cad / ovpm Goto Github PK

It's needed to have a password reset command in the cli.

Docs for usage and program api is needed.

Bash completion for cli.

It would be great if we can get it listen on both udp and tcp at the same time.

Important links:

• https://serverfault.com/questions/173307/sharing-an-ip-pool-for-two-openvpn-instances-one-tcp-and-one-udp
• https://unix.stackexchange.com/questions/269967/how-to-make-openvpn-to-listen-both-tcp-and-udp-ports

After collecting metrics, it would be nice to have a quota enforcement feature.

• Admin can set a time or bandwidth based quota on user or server, that will be cleared periodically by duration or on certain date&time or until removed manually.

Adding wildcard options * to the cli would be helpfull in cases like;

• when associating users to a network
• when deleting, updating resources in bulk

etc...

Hello Cad,
After your help, i successfully log on WEBUI, i go to NETWORKS , and create Two ROUTED Networks..

OVPM_Users 10.0.0.1/24
OVPM_Servers 10.0.0.2/24

     No problem to create, but when i go to command line to list these NETWORKS ,  got a error...

root@stargate:/usr/local# ovpm net l
ERRO[0000] assoc users can not be fetched: rpc error: code = Unknown desc = validation error: OVPM_Users can only contain letters and numbers
root@stargate:/usr/local#

So, i go to delete the OVPM_Users and another issue , i can´t delete from WEBUI , maybe because the name OVPM_Users is not ok because contain not allowed char., will try to delete from command line..

Hope It Helps... and im not wrong in the way i use it...

My intention, was create 2 networks and after that, isolate clients on your own network , than create more flexible rules in my firewalll based on networks.

Thanks..!!

group 'nobody' doesn't exist in Ubuntu 17.04 (Zesty Zapus), it causes error and ovpmd is not running.

We need to not allow adding duplicate static IPs to the users.

Right now we are pushing 8.8.8.8 to clients. It should be configurable.

Unit tests are needed.

We need to be able to define which networks on the vpn server host can be accessed by which users.

We need a primitive Web UI for both users and admins.

Admin interface would be capable of doing nearly all the tasks that can be done via CLI.

User interface would enable users to log in, download their .ovpn configurations and maybe download OpenVPN binaries based on the device, OS and architecture detected when they are logged in to the Web UI.

Also, another matter is Port Sharing. It would be nice to use the same port for both HTTP and OpenVPN at the same time.

One approach could be to implement such logic that if the VPN and Web UI is configured to use the same port, it would change the actual Web UI port to something else and use port-share option implicitly to redirect non-VPN traffic to that port.

Also for the web interface and rest API, it would be nice to have auto-renewing let's encrypt.

Notes:

• http://www.vpntutorials.com/tutorials/openvpn-sharing-a-port-with-a-webserver-on-port-80-443/
• https://unix.stackexchange.com/questions/306046/use-openvpn-on-tcp-443-without-it-interfering-with-my-web-server

When adding a ROUTE type network; --cidr flag doesn't work as documented.
It should accept an IPv4 addr, but instead it requires CIDR and if an CIDR is provided with /32 prefix it still doesn't add the provided via hop.

• Adding a static route without specifiying gateway (implicit gateway)

$ ovpm net create --name testnetwork --type ROUTE --cidr 192.168.1.3/32

This will autmatically set vpn server as the gateway for the route.

• Adding a static route with gateway (explicit gateway)

$ ovpm net create --name testnetwork --type ROUTE --cidr 192.168.1.0/24 --via 10.10.100.3

This second use will set the ip address that is specified by the --via flag as the gateway for the route.

It would be better if we can launch and stop the openvpn procces from ovpmd.

Call emit after ovpmd start.

ovpm daemon should handle Interrupt signal and gracefully shutdown itself.

Currently user passwords are stored in plain. It should be kept as a salted hash using one of the strong password hashing algorithms.

It's not ensured at the moment.

Hello Cad,
I just did a clean install on Ubuntu 16.04 LTS from scratch and have no issues at all..!!

      Everything works smooth ..!! 

       After the service start, go to http://myovpm.local.ip:8080 , the site is ok and ask for User/Pass.
       I can´t find this information to Log IN, what is needed to access through webUI ?

