Hello Alexander Marx, and first of all, thanks for your nice ideas and work on this topic. I think these new features bring a very good possibility to have more control in the OpenVPN environment on IPFire over the WUI. The "client-config-directory" was present on IPFire before but only editable over the console; the kernel routing also needs to be done over the console. Additional push routes can meanwhile be added over the "advanced server options" of the WUI, but bringing it all to the WUI might be a nice idea.
So I have loaded your files and integrated them on my testing system (the dog is still alive and the house doesn't burn ;-). After a perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" the WUI also displays your new features and the first slight impression is very good. So from what I have seen in the first checkout, the entry in server.conf for the kernel based routing can be seen, so the "static net" option of the WUI seems to work.
Some things I have missed:
- If I use "Redirect GW" and "Net to route" (I think this should be redirect-gateway ? def1 ? and "iroute"), I miss the explicit ccd file with the common name of the client connection and its individual client configuration content. "ifconfig-push", "iroute" and "redirect-gateway" should normally take place in this text file located under /var/ipfire/ovpn/ccd, I think. I have found a new file in the /var/ipfire/ovpn directory called "ccd.conf" but the "client-config-directory" wasn't used in my case.
- It could maybe be an idea that if "ifconfig-push" has assigned some IPs to the clients (they are no longer available), the "Host address" column of the flip menu shouldn't display them anymore. It is surely also possible to reach a similar effect with a plausibility check, but it might be bulky to first try out all assigned addresses until a free one is available.
- If I add a new connection, "client status and control" lays out the new connection but the "Net name" column shows me "dynamic" although I chose a "Static Net".
- Is it possible that existing connections need to be created anew? Because the "Net name" column doesn't update their state (dynamic or static). So I think the ccd entries also won't be created subsequently for existing clients.
So those are some of my first impressions.
I would also like to point out that this solution might be a possibility to add some "Multi-Client N2N" infrastructures, which bring a lot of advantages over the existing P2P Net-to-Net which is currently available on IPFire. --> All traffic goes through one port, a high adjustment of the traffic through different networks is possible, auth-pam (server side authentication) is also possible for N2N, more directives can be used in server mode compared to P2P mode, .... But maybe there are some other things to handle then, for example .p12 authentication over the IPFire WUI.... But this is only a short idea of what can be possible with the new directives.
Also a great idea is the implementation of an ovpnfw.cgi.
So much from me and my first feedback.
Greetings
Erik
On 29.10.2012 at 11:31, Alexander Marx wrote:
Dear List!
Code is frozen for testing now. Please be aware that this code will eat your dog and burn your house! Please test it in a nonproductive environment and tell me what you find.
This is essential for my ongoing project to implement a "vpn-Firewall WUI".
Any feedback (as always) is greatly appreciated. I don't expect any errors but I would like you to have another pair of eyes on the code.
Thank you!
--
Alexander Marx Fachinformatiker Systemintegration
<CCD-29.10.12.tar.gz>