Re: network-manager-openvpn

From: Dan Williams <dcbw redhat com>
To: luc deschenaux freesurf ch
Cc: networkmanager-list gnome org
Subject: Re: network-manager-openvpn
Date: Thu, 10 Sep 2009 13:49:24 -0700
On Mon, 2009-09-07 at 22:24 +0200, Luc Deschenaux wrote:
> Le dimanche 06 septembre 2009 à 19:12 +0200, Tim Niemueller a écrit : 
> > On 06.09.2009 18:27, Luc Deschenaux wrote:
> > > Hello !
> > 
> > Hello Luc.
> 
> Hello everybody !
> 
> > > Nice try, but you could do better :)
> > 
> > Feel free to send patches.
> 
> I know that patches are always welcome :) 
> But i dont have the time to make it work like everybody at first glance
> will expect it should, ie: allowing to import any valid openvpn
> configuration file.
> 
> Let me just send you, instead of a patch, a more serious analysis of
> what could make network-manager-openvpn less annoying:
> 
> 1. It should be possible to activate simutaneously many openvpn
> configurations using checkboxes instead of radiobuttons, (in server mode
> also, say in a second time...).

Yes, this is something that's been on the map for a while but there was
other stuff that we considered more important.  It will take some rework
internally in NetworkManager, though NM 0.7 already has half the work
done.

> 2. It should be possible to "import" any openvpn configuration file, eg:

The 0.7 openvpn plugin should already be able to import an openvpn
connection, but I think we just never got around to implementing export.
What specific configuration were you having problems with?  Can you
attach that config so we can see what's going on with it?

> * Copy the config (as a file or individual parameters in gconf) and
> patch it: parse options for actually supported parameters and patch or
> add "up", "down", "cd", ...
> 
> (using gconf to store openvpn parameters is much less cool when it's
> time to copy the configs directly from disk or to port the application,
> but it is ok to store the config location or other external details in
> gconf). 
> 
> * Options not modifiable actually by network-manager-openvpn should also
> be gathered and displayed, eg: in a dynamic listbox like for the routes,
> with an add button. There could be a pop-up in the first column to set
> or change the option name, an editable field in the second column to set
> or change its value.

0.7 already provides the ability to specify custom routes to apply to
the connection in addition to any routes sent by the server.  The plugin
does not yet support (nor I think does NM) using openvpn in a
multi-client server configuration, though peer-to-peer openvpn using a
shared secret should work just fine.

Dan

> > However, send them to the NM mailing list, as
> > I'm not longer an active developer on that project.
> > 
> It was the only mail address specified for the debian package.
> 
> Feel free to forward this mail to the mailing list for me or to send me
> the mailing list address. Thanks in advance !
> 
> Oh forget it i found the address :)
> 
> > > At least there should be a way to enable openvpn connections defined
> > > somewhere in /etc/openvpn or so. 
> > 
> > Not to do that was a concious design decision at that time.
> > > Or you could add a text field so that one could add options not
> > > supported by network-manager-openvpn, or that would be filled in when
> > > importing a configuration file.
> > 
> > That's not the way the applet was designed. The applet should cover most
> > of the typical use cases and make it easy to configure those. And from
> > my experience that works nicely. Though I haven't followed the recent
> > development and discussions. So my statements may be obsolete by now and
> > different decisions may have been made. I'm pretty sure though that a
> > "command line args" input field is the worst idea ever.
> 
> It just mean "anything should be done so that it works for every
> possible configuration" :)
> 
> > > ps: 
> > [...]
> > 
> > Contact the mailing list. But first you should go and read
> > http://catb.org/~esr/faqs/smart-questions.html and change your style of
> > writing. I wouldn't expect an answer otherwise.
> > 
> 
> I wrote first the mail impulsively, but with a smile :)
> Nothing agressive or disrespectful from my point of view.
> Isn't it better than no feedback at all ?
> 
> Beside this i didn't ask anything... it was only constructive remarks
> and suggestions.
> 
> Many openvpn users (me first) will never use this version of the
> network-manager-openvpn applet which is not handling the configuration
> they are using, and, after some waste of time trying to use it, will
> continue to run openvpn as a service, eventually starting additional
> openvpn processes manually or using kvpnc, and keep in mind a bad image
> of network-manager-openvpn. 
> 
> One could use kvpnc, or modify network-manager-openvpn, or reinvent the
> wheel and write a configuration tool using standard openvpn
> configuration files, for server and client configs, generating keys, and
> write some glue to paste it in the gnome-network-manager applet.
> 
> But actually i need nothing, so i won't use, modify, write nor reinvent
> anything... network-manager-openvpn was available so i tried it and
> wasted time doing so...
> 
> > 	Tim
> > 
> 
> Regards,
> 
> L:üc:
> 
> ps: Past events forged my style :)
> 
> Le dimanche 06 septembre 2009 à 18:28 +0200, Luc Deschenaux a écrit :
> Hello !
> > 
> > It tooks me days and hours, and learning how to use openvpn "manually"
> > before understanding (while trying to import my configuration in order
> > to enable it through the gnome-network-manager applet and seeing it
> was
> > not possible) that network-manager-openvpn is quite unusable and
> > obsolete.
> > 
> > Nice try, but you could do better :)
> > 
> > At least there should be a way to enable openvpn connections defined
> > somewhere in /etc/openvpn or so. 
> > 
> > Or you could add a text field so that one could add options not
> > supported by network-manager-openvpn, or that would be filled in when
> > importing a configuration file.
> > 
> > Thanks anyway :)
> > 
> > L:üc:
> > 
> > ps: 
> > 
> > When trying to import a configuration the gateway name (remote) is set
> > to "-cert-tls" because of the "remote-cert-tls" directive in my
> > configuration file. 
> > 
> > When i correct this, i have the message "Connection failed because
> there
> > was no valid VPN secrets"... 
> > 
> > Then when i remove the connection settings, it still appears in the
> > network-manager-applet menu.
> > 
> > 
> > pièce jointe document texte brut (client.conf)
> > client
> > dev tun
> > proto udp
> > remote somewhere.net 1194
> > float
> > resolv-retry infinite
> > nobind
> > 
> > # If you are connecting through an
> > # HTTP proxy to reach the actual OpenVPN
> > # server, put the proxy server/IP and
> > # port number here.  See the man page
> > # if your proxy server requires
> > # authentication.
> > ;http-proxy-retry # retry on connection failures
> > ;http-proxy [proxy server] [proxy port #]
> > 
> > ca ca.crt
> > cert client.crt
> > key client.key
> > 
> > tls-auth ta.key 1
> > 
> > remote-cert-tls server
> > tls-remote somewhere.net
> > 
> > keepalive 10 60
> > ping-timer-rem
> > persist-tun
> > persist-key
> > 
> > user nobody
> > group nogroup
> > #daemon
> > 
> 
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
Follow-Ups:
- Re: network-manager-openvpn
  - From: Luc Deschenaux
References:
- Re: network-manager-openvpn
  - From: Luc Deschenaux
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]