Re: [Openvpn-devel] Re: Interface with GUI agent

[James Yonan]

On Tuesday 06 July 2004 16:58, Mathias Sundman wrote:
> Some more things to consider...
>
> 1. On Windows, if the the service wrapper has started some openvpn
> processes before our gui agent is started, how should find out about
> those processes?
>
> I can think of the following ways:
>
> 1a. Ask the service wrapper via the socket interface that I'm working on
> right now. This will require the service wrapper not only start the
> processes, but keep a table over running processes.

I think it's an important point worth some discussion on whether to (a) put 
all the "intelligence" in the GUI applet and have the service wrapper just be 
a basic proxy to an admin-privileged CreateProcess, or (b) write a portable 
service wrapper that's designed to run on all the OSes which OpenVPN 
currently supports, and which would do all the "under-the-hood" work in 
starting/stopping/managing of different OpenVPN processes, and the GUI applet 
would do nothing more than export the control interface of the portable 
service wrapper to a platform-specific, lightweight GUI.

(a) is probably simpler to develop, but (b) may be a better solution long-term 
because it handles the management interface in a portable way, and makes the 
GUI itself (which probably needs a separate admin module for Win32, YaST, X, 
http, etc.) as lightweight and stateless as possible.

Now the way I would implement (b) is to design as much of the "portable 
service wrapper" code as is possible without actually coding any function 
calls to create windows or dispatch window messages or do any GUI stuff 
directly.  The service wrapper would take care of instantiating OpenVPN 
processes, managing the 127.0.0.1 port pool to communicate with the 
processes.

Now the GUI applet itself becomes very simple and stateless, it only needs to 
connect to the service wrapper, and any window message corresponding to a 
user mouse action gets encoded into a simple command that gets sent to the 
service wrapper.

I agree that this is a more complicated problem to solve because now we have 
the service wrapper which is talking to the individual OpenVPN processes, and 
we have the GUI applet talking to the service manager.

But long term (IMHO) this gives us great flexibility to easily port the GUI 
applet to other interfaces, such as even http.  It would be very cool, for 
example, if with a little bit of php programming, you could control your 
OpenVPN instances via a web interface for example.  You wouldn't need to 
rewrite a huge program which deals with all the details of 
starting/stopping/managing the pool of OpenVPN processes, because that 
program would already exist as the cross-platform service wrapper daemon.

> 1b. Scan a defined directory for config files, and require the config
> files to have a management option. Then we can try connecting to the
> specified tcp port to find if there is a running ovpn process.

No, I don't think people should explicitly put the management option in their 
config files.

> 1c. Query the system for processes with the name "openvpn", and which
> sockets this process has opened. Then we could try connecting to those
> ports to find the management socket.

I don't like the idea of querying the system for "openvpn" processes (for one 
there's no portable API for querying the system for processes).  I would 
rather see the manager deal with managing a pool of local ports.

> I dislike 1b because it would complicate for the user, that he has to have
> the management option in his config-file. If using 1a that is handled
> automaticly by the gui or service wrapper.

I agree, the management option is something that should be programmatically 
placed on the command line by the program which does the CreateProcess to 
start the OpenVPN instantiation on a given config file.

> The drawback with 1a is, how do we handle the same thing on unix? There
> could be situations where we would like start the vpn before a gui agent
> here to. Are we back to what Jan K said, we need a "service wrapper" for
> unix to, that can run at al ltime as a deamon and keep track of our
> openvpn processes? It would require some extra work writing this deamon
> to, but it would give us a consistent way of starting openvpn processes
> from a gui agent regardless of the platform.

I'm not sure that we need to add the complexity of a service wrapper on unix, 
because most unix users take it as a matter of course that touching the 
network configuration requires root privileges.

I think it's fair to say that root is required, and if someone _really_ wants 
to control tunnels from non-root, then they must SUID the binary, or change 
the permissions on the tun/tap device node.

>
>
>
> 2. How should the service wrapper know which configs to launch at
> start-up? To maintain backwords-compatibility it should launch all config
> files in the config folder. However the gui agent should be able to
> handle both processes started at boot-time and other that is 

[Openvpn-devel] Re: Interface with GUI agent

[James Yonan]

On Tuesday 06 July 2004 04:25, Mathias Sundman wrote:
> On Tue, 6 Jul 2004, Jan Kiszka wrote:
> > If it's not a windows specific problem, then I suppost it's best to
> > add the functionallity in the openvpn binary so we get the
> > portability.
> 
>  I don't think the openvpn binary needs to know about this.  But the
>  service wrapper probably needs a second mode of operation, where
>  instead of getting its config files by scanning a directory, it
>  listens on a local socket for a command from the GUI to start an
>  openvpn.exe instance.
> >>>
> >>> Then don't forget that we will need a similar wrapper for unix as
> >>> well...

I'm not sure that we really need a wrapper for unix, because most unix users 
will control OpenVPN by:

(1) editing config files and starting from /etc/init.d, or
(2) using some sort of GUI-based admin tool such as YaST

and both of these methods are traditionally done as root.

> >> Why do we need a wrapper in unix? Can't the openvpn binary be run as a
> >> normal user in unix?
> >>
> >> If we need root-privs, what's wrong with installing openvpn as suid
> >> root and have it drop its privs after start-up?

Not a big problem, though some might prejudice a package which requires SUID.

> > Yes, this will work. But I'm afraid - maybe I'm wrong - that the GUI will
> > then have to be implemented quite differently on Windows and Unix. On
> > Windows, we would open a socket and both send the commands over it and
> > receive the status. On Unix, we would first start the process and then
> > connect to a socket for status information (BTW, which socket would then
> > be used when multiple instances of openvpn are running?).

Should the unix GUI be written for generic X, or should we develop admin 
modules for specific distros such as YaST?

I would go for the latter, because it will make the interface fit more 
seamlessly into a distribution's existing admin infrastructure.

> Yes and No. The way the GUI starts an openvpn process will have to
> implemented in diffrent ways for unix and windows. On Windows it will open
> a socket to the service wrapper and tell it to start an openvpn process
> with a specific config. On unix it will launch the openvpn process itself.
> This is not many lines of code so I think it can be handled with ifdefs
> quite cleanly.
>
> Then when the openvpn process has been started the gui connects to a
> socket that openvpn is listening on to receive status or send other
> commands that we can think of.
>
> The socket each openvpn process is listening on should be specified in the
> config-file with an option like "management 127.0.0.1 6001", where 6001 is
> the TCP port number. So each process should be listening on a unique port.
>
> A perhaps cleaner way is that the gui adds the manangement option when it
> starts the openvpn process, so the user don't have to bother setting the
> correct management option in his config-files.

I agree.  This is sort of like the way the current service wrapper passes 
--service to each OpenVPN process.

So the system-tray GUI manages a pool of 127.0.0.1 ports and allocates them to 
OpenVPN processes.

James