OpenVPN ctl is a small GUI script which sits in the tray and controls running OpenVPN processes via the management interface.
What it can do
- Control multiple local openvpn processes at once
- Initiate and terminate connections
- Show desired (on/off) and actual state for all connections
- Request passwords, insertion of cryptographic tokens and so on via dialogs
- Report state change via GUI notifications
- Show log messages from a particular daemon
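The points above (showing desired and actual state, requesting passwords via dialogs, releasing a hold) all come down to reading notification lines from the management socket and sending commands back. The following is an added example, not code from OpenVPN ctl itself: a small, offline-testable parser for the `>STATE:`, `>PASSWORD:` and `>HOLD:` notifications plus the quoting rule for the `username`/`password` replies. The sample session lines and the `office.sock` path are constructed for the example; `ManagementClient.connect()` is the only part that touches a real socket.

```python
# Added example (not part of OpenVPN ctl): minimal parser for the OpenVPN management
# interface as seen by a tray script. SAMPLE_LINES is a constructed session.
import os
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class StateUpdate:
    timestamp: int
    state: str        # CONNECTING, AUTH, CONNECTED, RECONNECTING, EXITING, ...
    detail: str       # SUCCESS or an error description
    local_ip: str     # tun/tap address, empty until CONNECTED
    remote_ip: str


@dataclass
class PasswordRequest:
    kind: str         # "Auth", "Private Key", ...; echoed back in the reply
    needs_username: bool


def vpn_name_from_socket(path: str) -> str:
    """Menu label rule from the README: socket basename without its extension."""
    base = os.path.basename(path)
    return base.rsplit(".", 1)[0] if "." in base else base


def parse_state(line: str) -> StateUpdate:
    """>STATE:<unix-time>,<state>,<detail>,<local ip>,<remote ip>,<remote port>,..."""
    fields = line[len(">STATE:"):].split(",")
    fields += [""] * (5 - len(fields))       # tolerate daemons that emit fewer fields
    return StateUpdate(int(fields[0]), fields[1], fields[2], fields[3], fields[4])


_NEED = re.compile(r"^>PASSWORD:Need '([^']+)' (username/password|password)$")


def parse_password_request(line: str) -> Optional[PasswordRequest]:
    """None for >PASSWORD: lines that are not requests (e.g. 'Verification Failed')."""
    m = _NEED.match(line)
    if not m:
        return None
    return PasswordRequest(m.group(1), m.group(2).startswith("username"))


def quote_arg(value: str) -> str:
    """Quote a value for username/password commands: backslash-escape \\ and \"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


Event = Tuple[str, Union[StateUpdate, PasswordRequest, str, None]]


def classify_line(line: str) -> Event:
    """Map one line from the daemon to (kind, payload) for the GUI event loop."""
    if line.startswith(">STATE:"):
        return ("state", parse_state(line))
    if line.startswith(">PASSWORD:"):
        return ("password", parse_password_request(line))
    if line.startswith(">HOLD:"):
        return ("hold", line[len(">HOLD:"):])
    if line.startswith("SUCCESS:") or line.startswith("ERROR:"):
        return ("reply", line)
    return ("other", line)


def actual_state(events: List[Event]) -> str:
    """'on' if the newest state notification says CONNECTED, otherwise 'off'."""
    for kind, payload in reversed(events):
        if kind == "state":
            return "on" if payload.state == "CONNECTED" else "off"
    return "off"


class ManagementClient:
    """Thin wrapper around the live unix socket (not exercised offline)."""

    def __init__(self, path: str):
        self.path = path
        self.sock: Optional[socket.socket] = None

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.path)

    def send(self, command: str) -> None:
        self.sock.sendall((command + "\n").encode())

    def answer_password(self, req: PasswordRequest, username: str, password: str) -> None:
        if req.needs_username:
            self.send("username " + quote_arg(req.kind) + " " + quote_arg(username))
        self.send("password " + quote_arg(req.kind) + " " + quote_arg(password))

    def release_hold(self) -> None:
        self.send("hold release")            # only needed with --management-hold


# Constructed sample session, in the order a daemon started with --management-hold emits it.
SAMPLE_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">HOLD:Waiting for hold release:0",
    "SUCCESS: hold release succeeded",
    ">PASSWORD:Need 'Auth' username/password",
    ">STATE:1712345678,AUTH,,,,,,",
    ">STATE:1712345680,CONNECTED,SUCCESS,10.8.0.2,203.0.113.5,1194,,",
]


def demo() -> Tuple[List[Event], str]:
    events = [classify_line(line) for line in SAMPLE_LINES]
    return events, actual_state(events)
```

The quoting helper matters more than it looks: a password containing `"` or `\` sent unescaped is rejected by the daemon (or worse, silently truncated), which surfaces in the GUI as a repeated password prompt rather than a clear error.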
What it cannot do
- Change openvpn configuration file on the fly
- Control openvpn servers
- Control non-local clients (?)
What would be nice to do
- Use the FreeDesktop Secret Service API to store passwords and PINs permanently.
- Have internal support for TOTP so one-time passwords can be entered without user interaction
- As openvpn is able to delegate cryptographic operations to the management program, delegate them further to ssh-agent
- Have a CLI command which just sits on the socket and waits for requests for user feedback, to control openvpn running on a remote machine.
What is required from the openvpn configuration
- All VPNs to be controlled by this daemon should be started at system startup
- They should all be started with the --management option pointing to a local unix-domain socket in the same directory. The VPN name shown in the menu is derived from the socket basename
- They should all use the --management-client-group option to set the control group to netdev on Debian systems
- They should use the --management-query-passwords and --management-up-down options
- They may use the --management-hold option if it is not desired to start OpenVPN without direct user approval.
- They may use the --management-signal option in order to get openvpn disconnected on UI exit
These options are better supplied via the openvpn command line from the init script. If so, the openvpn config might contain only server- and PKI-related configuration, thus allowing the config provided by the OpenVPN server administrator to be used as is.
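As an added example (not part of OpenVPN ctl or any init script it ships), the following builds the command line an init script would supply for one VPN according to the requirements above, and checks that the server-provided config does not itself carry management directives that would clash with it. The `/run/openvpn` socket directory, the `/etc/openvpn/client/<name>.conf` path and the `office` VPN name are assumptions; the config texts are constructed.

```python
# Added example (not part of OpenVPN ctl): assemble the openvpn command line required
# by the README and refuse a config that also sets management options itself.
import os
from typing import List


def openvpn_argv(name: str, socket_dir: str, config_path: str,
                 hold: bool = False, signal: bool = True) -> List[str]:
    """Every required option from the README; hold and signal are the optional ones."""
    sock = os.path.join(socket_dir, name + ".sock")    # basename becomes the menu label
    argv = [
        "openvpn", "--config", config_path,
        "--management", sock, "unix",                   # local unix-domain socket
        "--management-client-group", "netdev",          # group allowed to connect (Debian)
        "--management-query-passwords",                 # prompt through the GUI
        "--management-up-down",                         # report up/down to the GUI
    ]
    if hold:
        argv.append("--management-hold")                # wait for explicit user approval
    if signal:
        argv.append("--management-signal")              # drop the tunnel when the UI exits
    return argv


def config_management_directives(config_text: str) -> List[str]:
    """Directives in the config file that duplicate command-line management options."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":                 # openvpn comment syntax
            continue
        directive = line.split()[0].lstrip("-")
        if directive.startswith("management"):
            found.append(directive)
    return found


# Constructed config as a server administrator might hand it out: server and PKI only.
CLEAN_CONF = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# management 127.0.0.1 7505   <- commented out, ignored by the check
ca ca.crt
cert client.crt
key client.key
"""

# Same config with a stray management line, which would fight the init script's socket.
BAD_CONF = CLEAN_CONF + "management /tmp/office.sock unix\n"


def build(name: str, config_text: str) -> List[str]:
    """Argv for one VPN; raises if the config already sets management options."""
    clashes = config_management_directives(config_text)
    if clashes:
        raise ValueError("config already sets: " + ", ".join(clashes))
    config_path = f"/etc/openvpn/client/{name}.conf"    # assumed layout
    return openvpn_argv(name, "/run/openvpn", config_path, hold=True)
```

Keeping the management options on the command line rather than in the config is also what makes the `netdev` group restriction reliable: a later config update from the server administrator cannot quietly move the socket to a TCP port or drop the group restriction.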