Re: network-manager-openvpn

[Dan Williams <dcbw redhat com>]

On Wed, 2009-09-23 at 15:49 +0200, Luc Deschenaux wrote:
> Le mardi 22 septembre 2009 à 23:09 -0700, Dan Williams a écrit :
> > On Fri, 2009-09-11 at 04:27 +0200, Luc Deschenaux wrote:
> > > > > 1. It should be possible to activate simutaneously many openvpn
> > > > > configurations using checkboxes instead of radiobuttons, (in server mode
> > > > > also, say in a second time...).
> > > > 
> > > > Yes, this is something that's been on the map for a while but there was
> > > > other stuff that we considered more important.  It will take some rework
> > > > internally in NetworkManager, though NM 0.7 already has half the work
> > > > done.
> > > > 
> > > > > 2. It should be possible to "import" any openvpn configuration file, eg:
> > > > 
> > > > The 0.7 openvpn plugin should already be able to import an openvpn
> > > > connection, but I think we just never got around to implementing export.
> > > 
> > > Every configuration parameter should be importable/modifiable, not only
> > > the ones used in a given configuration.
> > > 
> > > > What specific configuration were you having problems with?  Can you
> > > > attach that config so we can see what's going on with it?
> > > 
> > > My config was attached :) But someone may need to use other parameters
> > > as well.
> > >  
> > > > > * Options not modifiable actually by network-manager-openvpn should also
> > > > > be gathered and displayed, eg: in a dynamic listbox like for the routes,
> > > > > with an add button. There could be a pop-up in the first column to set
> > > > > or change the option name, an editable field in the second column to set
> > > > > or change its value.
> > > > 
> > > 
> > > > 0.7 already provides the ability to specify custom routes to apply to
> > > > the connection in addition to any routes sent by the server.
> > > 
> > > >  
> > > Read slowly, im not talking about routes here, talking about all the
> > > openvpn parameters that are not yet configurable/importable with the
> > > current graphical interface. They could just be configured through or
> > > imported into a single listbox as described above.
> > 
> > But that's *horrible* UI and not something I'd like to condone.  I'd
> > rather add the options on an as-needed basis to ensure we don't just
> > dump everything in, and find out that we overloaded the UI with 50
> > options that almost nobody uses.  Which I suspect is true for at least
> > half of openvpn's options, because they did absolutely no work in
> > consolidating them and asking the people who requested the options what
> > they were actually trying to accomplish to constrain the number of
> > switches that openvpn supports.  I'm interested in making it work for 90
> > - 95% of use-cases, but I don't think we should be designing for that
> > last 5%, especially when it makes things nearly unusable for the other
> > 90.
> > 
> > Dan
> 
> Your judgment is totally subjective. What I did suggest is not more
> horrible than the UI to define routes actually, did you read
> thoroughly ?...

Routes is a specific, targeted property that can be done much better
than I've done it.  But trying to put all the available openvpn options
into a table like that isn't, and I think we can do better that that.
We don't *have* to support all the options.  We just have to support the
options that most people use.

> I suggest a listbox in a another panel (like the routes panel) with an
> popup or a text field to specify which option to set in the first
> column , and a second column to set the value. 

If you've got some time to mock it up or prototype, I'm quite happy to
be proved wrong as an addition piece or external utility.  I've run into
quite a few UIs like that in various products (mostly Microsoft
IIS/DHCP/Exchange though) and I have to say, they didn't work well
there.  I have no doubt you could probably do better than IIS 6 though.

> Maybe you and your extended "me" (people you know of) will never add any
> other options in this listobx, but i doesnt mean nobody will.
> 
> Concerning usability, it doesnt makes things nearly unusable for the
> other 90 you know of, since they actually dont need to use any other
> parameters. More, to display the listbox the user would need to press a
> button, like for adding routes.
> 
> Concerning current usability, theres no way to specify missing openvpn
> options people may need.

What options?  Again, I'm happy to find out the options that most people
use and add those options on an as-needed basis.  I've always been
willing to do that, provided I have the time to do so.  If I don't have
the time to do so, I'm quite happy to suggest what should be done to get
that option added.  For example:

https://bugzilla.redhat.com/show_bug.cgi?id=490971

I still don't understand why openvpn can't figure out the renegotiation
interval *by itself*, but that's an example.  I didn't have time to do
the work, but I told Huzaifa what needed to be done and he did it.
That's how the normal open-source process works.

> Objectively we cannot call it "openvpn GUI", but rather an uncomplete
> version of an openvpn GUI.

I don't pretend that NM-openvpn is an "openvpn GUI".  It's a VPN plugin
for NetworkManager that supports openvpn.  It's not supposed to be a
complete GUI for openvpn itself, it's supposed to make the operation of
openvpn in concert with NetworkManager easy to use.

> It is like a ftp, pop3 or http client that doesnt implement the full
> protocol. The only difference is that there is no alternative choice for
> an openvpn GUI integrated to the network manager.

Of course there's a choice; anyone can write an openvpn NM VPN plugin.
That's how open-source works.  But again, I'm also happy to add options
or take patches that add those options to NM-openvpn too.

Dan