# foris-controller-openvpn_client-module issues

https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues

## #22 Use VPN native DNS server to avoid DNS leaks

Author: Martin Matějek. Updated: 2022-06-13T13:25:43+02:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/22

Upon activation, the VPN client will successfully create its own `resolv.conf.vpn.<my_vpn_connection>.conf` file with the preferred DNS resolver.

DNS switching might work automatically on upstream OpenWrt with dnsmasq as the default resolver, see https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

However, unlike upstream OpenWrt, Turris OS is using Kresd as its DNS resolver, so the default resolv.conf file (`/tmp/resolv.conf.d/resolv.conf.auto`) will be used instead of the VPN-specific `resolv.conf`, which leads to DNS leaks.

We need to figure out how to switch the resolv files upon VPN client startup and shutdown. The `resolv.conf.vpn.<my_vpn_connection>.conf` file is created by the openvpn hotplug scripts, so perhaps we could adjust these scripts to switch DNS resolvers.

For example (crude idea):

```
# up (run in /tmp/resolv.conf.d, where the resolv files live)
mv resolv.conf.auto resolv.conf.auto.bkp
ln -s resolv.conf.vpn.myvpn resolv.conf.auto
/etc/init.d/resolver restart
# down: drop the symlink and put the original file back
rm resolv.conf.auto
mv resolv.conf.auto.bkp resolv.conf.auto
/etc/init.d/resolver restart
```

## #21 Conditionally allow traffic from Guest network through VPN client

Author: Martin Matějek. Updated: 2023-06-15T18:54:29+02:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/21

Guest network does not work while the device is acting as a VPN client.
It is because there is no forwarding rule in the firewall, so traffic from the guest network cannot go through the default route (VPN).

However, simply forwarding traffic from the guest net to the VPN clients zone is not the right approach.

It would be better to allow only forwarding to wan and conditionally allow forwarding from the Guest network to VPN clients.

Original issue: turris/os/packages#805

## #20 Do not activate OpenVPN client connection right after adding config

Author: Martin Matějek. Updated: 2022-01-25T16:16:43+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/20

A new openvpn client connection is marked as enabled and immediately started after adding (after openvpn restart).
https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/blob/master/foris_controller_backends/openvpn_client/__init__.py#L90

This is quite dangerous, because adding a new VPN client config could make the router inaccessible without a simple way to disable such a VPN client.

It could be caused either by a malformed config, overlapping address ranges on the VPN client's LAN and the VPN server's LAN, or just unexpected behaviour (see turris/os/packages#823).

It would be safer to split activation of a VPN client into two steps:

1. upload client config
2. activate vpn client connection

## #19 OpenVPN client configuration server address override

Author: Jan Betik. Updated: 2021-07-16T11:54:26+02:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/19

The user interface does offer to override the server address in the generated client configuration file, but the input field accepts only an IP address. In my opinion, it would be useful to let the user also type a DNS name, if one is provided by the ISP or dynamic DNS, or if the user runs their own domain.

## #18 Add possibility to configure dns servers push

Author: Michal Hrusecky. Updated: 2021-02-10T18:13:36+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/18

There might be situations when you want to disable pushing of the DNS server from the VPN server. Currently it doesn't work at all; once we merge turris/turris-os-packages!636 it will be configurable.

## #17 Add possibility to disable NAT

Author: Karel Koci. Updated: 2020-11-27T01:51:46+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/17

At the moment the VPN client expects that the configuration is for just one client (single IP), and to allow access to the VPN for every device in the LAN it needs to provide NAT.
This is correct, but if the VPN client in reality correctly configures routing for the LAN, then NAT is going to break that. Allowing this to be disabled makes a lot of sense and allows simple usage even for more advanced deployments.

It would be interesting to autodetect routing and disable NAT automatically. This could be achieved by a route script that would disable NAT when some appropriate route is detected (the question is which route we should check for).

This is needed for site-to-site scenarios.

## #16 Verify and potentially allow override of DNS setting

Author: Karel Koci. Updated: 2021-02-10T18:11:42+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/16

An OpenVPN server can push a DNS server address to its clients. We should verify how we behave if it does that and potentially also allow disabling of that.
* [x] verify if DNS setting push works on Turris OS
* [x] if it works, allow filter-out

## #15 Allow disable of gateway route push

Author: Karel Koci. Updated: 2020-11-27T10:59:43+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/15

An OpenVPN server can push a gateway route to the client. Although in most cases clients want that, there are use cases (if you for example have multiple clients) when it makes sense to choose.
This should be possible with the option:

```
pull-filter ignore "redirect-gateway"
```

## #14 Check and override options that could be potentially harmful to router

Author: Karel Koci. Updated: 2020-11-26T09:53:34+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/14

Although it is not likely, it is possible to set a log file and other options that could damage the router. This is not about security but rather about destruction of the device. In short, there should be only one way the OpenVPN client could harm the device, and that is by writing too much to the MMC.
* [ ] search openvpn documentation for options that can lead to writes to the drive
* [ ] override those options with sensible values (such as `/dev/null` or `/tmp/*`)

## #13 Client state

Author: Karel Koci. Updated: 2020-11-26T09:49:59+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/13

We can use the status file provided by the openvpn daemon to see the state of the VPN. This is required to better report the state of the VPN client. We are interested in info such as whether the daemon is running, whether the connection to the server is established, and more.
It would also be beneficial to get an error message if the client fails, for example if the user has an invalid config or the server is down and such.

## #12 Enable autostart of vpn clients

Author: Martin Matějek. Updated: 2021-05-28T11:54:35+02:00. Milestone: Turris OS 5.2.0. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/12

Currently the VPN client connection is not initiated after router restart, but it should be started if there is any enabled VPN client.
Service `openvpn` is not enabled by default, even though it is present in `/etc/services_wanted`. The user has to run `/etc/init.d/openvpn enable` manually to enable it.

It looks like a regression of turris/openwrt#340

### How to reproduce?

1) Clean install of TOS 5.1.4 (HBS at the moment). Tested on Mox and Omnia.
2) Install openvpn packages through reForis.
3) Set up either OpenVPN server or client.
4) Reboot

### Expected behaviour

`openvpn` process is running after reboot

### Actual behaviour

`openvpn` is not running, and there are no symlinks to openvpn in `/etc/rc.d`.

## #11 Restart firewall after adding openvpn client config

Author: Martin Matějek. Updated: 2020-12-05T00:26:58+01:00. Milestone: Turris OS 5.2.0. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/11

Traffic via a newly added client won't pass through until the firewall is restarted.
Technically the router (VPN client) can access the LAN inside the VPN, but devices behind such a router can't.

## #10 VPN interface has to have a short name

Author: Michal Hrusecky. Updated: 2020-11-09T22:22:20+01:00. Milestone: Turris OS 5.1.5. Assignee: Michal Hrusecky. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/10

There is a limit on the number of characters an interface in Linux can have, so we have to shorten our identifier to fit when the user uploads a VPN configuration with a long name.

## #8 Add site-to-site support

Author: Martin Prudek. Updated: 2020-10-13T12:27:43+02:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/8

Counterpart of turris/reforis/reforis-openvpn#20
It would be nice to have an option to automatically create an OpenVPN interface and add that interface to the `LAN` zone so that a full site-to-site VPN can be established.

We assume that the server supports this option and pushes routes for its networks.

The client would either

- masquerade all traffic passing through the VPN interface behind the VPN interface address (adding the interface to the `WAN` zone might be enough)
- not masquerade traffic passing through the VPN interface and expect the server to know the route back here (done using the `--client-config-dir` and `--iroute` options)

It is possible to walk through the whole process manually right now, e.g. [using LuCI](https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci).

## #9 Return certificate name within get_client_config api call

Author: Martin Matějek. Updated: 2020-11-06T02:11:20+01:00. Assignee: Filip Hron. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/9

## #7 Allow setting/unsetting use this connection only for resources on its network

Author: Martin Matějek. Updated: 2021-08-24T11:57:07+02:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/7

Follow-up of #4
It would be nice to include an API to enable/disable:

* "use this connection only for resources on its network" for a particular VPN connection, i.e. do not route all traffic via the VPN

Similar to the NetworkManager configuration:

![openvpn-client-use-this-connection-only-for-its-network](/uploads/af42362743eaba40f4c055b8cdf74f8a/openvpn-client-use-this-connection-only-for-its-network.png)

## #6 VPN clients firewall setup is broken

Author: Michal Hrusecky. Updated: 2020-10-12T16:27:52+02:00. Milestone: Turris OS 5.1.2. Assignee: Michal Hrusecky. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/6

Rules created during VPN client setup are broken:
```
-A PREROUTING -i v -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i p -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i n -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i t -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i u -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i r -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i s -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i _ -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i o -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i f -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i i -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i c -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
-A PREROUTING -i e -m comment --comment "!fw3" -j zone_tr_vpn_cl_prerouting
```

## #5 Support VPN configs with username and password

Author: Michal Hrusecky. Updated: 2022-11-03T14:56:35+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/5

Some VPN providers provide client configuration that requires a username/password. Would be nice to support it. Can be achieved by storing them in a plaintext file in the format `username\npassword` and passing this file to the `auth-user-pass` option. Not greatly secured and requires configuration file modification, but can be really useful.
Prerequisite: turris/os/build!352, #22

## #4 Generate network interface and firewall rules per client config

Author: Martin Matějek. Updated: 2020-10-06T00:24:52+02:00. Milestone: Turris OS 5.2.0. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/4

With the option to have multiple client configs, we have to ensure that each client will have its own tun/tap interface and firewall rules.

Also handle interface name collisions.

It would be nice to include an API to enable:

* masquerading
* forward all traffic through this interface

## #3 Filename sanitation

Author: Michal Hrusecky. Updated: 2020-11-10T19:07:48+01:00. https://gitlab.nic.cz/turris/foris-controller/foris-controller-openvpn_client-module/-/issues/3

I tried a client with a config named `Server1-TCP80.conf`, but it failed, as the uci entry is being created named after the configuration file, but the uci option can't contain `-` in its name. Not sure whether this one slipped or whether there is more filename checking/mangling needed.
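Issues #3 (a `-` in the uploaded filename breaks the uci name), #10 (the Linux interface name must be short) and the collision note in #4 are three faces of one problem: the identifiers derived from a user-supplied filename must satisfy constraints the user never sees. The following is an added example of how that derivation can be done safely; it is not foris-controller code. Two facts in it are fixed: libuci accepts only `[A-Za-z0-9_]` in section and option names, and a Linux interface name holds at most `IFNAMSIZ - 1 = 15` characters. The `tun_` prefix, the recognised `.conf`/`.ovpn` extensions, and the hash-suffix collision scheme are assumptions made for the illustration.

```python
"""Derive UCI-safe section names and kernel-safe interface names for uploaded
OpenVPN client configs.

Added example, not foris-controller code. Two constraints are hard facts:
  * libuci accepts only [A-Za-z0-9_] in section and option names (issue #3),
  * a Linux interface name holds at most IFNAMSIZ - 1 = 15 characters (issue #10).
The "tun_" prefix, the recognised extensions and the hash-suffix collision
scheme are assumptions made for this illustration.
"""
from __future__ import annotations

import hashlib
import re

IFNAMSIZ = 16                 # kernel constant, includes the terminating NUL
IFNAME_MAX = IFNAMSIZ - 1     # 15 usable characters
UCI_VALID = re.compile(r"^[A-Za-z0-9_]+$")
UCI_BAD_CHARS = re.compile(r"[^A-Za-z0-9_]")
CONFIG_SUFFIXES = (".conf", ".ovpn")   # assumed upload extensions


def is_valid_uci_name(name: str) -> bool:
    """True if libuci would accept `name` as a section or option name."""
    return bool(UCI_VALID.match(name))


def uci_section_name(filename: str) -> str:
    """Map an uploaded filename such as 'Server1-TCP80.conf' to a UCI-safe name.

    Directory components (including any '..') and a known config extension are
    dropped, every remaining disallowed character (the '-' from issue #3, spaces,
    parentheses, ...) becomes '_', and an empty result is rejected instead of
    silently producing a nameless section.
    """
    stem = filename.replace("\\", "/").rsplit("/", 1)[-1]
    for suffix in CONFIG_SUFFIXES:
        if stem.lower().endswith(suffix):
            stem = stem[: -len(suffix)]
            break
    name = UCI_BAD_CHARS.sub("_", stem)
    if not name:
        raise ValueError(f"no usable characters in config filename {filename!r}")
    return name


def interface_name(section: str, taken: set[str], prefix: str = "tun_") -> str:
    """Choose an interface name of at most IFNAME_MAX characters for `section`.

    First try: prefix plus as much of the section name as fits. Two long names
    that share a prefix truncate to the same string, so on a collision the tail
    is replaced with a short SHA-256 digest of the full section name; the result
    stays unique and is deterministic across reruns. The chosen name is recorded
    in `taken` so later callers avoid it.
    """
    digest_len = 4
    if len(prefix) + 1 + digest_len > IFNAME_MAX:
        raise ValueError("prefix leaves no room for a collision suffix")
    candidate = (prefix + section)[:IFNAME_MAX]
    salt = 0
    while candidate in taken:
        digest = hashlib.sha256(f"{section}:{salt}".encode()).hexdigest()[:digest_len]
        room = IFNAME_MAX - len(prefix) - 1 - digest_len
        candidate = f"{prefix}{section[:room]}_{digest}"
        salt += 1
    taken.add(candidate)
    return candidate


def allocate_names(filenames: list[str]) -> dict[str, tuple[str, str]]:
    """Return {filename: (uci_section, ifname)} for a batch of uploads."""
    taken: set[str] = set()
    result: dict[str, tuple[str, str]] = {}
    for filename in filenames:
        section = uci_section_name(filename)
        result[filename] = (section, interface_name(section, taken))
    return result


if __name__ == "__main__":
    # Constructed sample uploads: the one from issue #3, a near-duplicate that
    # collides after truncation, and a name with a directory and odd characters.
    for filename, (section, ifname) in allocate_names([
        "Server1-TCP80.conf",
        "Server1-TCP80-backup.ovpn",
        "office/my vpn (2023).conf",
    ]).items():
        print(f"{filename!r:32} -> uci={section!r:24} ifname={ifname!r}")
```

With the constructed inputs, `Server1-TCP80.conf` becomes uci section `Server1_TCP80` and interface `tun_Server1_TCP` (exactly 15 characters); the backup config truncates to the same interface name, so it receives `tun_Server_` plus a four-hex-digit suffix instead. Rejecting an empty stem rather than inventing a name matters because an unnamed section would otherwise be addressed positionally by the rest of the tooling.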