
```
Which makes the client configuration unusable.
### Proposed fix
When a user writes a non-valid value into the address/host field, the "Download" button should not be clickable. Alternatively, the config file should include the original WAN address, but I find the former variant more correct and intuitive for a user.

Assignee: Aleksandr Gumroian.

## #23 Disabled fields in Server settings
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/23 (updated 2021-07-19T16:19:24+02:00, author: Michal Hrusecky)

Looking at server settings, there is device and port and I can't change either of them. If I can't change them, then it probably doesn't make sense to show them to the user? I think device might make sense if we want to allow switching to the `tap` interface, but definitely not freeform. Port might make sense for advanced users, but would need to be supported by the backend.

Probably both are for discussion with @mmatejek

## #22 Server address validation is not IP
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/22 (updated 2022-12-06T15:20:32+01:00, author: Michal Hrusecky)

The point of the server address in the client configuration is the possibility to enter the DNS name of a machine that has a dynamic public IP, so it shouldn't be validated as an IP address.

Milestone: OpenVPN Plugin 1.4.2. Assignee: Aleksandr Gumroian.

## #21 Output .ovpn file
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/21 (updated 2021-09-23T22:47:15+02:00, author: Michal Hrusecky)

When you try to download the client configuration, the file is named `turris.html` but it contains the OpenVPN configuration file, so it should be named `turris.ovpn`.

Milestone: OpenVPN Plugin 1.4.2. Assignee: Aleksandr Gumroian.

## #20 Add site-to-site support
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/20 (updated 2022-01-20T12:08:36+01:00, author: Martin Prudek)

Counterpart of turris/foris-controller/foris-controller-openvpn_client-module#8
There might be two checkboxes: "Enable site-to-site". If enabled, the second one, "Masqueraded", would become active.
Enabling the first checkbox would basically add the VPN interface.
Depending on the state of the second checkbox we would either:
- add the interface to LAN zone (disabled)
- add the interface to LAN (or WAN??) zone and masquerade all traffic passing through it.

## #19 OpenVPN does not run on boot when enabled in (re)Foris
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/19 (updated 2021-08-20T11:06:34+02:00, author: Ghost User)

When the OpenVPN service is enabled in (re)Foris the service does not automatically start on boot. I have to ssh into the router and run `/etc/init.d/openvpn start` to start it again. This is on Turris OS 5.1.2.

## #17 Client Registration: Consider different naming
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/17 (updated 2020-12-10T18:46:24+01:00, author: Lukas Jelinek)

When a client configuration is downloaded, its name is always `turris.conf`. It has several drawbacks:
1. Some people reported that some OpenVPN clients don't accept `*.conf` files (probably accept only `*.ovpn`).
2. If multiple configurations are saved, their names must be changed manually (or are changed to `turris(1).conf` etc. by browsers).
I suggest considering a different naming. It would use client names and `ovpn` as the extension, e.g. `notebook.ovpn` for a client named `notebook`.
Related to #15, https://gitlab.nic.cz/turris/foris/foris-openvpn-plugin/-/merge_requests/7/diffs
Blocked by: turris/foris-controller/foris-controller-openvpn-module#15

Assignee: Filip Hron.

## #16 Client Settings: Cursor type on "Browse"
https://gitlab.nic.cz/turris/reforis/reforis-openvpn/-/issues/16 (updated 2020-10-13T10:40:33+02:00, author: Lukas Jelinek)

When you move the mouse cursor over the *Browse* button it remains a standard arrow (like `cursor: default` in CSS). But it should change to a pointing hand (like `cursor: pointer` in CSS), which indicates that the button is clickable.