Development of Let's Connect! / eduVPN 3.0
We expect a release in Q4-2019.
- merge parts of
ShibAuthentication, for 3.0 only php-saml-sp will be supported
- Remove internal API, only keep calls relevant for
- Support multiple (SAML/LDAP) attributes for determining permissions / admin
- Never have the included deploy scripts modify and 'reformat' configuration files, it makes it horrible for the admin to modify the file and loses comments
- "Autoconfig" as much as possible, i.e. do not require (optional)
configuration parameters to be set, e.g.
Apisection, etc. Have good defaults when config is missing
- Fully remove firewall from VPN, should be done in deploy script, or not at all... as the firewall is 'static' anyway now, i.e. the same for all deploys that is totally fine
- Move API discovery to
.well-knownlocation instead of
info.jsonin the web root and ideally part of the software so it can get updates when updating the package(s). Idea.
- implement SVG for the "Stats", drop weird font requirement and GD/ImageMagick? dependency
- Support AND/OR logic for permission attribute(s)
- Find better name for
vpn-server-node, maybe simply
node? LC-vpn? lc-vpn?
- Have a full php-saml-sp audit
- Think about making additional node(s) work independent (for a time) without
- Drop support for CentOS 7, Debian 9, only support:
- Debian >= 10
- RHEL / CentOS >= 8
- Simplify App API, reduce number of calls
- 1 for profile/config discovery?
- 1 to make sure the client is allowed to connect?
- remove some calls no longer relevant
- Reduce the number of steps in the "deploy" scripts, make it easier to perform manual install without needing the deploy script
- Automatically (re)configure OpenVPN processes/restart them when needed with a cronjob?
- Create pseudonym for "Guest" usage, now the (local) identifier is directly
used in the "Guest" identifier. Do something like
hash(salt+user_id)instead and simply log it at 'generation time' so we can always find back the actual user
- Allow API clients to register themselves and use a secret in the future to avoid needing to ask for permission again when the refresh_tokenex expires
nodefunctionality also in portal to have only 1 package
nodepackage when you deploy on multiple machines
nodeAPI to make it a lot simpler, i.e. generate server configs already in the
portal, just put it in the right place
- Write a
nodedaemon that uses TLS
- Optimize "stats" generation and KISS, do not require crazy amounts of memory
- install lc-vpn or whatever it is called package
- restart Apache
- run some kind of 'apply' script to configure / launch OpenVPN
- basic VPN is up!
After that you have to tweak the firewall and enable IP forwarding, but that's it. The rest should be working automatically... I guess one or two firewalld commands should be enough to enable NAT and open udp/1194 and tcp/1194...
- Support MySQL/MariaDB as database next to SQLite?
- Store the (profile) configuration in a database instead of configuration file?
- eduVPN app starts with IdP selector instead of "Secure Internet / Institute Access" buttons, after which the user will see what is available for them