Support for OpenVPN3

[lstipakov]

This adds optional support for using OpenVPN3 client as an alternative to openvpn2.

Just replacing one client with another will not work:

 - OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.

 - OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.

To enable using openvpn3, one needs to build openvpn-gui with
./configure --enable-ovpn3 option. This also requires json-c library.

To switch betweet openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.

Management interface - enabled OpenVPN3 client will be added soon
to openvpn3 repo (along with existing "cli" test client). Also agent
service will be opensourced in near future.

[mattock]

Finally open source OpenVPN 3 is moving towards becoming a real alternative to OpenVPN 2. With this PR merged there are not that many blockers in front of having an OpenVPN 3-based open source Windows installer. 👍

[cron2]

Hi,

On Wed, Jan 08, 2020 at 11:44:40PM -0800, Samuli Seppänen wrote: Finally _open source_ OpenVPN 3 is moving towards becoming a real alternative to OpenVPN 2. With this PR merged there are not that many blockers in front of having an OpenVPN 3-based open source Windows installer. :+1:

While this sounds very nice, I'm somewhat wondering what the advantage would be... on Windows, with wintun merged, OpenVPN 2 should be able to do whatever OpenVPN 3 can (and with the same speed) - and more, so "investing quite a bit of work here" to get "less functionality" sounds like a non-optimal tradeoff. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany [email protected]

[mattock]

@cron2 technically you're correct. But getting more people to actually use a fully open source version of OpenVPN 3 is a good thing.

In my opinion the "make OpenVPN 3 a real open source project" part took way too long. Based on GitHub discussions (openvpn3, openvpn3-linux) it is finally gaining some traction. Maybe at some point a non-OpenVPN Inc. developer community will also form around it.

[lstipakov]

on Windows, with wintun merged, OpenVPN 2 should be able to do whatever OpenVPN 3 can (and with the same speed)

The keywords here are should and with the same speed.

Unfortunately this is not the case at the moment. When testing against openvpn3 backend with kernel acceleration, I got up to 1.8Gbit/s with openvpn3 client and 1.2Gbit/s with openvpn2 client (both wintun). As you see, the difference is significant.

I haven't looked deeper into that - it should be indeed possible to make openvpn2 up to speed with openvpn3. There must be something what ASIO does better than openvpn2 event loop.

Besides performance, having openvpn3 as an option in community client will give the openvpn3 project larger exposure, which I think it needs.

[mattock]

@selvanair any thoughts on the actual changes?

[selvanair]

@selvanair any thoughts on the actual changes?

I haven't got a chance to look at this carefully. Will do.

[mattock]

@selvanair if you can do this soonish we could get this out in 2.5.0. Optional OpenVPN 3.x support in the "official" OpenVPN GUI version would be nice imho.

[selvanair]

@selvanair if you can do this soonish we could get this out in 2.5.0. Optional OpenVPN 3.x support in the "official" OpenVPN GUI version would be nice imho.

Everyone is putting me on notice these days, I must be slacking..
I don't have a setup to test this with OpenVPN3 so I can only check that the changes wont break anything. Will do that but I'm not convinced this is ready for merging into master

(i) We won't be distributing the GUI with this enabled in 2.5.0, right?
(ii) Where can one find this "ovpnagent" service referred to here?

Unless we can provide instructions on how to install OpenVPN3 and the agent, I think we could merge this into a development branch and move to master only when ready for community use.

[selvanair]

I haven't tested with OpenVPN3 (could not find any info on how to build the agent) but here are some comments.
We conditionally check the version of openvpn2 on startup (openvpn.exe --version) which is probably okay as this assumes OpenVPN2 is installed even when the engine is set to OpenVPN3.

[selvanair]

We do log on all and state on in OnReady(), so is this required? Looks like this would have no effect except to add some delay.

[selvanair]

If run as admin or if InitServiceIO() fails, we will fall back to starting openvpn2 directly irrespective of the engine setting. It would be better to error out in that case.

More as a side note: The admin check was added when we used to support vista because of an obscure named pipe bug that could have led to a privilege escalation. With vista no longer supported, we should probably get rid of this restriction.

[facboy]

this seems to have atrophied somewhat. it merges on to master relatively easily (some things have been added to the Advanced dialog so it needs moving around), but it doesn't actually work against openvpn3 3.8-master (ie built off github master). ovpnagent logs a PAGE NOT FOUND error.

EDIT: turns out PAGE NOT FOUND is because i disabled OPENVPN_AGENT_START_PROCESS based on a comment on another issue. now ovpnagent successfully receives the request from openvpn-gui but it still doesn't work. openvpn-gui logs nothing in the status window and gives up after a bit.

[facboy]

ok, turns out the part that launches omiclient does not quote some of the file arguments, so on my system this results in it failing to launch.

[facboy]

apart from the indentation lgtm. i suspect there are some line-ending differences with my branch but i'm not sure if that's because there are incorrect line-endings in my branch, or on this branch.

[facboy]

the indentation on these lines is wrong now.

[facboy]

lgtm

[lstipakov]

I've pushed hopefully final version, changes from previous are -

• removed ovpn3-specific code to enable logging
• changed order from "log all on" to "log on all" - this is according to documentation and only supported way by openvpn3

There is a small bug in openvpn3 code - SUCCESS: password is correct string is missing \r\n and due to that OnReady() callback was never called. I've fixed that, hope this will be in openvpn3 master later this week. Meanwhile the fix is available on my repo (lstipakov/openvpn3@972b32d)

diff --git a/manage.c b/manage.c
index 1320b73..cfd96f9 100644
--- a/manage.c
+++ b/manage.c
@@ -272,12 +272,6 @@ OnManagement(SOCKET sk, LPARAM lParam)
                 ManagementCommand(c, c->manage.password, NULL, regular);
                 *c->manage.password = '\0';

-                if (o.ovpn_engine == OPENVPN_ENGINE_OVPN3)
-                {
-                    ManagementCommand(c, "log on all", NULL, regular);
-                    ManagementCommand(c, "state on all", NULL, regular);
-                }
-
                 continue;
             }

diff --git a/openvpn.c b/openvpn.c
index 12be5d6..81d457d 100644
--- a/openvpn.c
+++ b/openvpn.c
@@ -117,8 +117,8 @@ void
 OnReady(connection_t *c, UNUSED char *msg)
 {
     ManagementCommand(c, "state on", NULL, regular);
-    ManagementCommand(c, "log all on", OnLogLine, combined);
-    ManagementCommand(c, "echo all on", OnEcho, combined);
+    ManagementCommand(c, "log on all", OnLogLine, combined);
+    ManagementCommand(c, "echo on all", OnEcho, combined);
     ManagementCommand(c, "bytecount 5", NULL, regular);
 }

[facboy]

lgtm. been running your patched ovpn3 and this for the last few days.

[selvanair]

I have not tested using OpenVPN3, but the changes look sane, and use of OpenVPN 2.0 is not affected as far as I can see.

[lstipakov]

Looks like this is ready for merge (/me looks at @selvanair, @mattock and @cron2).