Feedback on New OpenVPN tunnels

net2net
openvpn
v7

(Giacomo Sanchietti) #1

After some days of work, I finally have a preview of new OpenVPN tunnels (net2net).
The main goal of this refactor is to simplify the creation of tunnels to connect 2 remote networks using a VPN.
Scenario: one company named Sauron Inc with two offices: Mordor and Barad-dûr.

We designed the web interface for this workflow:

  • The goblin accesses the firewall of the head office (Mordor, of course), and creates a new tunnel server:


    The goblin must enter:

    • the network of the VPN (must not be used inside the system)
    • a free port where the server will listen for incoming connections
    • the public address of the server which will be used by the client
    • a list of local (server-side) and remote (client-side) networks to connect
  • The goblin then clicks the “Download button” and saves the client configuration on its own computer

  • As final step, the goblin accesses the secondary Barad-dûr and clicks on the “Upload” button



Done, Sauron Inc will be happy because the goblin did his job very quickly!

Other features:

  • Tunnel status is displayed inside the configuration page:

  • OpenVPN feature has been split in two pages:

  • Selection of cipher and protocols

  • Tunnel client can be now enabled and disabled

  • Client and server configuration are now templates and can be easily customized using template custom

Open issues:

  • There is a new client prop called WanPriorities to allow the selection of a preferred red interface used for VPN connection (@davidep will help me to create a nice UI widget for it)
  • Davide proposes to remove the “Server” tab from the roadwarrior page and include a new “Server” button which displays the content of the actual tab
  • Should the goblin be able to see the tunnel status under the “Status” section from a new “OpenVPN tunnel status” page?

I hope to have your feedback to improve current implementation before moving to QA.
/cc @dj_marian @sharpec @kelevra @filippo_carletti

Please @alefattorini feel free to shout for someone else!

Thanks to @davide_marini for the original design.

Reference:

(Michael Kicks) #2

Is the daemon shared with roadwarrior connections?


(Giacomo Sanchietti) #3

You will have one server for each tunnel, plus the roadwarrior server.
This allows the administrator to have multiple configurations for different scenarios. :wink:


(Michael Kicks) #4

Am I correct if I suppose multiple UDP ports?
This should mean that every tunnel is independent and can be fully managed with no interference to other services/tunnel…


(Giacomo Sanchietti) #5

Yes, every server has its own UDP/TCP port as you can see from the screenshots.


(Alessio Fattorini) #6

That’s great news! Thanks @giacomo for sharing. I’d like to involve also
@harry @EddieA @Hunv @ssabbath @bwdjames @flatspin @AZChas @dz00te @WillZen @Jclendineng @jackyes @buddha @Adam and the amazing @ambassadors_group


(Alessio Fattorini) #7

(EnzoC) #8

great! Will be really helpful for future business developments.

Forgive me for the boorish, but since you find us, multiple roadwarrior?
Translated did not come very well, original would be
"Perdona la cafonata, ma visto che ti ci trovi…:innocent:" (in English: "Forgive the rudeness, but since you're already at it…")


(Giacomo Sanchietti) #9

You could use the tunnel server as roadwarrior server, the only limitation in this scenario is the authentication which is psk-only.
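As an added example (not NethServer's own template code), this shows how the four inputs the tunnel wizard asks for in the first post, together with the PSK-only point-to-point layout mentioned in #9, could be rendered into an OpenVPN server/client configuration pair. The `static.key` file name, the AES-256-CBC default, and the overlap check on the VPN network are assumptions made here.

```python
"""Render a net2net OpenVPN server/client pair (static-key mode) from the
wizard inputs.  Illustrative only; the directive layout is an assumption,
not the NethServer template."""
import ipaddress
from typing import List, Tuple


def render_tunnel(vpn_net: str, port: int, public_addr: str,
                  local_nets: List[str], remote_nets: List[str],
                  cipher: str = "AES-256-CBC", proto: str = "udp") -> Tuple[str, str]:
    """Return (server_conf, client_conf); raise ValueError on unsafe input."""
    tun = ipaddress.ip_network(vpn_net, strict=True)
    local = [ipaddress.ip_network(n, strict=True) for n in local_nets]
    remote = [ipaddress.ip_network(n, strict=True) for n in remote_nets]
    # The wizard requires that the VPN network is not used inside the system:
    # refuse any overlap with a LAN on either side of the tunnel.
    for lan in local + remote:
        if tun.overlaps(lan):
            raise ValueError(f"VPN network {tun} overlaps connected network {lan}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    # Static-key (PSK) mode cannot use AEAD ciphers such as AES-256-GCM.
    if cipher.upper().endswith("-GCM"):
        raise ValueError(f"{cipher} is not usable in static-key mode")
    hosts = list(tun.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{tun} has no room for two tunnel endpoints")
    srv_ip, cli_ip = hosts[0], hosts[1]   # point-to-point endpoints

    common = ["dev tun", f"proto {proto}", f"cipher {cipher}", "auth SHA256",
              "secret static.key",  # PSK shipped in the downloaded client bundle
              "keepalive 10 60", "persist-key", "persist-tun"]

    def routes(nets):
        # Each side routes the networks that live on the *other* side.
        return [f"route {n.network_address} {n.netmask}" for n in nets]

    server = [f"port {port}", f"ifconfig {srv_ip} {cli_ip}"] + common + routes(remote)
    client = [f"remote {public_addr} {port}", "nobind",
              f"ifconfig {cli_ip} {srv_ip}"] + common + routes(local)
    return "\n".join(server) + "\n", "\n".join(client) + "\n"


if __name__ == "__main__":
    # Constructed sample: Mordor (server) 192.168.1.0/24, Barad-dûr 192.168.2.0/24.
    srv, cli = render_tunnel("10.99.0.0/30", 1195, "vpn.mordor.example",
                             ["192.168.1.0/24"], ["192.168.2.0/24"])
    print(srv, "---", cli, sep="\n")
```

Because every tunnel gets its own port (#5), a second tunnel is simply another call with a different port and a disjoint VPN network.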


(Walter Ferry Dissmann) #10

Wow man, this is just fantastic! Farewell IPSEC forever!

Your narrative is hilarious too! :smiley:

ONE NETHSERVER TO RULE THEM ALL!!!


(Paolo Bagnoli) #11

@giacomo great work!
Really useful.

Paolo


(devfx11) #12

Very nice guide, feature.
I just started to use Nethserver recently, so far I like it.

What I also like is that things are improved and updated constantly.

Good job Nethserver team & community.
I will be using Nethserver from now on more and more.
Thanks for making a great product and I hope you keep it free, as much as possible.


(Michael Kicks) #13

Not so soon man… L2TP is available on every mobile OS. IPSec will last a long time anyway…


(Alessio Fattorini) #14

Thanks for all your love guys, anyway I guess that @giacomo is looking for valuable feedback. I ask you to look through the proposal and tell us

  • Are we taking the right path?
  • Do you see any issue in the implementation suggested?
  • Can we improve it somehow?

As Giacomo said, fixing things BEFORE is better than fixing them AFTER


(Walter Ferry Dissmann) #15

OpenVPN is in the best ones tho! :stuck_out_tongue:

I'm just saying, for me the only scenarios I used IPSEC for were to connect Mordor to Barad-dûr, soooo that being handled by OpenVPN, byebye ipsec :smiley:

BTW @giacomo and @alefattorini I will test it out maybe next month, and for sure I will give you guys feedback! :slight_smile:


(Giacomo Sanchietti) #16

Everything ready for test, enjoy!

I will give particular attention to the first test case: update existing installations and check that nothing breaks!


(Alessio Fattorini) #17

@quality_team and all people interested in the VPN module.
It’s time to help now! Feel free to ask and follow that
Let’s test!

I’d like to involve some Firewall experts too: @islipfd19 @jitkian @dnutan @Hunv @firsttiger @ssabbath @kolli_vasu @m.traeumner @Imre_Bertalan @ssabbath


(Alessio Fattorini) #18

(Michael Kicks) #19

By design… no NAT on tunnels?
Even for Roadwarrior server?


(Giacomo Sanchietti) #20

Could you please explain your needs a little?

Maybe you are referring to the --client-nat OpenVPN option (https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)?