Start/stop of OpenVPN interfaces with ifup/ifdown

Dan Williams dcbw at redhat.com
Mon Jan 14 22:51:47 UTC 2008


On Mon, 2008-01-14 at 16:12 -0500, David Hollis wrote:
> On Mon, 2008-01-14 at 14:40 -0600, Steven Pritchard wrote:
> 
> > It was brought up at the time, but everyone was saying NetworkManager
> > was going to take over the world, so making ifup/ifdown work didn't
> > seem like a terribly high priority.  NetworkManager-openvpn has been
> > around for a while...
> > 
> 
> 
> Though it seemed abandoned at some point in time and the last time I
> checked, it didn't support some options that I use in my config namely
> 'tls-auth/tls-remote'.
> 
> Maybe it's interface needs some simple option to add 'custom' name/value
> pairs that get passed to the openvpn program to allow for future
> enhancements or local customizations and such.

That's part of the problem.  OpenVPN has so many options that adding
everything to a dialog really isn't going to work.  That may be a
symptom of OpenVPN's feature-creep and attempt to work in every
conceivable situation, which makes it less and less easy to actually set
up, but I digress. (note also vpnc 0.4's addition of
application-version, no-encryption, pfs, natt-mode, etc).  There are so
many obscure options that at least one person needs that there's no way
either OpenVPN or vpnc will ever Just Work for the user.  They basically
require a sysadmin or somebody who really knows what they are doing to
set up the VPN for them, which sucks.

That said, allowing options not handled in the GUI bits to be added is
probably the something that should be done; but it needs to be done in
such a way that if the option is sanely added to the GUI later on, that
it supersedes the custom-option-entry bit.  I'm also a bit reluctant to
take out the option filter/validator for VPN methods that don't support
config-on-stdin, because passing random text on the command line is a
security risk.  About the last thing we want to be doing is executing a
root process with random arguments entered by some trojan that stuffed
values into GConf.

Dan







More information about the fedora-devel-list mailing list