Feedback on New OpenVPN tunnels

giacomo · June 21, 2017, 1:19pm

After some days of work, I finally have a preview of new OpenVPN tunnels (net2net).
The main goal of this refactor is to simplify the creation of tunnels to connect 2 remote networks using a VPN.
Scenario: one company named Sauron Inc with two offices: Mordor and Barad-dûr.

We designed the web interface for this workflow:

The goblin accesses the firewall of the head office (Mordor, of course), and creates a new tunnel server:

server.png484×955 54.2 KB

The goblin must enter:
- the network of the VPN (must not be used inside the system)
- a free port where the server will listens for incoming connections
- the public address of the server which will be used from the client
- a list of local (server-side) and remote (client-side) networks to connect
The goblin then clicks the “Download button” and saves the client configuration on its own computer
As final step, the goblin accesses the secondary Barad-dûr and clicks on “Upload” button

Done, Sauron Inc will be happy because the goblin did his job very quickly!

Other features:

Tunnel status is displayed inside the page configuration page:

server_table.png1610×355 22.4 KB
OpenVPN feature has been split in two pages:

roadwarrior.png442×669 20.8 KB
Selection of cipher and protocols
Tunnel client can be now enabled and disabled
Client and server configuration are now templates and can be easily customized using template custom

Open issues:

There is a new client prop called WanPriorities to allow the selection of a preferred red interface used for VPN connection (@davidep will help me to create a nice UI widget for it)
Davide proposes to remove the “Server” tab from the roadwarrior page and include a new “Server” button which displays the content of the actual tab
Should the goblin be able to see the tunnel status under the “Status” section from a new “OpenVPN tunnel status” page?

I hope to have your feedback to improve current implementation before moving to QA.
/cc @dj_marian @sharpec @kelevra @filippo_carletti

Please @alefattorini feel free to shout for someone else!

Thanks to @davide_marini for the original design.

Reference:

pike · June 21, 2017, 1:39pm

Is the daemon shared with roadwarrior connections?

giacomo · June 21, 2017, 1:57pm

You will have one server for each tunnel, plus the roadwarrior server.
This allows the administrator to have multiple configurations for different scenarios.

pike · June 21, 2017, 3:22pm

Am i correct if I suppose multiple UDP ports?
This should mean that every tunnel is independent and can be fully managed with no interference to other services/tunnel…

giacomo · June 21, 2017, 3:25pm

Yes, every server has its own UDP/TCP port as you can see from the screenshots.

alefattorini · June 21, 2017, 3:32pm

That’s a great news! Thanks @giacomo for sharing. I’d like to involve also
@harry @EddieA @Hunv @ssabbath @bwdjames @flatspin @AZChas @dz00te @WillZen @Jclendineng @jackyes @buddha @Adam and the amazing @ambassadors_group

sharpec · June 22, 2017, 4:27am

great! Will be really helpful for future business developments.

Forgive me for the boorish, but since you find us, multiple roadwarrior?
Translated did not come very well, original would be
“Perdona la cafonata, ma visto che ti ci trovi…”

giacomo · June 22, 2017, 7:03am

You could use the tunnel server as roadwarrior server, the only limitation in this scenario is the authentication which is psk-only.

ssabbath · June 22, 2017, 7:09pm

Wow man, this is just fantastic! Farewell IPSEC forever!

Your narrative is hilarious too!

ONE NETHSERVER TO RULE THEM ALL!!!

paolo_bagnoli · June 24, 2017, 8:20pm

@giacomo great work!
Really useful.

Paolo

devfx11 · June 24, 2017, 9:03pm

Very nice guide, feature.
I just started to use Nethserver recently, so far i like it.

What i also like is that things are improved and updated constantly.

Good job Nethserver team & community.
I will be using Nethserver from now on more and more.
Thanks for making a great product and I hope you keep it free, as much as possible.

pike · June 25, 2017, 4:21pm

Not so soon man… L2TP is available on every mobile OS. IPSec will last a long time anyway…

alefattorini · June 26, 2017, 10:25am

Thanks for all your love guys, anyway I guess that @giacomo is looking for a valuable feedback. I ask you to look through the proposal and tell us

Are we taking the right path?
Do you see any issue in the implementation suggested?
Can we improve it somehow?

As Giacomo said, fix things BEFORE is better than fix them AFTER

ssabbath · June 26, 2017, 1:22pm

OpenVPN is in the best ones tho!

I´m just saying for me, only cenarios i used IPSEC was to conect Mordor do Bard-dur, soooo that being handled by OpenVPN, byebye ipsec

BTW @giacomo and @alefattorini i will test it out maybe next month, and for sure i will give you guys a feedback!

giacomo · June 28, 2017, 3:20pm

Everything ready for test, enjoy!

I will give particular attention to the first test case: update existing installations and check that nothing breaks!

alefattorini · June 29, 2017, 2:41pm

@quality_team and all people interested in the VPN module.
It’s time to help now! Feel free to ask and follow that
Let’s test!

I’d like to involve some Firewall experts too: @islipfd19 @jitkian @dnutan @Hunv @firsttiger @ssabbath @kolli_vasu @m.traeumner @Imre_Bertalan @ssabbath

pike · July 4, 2017, 10:26am

By design… no NAT on tunnels?
Even for Roadwarrior server?

giacomo · July 4, 2017, 1:59pm

Could you please explain a little your needs?

Maybe are you referring to --client-nat OpenVPN option (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)?