Re: network-manager-openvpn

[Luc Deschenaux <luc deschenaux mta sunrise ch>]

Le dimanche 06 septembre 2009 à 19:12 +0200, Tim Niemueller a écrit : 
> On 06.09.2009 18:27, Luc Deschenaux wrote:
> > Hello !
> 
> Hello Luc.

Hello everybody !

> > Nice try, but you could do better :)
> 
> Feel free to send patches.

I know that patches are always welcome :) 
But i dont have the time to make it work like everybody at first glance
will expect it should, ie: allowing to import any valid openvpn
configuration file.

Let me just send you, instead of a patch, a more serious analysis of
what could make network-manager-openvpn less annoying:

1. It should be possible to activate simutaneously many openvpn
configurations using checkboxes instead of radiobuttons, (in server mode
also, say in a second time...).

2. It should be possible to "import" any openvpn configuration file, eg:

* Copy the config (as a file or individual parameters in gconf) and
patch it: parse options for actually supported parameters and patch or
add "up", "down", "cd", ...

(using gconf to store openvpn parameters is much less cool when it's
time to copy the configs directly from disk or to port the application,
but it is ok to store the config location or other external details in
gconf). 

* Options not modifiable actually by network-manager-openvpn should also
be gathered and displayed, eg: in a dynamic listbox like for the routes,
with an add button. There could be a pop-up in the first column to set
or change the option name, an editable field in the second column to set
or change its value.

> However, send them to the NM mailing list, as
> I'm not longer an active developer on that project.
> 
It was the only mail address specified for the debian package.

Feel free to forward this mail to the mailing list for me or to send me
the mailing list address. Thanks in advance !

Oh forget it i found the address :)

> > At least there should be a way to enable openvpn connections defined
> > somewhere in /etc/openvpn or so. 
> 
> Not to do that was a concious design decision at that time.
> > Or you could add a text field so that one could add options not
> > supported by network-manager-openvpn, or that would be filled in when
> > importing a configuration file.
> 
> That's not the way the applet was designed. The applet should cover most
> of the typical use cases and make it easy to configure those. And from
> my experience that works nicely. Though I haven't followed the recent
> development and discussions. So my statements may be obsolete by now and
> different decisions may have been made. I'm pretty sure though that a
> "command line args" input field is the worst idea ever.

It just mean "anything should be done so that it works for every
possible configuration" :)

> > ps: 
> [...]
> 
> Contact the mailing list. But first you should go and read
> http://catb.org/~esr/faqs/smart-questions.html and change your style of
> writing. I wouldn't expect an answer otherwise.
> 

I wrote first the mail impulsively, but with a smile :)
Nothing agressive or disrespectful from my point of view.
Isn't it better than no feedback at all ?

Beside this i didn't ask anything... it was only constructive remarks
and suggestions.

Many openvpn users (me first) will never use this version of the
network-manager-openvpn applet which is not handling the configuration
they are using, and, after some waste of time trying to use it, will
continue to run openvpn as a service, eventually starting additional
openvpn processes manually or using kvpnc, and keep in mind a bad image
of network-manager-openvpn. 

One could use kvpnc, or modify network-manager-openvpn, or reinvent the
wheel and write a configuration tool using standard openvpn
configuration files, for server and client configs, generating keys, and
write some glue to paste it in the gnome-network-manager applet.

But actually i need nothing, so i won't use, modify, write nor reinvent
anything... network-manager-openvpn was available so i tried it and
wasted time doing so...

> 	Tim
> 

Regards,

L:üc:

ps: Past events forged my style :)

Le dimanche 06 septembre 2009 à 18:28 +0200, Luc Deschenaux a écrit :
Hello !
> 
> It tooks me days and hours, and learning how to use openvpn "manually"
> before understanding (while trying to import my configuration in order
> to enable it through the gnome-network-manager applet and seeing it
was
> not possible) that network-manager-openvpn is quite unusable and
> obsolete.
> 
> Nice try, but you could do better :)
> 
> At least there should be a way to enable openvpn connections defined
> somewhere in /etc/openvpn or so. 
> 
> Or you could add a text field so that one could add options not
> supported by network-manager-openvpn, or that would be filled in when
> importing a configuration file.
> 
> Thanks anyway :)
> 
> L:üc:
> 
> ps: 
> 
> When trying to import a configuration the gateway name (remote) is set
> to "-cert-tls" because of the "remote-cert-tls" directive in my
> configuration file. 
> 
> When i correct this, i have the message "Connection failed because
there
> was no valid VPN secrets"... 
> 
> Then when i remove the connection settings, it still appears in the
> network-manager-applet menu.
> 
> 
> pièce jointe document texte brut (client.conf)
> client
> dev tun
> proto udp
> remote somewhere.net 1194
> float
> resolv-retry infinite
> nobind
> 
> # If you are connecting through an
> # HTTP proxy to reach the actual OpenVPN
> # server, put the proxy server/IP and
> # port number here.  See the man page
> # if your proxy server requires
> # authentication.
> ;http-proxy-retry # retry on connection failures
> ;http-proxy [proxy server] [proxy port #]
> 
> ca ca.crt
> cert client.crt
> key client.key
> 
> tls-auth ta.key 1
> 
> remote-cert-tls server
> tls-remote somewhere.net
> 
> keepalive 10 60
> ping-timer-rem
> persist-tun
> persist-key
> 
> user nobody
> group nogroup
> #daemon
>