On 01/24/2018 3:33 PM, Tom Rymes wrote:
I suppose that this isn't particularly "Development" related, but I think it does touch upon features and functionality that are important to making the project attractive to new users and I also think that, perhaps, some changes might be needed to the WUI to keep up with changes to clients. I would think that a tried-and-true configuration that makes it easy for any user to implement a VPN using built-in clients would be a major benefit to the project.
Just to keep everyone up to date, I have posted instructions for setting up an IPSec Roadwarrior connection with MacOS to the Wiki.
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_...
If anyone can test it out and see if I have forgotten anything, made a typo, or two, or simply just made it too complicated, that would be awesome.
I think that there might be some additional improvements that could be made, including adding a uniqueids=no (or similar) to allow more than one connection to the tunnel at a time. That would, of course, require manual editing of /etc/ipsec.user.conf, but that's already the case.
My suspicion is that this could easily be made to work with iOS, but I haven't tried yet.
Also, I was able to install and work with Algo (https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/), and I can say that it is simply head and shoulders above what we currently offer in IPFire. Setup is easy on the server side (once I worked out a few small, confusing items), and installation on the client (especially for Apple devices) is so easy it could make a grown man cry.
MacOS: Download file, double-click file, enter password, done. iOS: Download file to mac, airdrop to device, tap accept, tap install, enter password, done.
If you want, you can set up Algo to tell MacOS and iOS clients to automatically connect to VPN when on cellular, when on WiFi, or both. You can also manually edit the profile on the server to do things like force VPN except when connected to Wi-Fi on ESSID "MyNetwork", etc.
I haven't tried Windows clients, yet, but just avoiding the "what do I put in this field?" portion of configuring a tunnel is a major achievement.
I am not in possession of the skills required to move the WUI forward in this area, or I would gladly do so. Having said that, there are two things I think would be worthwhile:
1.) Add the server hostname to the SAN when generating certs. https://bugzilla.ipfire.org/show_bug.cgi?id=11594
2.) Update the Roadwarrior portion of the WUI to automatically configure the various parts to work properly with Windows/Mac/iOS/Android. Eliminate fields such as "Local ID" if those have to be set to a specific value for a given platform, etc. This can get a bit tricky, as if the user didn't specify the proper setting when generating the host cert, then it may not work with all platforms.
Does anyone other than myself and Peter have any thoughts on this? I'm surprised that nobody else has chimed in about something I consider a really important/beneficial feature. This is important for any business needing to provide remote access to roaming users, plus anyone that wants to protect their data from prying eyes while on public Wi-Fi, etc.
Tom