130 replies to this topic

[SpaceRat]

Eh, no.

That is only the case when you have a server that uses username/password (which will be hardcoded in the config file).

You can hardcode cacerts, keys and certificates inside profiles as well.

That's my recommended way, because OpenVPN Connect on Android and Apple requires it that way anyways, so any decent VPN solution with profile creation should support that way out of the box.

And guess what?
I've already considered the case where they are not hardcoded inside the profile but only linked.
The import process would just check for them in the same directory as the config and hardcode them during import.

Besides that, most people don't have a clue how to create an openvpn configuration,

... which brings us back to the reason why we need this plugin.

And if you want to use quotes, I've got one too: "There is never time to do it right, but there is always time to do it over and over again".

Which just proves my point.

You are struggling in thoughts - an employer would call them "excuses" - about things that do not matter yet and probably never will.
On the other hand - and that's just what your quote says - nothing would be carved in stone, it still could (and probably will) be changed later to further enhance things.

It's useless to spend thoughts on intermediate certs, hierarchical certs, blah bla bla.
What we have now (and as I see it here most probably will always have!) is absolutely nothing.

To everybody else reading this:
Read my lips - we won't have any decent (Open)VPN support in any Open*** for years if not never.

Make the next box you buy a Dreambox, they got an OpenVPN-Plugin in Gemini Blue Panel since 2012 or so.
There is absolutely not a single Open*** dev left who cares about real user's world problems.

[WanWizard]

I can't look into your head. All I do is ask "have you considered these points". If the answer is yes, fine, say so, and why haven't you started yet? But if the answer is no, then consider these things before you start.

 

And there is absolutely nothing more to it, you seem to see all sort of barriers that simply aren't there.

[SpaceRat]

As I said a zillion times before:
The barrier is that the E2 GUI part is none of my businesses.

I wouldn't even know where to start in order to get a list of existing OpenVPN profiles on the screen.
I can scan for them, I can parse them to fill a list/dictionary for the listing, but I simply can not write the E2 plugin to get things on the TV screen.

Maybe I should just stop thinking about it. As long as no Open*** distro has a proper OpenVPN plugin, people will continue to pay me for setting up OpenVPN for them
Probably that's the true spirit behind all *ix development: Make things as hard as possible to create jobs for 10 kEUR *ix admins.

[kermith]

Honestly, wouldn't it be better to implement IP tables? I Stream 99 % of the time from the same IP address. I understand that there are routers that handle this but buying new routers is a hassle. IP tables would be cheaper and compatible with all routers.

Sony Z5 Premium

[Erik Slagter]

Then your first step is to request the manufacturer of your settopbox to include iptables in their kernel in their BSP. OpenPLi has no role there.

[kermith]

Oh, didn't know it needed it on kernel level.

Sony Z5 Premium

[Erik Slagter]

Where do think the filtering takes place  Iptables is only a (small) tool that inserts the rule into the kernel. It doesn't do anything functional itself. So there is no use including the tool by itself without kernel support. The tool is already in the feed as far as I know (and always has been).

Edited by Erik Slagter, 12 January 2017 - 19:15.

[SpaceRat]

Honestly, wouldn't it be better to implement IP tables? I Stream 99 % of the time from the same IP address. I understand that there are routers that handle this but buying new routers is a hassle. IP tables would be cheaper and compatible with all routers.

oe-a images for Vu+ have iptables (and ip6tables).

[kermith]

Ok, though it was handed on OS level. Little did I know ;-) I'm in no way an expert and trust your word. Pity it can't be implemented though with boxes that today are so fast with loads of memory.

Sony Z5 Premium

[kermith]

Honestly, wouldn't it be better to implement IP tables? I Stream 99 % of the time from the same IP address. I understand that there are routers that handle this but buying new routers is a hassle. IP tables would be cheaper and compatible with all routers.

oe-a images for Vu+ have iptables (and ip6tables).

Open ATV?

Sony Z5 Premium

[Erik Slagter]

The Linux kernel IS the Operating System (although many people tend to include the complete environment of filesystem and tools into that definition).

As far as I know VU+ also enabled iptables in our kernels (BSP), so... did you already try it?

[kermith]

No, do I need a plugin for it?

Sony Z5 Premium

[WanWizard]

There isn't one afaik (because there was never iptables support) so you have to install iptables, add some rules, and see what happens.

[WanWizard]

p.s. I checked a long time ago, and at that time there were missing modules, like conntrack. I don't think that has been addressed, also don't see packages for libnetfilter, that conntrack uses.

[SpaceRat]

oe-a images for Vu+ have iptables (and ip6tables).

Open ATV?

OpenATV, OpenHDF, OpenViX, OpenSpa, OpenBH, OpenMips, OpenEight, OpenDroid, EGAMI, ...

Basically any distro with "Open" in the name that isn't OpenPLi (or OpenRSi) is an oe-a distro nowadays.

 

No, do I need a plugin for it?

There is an ancient "firewall" plugin, as the ancient DM800 came with IPTables enabled (But that had to be removed in order to enable more important features, "more important" as just having iptables doesn't make an E2 box a good border device.
I doubt it is good for anything though.

You preferably follow some more sophisticated tutorials for manual setup on Debian, but you most probably have to adjust the way to get the rules loaded on reboot.

I doubt the limited support for /etc/network/interfaces in busybox allows up, down, pre-up and so on actions inside it:

iface eth0 inet6 static
        pre-up ip6tables-restore < /etc/ip6tables.rules

You most likely have to use scripts under the corresponding
/etc/network/if-[down|up|pre-up|post-down].d
directories instead.

[littlesat]

You can also install iptables on openpli...

[Erik Slagter]

p.s. I checked a long time ago, and at that time there were missing modules, like conntrack. I don't think that has been addressed, also don't see packages for libnetfilter, that conntrack uses.

What modules are built is entirely up to what's enabled in the kernel and that is entirely up to the manufacturer. If modules are missing, complain to the manufacturer and have them change the linux kernel config.

 

If you mean the "conntrack" tool, that is another story, that's something OE should build. But frankly, I think you can do really well without this tool for basic filtering.

[Pippin]

Can put rules in init.d and then update-rc.d.

 

OpenVPN can use up/down to set rules.

 

Possibilities... using the owner module one can configure a killswitch for OpenVPN  

At least on OpenATV I have many modules available

[Erik Slagter]

No, do I need a plugin for it?

What do you expect from an iptables plugin? That it reads your mind and creates rules for you? I don't think that will be possible. For entering rules, I don't think a plugin will be very helpful nor handy.

 

On the other hand, if you find some plugin from possibly another image, that does the magic, you can quite possibly just install it and use it, it's only a thin layer between you and the "iptables" command after all.

[kermith]

Haha, I just thought I needed a plugin for it to install the necessary files.

Sony Z5 Premium