Does anyone else agree that VPN has become a nuisance in 2.0? - bad coding!
-
Hi everyone,
Everyone has been long waiting for 2.0 and I find it really frustrating that OpenVPN is now much harder and more complex for its configuration than the v1.2.3. Do you agree with me?
1- For example, certificate generation is in a totally different menu and VPN is somewhere else.
2- There is no place to quickly copy and paste OpenVPN client keys. In fact I don't even know how to copy and paste my OpenVPN key. I am talking OpenVPN as a client and not as a server. I would appreciate some input on this one.
3- This whole certificate generation is a mess because what if someone doesn't want to use it and use their own keys, why is the import so hard? Why has the dev team removed the simple copy and paste fields from OpenVPN server and client configs?
4- Is there any documentation for it? Or is there another good thread like the road warrior VPN thread that has all this covered for version 2.0?
I would like to know by show of hands how many people don't like the new way settings are done.
Thanks
-
There is a fine line between constructive criticism and criticism. How about expressing your concerns and mocking something up for the dev team to consider.
Bad code IMO is buggy and inefficient. What you have expressed is a UI that is not to your liking.
-
Fair enough. I am still looking for more feedback like this or different.
My intention is not to mock - I wanted to know if anyone else finds it difficult with changes that did not have to be done in a complex way like this.
Thanks
-
Rather than throwing stones, why don't you write an improvement to the OpenVPN module? It's open source and PHP is fairly straightforward to learn. Considering all the copious, free tech support you've been enjoying from the pfSense developers over the past year, it might be nice for you to give something back for a change instead of biting the hand that feeds you. Just a thought.
-
I find it really frustrating that OpenVPN is now much harder and more complex for its configuration than the v1.2.3. Do you agree with me?
I've done countless OpenVPN setups on 2.0 and have yet to speak to anyone who would agree with you. All those who were familiar with how things had to be done in 1.2.3 were especially polar opposite of you, they've all been absolutely thrilled with the way things work now. For ~98% of deployments where the certs are local on that firewall, it's drastically easier and faster. It would take me generally 30-45 minutes to do an OpenVPN remote access deployment from scratch on 1.2.3, and that can be done in 5-10 minutes now with the wizard, built in cert handling, and client export. For those who hadn't done such a deployment previously it commonly took hours to figure out for what they can now do in maybe 15 minutes.
For scenarios where you do need to paste in your certs it's two extra steps to import the CA and cert. That's a small minority though. One improvement I've thought of there previously is the ability to add a new cert right in the OpenVPN screens rather than having to go to the cert manager. Patches welcome.
-
But I found this guide very easy for v1.2.3: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
And no such thing exists for v2.0.
Could you please link the documentation for 2.0 for me and everyone else who is wondering how to work it? (Isn't the DH parameter value no longer needed in 2.0? - I can't see it in Cert Manager).
Regards,
-
I remember trying to get OpenVPN to work in 1.2.3 and it was an incredibly frustrating experience. I did get it to work a few times after countless hours of going through the how-to guides so I can understand why some people want to keep things the way they are after going through hoops in getting it to work in the first place. I can honestly say in 2.0 it's a lot better and quicker to get one going. Client export package is an absolute must have for OpenVPN. This is something I was using in IPCop with Zerina add-on installed (later project evolved over to IPFire).
I would try using the Wizard to get the feel of how it should be configured and then you can go back change the settings manually. Just make sure you create the users first with the certs so the client export package will work correctly. The defaults should get you up and running in no time. I was having problems trying to get things to work and later found out some old settings leftover from snapshot to snapshot in the config.xml so I had to edit out manually. Once I did that and created via the wizard it worked perfectly.
DH parameters are not needed in 2.0. So you should easily be able to import the existing certs in the SYSTEM >> CERT MANAGER.
Darkk
-
But I found this guide very easy for v1.2.3: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
And no such thing exists for v2.0.
Could you please link the documentation for 2.0 for me and everyone else who is wondering how to work it? (Isn't the DH parameter value no longer needed in 2.0? - I can't see it in Cert Manager).
Regards,
Out of curiosity have you looked in the 2.0 snapshots subforum here? There are 4 stickies at the top of the page dealing with OpenVPN on 2.0 and how to configure it and such. There's also a specific OpenVPN subforum here that when I looked in it had some 2.0 related threads. Chances are your issues have already been dealt with in one of those forums.
