Open garrett opened 2 years ago
Does this mean VPNs created by NetworkManager? Interestingly, NetworkManager shows my WireGuard VPN under "Wireguard" and OpenVPN under "VPN".
Yes, it'd be nice for Cockpit to be able to create and manage VPNs.
You're right that a good first step is to at least show that they exist (they do exist as another network currently, as you demonstrate @ https://github.com/cockpit-project/cockpit/issues/16948#issuecomment-1039289225) and we should visually tag them somehow as such.
Hi! I'm interested in making contributions to the Network views. I'm currently working in NetDevOps, but recently met Cockpit. I'll keep an eye on this thread. In June I finish my exams at university and I will have time for contributions!
@gil-obradors: That's great!
If you happen to know about IRC and how to use that with an IRC client, we're on #cockpit on irc.libera.chat and generally are most active during European "business" hours. (Monday through Friday, central European time.) Although people hang out at all times of the day and even on the weekend and might reply at other times too... but standard hours are best for conversations.
There's also a web-based way of joining and chatting with us using your browser at this link: https://kiwiirc.com/nextclient/irc.libera.chat/#cockpit (Although you do have to become a registered user to actually join the channel. Libera has info about how to do that @ https://libera.chat/guides/registration)
When you do have the time (I suppose in June?), please drop by and we'd be happy to help.
We also have contribution guidelines and documentation on our website @ https://cockpit-project.org/external/wiki/Contributing.html, which also includes how to set up your system to work on Cockpit: https://cockpit-project.org/external/source/HACKING.html
Thanks @garrett! I will be fully free after the 18th of June. From now on, in some idle moments I'm going to study all the documentation; thanks for the links. I'm amazed at that wonderful on-demand architecture. I want to play with it! We're in touch!
I'm trying to integrate WireGuard and OpenVPN.
A basic object to generate this kind of VPN via D-Bus and NetworkManager (in Python):
```python
# Creating VPN interfaces with Python D-Bus: WireGuard and OpenVPN
import uuid

from pydbus import SystemBus, Variant  # pydbus re-exports GLib.Variant

bus = SystemBus()
# NetworkManager's Settings object exposes AddConnection()
remote_object = bus.get("org.freedesktop.NetworkManager",
                        "/org/freedesktop/NetworkManager/Settings")

# Native WireGuard connection: the "wireguard" setting carries the
# interface's private key and the list of peers
wg = {"connection": {'id': Variant("s", "wg1"),
                     'type': Variant("s", "wireguard"),
                     'interface-name': Variant("s", "wg1"),
                     'autoconnect': Variant("b", True),
                     'uuid': Variant("s", str(uuid.uuid4()))},
      "wireguard": {"peers": Variant('aa{sv}',
                                     [{'public-key': Variant("s", "vFapZXxbhQEhqTSV883VSCd6J+xs0FBihpg4wQCl4BA="),
                                       'endpoint': Variant('s', "192.168.2.1:13238"),
                                       'allowed-ips': Variant('as', ['192.168.50.0/24'])}]),
                    # the private key is a secret: NM hides it unless asked
                    # (nmcli --show-secrets, or the GetSecrets D-Bus method)
                    "private-key": Variant("s", "KImII0Ti4tRZjYIlzWVYZKsTr+h/i3/79Z+CPr0YWF4=")},
      "ipv4": {'address-data': Variant('aa{sv}', [{'address': Variant('s', '192.168.50.2'),
                                                  # NM expects the prefix as uint32 ('u'),
                                                  # as the busctl GetSettings output in this thread shows
                                                  'prefix': Variant('u', 24)}]),
               # legacy 'addresses' field: [address, prefix, gateway] as little-endian uint32
               'addresses': Variant('aau', [[36874432, 24, 20097216], ]),
               'gateway': Variant('s', "192.168.50.3"),
               # legacy 'dns' field: little-endian uint32 (16843009 == 1.1.1.1)
               'dns': Variant('au', [16843009, ]),
               'method': Variant("s", "manual")}}

# OpenVPN goes through the generic "vpn" setting and the NetworkManager-openvpn
# plugin; its options are plain strings in 'data', the password lives in 'secrets'
openvpn = {'connection': {'autoconnect': Variant('b', True),
                          'id': Variant('s', 'Connexió VPN'),
                          'type': Variant('s', 'vpn'),
                          'metered': Variant('i', 2),  # 2 = NM_METERED_NO
                          'uuid': Variant('s', str(uuid.uuid4()))
                          },
           'vpn': {'data': Variant('a{ss}',
                                   {'ca': '/home/gil/openvpn_ssl/rootCACert.pem',
                                    'connection-type': 'password',
                                    'dev-type': 'tun',
                                    'password-flags': '1',  # 1 = agent-owned secret
                                    'proto-tcp': 'yes',
                                    'remote': '192.168.2.1:1194:tcp',
                                    'username': 'prova'
                                    }),
                   'secrets': Variant('a{ss}', {"password": "contrasenya"}),
                   'service-type': Variant('s', 'org.freedesktop.NetworkManager.openvpn')},
           }
```
And to create the interfaces:
```python
remote_object.AddConnection(wg)
remote_object.AddConnection(openvpn)
```
I will start with WireGuard because it's easier. OpenVPN has a lot of options to deal with.
Points to discuss:
- How to assure system dependencies? WireGuard needs `wireguard` on dpkg/rhel systems.
- Networking VPN layout
- Create a private key pair from the browser
Hands on!
> I'm trying to integrate WireGuard and OpenVPN.
> I will start with WireGuard because it's easier. OpenVPN has a lot of options to deal with.
Cool! Thanks for doing all the research!
> Points to discuss:
> - How to assure system dependencies? WireGuard needs `wireguard` on dpkg/rhel systems.
For this we usually use PackageKit; other pages have an option to install the required dependency if it's missing. There is a dialog for this in `pkg/lib/cockpit-components-install-dialog.jsx`. See for example `pkg/metrics/metrics.jsx`: if `cockpit-pcp` is missing, a button is shown to install it. I am not 100% sure how that would work if we have an `Add vpn` dropdown; would it then show `install wireguard`?
> - Networking VPN layout

Something which should maybe first require a change is how we show network interfaces: if I enable my WireGuard VPN named `dedi` I don't really see that it's a VPN, nor what type. As far as I understand, WireGuard is its own interface type, so that should be possible to show:
Thinking a bit further ahead, how would one edit a VPN in the future? Should it even be done through interfaces and not in a separate section?
And for example `tun0` for OpenVPN (depends on configuration, of course).
> - Create a private key pair from the browser

That should be possible with `cockpit.spawn()`; we can call the required `wg genkey` commands. In the Android app this happens if the field is unset, iirc. As WireGuard supports multiple setups, would this support setting it up as a `VPN server`? Should adding a `VPN` open the WireGuard port in `firewalld` when it is found? (With a checkbox, as the client does not need to open a port; might be a bit tricky UX-wise.)
I think the wireguard android app is probably a good UI to look at for inspiration, It contains some more optional fields.
Thanks @jelly for your time!
As you know Cockpit in depth: in the OpenVPN scenario we need files with keys. Is there any solution better than specifying the file path on the system? (This implies having transferred the file beforehand; WireGuard is friendlier in that...)
I'm on it! My work is quite advanced... maybe this weekend I can take it out of the oven :meat_on_bone:
About the networking VPN layout page... maybe @garrett could show the way... There are many possibilities:
I don't care what we decide, I'm not very good at UI but I have time :smile:
> Thanks @jelly for your time!
> As you know Cockpit in depth: in the OpenVPN scenario we need files with keys. Is there any solution better than specifying the file path on the system? (This implies having transferred the file beforehand; WireGuard is friendlier in that...)
Do you mean the remote or the local system? We do have `FileAutoComplete`, which is used in for example `cockpit-podman` to select a container path on the host.
I think that Add VPN button with a dropdown menu is reasonable. I'm not really a fan of that pattern, but it sure beats tossing a ton of various VPN buttons on the page.
We could just have add VPN with a selector too. However, the dialogs are pretty huge, especially the PPPoE one:
BTW: It's looking great! I love the progress on this! :+1:
Thanks for comments @garrett and @jelly !
With everything we have discussed...here the result:
I would put some tooltips/text helpers/placeholders... for example in the WireGuard endpoint, NetworkManager waits for
If it looks fine, I'll continue with OpenVPN... and maybe FortinetSSL? It doesn't come by default like WireGuard, but it's an installable plugin like OpenVPN. I have in mind to check if the VPN provider is available when the modal is loading. If not present, it will show a button to install it like other pages in Cockpit.
Have nice init(week)!
Looks good, I think it makes sense to first make a PR for just the WireGuard functionality and then in future PRs add other VPN solutions.
I do wonder if we don't need a separate section for your existing VPN profiles (from networkmanager). As how else does one activate/de-activate and edit existing profiles?
> I do wonder if we don't need a separate section for your existing VPN profiles (from networkmanager). As how else does one activate/de-activate and edit existing profiles?
And if that's the case, then the add VPN button would go there.
Like this?
For enable/disable/edit this user-interface is 100% reusable. Courtesy of NM objects :smile:
Thanks for these changes!
Wireguard should go to the right (which is the most default for the header actions), and shouldn't be primary (it should be secondary, like the rest).
Wireguard should use an auto-install on add, if it's not installed already. If auto-install isn't possible (like on an OStree installation) and it isn't already installed, then it shouldn't show up. Similar for other VPN types.
Headings should also be sentence case, so it should say "VPN interfaces" (lowercase i).
Shouldn't FortiSSLVPN be "FortiClient"? https://www.fortinet.com/support/product-downloads
We might want to indicate if it's a VPN interface somewhere in the details as well. Perhaps "VPN: wg0"
OK :)
I notice that through install_dialog and `manifest.json` we can install the package on Ubuntu, Debian, Fedora, Arch...
https://github.com/cockpit-project/cockpit/blob/3f5d4c87ef6090cb3174c402a6b64ba9e0c6723d/pkg/lib/cockpit-components-install-dialog.jsx#L55
But how do we deal with distributions that need other repositories activated (RHEL, CentOS...)? https://www.wireguard.com/install/
Could an acceptable workaround be to focus on Ubuntu / Debian / Fedora for the self-install behaviour on Add WireGuard, and for distributions that do not ship wireguard in their mainstream repositories, show a message asking for manual install?
> OK :)
> I notice that through install_dialog and `manifest.json` we can install the package on Ubuntu, Debian, Fedora, Arch... But how do we deal with distributions that need other repositories activated (RHEL, CentOS...)? https://www.wireguard.com/install/
I personally don't want to recommend adding an EPEL repo as official instructions; I think we should only enable it on modern systems which have it. What we require for WireGuard in Cockpit should be the following: `wg genkey`, so we need `wireguard-tools`, and we can use the install_dialog with a manifest for it.

> Could an acceptable workaround be to focus on Ubuntu / Debian / Fedora for the self-install behaviour on Add WireGuard, and for distributions that do not ship wireguard in their mainstream repositories, show a message asking for manual install?
Yes, we don't show anything for things we don't support, it's acceptable to require a modern kernel for this feature and we need NetworkManager > 1.16.
So in short, I guess we want to install wireguard-tools? And then allow users to configure wireguard?
Hi! Working on it.
This is the current scenario:
Questions:
- Can a user-admin see the private key configured in a connection? Yes, for me. In NM you can. But I have not found how to get this key value because it is protected.
```
➜ ~ nmcli connection show wg1 | grep wireguard
connection.type: wireguard
wireguard.private-key: <hidden>
wireguard.private-key-flags: 0 (cap)
wireguard.listen-port: 0
wireguard.fwmark: 0x0
wireguard.peer-routes: sí
wireguard.mtu: 0
wireguard.ip4-auto-default-route: -1 (default)
wireguard.ip6-auto-default-route: -1 (default)
```
This setting is hidden by default, but can be shown with `--show-secrets`:
```
➜ nmcli -show-secrets connection show wg1 | grep wireguard
connection.type: wireguard
wireguard.private-key: ULQiG2CUuR4/BpYlXj081Y12xYApQ/1b0fBEsUosl30=
wireguard.private-key-flags: 0 (cap)
wireguard.listen-port: 0
wireguard.fwmark: 0x0
wireguard.peer-routes: sí
wireguard.mtu: 0
wireguard.ip4-auto-default-route: -1 (default)
wireguard.ip6-auto-default-route: -1 (default)
```
I have inspected the function that loads the NetworkManager D-Bus tree into the frontend, but a wireguard object like `connection`, `ipv4`, `ipv6` isn't present (and so wireguard.private-key isn't either):
https://github.com/cockpit-project/cockpit/blob/b971699bfb1311db6420d1b2aefcea1014c7531c/pkg/networkmanager/interfaces.js#L480
- Can a user-admin see the public key configured in a connection, after it has been configured?
The public key value is not stored and not shown in NetworkManager. I see that the `wg` tool which comes with `wireguard-tools` gives you the public key of a configured interface. Need to investigate more how to retrieve it... maybe it can be found inside `/proc`, in general for all distributions... any idea?
- Endpoints must be configured like IP:PORT, and allowed addresses must be networks, comma separated.
How does the project deal with these fields that a newbie admin may trip over when configuring them? Tooltips, comments, or nothing because NetworkManager will bring the error message?
- New section with VPN interfaces, if any are detected.
- Add WireGuard button conditional on having kernel >= 5.6.
- Generate keys button conditional on having wireguard-tools installed. Distributions without this package will not be able to auto-generate; manual typing is needed.
> Questions:
> - Can a user-admin see the private key configured in a connection? Yes, for me. In NM you can. But I have not found how to get this key value because it is protected.
> ```
> ➜ ~ nmcli connection show wg1 | grep wireguard
> connection.type: wireguard
> wireguard.private-key: <hidden>
> wireguard.private-key-flags: 0 (cap)
> wireguard.listen-port: 0
> wireguard.fwmark: 0x0
> wireguard.peer-routes: sí
> wireguard.mtu: 0
> wireguard.ip4-auto-default-route: -1 (default)
> wireguard.ip6-auto-default-route: -1 (default)
> ```
> This setting is hidden by default, but can be shown with `--show-secrets`:
> ```
> ➜ nmcli -show-secrets connection show wg1 | grep wireguard
> connection.type: wireguard
> wireguard.private-key: ULQiG2CUuR4/BpYlXj081Y12xYApQ/1b0fBEsUosl30=
> wireguard.private-key-flags: 0 (cap)
> wireguard.listen-port: 0
> wireguard.fwmark: 0x0
> wireguard.peer-routes: sí
> wireguard.mtu: 0
> wireguard.ip4-auto-default-route: -1 (default)
> wireguard.ip6-auto-default-route: -1 (default)
> ```
> I have inspected the function that loads the NetworkManager D-Bus tree into the frontend, but a wireguard object like `connection`, `ipv4`, `ipv6` isn't present (and so wireguard.private-key isn't either)
Ok, that's a bummer. I also see no WireGuard support in GNOME itself, but I can import a connection file. This blog post says the D-Bus API should support it, hmmm.
I did find:
And this can be exposed in cockpit with the following patch:
--- a/pkg/networkmanager/interfaces.js
+++ b/pkg/networkmanager/interfaces.js
@@ -972,7 +972,8 @@ export function NetworkManagerModel() {
"org.freedesktop.NetworkManager.Device.Bond",
"org.freedesktop.NetworkManager.Device.Team",
"org.freedesktop.NetworkManager.Device.Bridge",
- "org.freedesktop.NetworkManager.Device.Vlan"
+ "org.freedesktop.NetworkManager.Device.Vlan",
+ "org.freedesktop.NetworkManager.Device.WireGuard"
],
props: {
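Review bot: `org.freedesktop.NetworkManager.Device.WireGuard` is appended to the same interface list as Bond/Team/Bridge/Vlan, so a WireGuard device will be modelled like any other software device and shown as a plain interface; the requirement raised earlier in this thread is that it be recognisable as a VPN, so wherever this list (or the device type it maps to) feeds a type label or the proposed "VPN interfaces" section, WireGuard needs its own mapping too, otherwise the interface still appears untagged.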
@@ -992,6 +993,10 @@ export function NetworkManagerModel() {
Carrier: { def: true },
Speed: { },
Managed: { def: false },
+ // WireGuard
+ PublicKey: { },
+ ListenPort: { },
+ FwMark: { },
// See below for "Members"
},
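Review bot: `PublicKey`, `ListenPort` and `FwMark` are declared without a `def`, unlike the neighbouring `Carrier: { def: true }` and `Managed: { def: false }`, so consumers read `undefined` until NetworkManager delivers the property (and, as noted later in the thread, that only happens while the device is active). Either give them defaults (`def: ""`, `def: 0`) or guard the details view, otherwise an inactive WireGuard interface renders blank fields.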
But that doesn't give the information you want for the modal (for editing)
> - Can a user-admin see the public key configured in a connection, after it has been configured?
> The public key value is not stored and not shown in NetworkManager. I see that the `wg` tool which comes with `wireguard-tools` gives you the public key of a configured interface. Need to investigate more how to retrieve it... maybe it can be found inside `/proc`, in general for all distributions... any idea?
As shown above it can be retrieved.
> - Endpoints must be configured like IP:PORT, and allowed addresses must be networks, comma separated.
> How does the project deal with these fields that a newbie admin may trip over when configuring them? Tooltips, comments, or nothing because NetworkManager will bring the error message?
Patternfly has tooltips and validation so this is something we can add and do in other places in the UI
I think the dialog should use the connection settings API:
```
[jelle@t14s][~/projects/cockpit/main]%busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager/Settings/36 org.freedesktop.NetworkManager.Settings.Connection GetSettings
a{sa{sv}} 5 "connection" 6 "id" s "home" "interface-name" s "home" "permissions" as 0 "timestamp" t 1660570370 "type" s "wireguard" "uuid" s "$UUID" "wireguard" 1 "peers" aa{sv} 1 4 "public-key" s "PUBKEY" "endpoint" s "8.8.8.8:10" "persistent-keepalive" u 25 "allowed-ips" as 1 "10.0.0.0/24" "ipv4" 6 "address-data" aa{sv} 1 2 "address" s "10.200.200.4" "prefix" u 32 "addresses" aau 1 3 339339 32 0 "dns-search" as 0 "method" s "manual" "route-data" aa{sv} 0 "routes" aau 0 "ipv6" 6 "address-data" aa{sv} 0 "addresses" a(ayuay) 0 "dns-search" as 0 "method" s "disabled" "route-data" aa{sv} 0 "routes" a(ayuayu) 0 "proxy" 0
```
> I also see no wireguard support in GNOME itself
It's supposedly a feature in GNOME 43, which has just hit beta.
https://9to5linux.com/gnome-43-alpha-released-to-kick-off-guadec-2022-in-guadalajara-mexico
The upcoming GNOME desktop release also comes with a new Sidebar and the ability to zoom the Week view for GNOME Calendar, support for composite emoji in GNOME Characters, improved handling of VPN connections (especially for WireGuard), more Wayland improvements, and more GTK4 and libadwaita ports.
However, I'm on the latest GNOME OS nightly in GNOME Boxes (Nightly) and I don't see it:
Perhaps it requires something in the stack that isn't in GNOME OS (yet)?
I did try Fedora Silverblue rebased to Rawhide and did install all the wireguard related packages Fedora ships with (`wireguard-tools`, `wgctrl`), just in case. But it doesn't show WireGuard either. (It does have an SSH connection as VPN which seems nifty though, and PPTP is there too.)
I did a little digging around and found the original PR for GNOME Settings about wireguard creating and editing support — with screenshots — @ https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1125, but it was closed in favor of https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1364 which is still open (and marked as WIP).
Here are the screenshots, for comparison (you can tell it's from an older PR as these aren't using the newer libadwaita style):
Meanwhile, GNOME Shell did get support for wireguard toggling in VPNs @ https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1995.
I guess this is what the blog post was talking about? And I guess creating and editing will (eventually) show up in GNOME 44?
Oh and FYI, how I found the settings D-Bus calls was by running `sudo busctl monitor > log` and in a different terminal running `nmcli con show home`, and you can see how they create a new profile with `nmcli con import type wireguard file /etc/wireguard/home.conf`.
> > I also see no wireguard support in GNOME itself
>
> It's supposedly a feature in GNOME 43, which has just hit beta.
> https://9to5linux.com/gnome-43-alpha-released-to-kick-off-guadec-2022-in-guadalajara-mexico
> The upcoming GNOME desktop release also comes with a new Sidebar and the ability to zoom the Week view for GNOME Calendar, support for composite emoji in GNOME Characters, improved handling of VPN connections (especially for WireGuard), more Wayland improvements, and more GTK4 and libadwaita ports.
> Meanwhile, GNOME Shell did get support for wireguard toggling in VPNs @ https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1995.
> I guess this is what the blog post was talking about? And I guess creating and editing will (eventually) show up in GNOME 44?
I assume they first added Wireguard support in NetworkManager and importing of profiles. And then gradually support it in GNOME itself \o/
Already being able to toggle it in GNOME Shell is a big win for me :-)
Happy to read you! Summing up:
Need to read the Device.Wireguard object. We want `ListenPort` and `PublicKey`. I understand that with that patch we are able to load the properties of the Device.Wireguard object?
--- a/pkg/networkmanager/interfaces.js
+++ b/pkg/networkmanager/interfaces.js
@@ -972,7 +972,8 @@ export function NetworkManagerModel() {
"org.freedesktop.NetworkManager.Device.Bond",
"org.freedesktop.NetworkManager.Device.Team",
"org.freedesktop.NetworkManager.Device.Bridge",
- "org.freedesktop.NetworkManager.Device.Vlan"
+ "org.freedesktop.NetworkManager.Device.Vlan",
+ "org.freedesktop.NetworkManager.Device.WireGuard"
],
props: {
@@ -992,6 +993,10 @@ export function NetworkManagerModel() {
Carrier: { def: true },
Speed: { },
Managed: { def: false },
+ // WireGuard
+ PublicKey: { },
+ ListenPort: { },
+ FwMark: { },
// See below for "Members"
},
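Review bot: these three properties are read from the `Device.WireGuard` D-Bus object, which NetworkManager only populates while the connection is up, so a saved but inactive connection shows nothing here; that is the "I can't see them" result rather than a defect in the patch. For the add/edit dialog, read the stored configuration through `org.freedesktop.NetworkManager.Settings.Connection` `GetSettings` (the busctl call earlier in the thread) and the private key separately through `GetSecrets`.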
I can't see them...
- Need to call GetSecrets to obtain the private-key from the WireGuard instance.
I have found that there's a GetSecrets method for that, and the private key is stored there. How can I call this method from Cockpit?
```
➜ ~ dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager/Settings/13 org.freedesktop.NetworkManager.Settings.Connection.GetSecrets string:"wireguard"
method return time=1661020841.177166 sender=:1.12 -> destination=:1.19778 serial=84779 reply_serial=2
array [
dict entry(
string "connection"
array [
]
)
dict entry(
string "wireguard"
array [
dict entry(
string "peers"
variant array [
array [
dict entry(
string "public-key"
variant string "xq/101tmyY6nM9IgXobQ6MZr5+YK+0gLkFUKjE72cHo="
)
]
]
)
dict entry(
string "private-key"
variant string "0IiqhN9DBmKsXx5mjknRbSgu8wLybzqUsV1+1RwsLnI="
)
]
)
dict entry(
string "ipv4"
array [
]
)
dict entry(
string "ipv6"
array [
]
)
dict entry(
string "proxy"
array [
]
)
]
```
Or as a workaround, we can call it from the CLI with cockpit.console...
```
➜ ~ nmcli --show-secrets -f wireguard.private-key connection show wireguard
wireguard.private-key: 0IiqhN9DBmKsXx5mjknRbSgu8wLybzqUsV1+1RwsLnI=
➜ ~
```
With:
diff --git a/pkg/networkmanager/interfaces.js b/pkg/networkmanager/interfaces.js
index 277ede9de..4795b681f 100644
--- a/pkg/networkmanager/interfaces.js
+++ b/pkg/networkmanager/interfaces.js
@@ -972,7 +972,8 @@ export function NetworkManagerModel() {
"org.freedesktop.NetworkManager.Device.Bond",
"org.freedesktop.NetworkManager.Device.Team",
"org.freedesktop.NetworkManager.Device.Bridge",
- "org.freedesktop.NetworkManager.Device.Vlan"
+ "org.freedesktop.NetworkManager.Device.Vlan",
+ "org.freedesktop.NetworkManager.Device.WireGuard"
],
props: {
@@ -992,6 +993,8 @@ export function NetworkManagerModel() {
Carrier: { def: true },
Speed: { },
Managed: { def: false },
+ PublicKey: { },
+ ListenPort: { },
// See below for "Members"
},
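Review bot: `FwMark` from the earlier version of this hunk is dropped here, which is fine while the dialog does not expose it, but `PublicKey` on the device is still only available for an active interface; since the public key is not stored in the connection settings, the dialog can derive it from the private key with `wg pubkey` (from `wireguard-tools`, the same package already required for `wg genkey`) via `cockpit.spawn()` when the interface is down.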
diff --git a/pkg/networkmanager/network-main.jsx b/pkg/networkmanager/network-main.jsx
index 09402b8be..2949ded6b 100644
--- a/pkg/networkmanager/network-main.jsx
+++ b/pkg/networkmanager/network-main.jsx
@@ -71,6 +71,7 @@ export const NetworkPage = ({ privileged, operationInProgress, usage_monitor, pl
return;
const dev = iface.Device;
+ console.log(iface);
const show_traffic = (dev && (dev.State == 100 || dev.State == 10) && dev.Carrier === true);
plot_ifaces.push(iface.Name);
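Review bot: `console.log(iface)` is a debugging statement that dumps the entire interface model object to the browser console on every render of the Network page; given the plan to pull the WireGuard private key into the model via `GetSecrets`, anything attached to `iface` would end up in the console, so remove this line before opening the PR.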
I do see the ListenPort/PublicKey but only when the device is active, not inactive. So that's not super useful. Probably better to get it from the settings.
> - Need to call GetSecrets to obtain the private-key from the WireGuard instance.
> I have found that there's a GetSecrets method for that, and the private key is stored there. How can I call this method from Cockpit?
This is possible, see for example:
https://github.com/cockpit-project/cockpit/blob/main/pkg/networkmanager/interfaces.js#L774
`objpath` resolves to `path: "/org/freedesktop/NetworkManager/Settings/29"` for me, so you need to call
```javascript
// GetSecrets takes the setting name as its single argument (see the dbus-send call above)
client.call("/org/freedesktop/NetworkManager/Settings/29", "org.freedesktop.NetworkManager.Settings.Connection", "GetSecrets", ["wireguard"])
```
Haven't tested it myself.
Thanks Jelly! With all this information I can already see an initial feasible version. I will try to put it in the oven this week!
Cool! Feel free to make a draft PR then I can take a look at the code.
@gil-obradors
What is the current status of this issue?
I stopped my work when I ran into trouble trying to recover credentials from WireGuard via D-Bus. Maybe remote commands from the shell can be a workaround, but not via D-Bus interfaces (at least as far as I managed to get).
Some work, with screenshots, is here
@subhoghoshX is working on this topic as Google Summer of Code project. See PR #19024 for a first draft.
So, this works well. Would be nice to have two things:
Thanks for the feedback @mispp. Yes having a PersistentKeepalive is a nice to have in a few situations. Created an issue #19491.
I'm not clear about the benefit of having separate text inputs for each allowed-ips. Is having a comma/space separated list of IPs confusing? Or is the problem that the width of the input field is too small? In the latter case it can be moved to a separate row if PersistentKeepalive is added. We can't fit four fields in a row anyway.
Benefits I see:
This is definitely not a must. If this is not implemented, can you at least put an example below the textbox? My first try included spaces after the comma, which got invalidated.
Making the textbox wider would help.
Thanks for making an issue for keepalive.
One more thing which would be nice and would make many tools obsolete: adding a download/send configuration for the opposite peer. Think in terms of server (the machine running this Cockpit) and other peers (road warriors). Configuration for road warriors could be downloaded here in INI format (like what the Android app uses).
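Pulling together the input rules raised in this thread (endpoints as IP:PORT, allowed-ips as a comma-separated list that should tolerate a space after the comma, manually typed keys that must decode to 32 bytes, and the optional persistent keepalive), here is an added JavaScript example, not code from the Cockpit project, that validates those dialog fields and assembles one entry for NetworkManager's `wireguard` → `peers` setting in the shape the busctl `GetSettings` output above shows. The function names and error strings are my own; it assumes Node.js `Buffer` for base64 and uses the peer public key from the Python snippet earlier in the thread as sample input.

```javascript
// Added example (not cockpit project code): validate WireGuard dialog fields
// and build one a{sv} entry for NetworkManager's "wireguard" -> "peers" setting.
// Assumes Node.js Buffer for base64; IP literals only, no DNS lookups.

function isIPv4(s) {
    const parts = s.split(".");
    return parts.length === 4 &&
        parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// A WireGuard key is 32 raw bytes in base64: 43 alphabet chars plus one "=".
// Re-encoding must reproduce the input; that rejects stray padding bits that
// Buffer.from() would otherwise accept silently.
function isWireGuardKey(key) {
    if (typeof key !== "string" || !/^[A-Za-z0-9+/]{43}=$/.test(key))
        return false;
    const raw = Buffer.from(key, "base64");
    return raw.length === 32 && raw.toString("base64") === key;
}

// Endpoint is HOST:PORT; HOST is an IPv4 literal, a DNS name, or a bracketed
// IPv6 literal ("[fd00::1]:51820"). An unbracketed IPv6 address is rejected
// because the port would be ambiguous. Returns {host, port} or null.
function parseEndpoint(s) {
    const m = /^(?:\[([0-9a-fA-F:.]+)\]|([^\s:\[\]]+)):(\d{1,5})$/.exec(s.trim());
    if (!m) return null;
    const bracketed = m[1] !== undefined;
    const host = bracketed ? m[1] : m[2];
    const port = Number(m[3]);
    if (port < 1 || port > 65535) return null;
    if (bracketed && !host.includes(":")) return null;
    if (!bracketed && /^[\d.]+$/.test(host) && !isIPv4(host)) return null;
    return { host, port };
}

// allowed-ips is a list of CIDR networks. "10.0.0.0/24, 192.168.1.0/24" was
// rejected by the dialog because of the space after the comma, so split on
// commas and whitespace before validating. Returns the array or null.
function parseAllowedIps(s) {
    const entries = s.split(/[,\s]+/).filter(Boolean);
    if (entries.length === 0) return null;
    for (const e of entries) {
        const m = /^([^/]+)\/(\d{1,3})$/.exec(e);
        if (!m) return null;
        const [, addr, prefix] = m;
        const v4 = isIPv4(addr) && Number(prefix) <= 32;
        const v6 = addr.includes(":") && /^[0-9a-fA-F:]+$/.test(addr) && Number(prefix) <= 128;
        if (!v4 && !v6) return null;
    }
    return entries;
}

// Validate every field at once so the dialog can show all errors as helper
// text, then build the peer using NetworkManager's key names.
// Returns {ok: true, peer} or {ok: false, errors}.
function buildPeer(fields) {
    const errors = {};
    if (!isWireGuardKey(fields.publicKey))
        errors.publicKey = "Public key must be 32 bytes, base64-encoded (44 characters)";
    const endpoint = (fields.endpoint || "").trim();
    if (endpoint && !parseEndpoint(endpoint))
        errors.endpoint = "Endpoint must be HOST:PORT, e.g. 192.168.2.1:51820";
    const allowedIps = parseAllowedIps(fields.allowedIps || "");
    if (!allowedIps)
        errors.allowedIps = "Allowed IPs must be networks like 10.0.0.0/24, separated by commas";
    const keepalive = fields.persistentKeepalive;
    if (keepalive !== undefined && !(Number.isInteger(keepalive) && keepalive >= 0 && keepalive <= 65535))
        errors.persistentKeepalive = "Persistent keepalive must be 0-65535 seconds";
    if (Object.keys(errors).length > 0) return { ok: false, errors };
    const peer = { "public-key": fields.publicKey, "allowed-ips": allowedIps };
    if (endpoint) peer.endpoint = endpoint; // optional: a server-side peer has none
    if (keepalive) peer["persistent-keepalive"] = keepalive;
    return { ok: true, peer };
}
```

Each value in `peer` would still be wrapped in a D-Bus variant before `AddConnection`, as the Python example earlier in the thread does.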
It would be great to have a VPN section on the Networking page.
This should be like the Firewall functionality, where it's exposed on the Networking page yet has additional details on a sub-page.
It could include Wireguard and OpenVPN.