Dear List!
Code is frozen for testing now. Please be aware that this code will eat your dog and burn your house! Please test it in a non-productive environment and tell me what you find.
This is essential for my ongoing project to implement a "vpn-Firewall WUI".
Any feedback (as always) is greatly appreciated. I don't expect any errors, but I'd like you to have another pair of eyes on the code.
Thank you!
Hey Alex,
I just installed the files on my system. This is my first impression:
Over the entire application, the wording is very poor. It is hard to understand what is going on - even for someone who is experienced with what the GUI does. Buttons say "static net", headlines are "add net". What kind of net? What is a static net?
Quote: A static net can be used to give OVPN roadwarrior a fixed IP. There can be more networks (for Manager, Admins,...). With the fixed addresses you are able to define your own firewall rules for specific static networks or even single roadwarrior.
Much better is for example: You are able to define static networks on this page, from which roadwarrior clients can get static address assignments.
Short and sweet. Instructions about why this is useful should go on the wiki.
The listing of the networks is pretty nice. I like it, but it does not use the entire width of the WUI. There is no edit button in case I want to edit the description. The network should not be editable, I think. The descriptions of the columns are also a bit too short. "net" -> "network", "Max. clients" is not very understandable as well as "used". I would put it as "Used addresses" and "4/32".
The form above the listing where you create a new network does not look like the forms on top of other pages like the port forwarding.
When creating/editing a roadwarrior connection, it is again hard to tell what all the options do. There is no such thing as "OpenVPN DHCP". Put it as a choice between "Use dynamic address pool 1.2.3.0/24" and the static address assignment.
Why is the max. number of fixed leases shown in that table? I cannot see any use for that over here.
The list of host addresses where to pick from is cool, but the subnet mask is _always_ /30. No matter what the actual network size is.
What does checking the redirect gw option change? Can I check it for multiple networks? Is it bound to a network or is it just an option to enable the gateway redirection for this client in general?
What does "net to route" do?
I had to create /var/ipfire/ovpn/ccd (nobody:nobody) manually.
I rather don't like the header of the configuration files in the ccd directory.
Is there a reason why the parameters are separated by "=" than "," in ccd.conf?
The source code has very many comments in German, which is not very convenient because not all developers speak German.
I hope this feedback helps you a little bit. I have not reviewed the implementation (i.e. CGI scripts), yet. Will do that when things above are fixed. It would be nice if you could provide diffs.
Michael
Hello Alexander Marx, and first of all, thanks for your nice ideas and work on this topic. I think these new features bring a very good possibility to have more control over the OpenVPN environment on IPFire via the WUI. The "client-config-directory" was already present on IPFire but was only editable via the console; the kernel routing also needs to be done via the console. Additional push routes can meanwhile be added via the "advanced server options" of the WUI, but bringing all of it to the WUI might be a nice idea.
So I have loaded your files and integrated them on my testing system (the dog is still alive and the house isn't burning ;-). After a perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" the WUI also displays your new features, and the first slight impression is very good. From what I have seen on a first checkout, the entry in server.conf for the kernel-based routing is present, so the "static net" option of the WUI seems to work.
Some things I have missed:
- If I use "Redirect GW" and "Net to route" (I think this should be redirect-gateway ? def1 ? and "iroute"), I miss the explicit ccd file with the common name of the client connection and its individual client configuration content. "ifconfig-push", "iroute" and "redirect-gateway" should normally take place in this text file located under /var/ipfire/ovpn/ccd, I think. I have found a new file in the /var/ipfire/ovpn directory called "ccd.conf", but the "client-config-directory" wasn't used in my case.
- It might be an idea that, if "ifconfig-push" has assigned some IPs to clients (so they are no longer available), the "Host address" column of the flip menu shouldn't display them anymore. It is surely also possible to reach a similar effect with a plausibility check, but it might be bulky to first try out all assigned addresses until a free one is available.
- If I add a new connection, "client status and control" shows the new connection, but the "Net name" column shows me "dynamic" although I chose a "Static Net".
- Is it possible that existing connections need to be created anew? Because the "Net name" column doesn't update its state (dynamic or static). So I think the ccd entries also won't be created subsequently for existing clients.
So those are some of my first impressions.
I would also like to point out that this solution might be a possibility to add some "Multi-Client N2N" infrastructures, which bring a lot of advantages over the existing P2P Net-to-Net which is currently available on IPFire. --> All traffic goes through one port, fine adjustment of the traffic through different networks is possible, auth-pam (server-side authentication) is also possible for N2N, more directives can be used in server mode compared to P2P mode, .... But there may be some other things to handle then, for example .p12 authentication over the IPFire WUI.... But this is only a short idea of what can be possible with the new directives.
Also a great idea is the implementation of an ovpnfw.cgi.
That's it from me for a first feedback.
Greetings
Erik
On 29.10.2012 at 11:31, Alexander Marx wrote:
> Dear List!
> Code is frozen for testing now. Please be aware that this code will eat your dog and burn your house! Please test it in a non-productive environment and tell me what you find.
> This is essential for my ongoing project to implement a "vpn-Firewall WUI".
> Any feedback (as always) is greatly appreciated. I don't expect any errors, but I'd like you to have another pair of eyes on the code.
> Thank you!
> --
> Alexander Marx, Fachinformatiker Systemintegration
> <CCD-29.10.12.tar.gz>
_______________________________________________
Development mailing list
Development@lists.ipfire.org
http://lists.ipfire.org/mailman/listinfo/development
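The per-client ccd files Erik describes (ifconfig-push, iroute, redirect-gateway) and the host-address pairs that Michael noticed are always /30 are both consequences of OpenVPN's default net30 topology, in which every road-warrior client is addressed with a /30 pair regardless of the size of the static net it is taken from. The following is an added illustration written for this review thread, not IPFire's own Perl code from the attached tarball: it computes the ifconfig-push pairs for a static net (which also yields the "Max. clients" count), picks the first pair not already assigned so that used addresses can be left out of the host-address list, renders the ccd file body, and refuses a certificate common name that could not safely be used as a file name under /var/ipfire/ovpn/ccd. All function names and the common-name whitelist are this example's assumptions.

```python
"""Generate OpenVPN client-config-dir (ccd) files for static road-warrior
addresses. Stand-in illustration for the thread; not IPFire's ovpnmain.cgi."""
import ipaddress
import os
import re
from typing import Optional, Set, Tuple

# Conservative whitelist for common names reused as file names (assumption
# of this example): the CN comes from the client certificate, i.e. external
# input, so it must not be able to contain "/" or "..".
SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def max_clients(static_net: str) -> int:
    """net30 topology spends one /30 (4 addresses) per client."""
    return ipaddress.ip_network(static_net, strict=True).num_addresses // 4


def client_pair(static_net: str, index: int) -> Tuple[str, str]:
    """Return (client_ip, server_endpoint) for the index-th /30 of static_net.
    net30 layout: base+1 is the server-side endpoint, base+2 the client's
    address, so the pushed pair is always a /30 whatever the net's size."""
    net = ipaddress.ip_network(static_net, strict=True)
    limit = max_clients(static_net)
    if not 0 <= index < limit:
        raise ValueError(f"index {index} outside {static_net} ({limit} slots)")
    base = int(net.network_address) + 4 * index
    return str(ipaddress.ip_address(base + 2)), str(ipaddress.ip_address(base + 1))


def allocate(static_net: str, used_clients: Set[str]) -> Tuple[int, str, str]:
    """First /30 whose client address is not pushed to anyone yet.
    Returns (index, client_ip, server_endpoint); raises when the net is full."""
    for i in range(max_clients(static_net)):
        client_ip, server_ip = client_pair(static_net, i)
        if client_ip not in used_clients:
            return i, client_ip, server_ip
    raise RuntimeError(f"no free /30 left in {static_net}")


def render_ccd(client_ip: str, server_ip: str, iroute: Optional[str] = None,
               redirect_gw: bool = False) -> str:
    """Body of the per-client ccd file. iroute tells the server that the
    client's LAN is reachable behind this tunnel; redirect-gateway makes the
    client send its default route through the VPN."""
    lines = [f"ifconfig-push {client_ip} {server_ip}"]
    if iroute:
        lan = ipaddress.ip_network(iroute, strict=True)
        lines.append(f"iroute {lan.network_address} {lan.netmask}")
    if redirect_gw:
        lines.append('push "redirect-gateway def1"')
    return "\n".join(lines) + "\n"


def ccd_path(ccd_dir: str, cn: str) -> str:
    """Map a certificate CN to its ccd file, refusing names that could
    escape ccd_dir."""
    if not SAFE_CN.match(cn):
        raise ValueError(f"refusing unsafe common name {cn!r}")
    return os.path.join(ccd_dir, cn)


def write_ccd(ccd_dir: str, cn: str, static_net: str, used_clients: Set[str],
              iroute: Optional[str] = None, redirect_gw: bool = False) -> Tuple[str, str]:
    """Allocate a pair, write the ccd file, return (path, client_ip)."""
    _, client_ip, server_ip = allocate(static_net, used_clients)
    path = ccd_path(ccd_dir, cn)  # validate the CN before touching the disk
    with open(path, "w") as fh:
        fh.write(render_ccd(client_ip, server_ip, iroute, redirect_gw))
    return path, client_ip


if __name__ == "__main__":
    # Constructed sample: a /29 static net with one address already in use.
    taken = {"10.10.10.2"}
    idx, cip, sip = allocate("10.10.10.0/29", taken)
    print(f"slot {idx}: client {cip}, server endpoint {sip}")
    print(render_ccd(cip, sip, iroute="192.168.50.0/24", redirect_gw=True))
```

Note that the example only decides the address pair and the file body; whether the client's LAN is actually reachable still depends on a matching `route` directive on the server and on the firewall rules Alexander's ovpnfw.cgi is meant to manage.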