Re: network-manager-openvpn

On 09-12-14 06:09 PM, Dan Williams wrote:
> On Mon, 2009-12-14 at 09:24 -0500, Matt Wilks wrote:
> > This must have been discussed before on this list, but I'm curious the
> > reasoning behind making network-manager-openvpn have its own GUI for
> > configuration in the first place.  Why not offer functionality similar
> > to the Windows/Mac clients that simply manage your connections via
> > configuration files?  You'd get all the flexibility of OpenVPN with none
> > of the overhead of constantly having to write patches to support /
> > debate the inclusion of individual options.
>
> For a number of reasons;

Thanks for your response Dan, I appreciate you taking the time to do so.
Allow me to make a few comments.

> 1) not everyone wants to use configuration files,
> 2) not everyone is aware of (or cares about) the intricacies of
> configuration options, some cannot be used with others, some require
> others to be turned on,

Granted.  However, I would think that anyone who is attempting to
connect to a work/school VPN is more likely to have a configuration file
handed to them than a set of OpenVPN parameters.  That is how we do it
with the VPN I am responsible for.

> 3) GUI interfaces are often more approachable and do not preclude
> advanced users from using config files anyway, and

I think you are making an incorrect distinction here between advanced
and beginner users.  Using a config file does not necessarily mean that
a user is advanced.  In our case, we distribute a config file precisely
because so many of our users are not advanced and we don't want them
having to fiddle around with options on various clients.

> 4) handling random config files is often problematic,

I'm not sure I understand why.  Using the model of OpenVPN-GUI or
Tunnelblick (Windows and Mac GUIs respectively) however, you would just
have NetworkManager monitor a directory for config files.  Could be a
directory in the user's home (ala Tunnelblick) or a system directory
(ala OpenVPN-GUI).  Even if the user were able to specify arbitrary
configuration file locations, how is this any more problematic than the
dialogs to specify the ca, key and user cert that currently exist in the
NetworkManager GUI?

> 5) it wasn't integrated into the consistent NetworkManager
> configuration system.

I have to admit ignorance about the standards for configuring
NetworkManager, but I imagine that they say something about storing
configuration internally rather than referencing external files?

> Now that we have good import/export capability for openvpn, it's not
> actually that hard to use your own configs.  If there's options that
> people use, we can also whitelist them and add them to import/export
> even if they aren't shown in the GUI.

What prompted my initial query was the lack of support for <ca>, <cert>
and <key> directives (supported in OpenVPN since 2.1-beta7, Nov 2005).
They allow you to specify the key files directly in the configuration
file, making it a self-contained configuration for a connection using
keys to authenticate.  NetworkManager also seemed to miss the fact that
my config required both keys and a password; not hard to manually set
but it wasn't caught by the import.

> Just because there's a GUI doesn't preclude you from writing a config
> file and importing it of course.

That's true, and apart from the missing config I mentioned above, I
found it to be a relatively painless process.  Kudos!  However I don't
see how this benefits the NetworkManager developers.  Writing a plugin
that used external config files would be a one-time job.  As it stands
now, each new option must be whitelisted and incorporated into the

Again, thanks for taking the time to respond.  Much appreciated.

Matt Wilks                   Colossians 2:6-7
University of Toronto        Information Security, I+TS
(416) 978-3328               matt madhaus cns utoronto ca
4 Bancroft Ave., Rm. 102     Toronto, ON  M5S 1C1
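
Added example, not part of the original message and not NetworkManager's or OpenVPN's own code: a minimal Python parser for the inline `<ca>`, `<cert>` and `<key>` blocks discussed above, which also reports when a config needs both keys and a password. The function names, the sample config and its placeholder contents are constructed for illustration.

```python
import re

INLINE_TAGS = {"ca", "cert", "key"}  # the inline directives named in the message

# Constructed sample config; placeholders stand in for real PEM data.
SAMPLE = """\
client
remote vpn.example.org 1194
auth-user-pass
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-CERT-PEM
</cert>
<key>
PLACEHOLDER-KEY-PEM
</key>
"""

def parse_ovpn(text):
    """Return (options, inline): directive -> args, and tag -> embedded text."""
    options, inline, tag, buf = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:  # inside an inline block: collect until the closing tag
            if line == f"</{tag}>":
                inline[tag] = "\n".join(buf)
                tag, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m and m.group(1) in INLINE_TAGS:
            tag = m.group(1)
            continue
        name, *args = line.split()
        options[name] = args
    if tag is not None:
        raise ValueError(f"unterminated <{tag}> block")
    return options, inline

def auth_requirements(options, inline):
    """Credentials the connection needs, whether given as a file path or inline."""
    has = lambda d: d in options or d in inline
    return {"ca": has("ca"), "client_cert": has("cert") and has("key"), "password": "auth-user-pass" in options}
```

Calling `auth_requirements(options, {})` on the same config shows what an importer that ignores inline blocks would conclude: password only, no client certificate.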
