OpenVPN / openvpn3-indicator

Simple GTK indicator GUI for OpenVPN 3 Linux
https://github.com/OpenVPN/openvpn3-indicator
GNU Affero General Public License v3.0

Imported config is not persisted across reboots #8

Closed MartinLoeper closed 2 months ago

MartinLoeper commented 2 months ago

Cool project!

Just one thing is not working as expected in my setup: I have to import the config again after each OS reboot. Where is the imported config stored? Is this by design?

grzegorz-gutowski commented 2 months ago

The config is stored by openvpn3-linux (openvpn3-indicator is just a middle-man). In my case it stores configs in /var/lib/openvpn3.

dsommers commented 2 months ago

To fill some gaps ... openvpn3-indicator uses a D-Bus interface to the net.openvpn.v3.configuration service (provided by the openvpn3-service-configmgr process). This service will store configurations to disk when marked as "persistent" when the Import() D-Bus method is called. The standard directory for that is /var/lib/openvpn3/configs. But the openvpn3-service-configmgr must also be started with the --state-dir argument, which needs to point at that directory.

The openvpn3-service-configmgr is automatically starting and stopping, as needed. When it only needs to care for persistent configurations, it will stop running after a few minutes if nobody is interacting with it. If someone has imported a non-persistent configuration, this process will not stop running automatically until this configuration is deleted. It's the D-Bus "master daemon" which is responsible for auto-starting openvpn3-service-configmgr (as defined in /usr/share/dbus-1/system-services/net.openvpn.v3.configuration.service).
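
Added example, not part of the thread and not code from openvpn3-linux or openvpn3-indicator: a small check that reads the D-Bus service file named above, extracts the --state-dir value from its Exec= line, and reports whether that directory can hold persistent configurations. The embedded service file is a constructed sample, and its User value and binary path are assumptions.

```python
import os
import shlex

# Constructed sample of a D-Bus system service file (not copied from a real
# install); the User value and the Exec binary path are placeholders.
SAMPLE_SERVICE = """\
[D-BUS Service]
Name=net.openvpn.v3.configuration
User=openvpn
Exec=/usr/libexec/openvpn3-service-configmgr --state-dir /var/lib/openvpn3/configs
"""


def state_dir_from_service(text):
    """Return the --state-dir value on the Exec= line, or None if it is absent."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "Exec":
            continue
        argv = shlex.split(value)
        for i, arg in enumerate(argv):
            if arg == "--state-dir" and i + 1 < len(argv):
                return argv[i + 1]
            if arg.startswith("--state-dir="):
                return arg.split("=", 1)[1]
    return None


def diagnose(text, is_dir=os.path.isdir, writable=lambda p: os.access(p, os.W_OK)):
    """Classify why persistent configs may not survive a reboot."""
    state_dir = state_dir_from_service(text)
    if state_dir is None:
        return "no-state-dir"      # service started without --state-dir
    if not is_dir(state_dir):
        return "missing-dir"       # e.g. directory never created at boot
    if not writable(state_dir):
        return "read-only"         # e.g. path inside a read-only store
    return "ok"


if __name__ == "__main__":
    path = "/usr/share/dbus-1/system-services/net.openvpn.v3.configuration.service"
    text = open(path).read() if os.path.exists(path) else SAMPLE_SERVICE
    # os.access() tests the current user; run as the service account for a true answer.
    print(state_dir_from_service(text), diagnose(text))
```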

MartinLoeper commented 2 months ago

Thanks for the additional info @grzegorz-gutowski and @dsommers.

I found the issue with openvpn3-linux:

I am using NixOS which packages (a) the wrong version of openvpn3 -> you should mention that it works with v21+ only and (b) sets localstatedir to a read-only directory inside the nix store.

After passing --localstatedir to the configure script and creating /var/lib/openvpn3 using systemd tmpfiles everything works as expected.

For reference: The v21 version of openvpn3 is available via NUR

dsommers commented 2 months ago

@MartinLoeper Thanks for the feedback.

NixOS is not a distro we've put energy into officially supporting in the main openvpn3-linux project so far, so there might be some corner cases we're not fully aware of. I would like to collaborate with NixOS package maintainers so we can consider it officially supported. But then I need someone to collaborate with and who can own NixOS related issues and test fixes.

MartinLoeper commented 2 months ago

I see. Unfortunately that is not something I can assist you guys with since I am no python dev. I only just put together the package for openvpn-indicator on NUR.

Since our company has mostly arch and debian users the current state is totally fine. Thanks for all of your efforts here and in upstream repos @dsommers

grzegorz-gutowski commented 2 months ago

@dsommers Perhaps it is also reasonable for openvpn3-indicator to check the version of openvpn3 installed in the system, and somehow notify users when it is out of date.

grzegorz-gutowski commented 2 months ago

@MartinLoeper Thanks for the packaging! Currently the packages for ubuntu and fedora are published automatically with each commit. Perhaps I could publish a package in nur in a similar way.

dsommers commented 2 months ago

@grzegorz-gutowski That should be fairly easy; there's a version property in the main service object which contains a version string.

But I haven't dug into the code deep enough to fully spot if there are any features you use depending on a specific OpenVPN 3 Linux release. If you use the openvpn3 Python module, that should not depend on any features unavailable in the D-Bus services. That said, v21 did pull in several bugfixes, so it might just be that the openvpn3 module in v20 or older is just buggy. "Configuration tags" is also a new v21 feature; not sure if you explicitly use that.

MartinLoeper commented 2 months ago

I have an example why v20 is not working as the config import was not working when I was packaging openvpn3-indicator with openvpn3-linux v20:

dsommers commented 2 months ago

@grzegorz-gutowski Perhaps this could be improved a bit?

First of all system_tag is not required (it defaults to None in v21)

What if you put all the arguments in a dict, and when you detect v21, you can add the system_tag argument too ... and then you could set it to a simple identifier easy to use for openvpn3-indicator.

Simple example:

args = {"cfgname": name, "cfg": config_description, "single_use": False, "persistent": True}
if detect_v21():
    args["system_tag"] = "ovpn3indicator"

self.config_manager.Import(**args)

This gives the advantage of working with older versions and being able to filter out configurations imported via openvpn3-indicator:

  $ openvpn3 configs-list --filter-tag system:ovpn3indicator

Configuration tags starting with system: are "hidden" in the lists of tags, and only the Import() is allowed to add such tags via the system_tag argument.
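
Added example, not part of the thread and not the project's code: one way to turn the detect_v21() placeholder from the comment above into a version-gated Import() call. The version string formats ("v20", "v21_beta"), the helper names and the two stub config managers are assumptions used so the snippet runs without D-Bus.

```python
import re


def release_number(version):
    """Return N for strings like 'v21' or 'v21_beta'; None when no release is found."""
    match = re.search(r"\bv(\d+)", version or "")
    return int(match.group(1)) if match else None


def build_import_args(name, config_text, version, tag="ovpn3indicator"):
    """Import() keyword arguments; system_tag is added only for v21 or newer."""
    args = {"cfgname": name, "cfg": config_text,
            "single_use": False, "persistent": True}
    release = release_number(version)
    if release is not None and release >= 21:  # unknown version: stay compatible
        args["system_tag"] = tag
    return args


class StubConfigManagerV20:
    """Hypothetical stand-in for a pre-v21 Import() that has no system_tag."""
    def Import(self, cfgname, cfg, single_use, persistent):
        return {"name": cfgname, "persistent": persistent, "tags": []}


class StubConfigManagerV21:
    """Hypothetical stand-in for v21, where system_tag defaults to None."""
    def Import(self, cfgname, cfg, single_use, persistent, system_tag=None):
        tags = ["system:" + system_tag] if system_tag else []
        return {"name": cfgname, "persistent": persistent, "tags": tags}


def import_config(manager, version, name, config_text):
    """Import with arguments matched to the reported service version."""
    return manager.Import(**build_import_args(name, config_text, version))


if __name__ == "__main__":
    cfg = "client\nremote vpn.example.org 1194\n"  # constructed sample profile
    print(import_config(StubConfigManagerV20(), "v20", "office", cfg))
    print(import_config(StubConfigManagerV21(), "v21", "office", cfg))
    try:  # what happens without the version gate on an older release
        StubConfigManagerV20().Import(**build_import_args("office", cfg, "v21"))
    except TypeError as exc:
        print("v20 rejects system_tag:", exc)
```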

dsommers commented 2 months ago

I've just pushed out pull-req #10 as one way to solve it.