networking: VPN support #16992
Comments
Does this mean VPNs created by NetworkManager? Interestingly, NetworkManager shows my WireGuard VPN under "Wireguard" and OpenVPN under "VPN" |
Yes, it'd be nice for Cockpit to be able to create and manage VPNs. You're right that a good first step is to at least show that they exist (they do exist as another network currently, as you demonstrate @ #16948 (comment)) and we should visually tag them somehow as such. |
Hi! I'm interested in making contributions to the Network views. I'm currently working on NetDevOps, but recently met Cockpit. |
@gil-obradors: That's great! If you happen to know about IRC and how to use that with an IRC client, we're on #cockpit on irc.libera.chat and generally are most active during European "business" hours. (Monday through Friday, central European time.) Although people hang out at all times of the day and even on the weekend and might reply at other times too... but standard hours are best for conversations. There's also a web-based way of joining and chatting with us using your browser at this link: When you do have the time (I suppose in June?), please drop by and we'd be happy to help. We also have contribution guidelines and documentation on our website @ https://cockpit-project.org/external/wiki/Contributing.html, which also includes how to set up your system to work on Cockpit: https://cockpit-project.org/external/source/HACKING.html |
Thanks @garrett! I will be fully free after the 18th of June. |
I'm trying to integrate WireGuard and OpenVPN. A basic object to generate this kind of VPN via D-Bus and NetworkManager (in Python):
And to create the interface
I will start with WireGuard because it's easier. OpenVPN has a lot of options to deal with. Points to discuss:
Hands on! |
Cool! Thanks for doing all the research!
For this we usually use packagekit, other pages have an option to install the required dependency if it's missing. There is a dialog for this in
Something which should maybe first require a change is how we show network interfaces: if I enable my WireGuard VPN named dedi, I don't really see that it's a VPN and what type. As far as I understand, WireGuard is its own interface type, so that should be possible to show: Thinking a bit further ahead, how would one edit a VPN in the future? Should it even be done through interfaces and not in a separate section? And for example
That should be possible with I think the WireGuard Android app is probably a good UI to look at for inspiration. It contains some more optional fields. |
Thanks @jelly for your time! As you know Cockpit in depth: in the OpenVPN scenario we need files with keys. Is there any solution better than specifying the file path on the system? (This implies having transferred the file before; WireGuard is more friendly in that...) I'm on it! I have the work quite advanced... maybe this weekend I can take it out of the oven 🍖 About the networking VPN layout page... maybe @garrett could show the way... There are many possibilities:
I don't care what we decide, I'm not very good at UI but I have time 😄 |
Do you mean the remote or the local system? We do have |
I think that Add VPN button with a dropdown menu is reasonable. I'm not really a fan of that pattern, but it sure beats tossing a ton of various VPN buttons on the page. We could just have add VPN with a selector too. However, the dialogs are pretty huge, especially the PPoE one:
BTW: It's looking great! I love the progress on this! 👍 |
Thanks for the comments @garrett and @jelly! With everything we have discussed... here is the result: I would put in some tooltips/text helpers/placeholders... for example, in the WireGuard endpoint, NetworkManager waits for <IP: HOST> format. How do you see it? If it looks fine, I'll continue with OpenVPN... and maybe FortinetSSL? It doesn't come by default like WireGuard, but it's an installable plugin like OpenVPN. Have a nice init(week)! |
Looks good, I think it makes sense to first make a PR for just the WireGuard functionality and then in future PRs add other VPN solutions. I do wonder if we don't need a separate section for your existing VPN profiles (from NetworkManager). As how else does one activate/de-activate and edit existing profiles? |
And if that's the case, then the add VPN button would go there. |
Thanks for these changes! Main network page: Wireguard should go to the right (which is the most default for the header actions), and shouldn't be primary (it should be secondary, like the rest). Wireguard should use an auto-install on add, if it's not installed already. If auto-install isn't possible (like on an OStree installation) and it isn't already installed, then it shouldn't show up. Similar for other VPN types. Headings should also be sentence case, so it should say "VPN interfaces" (lowercase i). Shouldn't FortiSSLVPN be "FortiClient"? https://www.fortinet.com/support/product-downloads Details page: We might want to indicate if it's a VPN interface somewhere in the details as well. Perhaps "VPN: wg0" |
OK :) I notice that through install_dialog and
But how do we deal with distributions that need to activate other repositories (RHEL, CentOS...)? |
It can be an acceptable workaround to focus on Ubuntu / Debian / Fedora for self-install behavior on ADD Wireguard. |
I personally don't want to recommend adding an EPEL repo as official instructions, I think we should only enable it on modern systems which have it. What we require for WireGuard in Cockpit should be the following:
Yes, we don't show anything for things we don't support, it's acceptable to require a modern kernel for this feature and we need NetworkManager > 1.16. So in short, I guess we want to install wireguard-tools? And then allow users to configure wireguard? |
Hi! Working on it. This is the current scenario:
Questions:
This setting is hidden by default. But it can be shown with --show-secrets:
I have inspected the function that loads network-manager dbus tree to frontend but wireguard object like cockpit/pkg/networkmanager/interfaces.js Line 480 in b971699
The public key value is not stored and not shown in NetworkManager.
How does the project deal with these fields, where a newbie admin may fail when configuring them? Tooltips, comments, or nothing because NetworkManager will bring the error message? |
Ok, that's a bummer, I also see no wireguard support in GNOME itself but I can import a connection file. This blog post says the DBus API should support it hmmm. I did find: And this can be exposed in cockpit with the following patch:
But that doesn't give the information you want for the modal (for editing)
As shown above it can be retrieved.
Patternfly has tooltips and validation so this is something we can add and do in other places in the UI |
I think the dialog should use the connection settings API
|
It's supposedly a feature in GNOME 43, which has just hit beta. https://9to5linux.com/gnome-43-alpha-released-to-kick-off-guadec-2022-in-guadalajara-mexico
However, I'm on the latest GNOME OS nightly in GNOME Boxes (Nightly) and I don't see it: Perhaps it requires something in the stack that isn't in GNOME OS (yet)? I did try Fedora Silverblue rebased to Rawhide and did install all the wireguard related packages Fedora ships with ( I did a little digging around and found the original PR for GNOME Settings about wireguard creating and editing support — with screenshots — @ https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1125, but it was closed in favor of https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1364 which is still open (and marked as WIP). Here are the screenshots, for comparison (you can tell it's from an older PR as these aren't using the newer libadwaita style): Meanwhile, GNOME Shell did get support for wireguard toggling in VPNs @ https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1995. I guess this is what the blog post was talking about? And I guess creating and editing will (eventually) show up in GNOME 44? |
Oh and FYI, how I found settings dbus calls was by running |
I assume they first added Wireguard support in NetworkManager and importing of profiles. And then gradually support it in GNOME itself \o/ Already being able to toggle it in GNOME Shell is a big win for me :-) |
happy to read you!
I can't see them...
Or as a workaround, we can call from the CLI with cockpit.console...
|
With:
I do see the ListenPort/PublicKey but only when the device is active, not inactive. So that's not super useful. Probably better to get it from the settings. |
This is possible, see for example: https://github.com/cockpit-project/cockpit/blob/main/pkg/networkmanager/interfaces.js#L774
Haven't tested it myself. |
Thanks Jelly! |
Cool! Feel free to make a draft PR then I can take a look at the code. |
@gil-obradors |
I stopped my work when I ran into trouble trying to recover credentials from WireGuard via D-Bus. Maybe remote commands from the shell can be a workaround, but not via D-Bus interfaces (at least what I managed to get). Some work from the screenshots is here |
@subhoghoshX is working on this topic as Google Summer of Code project. See PR #19024 for a first draft. |
So, this works well. Would be nice to have two things:
|
Thanks for the feedback @mispp. Yes, having a PersistentKeepalive is a nice-to-have in a few situations. Created an issue #19491. I'm not clear about the benefit of having separate text inputs for each allowed-ips. Is having a comma/space separated list of IPs confusing? Or is the problem that the width of the input field is too small? In the latter case it can be moved to a separate row if PersistentKeepalive is added. We can't fit four fields in a row anyway. |
Benefits I see:
This is definitely not a must. If this is not implemented, can you at least make an example below the textbox? My first try included spaces after the comma, which got invalidated. Making the textbox wider would help. Thanks for making an issue for keepalive. |
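The allowed-ips input discussed in the two comments above (a comma/space separated list that was rejected when a space followed the comma), as an added example that is not part of the thread or of Cockpit's code: a tolerant parser that validates every entry as a CIDR. All function names are hypothetical; it assumes a bare address means a single host and does not handle IPv4-embedded IPv6 forms.

```javascript
// Added example, not Cockpit code. All function names are hypothetical.

function isIPv4(addr) {
    const parts = addr.split(".");
    return parts.length === 4 &&
        parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isIPv6(addr) {
    // At most one "::" may replace a run of zero groups.
    // IPv4-embedded forms such as ::ffff:192.0.2.1 are not handled here.
    const halves = addr.split("::");
    if (halves.length > 2) return false;
    const groups = halves.flatMap(h => (h === "" ? [] : h.split(":")));
    if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
    return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Returns "address/prefix", or null when the entry is not a valid CIDR.
// Assumption: a bare address is treated as a single host (/32 or /128).
function normalizeCidr(entry) {
    const m = /^([^/]+)(?:\/(\d{1,3}))?$/.exec(entry);
    if (!m) return null;
    const max = isIPv4(m[1]) ? 32 : isIPv6(m[1]) ? 128 : -1;
    if (max < 0) return null;
    const prefix = m[2] === undefined ? max : Number(m[2]);
    return prefix <= max ? `${m[1]}/${prefix}` : null;
}

// Accepts commas, whitespace, or both between entries, so "a, b" is valid.
// catchAll flags a /0 entry, which matches every address of its family.
function parseAllowedIps(text) {
    const valid = [], invalid = [];
    for (const entry of text.split(/[\s,]+/).filter(e => e !== "")) {
        const cidr = normalizeCidr(entry);
        (cidr ? valid : invalid).push(cidr || entry);
    }
    return { valid, invalid, catchAll: valid.some(v => v.endsWith("/0")) };
}

// Constructed sample input, including the space-after-comma case.
console.log(parseAllowedIps("10.0.0.0/24, fd00::/64 192.168.1.5"));
console.log(parseAllowedIps("0.0.0.0/0,10.0.0.1/33,300.1.1.1/24"));
```

Returning the rejected entries separately lets a dialog name the exact entry that failed instead of invalidating the whole field.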
One more thing which would be nice and it would make many tools obsolete: adding a download/send configuration for the opposite peer. Think in terms of server (machine running this cockpit) and other peers (road warriors). Configuration for road warriors could be downloaded here in ini Format (like what Android App uses) |
It would be great to have a VPN section on the Networking page.
This should be like the Firewall functionality, where it's exposed on the Networking page yet has additional details on a sub-page.
It could include Wireguard and OpenVPN.