Documentation on 2.0 is lacking but from a development perspective why write documentation on a release that hasn't happened yet and may be subject to change? So they write up documentation on how to work around a bug in OpenVPN, two weeks later they fix the bug and the workaround is not only no longer needed but it may break the system in itself now. Now they have to go back and edit the documentation again. That's what the forums are for, to post bugs and find workarounds and to figure out how to do something until the release is finalized. Plus if they take time out to create and update public documentation with every bug and fix that's going to push out the release even farther.
-
There isn't a general update to the other documentation yet, it's close enough to 1.2.3, especially with the wizard for the most common setup, that you can figure it out with what's there for 1.2.3. It'll come with time (or when some non-core folks would like to help contribute).
Isn't the DH parameter value no longer needed in 2.0? - I can't see it in Cert Manager).
http://lmgtfy.com/?q=dh+parameters+2.0+site%3Adoc.pfsense.org
-
Working with OpenVPN over the past month again my input is that:
Please bring back the copy and paste of keys and certs in the same page where I create the OpenVPN server.
You can keep how it's working now but also allow the old method. Add a scroll down to copy and paste your own key or cert.
I never use the same key or cert for another VPN session so the management of keys and certs is really not needed. Now, there may be some who use it with multiple vpn server ??? but I think the amount of work put into VPN wizard and now distributing it all over the GUI has not really made it any easier.
To the novice user it's still very hard. To the experienced user you have to still go back and check your notes and play a few times until all works.
Regards,
-
@cmb:
I find it really frustrating that OpenVPN is now much harder and more complex for its configuration than the v1.2.3. Do you agree with me?
I've done countless OpenVPN setups on 2.0 and have yet to speak to anyone who would agree with you. All those who were familiar with how things had to be done in 1.2.3 were especially polar opposite of you, they've all been absolutely thrilled with the way things work now. For ~98% of deployments where the certs are local on that firewall, it's drastically easier and faster. It would take me generally 30-45 minutes to do an OpenVPN remote access deployment from scratch on 1.2.3, and that can be done in 5-10 minutes now with the wizard, built in cert handling, and client export. For those who hadn't done such a deployment previously it commonly took hours to figure out for what they can now do in maybe 15 minutes.
OMG ++++1!
When I migrated to 2.0 and redid my OpenVPN config I couldn't believe how short it was!
I mean I expected to be in front of my computer re configuring it for at least 1hr! 15 Min I was done!
The wizard is so simple and straightforward. It even adds the fw rules for you :)
-
It's all about change just like when Microsoft creates a new OS you have to adapt to it. Some things may have changed and look a little different, kind of like the start button in old Windows XP, it used to say start now it is just a circle with a windows flag in it.
The OpenVPN is 10 times easier in 2.0, configure one box correctly and you will see. I could configure a 2.0 VPN in 5 or less minutes.
You need to read the forums and the documentation on the pfsense website.
What may be nice is an area on the website dedicated to 2.0 documentation and one dedicated to 1.2.3.
All this stuff seems to work great but documentation is usually difficult to find for new users of 2.0.
Here are some 2.0 VPN Roadwarrior setup guides.
http://forum.pfsense.org/index.php/topic,22115.0.html
http://blog.stefcho.eu/?p=492
-
I had absolutely no idea how to do this but after 5 minutes on Google I had a step by step video tutorial from YouTube. Watched it and I had my RoadWarrior OpenVPN up and working in less than 15 minutes, so I don't think that it has become too difficult.
http://www.youtube.com/watch?v=odjviG-KDq8
-
Please bring back the copy and paste of keys and certs in the same page where I create the OpenVPN server.
You can keep how it's working now but also allow the old method. Add a scroll down to copy and paste your own key or cert.
Patches accepted.
I never use the same key or cert for another VPN session so the management of keys and certs is really not needed. Now, there may be some who use it with multiple vpn server ??? but I think the amount of work put into VPN wizard and now distributing it all over the GUI has not really made it any easier.
To the novice user it's still very hard. To the experienced user you have to still go back and check your notes and play a few times until all works.
It's not harder. It's harder for you, perhaps, but the system is a lot more powerful and easier for most (and pretty much everyone else agrees it's better). As the old saying goes, you can't please everyone.
What may be nice is an area on the website dedicated to 2.0 documentation and one dedicated to 1.2.3.
You mean like the one we already have? :-)
http://doc.pfsense.org/index.php/Category:2.0
All this stuff seems to work great but documentation is usually difficult to find for new users of 2.0.
You mean clicking the blue "?" help icon on every page in the GUI is difficult? :-)