openvpn3-linux

Added basic libsecret support to autostart + new utility to add and update libsecret passwords

Open AB49K opened this issue 2 years ago • 3 comments

I took a look at https://github.com/OpenVPN/openvpn3-linux/issues/30. I've added basic libsecret password (only) storage and retrieval in openvpn3-autoload.

I also wrote some basic documentation on how to use it. I'd like some feedback on the best way to implement this in a way that OpenVPN wants.

AB49K avatar Mar 15 '22 07:03 AB49K

Hi,

First of all, thanks a lot for your efforts here. This is really valuable and is a very nice proof-of-concept. But I would like to see if we can enhance this further.

First of all, an important detail is that we are going to deprecate openvpn3-autoload in coming releases, in favor of the per-session based openvpn3-session@CONFIG_NAME.service unit files instead. This one uses a different helper program to start sessions, /usr/libexec/openvpn3-linux/openvpn3-systemd - which is also a Python program. And this also does not work well with the openvpn2 command line (which is also Python).

Currently, we have "session start" logic happening in three places - openvpn2, openvpn3-systemd and openvpn3-autoload. I would like to refactor these into a more unified class (openvpn3.RunSession). This class should have a Start method which does pretty much the job happening in the various start_tunnel() functions. The RunSession class should be able to be set some optional callback functions for retrieving credentials as well as log and status handlers. Now, the Start method could check the libsecret storage before invoking the callback function.

This does require quite a bit of refactoring, but if you're willing to dig into this I will be happy to guide you through this. And we can look at doing a similar integration on the C++ side too, so the openvpn3 session-start can also use the same approach.

Speaking of C++. I would like to see openvpn3-secretmanager be implemented into the openvpn3 command. But I can live with this Python implementation until we have a functional implementation for the "session consumers" of the stored credentials.

dsommers avatar Mar 15 '22 13:03 dsommers
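
A sketch of the lookup order described in the comment above (secret store first, then the credentials callback), added here as an example and not code from the openvpn3-linux project. `RunSession` exists only as a proposal in this thread; the constructor arguments, the `MemorySecretStore` stand-in for libsecret, and the `config`/`field` attribute names are assumptions.

```python
class SecretStoreUnavailable(Exception):
    """Raised when the secret store cannot be reached or is locked."""

class MemorySecretStore:
    """In-memory stand-in for a libsecret collection (lookup by attributes)."""
    def __init__(self, locked=False):
        self._items = {}
        self.locked = locked

    def store(self, attributes, secret):
        self._items[frozenset(attributes.items())] = secret

    def lookup(self, attributes):
        if self.locked:
            raise SecretStoreUnavailable("collection is locked")
        return self._items.get(frozenset(attributes.items()))

class RunSession:
    """Hypothetical unified session starter; not the project's API."""
    def __init__(self, config_name, secret_store=None,
                 credentials_cb=None, log_cb=None):
        self.config_name = config_name
        self.secret_store = secret_store
        self.credentials_cb = credentials_cb
        self.log_cb = log_cb or (lambda msg: None)

    def _get_credential(self, field):
        attrs = {"config": self.config_name, "field": field}  # assumed schema
        if self.secret_store is not None:
            try:
                secret = self.secret_store.lookup(attrs)
                if secret is not None:
                    # Log where the value came from, never the value itself.
                    self.log_cb(f"{field}: from secret store")
                    return secret
            except SecretStoreUnavailable as exc:
                self.log_cb(f"{field}: secret store unavailable ({exc})")
        if self.credentials_cb is None:
            # Fail closed: an unattended start has no other source to ask.
            raise RuntimeError(f"no source for credential '{field}'")
        self.log_cb(f"{field}: from callback")
        return self.credentials_cb(field)

    def Start(self, required_fields):
        """Resolve each requested credential; a real Start would then connect."""
        return {f: self._get_credential(f) for f in required_fields}
```

A locked or missing store falls through to the callback, and a unit-file start with neither source raises instead of proceeding without credentials.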

Hi, I must have missed the upcoming deprecation of openvpn-autoload. I also see no real issue with integrating a similar system into a unit file. I would agree with incorporating secret-manager into the openvpn3 command; however, I have written only very little C++ at all, mostly Python and Golang. However, I'm willing to get into it and work it out.

I am willing to dig into this and would appreciate some guidance - I'm currently reading through the docs to get up to speed on how it all fits together.

AB49K avatar Mar 15 '22 23:03 AB49K

@AB49K You can often reach me on the #openvpn-devel IRC channel on libera.chat; I'm dazo there. I'm willing to help out understanding how all these pieces fit together.

Also: Don't be concerned about the C++ part yet. Let's fix this in the Python code first, and then we'll see how to progress next.

dsommers avatar Mar 16 '22 09:03 dsommers

Closing due to no activity for 18 months.

dsommers avatar Sep 12 '23 09:09 dsommers