Netgate Discussion Forum
OpenVPN GUI remote networks field is confusing with lots of remote networks

Category: 2.4 Development Snapshots
16 Posts, 6 Posters, 2.1k Views
  • P
    pete35
    last edited by Oct 11, 2017, 2:35 PM

    Hi,

    In my OpenVPN GUI, the remote networks field holds about 30 remote networks as a comma-separated list.

    It is really hard to maintain and sometimes confusing, as the field is so small and there is no free view to all of the entries at once.

    Is it possible to have a variable vertical boxed list like an Alias for this field?

    pfSense is full of variable lists. I know I can simplify this with a routing protocol, but this would add additional packages and so on.

    Thanks!


    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Oct 11, 2017, 6:25 PM

      So there is no way to do a summary of these remote networks?

      For example, if you had 192.168.0, .1, .2 and 192.168.3.0/24 you could just use 192.168.0/22.

      None of the remote networks are next to each other? If you used 192.168 on your side and 172.16-31 on the other side you could just use one summary entry ;) Or use 192.168.0/17 on one side and 192.168.128/17 on the other..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • L
        luckman212 LAYER 8
        last edited by Oct 12, 2017, 4:37 AM

        Or… use some command-line tools:

        printf "192.168.4.0/24,10.10.10.0/22,192.168.161.224/29,10.0.10.32/27" | tr ',' '\n' >networks.txt

        make your edits in your comfortable text editor of choice, then

        # join the lines back with commas; sed strips the trailing comma left by the final newline
        tr '\n' ',' <networks.txt | sed 's/,$//'
        1 Reply Last reply Reply Quote 0
        • P
          pete35
          last edited by Oct 12, 2017, 10:00 AM

          I removed some of the remote networks by aggregating, thanks to johnpoz, but this field is much too small for reliable work.
          Editing it outside the GUI is really better, but my intention was to improve the GUI for this field.
          It should be easy to do, as lots of good lists are available within pfSense.

          Thanks!


          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Oct 12, 2017, 10:07 AM

            Nothing wrong with the ability to use an alias there… That would make editing easier, sure.

            Put in a feature request on https://redmine.pfsense.org/

            Posting a bounty is also another option.. Or you could even write the code yourself and submit it.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Oct 12, 2017, 1:06 PM

              You could also put the routes in the advanced box manually if you prefer:

              route x.x.x.0 255.255.255.0;
              route x.x.y.0 255.255.255.0;
              route x.x.z.0 255.255.255.0;
              [...]

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
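The two workarounds above (johnpoz's aggregation of adjacent networks and jimp's `route net mask;` lines for the advanced box) can be scripted against the comma-separated field. This is an added example, not code from the thread or from pfSense; the sample field is constructed. It validates every entry strictly (host bits set in a network entry are reported, since such mistakes are exactly what a small text box hides), collapses adjacent prefixes into the minimal exact cover, and renders both the field value and the advanced-box lines.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: four adjacent /24s, two unrelated networks, one mistyped
# entry (host bits set) and the trailing comma 'tr' leaves behind.
SAMPLE_FIELD = ("192.168.0.0/24,192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,"
                "10.0.10.32/27,10.10.8.0/22,192.168.5.1/24,")


def parse_remote_networks(field: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Split the comma-separated remote networks field and validate each token.
    Invalid tokens are returned, not dropped, so a typo is surfaced rather than
    silently routed (or silently not routed) over the VPN."""
    networks, bad = [], []
    for token in field.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate an empty token from a trailing comma
        try:
            # strict=True (the default) rejects entries whose host bits are set
            networks.append(ipaddress.IPv4Network(token))
        except ValueError:
            bad.append(token)
    return networks, bad


def aggregate(networks: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent or overlapping prefixes into the smallest exact cover.
    This never adds address space: 192.168.0.0/24 .. 192.168.3.0/24 become
    192.168.0.0/22, but 192.168.0.0/24 and 192.168.2.0/24 stay separate.
    A deliberate design supernet (e.g. 192.168.0/17 per side) is a planning
    decision, not something this function will invent."""
    return list(ipaddress.collapse_addresses(networks))


def to_field(networks: List[ipaddress.IPv4Network]) -> str:
    """Render the list back into the GUI's comma-separated form."""
    return ",".join(str(n) for n in networks)


def to_advanced_routes(networks: List[ipaddress.IPv4Network]) -> List[str]:
    """Render 'route <network> <netmask>;' lines for the advanced box."""
    return [f"route {n.network_address} {n.netmask};" for n in networks]


if __name__ == "__main__":
    nets, bad = parse_remote_networks(SAMPLE_FIELD)
    print("rejected:", bad)
    print("field:", to_field(aggregate(nets)))
    print("\n".join(to_advanced_routes(aggregate(nets))))
```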
              • R
                robi
                last edited by Oct 14, 2017, 8:49 PM

                @johnpoz:

                Nothing wrong with the ability to use an alias there… That would make editing easier, sure.

                Put in a feature request on https://redmine.pfsense.org/

                Already there, for 5 years now, originally by Phil Davis, and added again by me about 1 year ago:
                https://redmine.pfsense.org/issues/2668
                https://redmine.pfsense.org/issues/6754

                With the real power of aliases being nested, it would be awesome…

                1 Reply Last reply Reply Quote 0
                • D
                  Derelict LAYER 8 Netgate
                  last edited by Oct 14, 2017, 9:06 PM

                  It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • R
                    robi
                    last edited by Oct 15, 2017, 7:10 AM

                    @Derelict:

                    It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                    Include a function to check if the alias being changed is present in any OpenVPN configuration, and bounce only the VPNs affected by that particular alias. 8)

                    1 Reply Last reply Reply Quote 0
                    • D
                      Derelict LAYER 8 Netgate
                      last edited by Oct 15, 2017, 7:55 AM

                      And so on and so on.

                      The real answer is a solid design and supernetting into OpenVPN with CSOs.

                      I would rather see something like some smarts to change from the text field to a textarea if there are more than x commas, rather than a bunch of alias hackery.

                      But that's just my opinion.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Oct 15, 2017, 9:35 AM

                        @Derelict:

                        It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                        Why is that exactly? Why would an alias that consisted of networks ever need to be resolved? And why would the resolution of an FQDN in the aliases have anything to do with the VPN being up or down? Not understanding what the two have to do with each other..

                        Yes, stuff in the alias table gets resolved every 5 minutes. What would the resolution of aliases have to do with IPs and networks in an alias used for VPN remote networks? I could see changing the alias, sure.. Since that would be the same as changing the remote networks currently.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • J
                          jimp Rebel Alliance Developer Netgate
                          last edited by Oct 15, 2017, 1:14 PM

                          @johnpoz:

                          @Derelict:

                          It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                          Why is that exactly? Why would an alias that consisted of networks ever need to be resolved? And why would the resolution of an FQDN in the aliases have anything to do with the VPN being up or down? Not understanding what the two have to do with each other..

                          Yes, stuff in the alias table gets resolved every 5 minutes. What would the resolution of aliases have to do with IPs and networks in an alias used for VPN remote networks? I could see changing the alias, sure.. Since that would be the same as changing the remote networks currently.

                          If you edit the alias and save it, the VPN would have to be reset, which is counterintuitive if you don't remember that the alias is used on that VPN, for example.
                          Also, you can use hostnames in network aliases; they just get a /32 mask, so they would still have to be hooked into the same process.
                          And if a hostname resolved to a new address, that means the contents of the alias changed, which means that the VPN needs to be restarted to pick up the contents of the alias to use for routes.

                          It isn't like pf where the changes can be picked up automatically on-the-fly, since OpenVPN has to manage its own routes internally.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • P
                            pete35
                            last edited by Oct 15, 2017, 4:12 PM

                            My main point is that the field is too small for lots of networks, as that comma-separated field is a constant source of incorrect entries.

                            A large field list, as it exists for the alias function, will make it better. I understand that an alias will make more waves in the whole system, but this is not needed to reduce the errors.

                            Jimp gives a good solution, thanks for that: just enter the routes into the advanced box.

                            Thanks!


                            1 Reply Last reply Reply Quote 0
                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by Oct 15, 2017, 8:31 PM

                              Thanks jimp.. But I was more just thinking of it as an OpenVPN section under the alias section for remote networks. Where you would put networks.. You sure wouldn't put in an FQDN for a remote network even if it could resolve to a /32.. To me that is not a remote network.

                              But I guess you could put in a host route to /32 - so guess valid point there.

                              Thanks for the detailed info as always - to shoo away the cobwebs of my brain not thinking that early in the morning ;)

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              1 Reply Last reply Reply Quote 0
                              • J
                                jimp Rebel Alliance Developer Netgate
                                last edited by Oct 16, 2017, 1:00 PM

                                I'd be in favor of making those network boxes larger in some way. At least longer. The problem with making it a textarea is that people will, inevitably, think that putting entries on new lines instead of using commas is the way it works.

                                It would be great if we could have multiple rowhelper style controls on a page but currently only one is possible.

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • R
                                  robi
                                  last edited by Oct 24, 2017, 9:33 AM

                                  @jimp:

                                  @johnpoz:

                                  @Derelict:

                                  It would also mean that changing an alias would have to bounce your VPN - including hostname resolution that happens every 5 minutes (by default) if any of the aliases require resolution.

                                  Why is that exactly? Why would an alias that consisted of networks ever need to be resolved? And why would the resolution of an FQDN in the aliases have anything to do with the VPN being up or down? Not understanding what the two have to do with each other..

                                  Yes, stuff in the alias table gets resolved every 5 minutes. What would the resolution of aliases have to do with IPs and networks in an alias used for VPN remote networks? I could see changing the alias, sure.. Since that would be the same as changing the remote networks currently.

                                  If you edit the alias and save it, the VPN would have to be reset, which is counterintuitive if you don't remember that the alias is used on that VPN, for example.
                                  Also, you can use hostnames in network aliases; they just get a /32 mask, so they would still have to be hooked into the same process.
                                  And if a hostname resolved to a new address, that means the contents of the alias changed, which means that the VPN needs to be restarted to pick up the contents of the alias to use for routes.

                                  It isn't like pf where the changes can be picked up automatically on-the-fly, since OpenVPN has to manage its own routes internally.

                                  For such cases I would just simply put a small warning in the alias edit page: "Warning: this alias is being used in the 'name-of-the-OpenVPN-instance' OpenVPN configuration. After changing values here it is recommended to restart 'name-of-the-OpenVPN-instance'".

                                  So I wouldn't restart any VPN automatically, just notify the user that the alias affects OpenVPN also - and let the user decide if he/she wants to restart it (to prevent interruptions for cases when pfSense itself is being managed via the OpenVPN connection).
                                  The warning bar at the top could also be used for this after changing the alias, reminding the user that an OpenVPN restart is due, even if he/she moves away from the aliases config page.

                                  1 Reply Last reply Reply Quote 0
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.