foris-controller-openvpn_client-module issues
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues
2023-06-15T18:54:29+02:00

Conditionally allow traffic from Guest network through VPN client
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/21
2023-06-15T18:54:29+02:00
Martin Matějek

Guest network does not work while device is acting as VPN client.
It is because there is no forwarding rule in firewall, so traffic from guest network cannot go through default route (vpn).
However, simple forwarding traffic from guest net to VPN clients zone is not the right approach.
It would be better to allow only forwarding to wan and conditionally allow forwarding from Guest network to VPN clients.
Original issue: turris/os/packages#805

OpenVPN client configuration server address override
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/19
2021-07-16T11:54:26+02:00
Jan Betik

The user interface does offer to override the server address in the generated client configuration file but the input field accepts only the IP address. In my opinion, it would be useful to let the user type also the DNS name if any is provided by the ISP or dynamic DNS or the user runs its domain.

Add possibility to configure dns servers push
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/18
2021-02-10T18:13:36+01:00
Michal Hrusecky

There might be situations when you want to disable pushing of DNS server from VPN server. Currently it doesn't work at all, once we merge turris/turris-os-packages!636 it will be configurable.

Add possibility to disable NAT
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/17
2020-11-27T01:51:46+01:00
Karel Koci

At the moment VPN client expects that configuration is for just one client (single IP) and to allow access to VPN to every device in LAN it needs to provide NAT. This is correct but if VPN client in reality correctly configures routing for LAN then NAT is going to break that. Allowing to disable this makes a lot of sense and allows simple usage even for more advanced deployments.
It would be interesting to autodetect routing and disable NAT automatically. This could be achieved by route script that would disable NAT when some appropriate route is detected (question is which route should we check for).
This is needed for site-to-site scenarios.

Allow disable of gateway route push
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/15
2020-11-27T10:59:43+01:00
Karel Koci

OpenVPN server can push gateway route to client. Although in most cases clients want that, there are use cases (if you for example have multiple clients) when it makes sense to choose.
This should be possible with option:
```
pull-filter ignore "redirect-gateway"
```

Check and override options that could be potentially harmful to router
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/14
2020-11-26T09:53:34+01:00
Karel Koci

Although it is not likely it is possible to set log file and other options that could damage router. This is not about security but rather about destruction of device. In short there should be the only way how OpenVPN client could harm device and that is by writing too much to MMC.
* [ ] search openvpn documentation for options that can lead to writes to drive
* [ ] overwrite those options to sensible values (such as `/dev/null` or `/tmp/*`)

Client state
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/13
2020-11-26T09:49:59+01:00
Karel Koci

We can use status file provided by openvpn daemon to see state of VPN. This is required to better report state of VPN client. We are interested in info such as if daemon is running, connection to server is established and more.
It would be also beneficial to get error message if client fails. That is for example if user has invalid config or server is down and such.

Add site-to-site support
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/8
2020-10-13T12:27:43+02:00
Martin Prudek

Counterpart of turris/reforis/reforis-openvpn#20
It would be nice to have an option to automatically create OpenVPN interface and add that interface to `LAN` zone so that full site-to-site VPN can be established.
We assume that the server supports this option and pushes routes for their networks.
The client would either
- masquerade all traffic passing through VPN interface behind VPN interface address (adding the interface to `WAN` zone might be enough)
- not masquerade traffic passing through VPN interface and expect the server to know the route back here (done using `--client-config-dir` and `--iroute` options)
It is possible to walk through the whole process manually right now - e.g. [using LuCI](https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci).

Allow setting/unsetting use this connection only for resources on its network
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/7
2021-08-24T11:57:07+02:00
Martin Matějek

Followup of #4
It would be nice to include api to enable/disable:
* "use this connection only for resources on its network" for particular vpn connection, i.e. do not route all traffic via vpn
Similar to NetworkManager configuration
![openvpn-client-use-this-connection-only-for-its-network](/uploads/af42362743eaba40f4c055b8cdf74f8a/openvpn-client-use-this-connection-only-for-its-network.png)