Re: Always Use VPN w/ this Connection (was Singe DES encryption should be enabled)

[Dan Williams <dcbw redhat com>]

On Fri, 2007-02-23 at 23:24 +0000, Jack Spaar wrote:
> On Fri, 23 Feb 2007 01:12:47 -0500, Jon Nettleton wrote:
> 
> > <clip>
> > 
> > So I fired up glade and threw together some code to take the vpn dialogs
> > through another iteration.  I have some screenshots that can definitely
> > use some critiquing.
> > 
> > http://www.hekanetworks.com/~jnettlet/NetworkManager/nm-openvpn-newest-main.jpg
> > 
> > http://www.hekanetworks.com/~jnettlet/NetworkManager/nm-openvpn-newest-advanced-network.jpg
> > 
> > http://www.hekanetworks.com/~jnettlet/NetworkManager/nm-openvpn-newest-advanced-encryption.jpg
> > 
> > 
> Hi Jon and everybody,
> 
> As a VPN and NM user it makes makes me happy to see progress in the VPN
> area.  These mock-ups sparked a thought about a possible feature.  It
> would just rock if I could tell NM to "Always use a VPN with this
> Connection".
> 
> I currently use dispatcher scripts to kluge this (including ugly stuff to
> get VPN passwords from the sorta API-less gnome-keyring).  But these
> mock-ups have got me thinking about how to do it "right".  I know that
> ideas are way cheaper than patches, but maybe we can at least sanity-check
> the concept for now.  Google Summer of Code project anyone?
> 
> So is this a even a good idea and is it a good fit for NM's goals?
> Can a clean/simple UI be imagined?  This is critical.
> Is it just too early for NM to be thinking about this feature?
> 
> I kind of think that Jon's patches prove that it's not too early to at
> least flesh the idea out, if people are interested.
> 
> One thing I am pretty sure of is that this could only be done well by
> integrating it into NM proper.  That's true both for the UI and for
> under-the-hood.
> 
> On the UI side, I guess there would be a "use a VPN with this connection"
> checkbox on the "Create a new wireless network" dialog, a prompt to choose
> the VPN later (and make default?), and a way to change it later. I'm fuzzy
> on this, and a good UI really drives the rest of the implementation.  Are
> there UI bits to specify whether/how often to retry a dropped VPN, or is
> that too messy for "Just Works(TM)"?
> 
> A great feature (and one my dispatcher script kluge can't do) would be to
> prevent exposure to the insecure network when the VPN is not up yet or has
> dropped.  To me that seems like the greatest under-the-hood challenge and
> would require architectural guidance from Dan and Co.  That's just not
> something to be patched up without adult supervision.
> 
> Even without a feature that ties the network's advertised connection
> status to the VPN's state, it could still be useful in the same way
> dispatcher scripts currently are.  It just becomes "*Start* a VPN w/ this
> Connection" instead of "*Always Use* a VPN w/ this Connection".  Maybe
> that's a decent first step.  The next step being "also try to keep the VPN
> alive", and then finally "don't connect without the VPN."
> 
> Any thoughts on whether this is useful/appropriate/realistic ? It seems at
> least the "Start a VPN automatically" is within easy reach.

I believe you're right, and this is a good idea.  How UI bits get done
depend on how you look at it.  Should there be a picker in the setup UI
for a _connection_ that says "always use this VPN", or should the VPN
setup bits have a picker for "when this connection is made, start me"?  

If this option was checked, we'd probably want to suppress the
connection state signals until the VPN connection was successful (like I
think you suggest), just to avoid inadvertent leakage.

I don't think it would be all that hard, actually.  But remember, doing
stuff must not impede a "Just Works" default, and I think it's fairly
easy to make sure that tying a VPN to a connection would not do so.

Dan

> Any thoughts on what would be a great UI for this?
> 
> --Jack Spaar
> 
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list