OpenVPN 3 Linux v18 (beta)
This release is a larger overhaul of the logging system, with a few
additional bug fixes and other improvements.
* Log system changes
In prior releases, the backend VPN client (openvpn3-service-client
processes) sent Log signals (events) to the log service
(openvpn3-service-logger process). If a user wanted to receive
real-time log events, they could easily do so by flipping a boolean
flag in the VPN session, managed by the session manager
(openvpn3-service-sessionmgr process). In this case, the session
manager would also pick up Log events from the VPN client and
forward them.
This architecture had a flaw which meant that if the log forwarding
in the session manager was enabled for a session, anyone could pick
up these log events. And if one of these log listeners turned off
the log forwarding, this would happen for all other listeners at
once. This design also meant that the VPN client process needed to
send Log events to two different destinations; both the logger and
the session manager.
With the change introduced in v18_beta, the VPN client process now
only sends Log events to the logger service. A user who wants to
receive log events now needs to call the
net.openvpn.v3.sessions.LogForward() method with the enable flag set,
instead of flipping the receive_log_events boolean property directly.
The session manager now performs proper access control on the caller
and then tells the log service to forward Log events directly to the
program wanting to receive them. To disable this forwarding, the
program calls the same method with the enable flag unset.
This new architecture also allows multiple log forwarders to run in
parallel without impacting the other listeners. Each forwarding is
now handled independently, and forwarding Log events no longer
impacts the session manager.
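The difference between the two designs, as a simplified in-process Python model. This is an added example, not OpenVPN 3 Linux code: the class names, the ACL dictionary, the user names and the session path are constructed, and plain method calls stand in for D-Bus calls and signals.

```python
# Simplified model of the two designs; constructed, not OpenVPN 3 Linux code.
from dataclasses import dataclass, field
@dataclass(eq=False)                      # identity hash, so usable in sets
class Listener:                           # stands in for a D-Bus client
    user: str
    inbox: list = field(default_factory=list)

class LegacyForwarder:   # pre-v18 model: one shared flag, events broadcast
    def __init__(self, subscribers):
        self.receive_log_events, self.subscribers = {}, subscribers
    def emit(self, session, msg):
        if self.receive_log_events.get(session):
            for sub in self.subscribers:  # no per-listener check
                sub.inbox.append(msg)

class LogService:        # v18 model: events go only to registered targets
    def __init__(self):
        self.targets = {}                 # session -> set of Listener
    def emit(self, session, msg):
        for target in self.targets.get(session, ()):
            target.inbox.append(msg)

class SessionManager:    # v18 model: authorize caller, then tell the logger
    def __init__(self, logsvc, acl):
        self.logsvc, self.acl = logsvc, acl   # acl: session -> allowed users
    def log_forward(self, caller, session, enable):
        if caller.user not in self.acl.get(session, ()):
            return False                      # caller fails access control
        targets = self.logsvc.targets.setdefault(session, set())
        (targets.add if enable else targets.discard)(caller)
        return True

def legacy_demo(sess="/example/session"):     # constructed session path
    alice, eve = Listener("alice"), Listener("eve")
    old = LegacyForwarder([alice, eve])
    old.receive_log_events[sess] = True       # alice enables forwarding
    old.emit(sess, "event-1")                 # eve receives it as well
    old.receive_log_events[sess] = False      # eve disables it for everyone
    old.emit(sess, "event-2")                 # alice never sees this one
    return alice.inbox, eve.inbox

def v18_demo(sess="/example/session"):
    alice, bob, eve = Listener("alice"), Listener("bob"), Listener("eve")
    mgr = SessionManager(LogService(), {sess: {"alice", "bob"}})
    granted = [mgr.log_forward(c, sess, True) for c in (alice, bob, eve)]
    mgr.logsvc.emit(sess, "event-1")
    mgr.log_forward(bob, sess, False)         # affects bob's forwarding only
    mgr.logsvc.emit(sess, "event-2")
    return alice.inbox, bob.inbox, eve.inbox, granted
```

In the legacy model the unauthorized listener both reads the event and silences it for the legitimate one; in the v18 model its request is refused and one listener unsubscribing leaves the other's forwarding intact.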
* Enhancement: openvpn3-as profiles can be started via systemd
In v16_beta a new systemd unit file was introduced to make it
possible to manage VPN sessions via systemd. With v18_beta
this integration has been extended to the openvpn3-as utility
which can download a VPN profile directly from an OpenVPN Access
Server.
When run as root, two new options can be used:
--systemd-start and --owner.
The first one will instruct openvpn3-as to enable the imported
configuration profile to be started automatically during boot.
The --owner option takes a username argument, which, when run as root,
will transfer the ownership of this VPN profile to the given
username. When the VPN session is started as root, the session
will automatically also be owned by the given user.
* Bugfix: openvpn3 session-start with web based authentication
The instruction guide to help continue with web based authentication
was misleading and no longer correct. This has been improved and
the console now contains the correct instructions.
* Bugfix: Configuration manager could mangle --verify-x509-name
When importing a configuration file with the --verify-x509-name
option, it would often be misinterpreted when the import was done
as a persistent configuration profile.
This has been resolved and the internal on-disk storage format
for persistent configuration profiles has been upgraded to correctly
handle this type of option class, with quoted strings.
<https://github.com/OpenVPN/openvpn3-linux/issues/90>
* Bugfix: openvpn3-service-configmgr could segfault
If the openvpn3-service-configmgr could not manage to reach the
net.openvpn.v3.log service (openvpn3-service-logger), it would
segfault, needlessly resulting in a core dump. This has been
resolved by adding proper error handling and exiting gracefully
with a more reasonable error message.
* Bugfix: Network Configuration state saving failing silently
When the Network Configuration service (openvpn3-service-netcfg)
configuration was to be written to disk and this failed, the prior
implementation ignored any errors. This has been improved and the
error is now presented to the user if saving the configuration
file fails.
* Bugfix: Python based config parser can now handle legacy algorithms
The v17_beta release introduced a --enable-legacy-algorithms flag
to be set on a configuration profile. This worked fine via the
openvpn3 config-manage interface, but the Python parser lacked the
parsing of this option. This has now been implemented, via the
--profile-override option.
* Bugfix: Python based config parser did not accept --auth-nocache
The --auth-nocache option is not a feature directly available in the
OpenVPN 3 Core library. But it does not block a configuration file
from working, so it was added to the internal "ignore list".
* Bugfix: openvpn2 could sometimes dump spurious error messages
If CTRL-C was pressed during the shutdown phase of a VPN session,
where it would typically wait for statistics data to be collected,
it could print various errors about local variables being
unavailable. This has now been improved.
The complete list of changes:
David Schneider (1):
docs: Fix incorrect doc paths in net.openvpn.v3.sessions docs
David Sommerseth (79):
core-extension: Revamp the whole OptionListJSON class
core-extension: Remove the ProfileMergeJSON class
ovpn3cli: Improve session-start tip with URL auth
python: Add support for enable-legacy-algorithms in config parser
python: Extend openvpn3.Configuration class with GetConfigName()
python: Extend openvpn3.Configuration class with SetOwnershipTransfer()
python: Extend openvpn3-as with systemd integration
python: Extend openvpn3-as with --owner
log/proxy: Switch over from RCPtr to std::shared_ptr
log/proxy: Add LogServiceProxyException exception class
log/proxy: Add LogServiceProxy::AttachInterface() helper function
configmgr: Switch over to LogServiceProxy::AttachInterface()
sessionmgr: Switch over to LogServiceProxy::AttachInterface()
netcfg: Switch over to LogServiceProxy::AttachInterface()
client: Switch over to LogServiceProxy::AttachInterface()
addons/aws: Switch over to LogServiceProxy::AttachInterface()
python: Add --auth-nocache to ConfigParser's ignore list
python: Fix spurious errors during disconnect in openvpn2
common: Add error handling to Configuration::File::Save()
dbus: Fix various warnings in connection.hpp
dbus: Fix/improve header inclusion in signal.hpp
client: Add missing include dbus-log.hpp in backend-signal.hpp
log: Fix several spelling errors in comments in logwriter.hpp
log: Remove the openvpn namespace and improve includes in dbus-log.hpp
build: Rework distro/systemd EXTRA_DIST file list
python: Allow --auth-retry to be passed on
tests: Fix incorrect namespace closing in machine-id test
build: Disallow AWS addon builds without OpenSSL
build: Remove hard-coded gio-unix-2.0 include paths
common: Fix missing header include for UID/GID lookups
dbus: Remove the openvpn namespace from DBus related classes
dbus: Extend DBus class with GetUniqueBusName()
dbus: Ensure the D-Bus connection is valid
dbus: Make path.hpp a separate compilation unit
dbus: Free some GError structures in DBusProxy calls
log: Refactor service.hpp to be a separate compilation unit
log: Replace RC/RCPtr based smart pointers with standard C++
log: Make dbus-log.hpp a separate compilation unit
log: Don't log or proxy empty log events
dbus: Extend with DBusSignalProducer::set_object_path()
client: Extend with BackendSignals::SetSessionPath()
client: Extend RegistrationConfirmation D-Bus method with session path
client: Extend BackendSignals with GetSessionPath() method
client: Provide related session path as a property
log: Implement net.openvpn.v3.log.AssignSession
client: Provide session path details to log service
log: Extend D-Bus logging with path filtering
log: Extend LogSender with ProxyStatusChange() method
log: Extend Logger class with LogSender forwarding support
log: Extend log forwarding to also include StatusChange signals
log: Implement base LoggerProxy class
log: Implement ProxyLogEvent method and D-Bus proxy helper class
log: Implement the LogForwardBase helper class
sessionmgr: Tear out the current SessionLogEvent implementation
log: Implement proper access control in LoggerProxy
sessionmgr: Re-implement log forwarding to end-users
log: Re-implement LogForwardBase to request forwarding via session manager
sessionmgr: Fix incorrect #include fencing
ovpn3cli: Re-implement log command with new logging infrastructure
log: Implement LogEvent::RemoveToken()
log: Remove session token from forwarded log events
python: Rework openvpn3.SessionManager for the new logging infrastructure
python: Update openvpn2 to properly disable logging on shutdown
distro/systemd: Disable log forwarding properly on shutdown
build: Install D-Bus policies in ${datadir}/system.d
dbus: Extend DBusSignalProducer with SendTarget() method
log: Extend LogSender::Log() with an optional target address
client: Rework BackendSignals to avoid Log signal duplication
dbus: Extend GLibUtils with CreateEmptyBuilderFromType()
log: Extend LogSender with GetLastLogEvent()
client: Extend internal session object with last_log_line property
sessionmgr: Re-implement last_log session object property
vendor: Upgrade ASIO to 1.22.1
dco: Upgrade to latest ovpn-dco git master
policy: Add a mandatory D-Bus policy for Log and StatusChange signals
docs: Update README with dependencies and distro changes
docs: Improve the net.openvpn.v3.log docs slightly
docs/README: Add info about systemd unit file
docs/README: Fix a few minor details
Jagadeesh Kotra (1):
docs: Fix missing information for net.openvpn.v3.configuration.Import