VPN architecture

So,

NetworkManager is truly awesome, except that I still have to manually
run this hackish VPN script (runs vpnc) to connect to my work's VPN.  I
could probably sort of work this into a NetworkManagerDispatcher
callout, but a real architecture for this would be better for a number
of reasons:

1) I need to add a specific route, and a specific nameserver to the
network configuration.  For the latter, I can just take
over /etc/resolv.conf, but then it could be blown away later by e.g. a
DHCP renewal.  For routing, it'd be nice to not have to get my
hands dirty with low-level details.
2) I'd like to be able to prompt the user for a password
3) I'd like notification of VPN status inside the applet; perhaps
this could be a little lock icon.

So to implement this, I'm thinking that we define a new service,
org.freedesktop.NetworkManagerVPN.  NetworkManager would then
talk to this service (probably implemented as a separate daemon)
when networking parameters change.  The VPN daemon would then
invoke methods on NetworkManager, like:
void org.freedesktop.NetworkManager.VPNActive(in string name)
void org.freedesktop.NetworkManager.VPNInactive(in string name)
void org.freedesktop.NetworkManager.AddRouteIPv4(in string netmask, 
                                                in string gateway,
                                                in string device)
void org.freedesktop.NetworkManager.AddNameserverIPv4(in string quad)
void org.freedesktop.NetworkManager.AddNameserverIPv4Routed(in string quad, in string netmask)

NetworkManagerVPN would also listen to NetworkManager's signals on network status changes,
of course.

To really implement this well though, NetworkManager will have to start
driving things at a lower level.  For example, instead of simply exec'ing
dhclient, NetworkManager should speak DHCP itself (as a separate process though
still), and e.g. gather a list of returned nameservers itself, then
add the VPN ones to it and synthesize /etc/resolv.conf.  Also,
to implement AddNameserverIPv4Routed, NM will really have to run its own
caching nameserver.

Thoughts?
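An added example (not part of the post and not NetworkManager's own code) of the state merging the post argues for: NetworkManager keeps each source's contribution (DHCP nameservers per device, nameservers and routes per VPN) separately and re-synthesizes resolv.conf and the route list from the union, so a DHCP renewal replaces only that device's entries and a VPN going inactive removes only that VPN's entries. It also shows the checks a practitioner would want on the D-Bus side: a route or nameserver is accepted only from a VPN that has announced itself via VPNActive, addresses are parsed strictly, and a destination with host bits set is rejected. Assumptions: the D-Bus methods are modelled as plain Python methods that take the VPN name as their first argument (on the bus the caller would be identified instead), the `netmask` arguments are "destination/netmask" strings, the Routed variant is exposed as a forwarder table for a caching nameserver, and all addresses and names (eth0, tun0, "work") are sample values.

```python
# Added example, not NetworkManager code: a model of per-source network state
# that is merged into resolv.conf and a route list on every change.
# Assumptions: VPN name passed explicitly, "netmask" is "destination/netmask",
# all addresses are constructed sample values.
import ipaddress


class NetworkManagerModel:
    def __init__(self):
        self.dhcp_nameservers = {}  # device -> [quad], replaced on each lease
        self.vpns = {}              # name -> per-VPN state, present only while active

    # --- input the DHCP side feeds in (dhclient or an in-process DHCP client) ---
    def dhcp_lease(self, device, nameservers):
        # A renewal replaces this device's list only; VPN entries are untouched.
        self.dhcp_nameservers[device] = [_quad(q) for q in nameservers]

    def dhcp_release(self, device):
        self.dhcp_nameservers.pop(device, None)

    # --- the methods from the post, as NetworkManagerVPN would invoke them ---
    def VPNActive(self, name):
        self.vpns.setdefault(name, {"nameservers": [], "routed": [], "routes": []})

    def VPNInactive(self, name):
        self.vpns.pop(name, None)  # drops its nameservers and routes together

    def AddRouteIPv4(self, name, netmask, gateway, device):
        route = (str(_network(netmask)), _quad(gateway), device)
        _append_once(self._vpn(name)["routes"], route)

    def AddNameserverIPv4(self, name, quad):
        _append_once(self._vpn(name)["nameservers"], _quad(quad))

    def AddNameserverIPv4Routed(self, name, quad, netmask):
        _append_once(self._vpn(name)["routed"], (str(_network(netmask)), _quad(quad)))

    # --- synthesized outputs ---
    def resolv_conf(self):
        # VPN nameservers first so internal names resolve, then the DHCP ones;
        # duplicates collapse, so a lease that returns a VPN's server is harmless.
        servers = []
        for state in self.vpns.values():
            for q in state["nameservers"]:
                _append_once(servers, q)
        for quads in self.dhcp_nameservers.values():
            for q in quads:
                _append_once(servers, q)
        return "".join(f"nameserver {q}\n" for q in servers)

    def routes(self):
        return [r for state in self.vpns.values() for r in state["routes"]]

    def forwarders(self):
        # What a caching nameserver would consume for the Routed variant:
        # queries concerning that network go to that server.
        return {net: q for state in self.vpns.values() for net, q in state["routed"]}

    def _vpn(self, name):
        # Only a VPN that has announced itself may change routes or DNS.
        if name not in self.vpns:
            raise LookupError(f"VPN {name!r} is not active")
        return self.vpns[name]


def _quad(quad):
    return str(ipaddress.IPv4Address(quad))  # ValueError on anything else


def _network(netmask):
    # strict=True rejects a destination with host bits set, e.g. 10.8.0.1/16
    return ipaddress.IPv4Network(netmask, strict=True)


def _append_once(seq, item):
    if item not in seq:
        seq.append(item)


def walkthrough():
    """Runs the sequence from the post; returns the outputs after each step."""
    nm = NetworkManagerModel()
    nm.dhcp_lease("eth0", ["192.0.2.53", "192.0.2.54"])
    nm.VPNActive("work")
    nm.AddNameserverIPv4("work", "10.8.0.1")
    nm.AddNameserverIPv4Routed("work", "10.8.0.2", "10.8.0.0/255.255.0.0")
    nm.AddRouteIPv4("work", "10.8.0.0/255.255.0.0", "10.8.255.254", "tun0")
    up = nm.resolv_conf()
    nm.dhcp_lease("eth0", ["192.0.2.55"])  # DHCP renewal: the VPN entry survives
    renewed = nm.resolv_conf()
    routes = nm.routes()
    forwarders = nm.forwarders()
    nm.VPNInactive("work")
    down = nm.resolv_conf()
    return up, renewed, routes, forwarders, down


if __name__ == "__main__":
    for result in walkthrough():
        print(result)
```

The point of keeping per-source state rather than editing /etc/resolv.conf in place is that every regeneration is a pure function of the current sources, so nothing a DHCP renewal writes can clobber a VPN entry and nothing a VPN added can outlive its VPNInactive call.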
