* VPN: OpenVPN: Instances - add new module using the same approach as introduced for IPsec in 23.1. Since we likely can't easily migrate the old cruft, we'd better focus on offering the correct options for openvpn following upstream documentation.
o add boilerplate
o implement a solution to keep vpnids unique so device creation for legacy and mvc can function in similar ways.
o add some of the main "helper" options for clients and servers
o Implement certificate logic, selecting a certificate also implies an authority (which we validate)
o hook CRL generation into the existing openvpn_refresh_crls() event
o attach already refactored authentication to new MVC as well, OpenVPN->getInstanceById() is responsible for feeding the data needed during authentication and overwrite generation.
o when in client mode and in need for a username+password combination, flush these to file and link in "auth-user-pass"
o routes (remote) and push routes (local), combine IPv4 and IPv6 for ease of administration,
o keep alive [push] ping-[restart] defined as separate fields for validation
o add various "push" to client options in Miscellaneous section
o add "auth-gen-token" lifetime for https://github.com/opnsense/core/issues/6135
o allow selection of redirect-gateway type for https://github.com/opnsense/core/issues/6220
o move tls-auth/crypt into separate static keys objects (tab in instances page)
o hook existing events (ovpn_event.py) and make sure they locate the server using getServerById() when needed
o use getInstanceById in openvpn_prepare() to return both legacy and MVC device configuration
o add ovpn_service_control.php for service control [stop|start|restart|configure] and glue this in openvpn_services() via configd
o change openvpn_interfaces() to use isEnabled() method on the model to query if any (legacy/mvc) instances are enabled
o move openvpn_config() from openvpn.inc to widget and extend with MVC instances
o extend ovpn_status.py to parse "instance-" sockets as well; since the filename doesn't explain the role, we're using the status call to figure out the use. uuids are keys in this case
o server_id type to str in kill_session.py so we can match either legacy or mvc sockets
o hook ExportController to OpenVPN model using getInstanceById() to glue the Client Export utility to both components
o extend connection status with mvc sessions (descriptions)
---------
Co-authored-by: Franco Fichtner <franco@opnsense.org>
Refactor the code to take advantage of the -S behaviour and
also ditch the extra service_control_status() since we already
fetched the status ourselves and it's used nowhere else.
Previously it was thought that RENEW/REBIND do not reload properly but
this was eventually about another bug for when the server returns "no
binding" message and subsequently fixed in dhcp6c but not yet released
up to 23.1.8.
Ignore PD RENEW/REBIND as it will be the same value as REQUEST anyway.
3c7fb657e14dfc muted "delete" operations but also "add" which makes
it impossible to see failures like the latest regression fixed in
25e2c0a301e1. Since system_default_route() handles this accordingly
use the same approach here.
No jobs showed up in the cron GUI for development which was a
bit suspicious. The old default seemed to be empty string so
keep that behaviour instead of setting "None".
Cleanup would be better but ifctl is not the place for it (no symmetry).
Maybe in the future we can use output from
# pluginctl -r host_routes
to remove the routes safely as they don't show if not used.
PR: https://forum.opnsense.org/index.php?topic=33831.0
Do not "leak" state transitions and also always log them to the
gateway log if they aren't being pushed through the rc.syshook
alarm path. While here consolidate the logging into the script
and make 10-dpinger script a stub for the "monitor" facility.
1. The process runs forever to retain proper state, periodically
syncing the configuration data in order to react correctly.
2. Missing gateways are not an issue. They will not alert or stick
to their last verified value.
3. We stop reacting unless a default gateway switch action will follow
or the gateway is part of a gateway group. Triggers are not refined
for now so we just let it run in full processing if a candidate.
4. Emulate the strange monitor alarm output although I don't see the
use for all of this cryptic goo. The alarm state (0, 1) was changed
to reflect the observed transition causing the alarm script to run.
5. Move the action for the script alarm to the script itself. Requires
a bit of backend shuffling as well.
6. Only create one script to watch all monitors. Easier to manage and
to present as service (which can be stopped and started if needed).
While adding, noticed that it wasn't added, which was due to
ending the iteration one cycle too early (last word on the line),
so changed the parsing slightly. Reaching forward with
certain keywords in place is safe, just need to make sure to
skip what we have read then. Same for IPv4 although less
relevant.
"primary" now works like its IPv4 counterpart not using tracking
interface addresses to suggest a different derived listening address.
OTOH "routed" and "scoped" variants are only relevant for services
listening on a particularly connected (functional) address. Its use
is relatively low but better to have these variants than handroll each
required spot.
This should lower the chances of accidental restores when reader processes are active very frequently, triggering a restore on a faulty read.
It should be possible to read the configuration while the config is exclusively locked, as these operations may take much more time than the actual write process takes.
After this commit the reader first tries to read unconditionally and if this fails, waits until a lock can be acquired.
To increase visibility of restore events, send these to the audit log instead of the general system log.
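The optimistic-read-then-lock sequence described in this last commit (read without a lock, and only wait for the writer's exclusive lock when the unlocked read yields an unparsable file), as an added example that is not OPNsense's own code; the XML layout, the flock protocol and the half-written window simulated by the writer thread are assumptions:

```python
import fcntl
import os
import tempfile
import threading
import time
import xml.etree.ElementTree as ET

def read_config(path):
    """Return (root, waited): unlocked read first, shared lock only on a bad parse."""
    try:
        return ET.parse(path).getroot(), False
    except ET.ParseError:
        pass  # likely a partially written file, not a reason to restore a backup
    with open(path, "rb") as fh:
        fcntl.flock(fh, fcntl.LOCK_SH)  # blocks while the writer holds LOCK_EX
        try:
            return ET.fromstring(fh.read()), True
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)

def write_config_slowly(path, started, delay=0.3):
    """Writer under LOCK_EX that leaves the file truncated for `delay` seconds."""
    with open(path, "r+b") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.truncate(0)
        fh.write(b"<opnsense><revision>")  # half-written document (constructed)
        fh.flush()
        started.set()  # reader is released into the faulty-read window
        time.sleep(delay)
        fh.seek(0)
        fh.truncate(0)
        fh.write(b"<opnsense><revision>2</revision></opnsense>")
        fh.flush()
        fcntl.flock(fh, fcntl.LOCK_UN)

def demo():
    """Race a reader against the slow writer; returns (revision, waited)."""
    fd, path = tempfile.mkstemp(suffix=".xml")  # constructed sample config file
    os.write(fd, b"<opnsense><revision>1</revision></opnsense>")
    os.close(fd)
    started = threading.Event()
    writer = threading.Thread(target=write_config_slowly, args=(path, started))
    writer.start()
    started.wait()  # writer now holds LOCK_EX and the file is half written
    root, waited = read_config(path)
    writer.join()
    os.unlink(path)
    return root.findtext("revision"), waited
```

`demo()` returns `("2", True)`: the first read fails on the truncated file, the reader then blocks on the shared lock and picks up the complete document once the writer releases it.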