1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
==============
openvpn3-linux
==============
------------------------
OpenVPN 3 Linux Overview
------------------------
:Manual section: 7
:Manual group: OpenVPN 3 Linux
DESCRIPTION
===========
OpenVPN 3 Linux is an OpenVPN platform which builds on capabilities available
on newer Linux distributions. Compared to the more classic OpenVPN 2.x
generation, OpenVPN 3 Linux covers many more aspects of the VPN configuration
and session life-cycle.
To quickly compare them, OpenVPN 2.x is a single process which is responsible
for a single VPN session. There are no configuration or session management
in OpenVPN 2.x itself, it depends on the systemd openvpn-client@.service and
openvpn-server@.service unit files, the Network Manager OpenVPN plug-in or
other third-party management tools.
OpenVPN 3 Linux provides full configuration and session management in addition
to the VPN tunnel itself. For example, it has built in privilege separation
and execution models, for improved process security. This allows unprivileged
users to start their own VPN sessions and manage them themselves. VPN
configuration files can be shared with other users on the system or kept
private.
Through this privilege separation model, network configuration aspect of
the VPN tunnel is split out into its own process which runs with as few
privileges as possible. In practice that means it can only to network
configuration changes. This network configuration service is also capable
of setting up the DNS resolver out-of-the-box. For OpenVPN 2.x to do that,
it would need to run additional scripts or use specific plug-ins to trigger
such updates on the system.
With this architecture, OpenVPN 3 Linux is split up into several services
running independently of each other. These services are referred to as
*backend services*. The interaction with these services happens through
what is referred to as a *user front-end*.
USER FRONT-ENDS
===============
There are several user front-ends tools which is used to interact with the
various components of OpenVPN 3 Linux.
* ``openvpn2``
This aims to be fairly similar to the more classic ``openvpn``\(8)
command line, with the exception that it only processes client related
options.
* ``openvpn3``
This is the main utility for managing all the features available in
OpenVPN 3 Linux and has a different user interface than ``openvpn2``\(1)
or ``openvpn``\(8). On systems with the bash-completion integration
installed, almost every command, option and argument used by
``openvpn3`` will get auto-completion help.
* ``openvpn3-admin``
This utility is mostly targeting system administrators and provides
interfaces to do some management of the various OpenVPN 3 D-Bus
services. See ``openvpn3-admin``\(8) for more details.
* ``openvpn3-session@.service`` (``openvpn3-systemd``)
VPN sessions can be started and managed directly via ``systemctl``\(1)
by using the ``openvpn3-session@.service`` service unit. This also
enables VPN sessions to be started automatically during system boot.
This service unit uses a helper utility, ``openvpn3-systemd``\(1)
which works as a glue layer between the OpenVPN 3 Linux services and
``systemd``
In addition, a Python 3 module is also available making it possible to write
your own OpenVPN 3 front-ends with little extra efforts. Both ``openvpn2``
and ``openvpn3-systemd`` are Python 3 scripts which makes use of this
OpenVPN 3 Python module.
OPENVPN 3 D-BUS SERVICES
========================
The front-end interfaces talks to services which are started automatically
when needed and usually stops running if they are not in use. There are
several services, where each service only is responsible for a fairly small
set of features.
* **Configuration Manager** (``openvpn3-service-configmgr``)
This provides a service which only takes care of managing VPN
configuration profiles for all users on the system. It has a built in
Access Control List mechanism, which ensures only users granted access
can access the information they need.
D-Bus name: *net.openvpn.v3.configuration*
* **Session Manager** (``openvpn3-service-sessionmgr``)
This service takes care of managing running OpenVPN sessions on the
system. This has also its own set of Access Control List mechanisms,
where users on the system can be granted access to VPN sessions
started by other users. The default behaviour is to only let the
user starting a VPN session manage and access it.
D-Bus name: *net.openvpn.v3.sessions*
* **VPN Client Backend** (``openvpn3-service-client``)
This is the core VPN client. There will be running one such process
per active VPN session.
D-Bus name: *net.openvpn.v3.backends.be${PID}*
* **VPN Backend Starter** (``openvpn3-service-backendstart``)
This is a helper service which is used by the Session Manager to start
a new VPN backend service. When a client profile is requested started,
it will start an ``openvpn3-service-client`` process per VPN session.
D-Bus name: *net.openvpn.v3.backends*
* **Network Configuration** (``openvpn3-service-netcfg``)
This is the most privileged D-Bus service, and is used by the
Backend VPN Client processes. This is responsible for creating and
manage virtual network interfaces, configure IP addresses, routes in
addition to handling the DNS setup.
D-Bus name: *net.openvpn.v3.netcfg*
* **Logging** (``openvpn3-service-log``)
This is responsible to receive log events from all the services above
and ensure they get logged properly. Whether that is to a terminal, a
log file or syslog, depends on the configuration. The default is
to start this service using the syslog integration.
D-Bus name: *net.openvpn.v3.log*
All of these services above are D-Bus services which is available on the
system bus. They are all automatically started when needed.
D-BUS POLICY
============
D-Bus enforces usage of a policy which defines who can access which D-Bus
service and which features, objects and properties provided by a D-Bus service.
The default OpenVPN 3 Linux policy is placed in several files prefixed
``net.openvpn.v3`` in ``@DBUS_SYSTEM_POLICYDIR@``. The default policy
provided by OpenVPN 3 Linux allows all users on the system to load, start
and manage their own OpenVPN configuration profiles and VPN sessions.
All the D-Bus services will start automatically when their services are
requested by a front-end. Each service has their own D-Bus service definition,
which can be found in ``@DBUS_SYSTEM_SERVICEDIR@/net.openvpn.v3.*.service``.
When an OpenVPN 3 Linux D-Bus service has been idle for a certain time and
it does not need to preserve any data kept in memory, it will automatically
stop running. See the man page for each service to see default idle time.
COMPATIBILITY WITH OPENVPN 2.x
==============================
OpenVPN 3 is mostly compatible with most of the client options found in
OpenVPN 2.x. But there are some important details where it differs.
* No TAP support
OpenVPN 3 does not support TAP interfaces, only TUN interfaces. This is
by design, as all OS platforms which provides a VPN API (Apple iOS,
macOS, Android, Microsoft Universal Windows Platform) does only support
TUN interfaces.
* ``--fragment`` is not supported
While the use-cases for this feature is acknowledged, it is not
considered an easy feature to implement and it is being worked on
alternatives which gives a reasonably equivalent user experience without
using ``--fragment`` where this will be automatically configured. If it
turns out an alternative approach is impossible, this feature might be
implemented in the end.
* Currently no PKCS#11 support
This is a bigger task which will be worked on later, but it will attempt
to integrate better on the overall Linux platform instead of providing
an OpenVPN specific implementation.
These are the most obvious features users will notice. This list might be
extended as we receive more feedback.
SEE ALSO
========
``openvpn2``\(1)
``openvpn3``\(1)
``openvpn3-admin-init-config``\(8)
``openvpn3-service-backendstart``\(8)
``openvpn3-service-client``\(8)
``openvpn3-service-configmgr``\(8)
``openvpn3-service-log``\(8)
``openvpn3-service-netcfg``\(8)
``openvpn3-service-sessionmgr``\(8)
``openvpn3-systemd``\(8)
|
