Openvpn questions & suggestions

The zip file generated is always {name}-TO-IPFire.zip. I don't know how long the name could be, but I assume no spaces, so paul-vpn-Athens should be a valid name and the generated zip would be paul-vpn-athens-TO-IPFire.zip.

Is there a reason the literal “-TO-IPFire” has to be there? (line 2316 in ovpnmain.cgi)
I would much prefer to have a “paul-vpn-athens.zip”

EDIT: it seems I cannot use dash as part of the filename. I thought that’s an acceptable char.

When a new connection is created, “name” and “User’s full name or system hostname” are required. The name appears in the Connection Status but the hostname does not. (The hostname is used to insert values into the vpn sqlite db).

Later on, when I request OpenVPN Connections Logs, the hostname or whatever I typed in that field shows as Connection Name, not the name I used. For best practices, use the same name and system hostname so that it matches the user’s name and the report for the log files.

For consistency, I think {name} should be carried out in all pages/reports.

{name} in Connection Status (ovpnmain.cgi)
{name} in OpenVPN Connections Log (ovpnclients.dat)

I cannot create two profiles “name=bob hostname=AWS-West” and “name=alice hostname=AWS-West” since there will be a duplicate entry in the vpn db for AWS-West. Indeed, I get an error, OpenSSL error 256. (see bug# 11307) I think we should report on {name} connection times.

bob-to-AWS-West         5m 21s
alice-to-AWS-West    2h 4m 14s

Hi Erik @ummeegge
Can you take a look at my post and comment? It seems it fell through the cracks. Thanks.

Valid characters are A-z, 0-9, ‘.’, ‘_’, and ‘-’ (hyphen, dash, minus).
Why is it flagged as error?


The name check in ovpnmain.cgi only allows uppercase and lowercase letters and numbers.

See line 3845 in ovpnmain.cgi, where it checks that the name contains only lower and upper case letters and numbers.


I’m fully aware of that line … the question is, why is ipfire excluding those valid characters? Is that by design? To me, a filename, paul-connect-vpn-aws is more readable than paulconnectvpnaws

It could just be by accident that only letters and numbers were selected in which case it is a simple change.

It could be that elsewhere in the cgi code the first - in the -TO-IPFIRE section is used as a separator. In that case any code change is more complicated.

You will probably have to hunt through the code to see if the connection name is split at the - or not. I don’t know enough about the code to know one way or the other.
I think Erik is busy with other things at the moment so less likely to get a response from him.

Thank you. I will make a change in my cu167/Testing and see if anything breaks.

Nothing broke … I modified line 3845 of ovpnmain.cgi to accept _ (underscore). I was able to create a new profile, paul_connect_aws. I d/l the zip file to my laptop, made a successful connection.

But … as I suggested in the original post, what is stored in the ovpn database is not paul_connect_aws but the connection name (which is zotac.lan). When I look at the OpenVPN Connections Log, I see an entry for zotac.lan instead of paul_connect_aws.

The ovpnmain.cgi is 6000+ lines long and it is difficult to figure out where it stores connection_name instead of name. Later on, /usr/sbin/openvpn-metrics.dat is able to report on the clients.db:

INSERT INTO sessions VALUES('zotac.lan','2022-04-23 15:58:39','2022-04-23 16:09:31',283602,302502);

If I can find how to change the INSERT to

INSERT INTO sessions VALUES('paul_connect_aws','2022-04-23 15:58:39','2022-04-23 16:09:31',283602,302502);

then everything will work. That’s all I have for now.
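As an added illustration (this is not code from the thread or from IPFire's ovpnmain.cgi), the Python below ties together the points raised so far: a name check that accepts the characters the thread lists (letters, digits, '.', '_', '-'), the observed "{name}-TO-IPFire.zip" naming, and a toy sessions table in the shape of the INSERT above, filled once keyed by hostname (the current behaviour) and once keyed by {name} (the suggested one), followed by the per-name connection-time report from the original post. Assumptions: the sessions column names, which byte counter is received and which is sent, a 64-character cap taken from RFC 5280's ub-common-name, and every profile and session row, all of which are constructed here.

```python
import re
import sqlite3
from datetime import datetime

# Permitted characters as listed in the thread; the 64-character cap is an
# assumption borrowed from RFC 5280's ub-common-name, not from ovpnmain.cgi.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def valid_name(name: str) -> bool:
    """True if the connection name uses only the permitted characters and length."""
    return NAME_RE.fullmatch(name) is not None


def zip_filename(name: str) -> str:
    """Build the client bundle name in the '{name}-TO-IPFire.zip' form observed on the page."""
    return f"{name}-TO-IPFire.zip"


def format_duration(seconds: int) -> str:
    """Render seconds in the 'Xh Ym Zs' style of the thread's example table."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [f"{hours}h"] if hours else []
    parts += [f"{minutes}m", f"{secs}s"]
    return " ".join(parts)


# Constructed rows: ({name}, hostname/common name, connected, disconnected, rx, tx).
# bob and alice deliberately share the hostname, as in the original post.
SESSIONS = [
    ("paul_connect_aws", "zotac.lan", "2022-04-23 15:58:39", "2022-04-23 16:09:31", 283602, 302502),
    ("bob", "AWS-West", "2022-04-23 10:00:00", "2022-04-23 10:05:21", 1000, 2000),
    ("alice", "AWS-West", "2022-04-23 11:00:00", "2022-04-23 13:04:14", 5000, 9000),
]

# Assumed column names; the real clients.db schema is not shown on the page.
SCHEMA = """CREATE TABLE sessions (
    common_name TEXT, connected TEXT, disconnected TEXT,
    bytes_received INTEGER, bytes_sent INTEGER)"""


def load_sessions(key_by_name: bool) -> sqlite3.Connection:
    """Fill an in-memory sessions table, keyed by {name} or by hostname."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for name, host, start, end, rx, tx in SESSIONS:
        key = name if key_by_name else host
        db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?, ?)", (key, start, end, rx, tx))
    db.commit()
    return db


def connection_times(db: sqlite3.Connection) -> dict:
    """Sum connected seconds per key from the sessions table."""
    totals = {}
    rows = db.execute("SELECT common_name, connected, disconnected FROM sessions")
    for key, start, end in rows:
        delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        totals[key] = totals.get(key, 0) + int(delta.total_seconds())
    return totals


def report(key_by_name: bool) -> dict:
    """Per-key connection time, formatted; keyed by hostname the two AWS-West users merge."""
    db = load_sessions(key_by_name)
    return {k: format_duration(v) for k, v in sorted(connection_times(db).items())}


if __name__ == "__main__":
    for n in ("paul-vpn-athens", "paul_connect_aws", "paul connect"):
        print(f"{n!r}: valid={valid_name(n)} zip={zip_filename(n)}")
    print("keyed by hostname:", report(key_by_name=False))
    print("keyed by name:    ", report(key_by_name=True))
```

Keyed by hostname, bob's and alice's sessions collapse into one AWS-West total, which is exactly why a report by {name} is the only way to attribute connection time to the right user.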

Hi paul,
sorry for the late reply, but there is currently lots of action around.
Regarding the special characters, it seems that you are coming closer to a possible solution?
Regarding the common-name length INTEGER, I think 64 characters are specified → https://www.ietf.org/rfc/rfc5280.txt .

Regarding the "Connections Status" from ovpnmain.cgi, the server.conf includes '--status-version 1', which writes the traditional format (default) with fixed parameters → openvpn, whereby the "Common Name" comes into play.
The 'ovpnclients.dat' uses the indices from the ovpnconfig array (in that case [2]) → html/cgi-bin/logs.cgi/ovpnclients.dat in ipfire-2.x.git on git.ipfire.org, to get the values from there.

May this info help you a step further.

Best,

Erik

Erik,
I appreciate your reply. I know you’re busy with other things. I will take a look at the link you provided.