T6486: T6379: Rewrite generate openvpn client-config #3747
Conversation
sever-sever
requested review from
dmbaturin,
sarthurdev,
zdc,
jestabro,
c-po and
nicolas-fort
|
👍 |
|
❌ VyOS CLI smoketests failed! |
| parser.add_argument("-a", "--ca", type=str, help='OpenVPN CA cerificate', required=True) | ||
| parser.add_argument("-c", "--cert", type=str, help='OpenVPN client cerificate', required=True) | ||
| parser.add_argument("-k", "--key", type=str, help='OpenVPN client cerificate key', action="store") | ||
| parser.add_argument( |
There was a problem hiding this comment.
Is there a reason not to convert this scripts to the new-style op mode? I think people may want to retrieve OpenVPN client configs through the API.
There was a problem hiding this comment.
The script is not ideal.
For example, if the server listen address is not set, which address should be on the client site (x.x.x.x/None/'replace me')?
For now, it generates x.x.x.x, which is not the address. This is not a good solution for the API where all data must be actual, but if it is OK, we can probably overwrite it.
There was a problem hiding this comment.
I wonder if we should add an argument like strict: book. If it's true, then any incomplete config will result in an exception vyos.opmode.DataUnavailable. If it's false, then the script will output a placeholder, maybe as a commented-out line.
# listen-address is missing from the config
# To make this config usable, add "remote <server address> option, like:
# remote openvpn.example.net
There was a problem hiding this comment.
It is more bug fix.
Can we merge it as it is and refactor it if required in the separate PR?
| help='OpenVPN interface the client is connecting to', | ||
| required=True, | ||
| ) | ||
| parser.add_argument( |
There was a problem hiding this comment.
Those options were more or less direct translations from my really old script that I wrote for use outside of VyOS and then crudely ported to VyOS. At the time explicit options used to make sense, sort of, because certs and keys were stored in files.
But now they are stored in the config, so I think we should remove the explicit CA option and just fetch it from the pki entry.
There was a problem hiding this comment.
But we get them from PKI as completion helper, we do not use this script directly as separate file
it generates from the command
vyos@vyos# run generate openvpn client-config interface vtun20 ca openvpn-ca certificate openvpn-client
Where openvpn-ca and openvpn-client are certificate names from the PKI path
There was a problem hiding this comment.
My point is, the interface already defines which CA to use. There is no reason to ask the user for it separately.
There was a problem hiding this comment.
To be honest, the tls ca is multi-value
vyos@r4# show interfaces openvpn vtun20 tls ca-certificate
ca-certificate ca
+ca-certificate cb
+ca-certificate cc
+ca-certificate cd
[edit]
vyos@r4#
There was a problem hiding this comment.
I wonder if clients should also allow all the same CAs in that case.
There was a problem hiding this comment.
It will be behavior change and should be processed by a separate PR
If I understand correctly, your goal is replacing CLI op-mode to provide client-cert only as an arg
I.e Before:
generate openvpn client-config interface vtun20 ca openvpn-ca certificate openvpn-client
After:
generate openvpn client-config interface vtun20 certificate openvpn-client
This way all CA's will be included from pki ca based on the vtunX configuration
Do we really need it? If yes, it is better to do it in a separate PR
I never used several CA's for a client. Even in theory is it possible to sign a client cert by several CA's?
There was a problem hiding this comment.
Does client mode support multiple CAs? If there are multiple CAs in an organiazation, I suppose the assumption is that the server cert can also be signed with any of them, and thus the client may need to verify the server cert against multiple CAs.
There was a problem hiding this comment.
Let's fix bugs without new options.
The original bugs https://vyos.dev/T6486 and https://vyos.dev/T6379
And both should solved in this change.
This command helps to generate users `.ovpn` files Rewrite `generate openvpn client-config` to use Config() It needs to get the default values as `ConfigTreeQuery` is not supporting default values. Fixed "ignores configured protocol type" if TCP is used Fixed lzo, was used even if lzo not configured Fixed encryption is not parse the dict
|
CI integration 👍 passed! Details
|
|
@Mergifyio backport circinus sagitta |
✅ Backports have been created
|
Change Summary
This command helps to generate users
.ovpnfiles Rewritegenerate openvpn client-configto use Config() It needs to get the default values asConfigTreeQueryis not supporting default values.Fixed "ignores configured protocol type" if TCP is used
Fixed lzo, was used even if lzo was not configured
Fixed encryption does not parse the dict
Types of changes
Related Task(s)
Related PR(s)
Component(s) name
openvpn
Proposed changes
How to test
Configure Openvpn in TCP mode,
Before the fix the proto is UDP, but expected TCP
Generated OpenVPN client config file
After the fix the protocol is correct, encyption with correct maps, lzo not exists:
Smoketest result
Checklist: