OpenVPN
UI showing green connected status despite not beeing able to create a route
When you start the open vpn gui without administrator priviliges (which is the default) creating the new routes / ip forward entries, fails, but the tray icon turns green, which is suggesting that everything is fine. I suggest turning it to red when not beeing able to create routes.
(Version openvpn-install-2.3.9-I601-x86_64)
Sounds like a good idea. I don't know how easy it is for the GUI to detect failures at the OpenVPN end - they're fairly loosely coupled.
Anyways, this is somewhat related to changes proposed in pull request https://github.com/OpenVPN/openvpn-gui/pull/6. Could you test the installers listed in the comments on that page and report back in there?
I installed the new version (mentioned above) which starts with admin privilidges as default, even when you remove the start as an administrator from the compatibility section in windows open-vpn is still started with admin privilidges which is a good thing.
This fixed the bug imho, however i still think the color should go red instead of green on a failure like this, but as you said i dont know if the interfaces between UI and Service allowing those type of thing, if i've time i gonna read myself into the code.
When the route command fails the state is still reported by openvpn.exe as "CONNECTED,SUCCESS..". This needs to change to make the GUI reliably to report the error to the user. Currently, route errors are hidden in some error messages which are not easy to parse from the GUI end.
Selva
Can we do something about this in openvpn core, so that the GUI can be report route errors? Currently when we get CONNECTED,SUCCESS we turn the icon green. If we get CONENCTED,ERROR we keep it amber and the state as "connecting.." even if the initialization sequence completes.
So route errors can still be treated as non-fatal but we want to get CONNECTED,ERROR in such cases.
Hi,
On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair wrote:
Can we do something about this in openvpn core, so that the GUI can be report route errors? Currently when we get CONNECTED,SUCCESS we turn the icon green. If we get CONENCTED,ERROR we keep it amber and the state as "connecting.." even if the initialization sequence completes.
So route errors can still be treated as non-fatal but we want to get CONNECTED,ERROR in such cases.
I still wonder why IPv4 route addition failures are considered non-fatal...
But this aside ("it has always been that way", before I got involved), I can have look into how this signalling is done.
gert
-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
Hi,
Copying the devel list as a reminder that "we" have been asking for this change for a long time :)
On Fri, Jul 6, 2018 at 2:48 PM, Gert Doering [email protected] wrote:
Hi,
On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair wrote:
Can we do something about this in openvpn core, so that the GUI can be report route errors?
Currently when we get CONNECTED,SUCCESS we turn the icon green. If we get
CONENCTED,ERROR we keep it amber and the state as "connecting.." even if
the initialization sequence completes.
So route errors can still be treated as non-fatal but we want to get CONNECTED,ERROR in such cases.
I still wonder why IPv4 route addition failures are considered non-fatal...
As failure in test_routes is considered an error (waiting for TAP to come up.., though not fatal) and leads to CONNECTED,ERROR, I guess that CONNECTED,SUCCESS would imply the TUN/TAP is up and has got its on-link route to the vpn subnet.
But this aside ("it has always been that way", before I got involved), I can have look into how this signalling is done.
To make all route errors propagate to initilaization_sequence_completed() one needs to return errors back up from a deep call chain:
check_add_routes_dowork -> check_add_routes_action -> do_route-> add_routes->etc.. Each of those calls returns void right now..
Selva
Hi,
On Fri, Jul 6, 2018 at 3:24 PM, Selva Nair [email protected] wrote:
Hi,
Copying the devel list as a reminder that "we" have been asking for this change for a long time :)
On Fri, Jul 6, 2018 at 2:48 PM, Gert Doering [email protected] wrote:
Hi,
On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair wrote:
Can we do something about this in openvpn core, so that the GUI can be report route errors?
Currently when we get CONNECTED,SUCCESS we turn the icon green. If we get
CONENCTED,ERROR we keep it amber and the state as "connecting.." even if
the initialization sequence completes.
So route errors can still be treated as non-fatal but we want to get CONNECTED,ERROR in such cases.
+1 to routing errors causing CONNECTED,ERROR (I didn't even know that was possible). This confuses many Tunnelblick users.
I'd be happy for routing errors to cause a FATAL error as long as the errors weren't caused by "route already exists" or something like that. But I assume that's too much trouble.
Best regards,
Jon
So, OpenVPN core can now do this, thanks to @selvanair
commit e04c253618ce2a1bb0996a67b81af891e8607fa9 (master) commit 705a08ee5adcc74d51bc096592d561f35dc8661a (release/2.6) Author: Selva Nair Date: Wed Jan 4 21:27:18 2023 -0500
Propagate route error to initialization_completed()
now, GUI authors to the rescue :-)
(Note: Tunnelblick won't benefit from it yet, as the route add bits for MacOS X do not differenciate between error and route already exists error - so both would be declared an error! - and Selva decided to be more cautious and do not report route addition errors on platforms that do not know the difference)