Closed MartinLoeper closed 2 months ago
The config is stored by openvpn3-linux (openvpn3-indicator is just a middle-man). In my case it stores configs in /var/lib/openvpn3
.
To fill some gaps .... openvpn3-indicator
uses a D-Bus interface to the net.openvpn.v3.configuration
service (provided by the openvpn3-service-configmgr
process). This service will store configurations to disk when marked as "persistent" when the Import()
D-Bus method is called. The standard directory for that is /var/lib/openvpn3/configs
. But the openvpn3-service-configmgr
must also be started with the --state-dir
argument, which points need to point at that directory.
The openvpn3-service-configmgr
is automatically starting and stopping, as needed. When it only need to care for persistent configurations, it will stop running after a few minutes if nobody is interacting with it. If someone has imported a non-persistent configuration, this process will not stop running automatically until this configuration is deleted. It's the D-Bus "master daemon" which is responsible for the auto-starting openvpn3-service-configmgr
(as defined in /usr/share/dbus-1/system-services/net.openvpn.v3.configuration.service
).
Thanks for the additional info @grzegorz-gutowski and @dsommers.
I found the issue with openvpn3-linux:
I am using NixOS which packages (a) the wrong version of openvpn3 -> you should mention that it works with v21+ only and (b) sets localstatedir
to a read-only directory inside the nix store.
After passing --localstatedir
to the configure script and creating /var/lib/openvpn3
using systemd tmpfiles everything works as expected.
For reference: The v21 version of openvpn3 is available via NUR
@MartinLoeper Thanks for the feedback.
NixOS is not a distro we've put energy into officially supporting in the main openvpn3-linux project so far, so there might be some corner cases we're not fully aware of. I would like to collaborate with NixOS package maintainers so we can consider it officially supported. But then I need someone to collaborate with and who can own NixOS related issues and test fixes.
I see. Unfortunately that is not something I can assist you guys with since I am no python dev. I only just put together the package for openvpn-indicator on NUR.
Since our company has mostly arch and debian users the current state is totally fine. Thanks for all of your efforts here and in upstream repos @dsommers
@dsommers Perhaps it is also reasonable for openvpn3-indicator
to check the version of openvpn3
installed in the system, and somehow notify users when it is out of date.
@MartinLoeper Thanks for the packaging! Currently the packages for ubuntu and fedora are published automatically with each commit. Perhaps I could publish a package in nur in a similar way.
@grzegorz-gutowski That should be fairly easy; there's a version
property in the main service object which contains a version string.
But I haven't dug into the code deep enough to fully spot if there are any features you use depending on a specific OpenVPN 3 Linux release. If you use the openvpn3
Python module, that should not depend on any features unavailable in the D-Bus services. That said, v21 did pull in several bugfixes so might just be that the openvpn3
module in v20 or older are just buggy. "Configuration tags" is also a new v21 feature; not sure if you explicitly use that.
I have an example why v20 is not working as the config import was not working when I was packaging openvpn3-indicator with openvpn3-linux v20:
@grzegorz-gutowski Perhaps this could be improved a bit?
First of all system_tag
is not required (it defaults to None
in v21)
What if you put all the arguments in a dict, and when you detect v21, you can add the system_tag
argument too ... and then you could set it to a simple identifier easy to use for openvpn3-indicator.
Simple example:
args = {"cfgname": name, "cfg": config_description, "single_use": False, "persistent": True}
if detect_v21():
args["system_tag"] = "ovpn3indicator"
self.config_manager.Import(**args)
This gives the advantage of working with older versions and to be able to filter out configurations imported via openvpn3-indicator
:
$ openvpn3 configs-list --filter-tag system:ovpn3indicator
Configuration tags starting with system:
are "hidden" in the lists of tags, and only the Import() is allowed to add such tags via thesystem_tag
argument.
I've just pushed out pull-req #10 as one way to solve it.
Cool project!
Just one thing is not working as expected in my setup: I have to import the config again after each OS reboot. Where is the imported config stored? Is this by-design?