Peter,
The setup looks pretty much the same as I already had in mind and I (and the
colleague) would really like to give it a try. Personally I would like to
split the expert OpenVPN-project up into three pilots.
1) enable expert mode for server OpenVPN using one textarea (and
checkbox to enable it) on the vpn_openvpn_srv_edit.php page for global
expert settings
2) enable expert mode for client OpenVPN in the same way as in pilot 1
3) enable user expert mode. This is the tricky one for the GUI. It should
be an interface like the "add rules" screen with a name of the client
and another textarea for the expert options
In the short term option 1 would be realisable. Followed by option 2 and
perhaps option 3. It all can be stored into the same Config.xml as it's
used already.
How can we look a little bit further for the solution??
Regards,
Youri
-----Original Message-----
From: Peter Allgeyer [mailto:allgeyer at web dot de]
Sent: Wednesday 21 September 2005 12:52
To: Youri Kersloot
Cc: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: RE: [m0n0wall-dev] OpenVPN on beta10: missing routing option and some bugs?
Hi Youri!
Since it's interesting for other people, too, I post this to the
developers list, too.
On Wednesday, 21.09.2005, at 12:19 +0200, Youri Kersloot wrote:
> Peter,
>
> Now we're talking. I have medium PHP skills but a colleague of mine is
> much better in PHP. He agreed to assist if it won't cost him too much
> of his time (like a week fulltime to implement the expert mode).
>
> I think with some guidelines from your side what's possible and your
> point of view how to do (and more important what don't) the expert
> mode.
As I said earlier, I'm planning to move the openvpn parameters to their own
file under /var/etc or even /var/etc/openvpn. At the moment the openvpn
daemon is called by /etc/inc/openvpn.inc with a long list of parameters.
It's relatively easy to export these parameters to their own file just like
the mpd daemon does.
Little example, idea from interfaces.inc:
/* generate ovpn.conf */
$fd = fopen("{$g['varetc_path']}/ovpn_srv_tun{$i}.conf", "w");
$ovpnconf = <<<EOD
daemon
user nobody
group nobody
persist-tun
persist-key
keepalive 10 60
status /var/log/openvpn_{$if}{$i}.log 60
writepid /var/run/ovpn_srv_{$if}{$i}.pid
ca /var/db/ovpn_ca_cert_{$if}{$i}.pem
cert /var/db/ovpn_srv_cert_{$if}{$i}.pem
key /var/db/ovpn_srv_key_{$if}{$i}.pem
dh /var/db/ovpn_dh_{$if}{$i}.pem
verb {$bverb}
dev {$if}
port {$port}
max-clients {$maxcli}
server {$server}{$prefix}
cipher {$cipher}
{$duplicate_cn}
{$push_options}
{$expert_options}
EOD;
fwrite($fd, $ovpnconf);
fclose($fd);
This is the prework. Afterwards, just write a php page called
vpn_openvpn_expert.php which can be called from vpn_openvpn_srv_edit.php
or vpn_openvpn_cli_edit.php. Another possibility would be to have a
button to enable expert mode and a <textarea> in
vpn_openvpn_{srv,cli}_edit.php where you can add your own openvpn
parameters. Push the parameters into an array and add them to config.xml
like:
<ovpn>
<server>
<tunnel>
<tun_iface>tun0</tun_iface>
<bind_iface>all</bind_iface>
<port>1194</port>
<proto>udp</proto>
[...]
<expert>push 10.0.8.0 255.255.255.248</expert>
<expert>push 10.0.12.0 255.255.255.255</expert>
<expert>nice 10</expert>
<expert>fast-io</expert>
</tunnel>
</server>
</ovpn>
Keep in mind that there should probably be an option to have extra
directories for each client configuration for multi-client server
capability.
Expert parameters aren't parsed nor supported by m0n0wall.
Ciao ...
... PIT ...
---------------------------------------------------------------------------
copyleft(c) by | _-_ Computers are not intelligent. They only
Peter Allgeyer | 0(o_o)0 think they are.
---------------oOO--(_)--OOo-----------------------------------------------
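
The thread above has textarea input going into <expert> entries in config.xml and from there, unparsed, into the daemon's config file. The following is an added example, not m0n0wall code and not from either poster, of one way to split and screen that input before it is stored. The function names and the choice of which directives to refuse are assumptions of this example.

```php
<?php
/* Added example, not m0n0wall code. Function names are hypothetical. */

/* OpenVPN directives that run an external program or load a plugin.
   Refusing them in the textarea is this example's policy (an assumption). */
$ovpn_exec_directives = array("up", "down", "route-up", "ipchange",
    "tls-verify", "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "plugin");

/* Split textarea input into one option per line.
   Returns array($options, $errors). */
function ovpn_expert_split($text) {
    global $ovpn_exec_directives;
    $options = array();
    $errors = array();
    foreach (preg_split('/\r\n|\r|\n/', $text) as $n => $line) {
        $line = trim($line);
        if ($line === "" || $line[0] === "#" || $line[0] === ";")
            continue;   /* blank line or comment */
        if (preg_match('/[\x00-\x08\x0b-\x1f\x7f]/', $line)) {
            $errors[] = "line " . ($n + 1) . ": control character";
            continue;
        }
        /* first word is the directive; accept "--up" as well as "up" */
        $word = strtolower(ltrim(strtok($line, " \t"), "-"));
        if (in_array($word, $ovpn_exec_directives)) {
            $errors[] = "line " . ($n + 1) . ": '{$word}' runs an external program";
            continue;
        }
        $options[] = $line;
    }
    return array($options, $errors);
}

/* Emit one <expert> element per option, escaped for config.xml. */
function ovpn_expert_to_xml($options) {
    $xml = "";
    foreach ($options as $opt)
        $xml .= "<expert>" . htmlspecialchars($opt) . "</expert>\n";
    return $xml;
}

/* Constructed sample input, as it might arrive from the <textarea>. */
$sample = "nice 10\r\nfast-io\n\n# local note\nup /tmp/x.sh\n"
        . "push \"route 10.0.8.0 255.255.255.248\"\n";
list($opts, $errs) = ovpn_expert_split($sample);
echo ovpn_expert_to_xml($opts);
foreach ($errs as $e)
    echo "rejected {$e}\n";
```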