OpenVPN plugin enhancement and issues

  • Hello,


    I'm glad to see that the openvpn plugin made it back in the OMV 1.0 release (I stayed on OMV 0.4 for quite some time because of that). Many thanks to the developers for their work.


    Default configuration works like a charm but I think there is some room for improvement:


    On routing aspects, by default the script sets for the client to route everything via the VPN (push "redirect-gateway def1 bypass-dhcp"). It would be great to be able to change this behaviour to only route the private subnet toward the VPN (push "route 192.168.x.0 255.255.255.0") while the rest is still routed to the initial default gateway of the client. A flag 'Default route to VPN' in the VPN network section of the OpenVPN plugin webgui which can be enabled/disabled would do the trick.


    When someone is connected, there is no status tab in the webgui showing connected clients. It would be nice to have an OpenVPN tab in Diagnostics > Services displaying a cat /etc/openvpn/openvpn-status.log to show connected users.


    I've also noticed that the OpenVPN daemon's privileges are set to root. Is there a reason for not using the following options to reduce the OpenVPN daemon's privileges after initialization?
    user nobody
    group nogroup


    Regarding logging, the date format seems to be different from other logs; therefore, when reading OpenVPN logs from the Diagnostics > System Logs webgui, the date wrongly shows the UNIX epoch date (01 Jan 1970). I don't know if this is something that can be fixed directly at the OpenVPN level or if a workaround can be implemented in OMV to be able to display different kinds of date formats.


    Thanks.

  • Well, I had a few hours to waste so I tweaked OpenVPN plugin files to achieve the following:


    - Added 'Default Gateway' flag in OpenVPN settings

    If enabled, this directive will configure all clients to redirect their default network gateway through the VPN (push "redirect-gateway def1 bypass-dhcp"). If disabled, a static route to the private subnet is configured on all clients (push "route <subnet> <mask>").


    Note that I'm not a developer and it took me ages to make the openvpn mkconf script get the subnet part. There might be a better way to do it, but at least it is working.



    - Added an OpenVPN status tab


    OpenVPN tab in Diagnostics > Services shows a cat /etc/openvpn/openvpn-status.log and a cat /etc/openvpn/ipp.txt



    - Fixed log timestamp


    Now time is displayed correctly in the OpenVPN logs from Diagnostics > System Logs



    Note that when logs are higher than normal, it seems to break the timestamp again. I didn't fix that.


    - Other update not 'visible'


    The generated config file uncomments the following:
    user nobody
    group nogroup


    It seems more secure to me as it will reduce the OpenVPN daemon's privileges after initialization.


    __________________________________________


    For those interested, I've attached the tweaked files.


    tweaked_openvpn.zip


    To install, first make a backup of original files:

    Code
    cd /
    tar pzvcf omv-openvpn-backup.tgz /var/www/openmediavault/js/omv/module/admin/service/openvpn/Settings.js /usr/share/openmediavault/engined/rpc/openvpn.inc /usr/share/openmediavault/engined/module/openvpn.inc /usr/share/openmediavault/mkconf/openvpn


    To install tweaked files, put first omv-openvpn-tweak.tgz in / then untar and restart omv-engined:

    Code
    cd /
    tar pzvxf omv-openvpn-tweak.tgz
    service openmediavault-engined restart


    Also refresh webgui page.


    To uninstall tweaked files and restore original files:

    Code
    rm /var/www/openmediavault/js/omv/module/admin/diagnostic/service/plugin/OpenVPN.js
    cd /
    tar pzvxf omv-openvpn-backup.tgz
    service openmediavault-engined restart


    Also refresh webgui page.


    If OpenMediaVault Plugin Developers want to include any of those changes in the official OpenVPN plugin, they are welcome to do so.
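
The 'Default Gateway' flag described in the post above, as an added shell example that is not part of the original post, the attached files or the plugin's mkconf script: it derives the subnet and mask for the `push "route ..."` line from a LAN address in CIDR form and emits the privilege-drop lines alongside. All function names are hypothetical, and the CIDR input form is an assumption.

```shell
#!/bin/sh
# Added example: NOT the plugin's mkconf script. Function names are hypothetical.

# Dotted quad -> 32-bit integer; rejects malformed octets and leading zeros
# (which shell arithmetic would read as octal).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> integer netmask.
prefix_to_int() {
    case $1 in ''|*[!0-9]*|0?*|???*) return 1;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# emit_push <default_gateway: 1|0> <lan_address/prefix>
# 1 -> full tunnel; 0 -> static route to the LAN subnet only.
emit_push() {
    if [ "$1" = 1 ]; then
        echo 'push "redirect-gateway def1 bypass-dhcp"'; return 0
    fi
    case $2 in */*) ;; *) return 1;; esac   # require address/prefix form
    ip=$(ip_to_int "${2%/*}") || return 1
    mask=$(prefix_to_int "${2#*/}") || return 1
    echo "push \"route $(int_to_ip $(( ip & mask ))) $(int_to_ip "$mask")\""
}

# Server config fragment: routing mode plus the privilege drop from the thread.
emit_fragment() {
    emit_push "$1" "$2" || return 1
    printf 'user nobody\ngroup nogroup\n'
}

emit_fragment 0 192.168.1.10/24   # constructed LAN address
```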

  • Pollux, can you make a pull request on Github so that your changes can be integrated into the plugin?


    Greetings
    David


  • Learned some new things today :thumbsup:
    - created a github account
    - did a fork
    - git clone
    - git commit (twice since I missed something out in the first one)
    - git push
    - git pull


    Hopefully I did everything right ... keep in mind that I am no developer and never used git before today.

  • Hi,


    it would be nice if there were an option to change between tun/tap-mode. Is it possible to integrate it in the webgui and the bridge things in the startup-scripts?


    Thanks in advance


    Gammelobst

    It is probably possible but my developer skills really suck. Unless an official developer is interested in adding this feature, I don't see it coming anytime soon.


    You may want to try the openmediavault-openvpnas plugin, it may offer more tunable options.
