foris-controller-openvpn-module issues
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues
2021-04-30T14:19:20+02:00

udp6/tcp6 combined with IPv4 address in client configuration
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/18
2021-04-30T14:19:20+02:00
Lukas Jelinek

If a user checks _Listen on IPv6_, it generates `proto udp6` or `tcp6` to client configuration files. But `remote` still contains an IPv4 address. This configuration won't work because it can't resolve IPv4 addresses for IPv6 communication.
## Steps to reproduce
1. Check _Listen on IPv6_ on the _OpenVPN -> Server Settings_ page.
2. Generate a client configuration on the _OpenVPN -> Client Registration_ page.
3. Download the configuration and use it in an OpenVPN client.
## Expected behavior
Unfortunately, it can't be determined what _Listen on IPv6_ exactly means (whether IPv4 should be used or not). Because of this, there can be two distinct ways how to work with it.
### IPv6 without IPv4
The checkbox should be available only if IPv6 is enabled and working. If checked, it should generate `proto udp6/tcp6` together with an IPv6 address in `remote`.
### IPv4 + IPv6
Another option should be available to choose which protocol to be used. It should generate `proto` and `remote` for the selected protocol.
## Actual behavior
According to the checkbox state, `proto` contains `udp/tcp` or `udp6/tcp6`. Regardless of the checkbox state, `remote` contains an IPv4 address.
foris-controller-openvpn-module: IPv6 fix

tls_auth
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/32
2024-03-07T16:44:16+01:00
Štěpán Henek

it might be nice to generate tls_auth somehow

Display list of actively connected clients
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/31
2022-12-16T10:31:31+01:00
Michal Hrusecky

Would be nice to see whether somebody is currently connected and who it is.

Hosts on LAN seem not to be accessible from VPN clients
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/29
2022-09-26T17:31:31+02:00
Martin Matějek

We currently use routed VPN (tun) and VPN clients have IP address from different subnet.
For example:
```
LAN: 192.168.1.0/24
VPN: 10.111.111.0/24
```
Actually, hosts on LAN are reachable as packets are routed to the LAN subnet, but from the VPN client's point of view, the host in LAN looks unreachable.
For example: web server on 192.168.1.25 with at least basic firewall, will reject the packets, because of unexpected source IP.
```
10.111.111.2 (client) -> 192.168.1.25:80 (target host)
```
Perhaps 1:1 NAT would help here?

Add option to export/import the OpenVPN server CA and config
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/28
2022-01-04T17:31:01+01:00
Martin Matějek

related to: turris/reforis/reforis-openvpn#30
Add functionality to be able to import or export OpenVPN server config across Turris devices.

Server configuration is broken when wrong VPN network address specified
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/26
2021-05-31T09:06:49+02:00
Jan Betik

I made a mistake in reForis OpenVPN Server settings, filling the 10.98.1.1 value in the VPN network address field while keeping the VPN network mask field intact. The settings were accepted but the server did not start and the log was flooded with
```
May 26 21:18:59 turris openvpn(server_turris)[6363]: Options error: --server directive network/netmask combination is invalid
May 26 21:18:59 turris openvpn(server_turris)[6363]: Use --help for more information.
May 26 21:19:04 turris openvpn(server_turris)[6369]: Options error: --server directive network/netmask combination is invalid
May 26 21:19:04 turris openvpn(server_turris)[6369]: Use --help for more information.
```
messages.
It would be nice to have the IP range check implemented.

VPN server is not accessible after transport protocol change
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/22
2021-03-08T18:22:59+01:00
Vojtech Myslivec

### Steps to reproduce
Tried with reForis on MOX in HBT/TOS 5.1.10
1. Setup default (via UDP) and working OpenVPN server.
2. Restart a router to make sure everything works as expected after reboot
3. Go to reforis, exchange transport protocol to UDP and click save
Now, OpenVPN server becomes inaccessible - it does not listen on UDP anymore and TCP port 1194 is closed by the firewall.
### Recommended solution
The root cause is IMO in _reloading_ the firewall which leads to not applying the rule to open TCP port (it also leaves the UDP port open!). Once I _restart_ the firewall manually via ssh, the openvpn server becomes accessible.
Please also verify that the `openvpn` service is restarted after the change in step 3.

The server does not make the IPv6 network behind it accessible
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/21
2020-12-13T03:01:45+01:00
Stepan Rechner

It is only possible to access the computers behind the server on IPv4, even if they have IPv6 addresses. And it is not possible to access those computers, which have only IPv6 addresses.
Even in reForis at the server configuration, only the IPv4 VPN network address can be configured.

Add ability to configure subnet routed through host
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/19
2020-11-27T01:51:52+01:00
Karel Koci

By adding _client-config-dir_ file for given host and by adding `route` and `push route` to server configuration.
This, together with turris/foris-controller/foris-controller-openvpn_client-module#17, should allow site-to-site VPN connection.

foris-controller-openvpn-module: Cleanup firewall rules and interface configuration after uninstall
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/12
2020-01-28T14:02:27+01:00
Martin Matějek

Network interface and firewall zones & rules configuration stay as-is after package removal.
It shouldn't break anything, however it clutters various config files with unused configuration, which could interfere with something else.
related issue turris/bughunt#40

Preserve user-configured push settings
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/11
2021-02-10T11:38:28+01:00
Vojtech Myslivec

When a user wants to tune OpenVPN server settings, it is possible to edit `/etc/config/openvpn` manually. However, `push` UCI list is rewritten when "save" button is pressed in OpenVPN tab.

Tune IPv6 VPN connection
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/8
2022-12-19T22:34:30+01:00
Vojtech Myslivec

- [ ] OpenVPN server should listen on both IPv4 and IPv6 by default `proto udp6`/`proto tcp6`
- [ ] OpenVPN client should not enforce IPv4/IPv6 (turris/foris-controller/foris-controller-openvpn-module#18)
- [x] However, to take advantage of dual stack connection, one should have to configure DNS name of the router/VPN server (turris/reforis/reforis-openvpn#22)
- [ ] Also check whether some firewall rules are not missing (I am not able to configure working IPv6 VPN server)

generate tls_auth as well
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/2
2023-05-11T14:49:37+02:00
Štěpán Henek

add option that connected clients can connect to other connected clients
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn-module/-/issues/1
2019-12-17T16:04:37+01:00
Štěpán Henek

Main openvpn config
```
"client_to_client", "1"
```
+ it might be necessary to add some fw rules as well