UI overhaul

Post your feature requests for OpenVPN Access Server here.
Post Reply
woutervddn
OpenVpn Newbie
Posts: 2
Joined: Fri Aug 04, 2017 9:14 am

UI overhaul

Post by woutervddn » Fri Aug 04, 2017 9:36 am

So, we've been using OpenVPN AS at our Startup for the last year or so.
I'm the one that picked OpenVPN because it was the best self-hosted, secure, modular, scriptable,... option out there.

But everytime I come near it I feel like I'm tunneling back to 1999.
The website, the forums, the AS management panel, the app (& the lack thereof on Linux).

When I Google VPN, the OpenVPN website is the first to show up (after the ads), the second one is https://www.pcmag.com/article2/0,2817,2403388,00.asp and OpenVPN is just not in it. Most of them in there, however, are using OpenVPN internally.

To me, the reason for this is obvious: OpenVPN as a solution (rather than a server deamon) is nowhere near ready for 2017.
The website use Joomla with PHP 5.4.36 which had is End Of Life in September 2015. It's not responsive, performance on mobile is bad and it makes Windows XP look modern. I can only hope that the Joomla at least has security updates.

While using a more up to date version of PHP the phpBB forum is in need of a UI refresh as well.

And the exact same thing goes for the AS interface & apps.
I'm finding it increasingly hard to keep defending AS as the best solution for our company.

I'm pretty sure the licences do not represent the bulk of the money coming in, but AS sales would definitely benefit from a side that a sysadmin isn't afraid to forward to the person responsible for finance.

All in all, the forum style doesn't bother me so much, most of us on here are sysadmins or developers anyhow. But we pay for our AS licenses which in my eyes makes it payed software. Having a great user experience would make it so that our employees might actually want to use it. And I for one would rather spend my money with the guys who build the underlaying service than those using it with a neat UI on top of it.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3341
Joined: Fri Jun 03, 2016 1:17 pm

Re: UI overhaul

Post by TinCanTech » Fri Aug 04, 2017 12:03 pm

woutervddn wrote:When I Google VPN, the OpenVPN website is the first to show up (after the ads), the second one is https://www.pcmag.com/article2/0,2817,2403388,00.asp and OpenVPN is just not in it.
Openvpn is not a VPN service provider it is a program ..

Openvpn do provide a VPN service here:
https://www.privatetunnel.com/home/?referral=OPENVPN

woutervddn
OpenVpn Newbie
Posts: 2
Joined: Fri Aug 04, 2017 9:14 am

Re: UI overhaul

Post by woutervddn » Wed Aug 16, 2017 8:04 am

I'm not looking for VPN service provider per se.
What I need is a way to get office machines on the same network so remote workers can access our shared file-system.

Ease of use for management activities has a huge impact on the impact is has on whoever is managing it.
I consider OpenVPN AS as a service that offers this (although it is self hosted, yearly recurring licences make it a service in my book).

chilinux
OpenVPN User
Posts: 15
Joined: Thu Mar 28, 2013 8:31 am

Re: UI overhaul

Post by chilinux » Thu Aug 17, 2017 12:02 am

woutervddn wrote:I'm the one that picked OpenVPN because it was the best self-hosted, secure, modular, scriptable,... option out there.
Those seem like good criteria when looking for a VPN solution. What exactly changed such those would not continue to be the top priority?
woutervddn wrote:But everytime I come near it I feel like I'm tunneling back to 1999.
So, every time you use TCP/IP does the complete lack of UI cause you to feel like you are back in the 1980s? How often are you exposed to the OpenVPN UI?
woutervddn wrote:The website, the forums, the AS management panel, the app (& the lack thereof on Linux).
The look of the website and the forums clearly has not been a top area of focus. I prefer that they focus on the product than on the marketing.

Other products which have a better-looking management panel make use of javascript/ajax which add complexity and increases the exposure surface to cross-site scripting attacks or other security issues.

For Linux, AS provides OpenVPN profiles which work fine with the OpenVPN support in Network Manager. Given NM is provided by almost every distribution, there is not the same need for another app as there is for Windows and Mac OS X where the OS doesn't already have an OpenVPN client directly packaged as part of the OS. Also, because the Linux Standard Base effort failed, it is hard to distribute any sort of universal Linux app. RPM/dpkg are both designed well to publish an application to a specific version of a specific distribution but neither is designed with a universal package in mind. Someday Flatpak (or possibly Snaps) will address this but neither are in popular use today.
woutervddn wrote:When I Google VPN, the OpenVPN website is the first to show up (after the ads), the second one is https://www.pcmag.com/article2/0,2817,2403388,00.asp and OpenVPN is just not in it. Most of them in there, however, are using OpenVPN internally.
PCMag is owned by Ziff Davis which I believe to not be unbias in what it decides to include in their content. I find it very telling that the page you link to has "this site may earn affiliate commissions from the links on this page." I also find it telling (and troubling) that AnchorFree Hotspot Shield is still listed with an editor's rating of "good."