       Man... your project will help a lot of people and it´s better every release.., thank you for your time and knowledge to keep going...  

We need to test CLI as well.

We need to be able to set nat masquerading on the vpn host. This can be achieved through injectin iptables rules to the host.

Show network types in cli.

e.g

$ ovpm net types 
... 
<table of availabe network types with their descriptions>
...

When yum remove ovpm is run. First ensure running ovpmd is stopped.

We need to be able to control OpenVPN process seperately and explicitly.

It would be nice to show currently connected VPN users and their location etc.

One way would be to talk OpenVPN's RPC protocol. The other would be arpsweep.

Notes:

• https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt

  # in server.conf
  management localhost 7505

Write a documentation for the ovpm REST and gRPC APIs. Put it up on the Wiki.

Hello...
Please , i'm expect not bothering you , but the GROUP for ubuntu is nogroup , and reading the code of last version, i suspect was set nobody ;)

Soon, i will do a new ubuntu installation from zero , and i let you know, if everything is ok ;), i will wait this change, but no hurry..!!

Thanks again for this great iniciative :)

I have some ideas for future, based on my actual use... , but basic is the flexibility to configure parameters on server.conf and ccd files..

I not set the vpn as default gateway, instead i configure on ccd for especific "user" routes like below...

I used to fix IP for every user on ccd too...

----------/ccd/cert.cname.jhon.doe.ovpn -----
ifconfig-push 10.0.0.34 255.255.224.0
push "route 10.0.1.10 255.255.255.255"
push "route 10.0.1.15 255.255.255.255"

This way, i just catch traffic from user machine to specific hosts like example above( 10.0.1.10 and 10.0.1.15 ) , everything else goes to users default gateway(local internet).

I have another level of protection, on external firewall, where i create a ip based rule, this is why i use fixed IP on ccd file, i have low users + - 45, and use this another firewall to control access...

I will try to use an iptables on ovpn server machine too , but not yet...

Thankyou One more time and sorry my bad english, im from Brasil. o/

Cya.

Add option to specify initial ip block for the vpn during initialization.

The initial plan is gRPC API is to be only for the CLI and it to listen only on 127.0.0.1 on the same host with the server, which is where the ovpmd runs.

And HTTP REST API to listen on all interfaces and be public.

So this renders us to implement an Authentication Service where the users can get an opaque, Bearer auth token, in exchange for their authentication credentials.

And authentication required operations on the rest of the API will be subject to checks on this token and they will get authorized accordingly.

Add configuration flags for vpn protocol type (udp or tcp) during initialization.

Right now ovpm pushes the vpn server as the default gw for all users. It's better to make it selectable.

Make rpm package and push it to a repo on git tag push.

We need to be able to edit user's attributes from cli.

ns-cert-type server is needed for the OpenVPN clients whose version is below 2.3.

It wouldn't be bad to support LDAP on the auth backend.

It might be nice to see network bandwidth metrics as a graph.

Notes:

• https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt

Find some way to edit usernames.

An INI like configuration file for static options in OVPM would be nice.

We need to sepetate cli with the engine.

When updating a user with static ip address, the command fails.

Right now it's allowed. But it shouldn't be.

Right now ip addresses are assigned dynamically (from range), but it's requested that some users should have static ip adresses.

It would be better to be able to see user's vpn ip address in the cli command vpn user list output .

Right now it gives 500 error.

Hello , i'm really excited with this project , a light in the end of tunnel ;) , Thankyou very much to this iniciative...

I Just do a clean install on a new and updated ubtuntu 16.04 LTS version , and got a little problem...
After install and try to start with systemctl start ovpmd.service , it's not starting, doing a LOG look, i found the ovpmd.service at /usr/lib/systemd/system/ovpmd.service , set o wrong path to ovpmd.
ExecStart=/sbin/ovpmd

On my system is on /usr/sbin/ , after edit the file above, everything works perfect..!

Forgot to say that i install using the Debian/Ubuntu method, adding the repo onubuntu and using apt-get install ovpmd..!

Thanks again..!! i will try now to understand how it works, and if i can set it up to work like i already use on another server ;) Cya.

This option is needed for backup purposes.

When freshly initialized, ovpmd doesn't launch OpenVPN process.

OpenVPN process should be restartable via grpc or rest.