Fetch directives from remote (HTTP?) server.

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

Clodo
OpenVPN User
Posts: 37
Joined: Mon Oct 10, 2011 11:25 pm

Fetch directives from remote (HTTP?) server.

Post by Clodo » Tue Mar 26, 2013 2:42 pm

There are a lot of VPN services based on OpenVPN. All services release .ovpn files to customers, and need to ask customers to reimport the updated version when some directives change, or simply to update the list of 'remote' servers. Sometimes it's an annoying procedure for customers, for example updating DD-WRT routers or Tomato.

Wishlist:
A directive "fetch" that has only one param, a URL to fetch.
When OpenVPN processes the .ovpn, if this directive exists, it tries to fetch the URL, obtains a list of directives, and simply appends them to the already existing directives.

This feature allows server maintainers to control the directives used by customers without needing to distribute an updated configuration every time.

Just my cents.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Fetch directives from remote (HTTP?) server.

Post by maikcat » Wed Mar 27, 2013 9:43 am

Wishlist:
A directive "fetch" that has only one param, a URL to fetch.
and if the URL is poisoned somehow (DNS poisoning) security goes down the drain....

just my 2 cents

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Clodo
OpenVPN User
Posts: 37
Joined: Mon Oct 10, 2011 11:25 pm

Re: Fetch directives from remote (HTTP?) server.

Post by Clodo » Wed Mar 27, 2013 11:46 am

maikcat wrote:
Wishlist:
A directive "fetch" that has only one param, a URL to fetch.
and if the URL is poisoned somehow (DNS poisoning) security goes down the drain....

just my 2 cents

Michael.
Maybe it can accept only HTTPS URLs with a valid certificate.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Fetch directives from remote (HTTP?) server.

Post by maikcat » Wed Mar 27, 2013 12:34 pm

Maybe it can accept only HTTPS URLs with a valid certificate.
http://wiki.squid-cache.org/Features/HTTPS

I think the idea of automatically adding directives to the config file will
not scale well...

What about after 10 *automatic* additions of remote directives,
how will your client respond...?

Anyway, my personal opinion is that a config should be constructed with care..

regards
Michael.

Clodo
OpenVPN User
Posts: 37
Joined: Mon Oct 10, 2011 11:25 pm

Re: Fetch directives from remote (HTTP?) server.

Post by Clodo » Thu Mar 28, 2013 12:54 pm

maikcat wrote: I think the idea of automatically adding directives to the config file will
not scale well...

What about after 10 *automatic* additions of remote directives,
how will your client respond...?
Sorry, but I don't understand your question well.



Think about fetching only 'remote' directives.
Like:


remote-fetch https://myserver.com/current-us.txt

Many VPN providers give customers .ovpn configuration files with many remote directives,
with a sort of very basic load balancing using the 'remote-random' directive.

I'm thinking about a more serious load-balancing system.

Specifying a list of remote directives is a problem when servers are added or removed,
because the updated configuration file needs to be resent to customers (and many customers use DD-WRT, Tomato, etc., which are not user friendly to update frequently).
And there is only basic (random-based) load balancing.


Specifying a DNS name with multiple A records isn't a good solution for me:
- The minimum TTL time is one hour, with issues about caching by many public DNS services (like GoogleDNS).
- The list of A records is random; it isn't possible to use a specific preferred order of servers.
- I noticed many issues with DNS/OpenVPN; I wrote a report here.

With a "remote-fetch https://myserver.com/current-us.txt", it's the VPN provider that
can implement a load-balancing monitor, for example by updating the remote file via cron,
listing first the servers with low load (or high bandwidth available).


I really wish for a feature like that.
I hope we can decide here whether it is acceptable to the OpenVPN community;
after that I will hire a C++ developer to implement it and submit it to the OpenVPN developers for review.
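
Added example, not part of the thread and not OpenVPN code (`remote-fetch` is only a proposal here): a Python wrapper-side check for the poisoning concern raised above, combining HTTPS with certificate verification and an allowlist so a fetched file can contribute `remote` lines only, never other directives. The function names, size caps, accepted proto set and sample hosts are assumptions.

```python
import re
import ssl
import urllib.request

# Assumption: the fetched file may hold only "remote host [port] [proto]" lines.
ALLOWED_PROTOS = {"udp", "tcp", "tcp-client", "udp4", "udp6", "tcp4", "tcp6"}
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
MAX_BYTES = 16 * 1024   # hypothetical cap on the size of the fetched list
MAX_REMOTES = 64        # hypothetical cap on the number of entries


def fetch_list(url):
    """Download the list over HTTPS only, with chain and hostname verification."""
    if not url.lower().startswith("https://"):
        raise ValueError("only https:// URLs are accepted")
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        if not resp.geturl().lower().startswith("https://"):
            raise ValueError("redirected away from HTTPS")
        return resp.read(MAX_BYTES + 1)


def parse_remotes(body):
    """Return validated 'remote' lines; raise ValueError on anything else."""
    if len(body) > MAX_BYTES:
        raise ValueError("list too large")
    remotes = []
    for n, raw in enumerate(body.decode("ascii").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "remote" or not 2 <= len(parts) <= 4:
            raise ValueError(f"line {n}: only 'remote host [port] [proto]' allowed")
        if not HOST_RE.match(parts[1]):
            raise ValueError(f"line {n}: bad host")
        if len(parts) >= 3 and not (parts[2].isdigit() and 1 <= int(parts[2]) <= 65535):
            raise ValueError(f"line {n}: bad port")
        if len(parts) == 4 and parts[3] not in ALLOWED_PROTOS:
            raise ValueError(f"line {n}: bad proto")
        remotes.append(" ".join(parts))
    if not 1 <= len(remotes) <= MAX_REMOTES:
        raise ValueError("list must contain between 1 and MAX_REMOTES entries")
    return remotes


# Constructed sample of such a list (documentation hosts, not real servers).
SAMPLE = b"# least-loaded first\nremote vpn1.example.net 1194 udp\nremote 192.0.2.10 443 tcp\n"
```

The validated lines would be written to a separate file that the static .ovpn pulls in, so a compromised list server can at worst redirect clients to hosts that still have to pass the client's normal server-certificate checks.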