It was reported by several sites (including Ziff Davis' own CNET)[1], back around August 7th, that the Center for Democracy and Technology provided a detailed complaint to the Federal Trade Commission on how AnchorFree Hotspot Shield for Android links with code which is invasive in terms of customer privacy. While Hotspot Shield marketing and privacy policy claims the IP is never logged, code included in the Android app have a very different conflicting privacy policies which include:

Quantcast: "your ZIP code, approximate location (e.g., region, city, ZIP), your browser type, cookie IDs, device identifiers, IP address, websites you may have visited, and advertisements viewed or clicked"

Phunware (previously TapIt): "the manufacturer, model number, the operating system, carrier, the IP address, battery level, wifi connection status information, network status, language, locale, time zone, unique identifiers associated with the device such as the identifier for advertisers, identifier for vendors, unique device identifier, the Android Advertiser ID, International Mobile Equipment Identity (IMEI), and MAC address"

Vungle: "IP Address, Android ID, MAC Address, IFA, UDID, and other unique identifiers; Activities and page views within a single mobile application; Language information, device make and model, device connection, height and width of device, device volume, time zone and city, state-level location information, and operating system type, name, and version; Information about the mobiles apps that a user currently has installed on their device; and Information about the ads an end-user has already been displayed"

By the way, I only know about the inclusion of code from Quantcast, Phunware and Vungle because of the complaint to the FTC. I wasn't able to find that disclosed anywhere in HotSpot Shield's own privacy notice or in the Android application description.

But, while this was reported by ZD on August 7th and "the Best VPN Services of 2017" page you link to was updated on August 14th, it seems AnchorFree's deceptive practices has had no impact on the HotSpot Shield rating! So while the page may get a high Google PageRank, it seems somewhat suspect what criteria ZD chooses for inclusion on the page along with it's method of rating the products.

[1] http://www.zdnet.com/article/privacy-gr ... b-traffic/
woutervddn wrote:To me, the reason for this is obvious: OpenVPN as a solution (rather than a server deamon) is nowhere near ready for 2017.
Ultimately, only Max Eddy (the author of the page you linked to) can say for sure why PrivateTunnel is excluded while Hotspot Shield still is able to earn a good rating. It might be possible you are correct that he felt the UI was too out of date looking for inclusion. My personal perspective is a little more cynical with the belief the "affiliate commissions" may influence the choice for inclusion and rating. But even if the UI is a deciding factor, I would still prefer a company that is transparent and honest with an older looking UI over one that hides dishonest practices behind a shiny UI.
woutervddn wrote:The website use Joomla with PHP 5.4.36 which had is End Of Life in September 2015. It's not responsive, performance on mobile is bad and it makes Windows XP look modern. I can only hope that the Joomla at least has security updates.

While using a more up to date version of PHP the phpBB forum is in need of a UI refresh as well.
I have to admit, the use of EoL PHP on the same server which provides the OpenVPN AS binaries and sha256sum's is disappointing. However, there are cases where distributions are still patching for all known CVE's for a version of PHP which the mainstream providers considered EoL.

I would prefer if the RPMs were signed. At least that way if the web server is compromised, anyone that already installed the GPG key for RPM signing could check if updated RPMs continue to be signed by the associated private key. As it stands right now, if the web server is compromised, the person might be able to modify both the OpenVPN AS RPM and the associated sha256sum to match. The recent issue with updates to the MeDoc accounting program being the method of distribution NotPetya ransomeware should be a wake-up call for the industry.
woutervddn wrote:And the exact same thing goes for the AS interface & apps.
My experience has been that some of the best looking anti-virus applications ended up being the most worthless when it came to meaningful results.

Likewise with enterprise appliances where the only reason you know their black box only allow the good packet through is that they have a powerpoint slide or animated UI graphics that show as much. The degree to which the black box really does what the graphics imply does not always pan out.

Also, while you may feel tunneled back to the 1999 or earlier if you use OpenSSH or PuTTY, I think the security track record for those applications speaks volumes as to where their focus has been.

I would prefer the AS interface continue to avoid making use of javascript/ajax and the primary focus of the apps be on security correctness instead of UI bedazzling.
woutervddn wrote:I'm finding it increasingly hard to keep defending AS as the best solution for our company.
What products are you defending AS against and is looks really the primary deciding factor? If looks are the primary item for consideration, then regardless of what changes with the OpenVPN AS can't another vendor do something to make their product look better? Is being the Rembrandt of all VPN UI's obtainable? And will you still be able to defend AS OpenVPN Connect when another company releases the Andy Warhol of VPN? Or could the race for best UI become a cat and mouse game where UI has to remain a primary focus?
woutervddn wrote:I'm pretty sure the licences do not represent the bulk of the money coming in, but AS sales would definitely benefit from a side that a sysadmin isn't afraid to forward to the person responsible for finance.

All in all, the forum style doesn't bother me so much, most of us on here are sysadmins or developers anyhow. But we pay for our AS licenses which in my eyes makes it paid software. Having a great user experience would make it so that our employees might actually want to use it. And I for one would rather spend my money with the guys who build the underlaying service than those using it with a neat UI on top of it.
I don't work for OpenVPN and do not have any say in if your feature request gets implemented. But as a fan of OpenVPN, I would like to believe that the product may only be a good shoe shine away from being a dominant product. However, I just am not seeing it right now. More often I am seeing one-stop shopping taking place--a company uses company X for their rack mounted servers which happen to also have a VPN solution so they go with company X for that as well. Or a company uses company Y for their network equipment which happens to have a VPN solution so they go with them. As far as a solution to this customer brand loyalty, I currently do not have any advice.

Post Reply