# Roadmap
This document roughly describes the plans for the development of the VPN project.
If you work in Research & Education and you’d like to have something added, removed, changed, or re-prioritised, please contact us at eduvpn-support@lists.geant.org and make your case.
## Server
We currently have no timeline for a 4.x release, nor for the EOL of 3.x.
### 3.x
See Projects and the issue tracker of vpn-user-portal and vpn-server-node respectively.
### 4.x
Our plans for a 4.x release involve potentially breaking changes that are impossible, or very difficult, to deploy in the current 3.x release.
These are some ideas, nothing is set in stone:
- APIv4
- Drop OpenVPN
- Store all server/profile configuration in the database
- Allow Administrators to configure VPN profiles via Web
- Allow “User Defined” VPNs
- Remove OAuth based “Secure Internet”, but use SAML/OpenID Connect (federation) instead
- Simplify Node Communication (WIP)
- Clean up Authentication Modules (WIP)
- Make “Live Permissions” work for all authentication modules
- Native OpenID Connect support
### Drop OpenVPN
Supporting both WireGuard and OpenVPN has been necessary since we first introduced WireGuard support, mainly because WireGuard cannot run over TCP. With the implementation of ProxyGuard this problem has been mostly resolved.
WireGuard is a much simpler protocol, whereas OpenVPN’s server and client configuration is extremely complex to get right, so it seems like a good idea to drop OpenVPN as soon as there are no longer any use cases that require it.
Furthermore, this will allow us to Simplify Node Communication.
### Simplify Node Communication
In 3.x the communication between controller and node(s) is two way. The controller will talk to the node(s) to register/delete WireGuard client configurations, and to retrieve the list of connected VPN clients. It is also used to disconnect OpenVPN clients that are no longer allowed to be connected.
The node(s), in turn, talk to the controller to retrieve the VPN server configuration, i.e. the WireGuard and OpenVPN server configuration files, and to ask the controller on every connect whether or not a connecting OpenVPN client is allowed.
In order to facilitate this, the controller talks to the node(s) using HTTPS over an mTLS secured channel. The node(s) talk to the controller over HTTPS with a node key that needs to be configured in all node(s). We also need a hacky localhost Apache virtual host to make this work on single server deploys.
When we drop OpenVPN, the node(s) no longer need to talk to the controller on each VPN client connection, and we can simply push the WireGuard configuration to the node(s) using the existing mTLS secured connection. Using netlink we can then configure everything as needed. There would no longer be a need for vpn-server-node, nor for wireguard-tools, to configure the WireGuard interface on the server.
As a side effect this allows us to forgo any “apply changes” step: changes in the controller configuration can be pushed automatically to all node(s), which also opens the door for “User Defined VPNs”.
### Authentication Modules
We currently have many authentication modules, including some duplicates:
| Authentication Type | Module Name/Validator | Web Server |
|---|---|---|
| SQL | DbCredentialValidator | No |
| LDAP | LdapCredentialValidator | No |
| RADIUS | RadiusCredentialValidator | No |
| SAML | PhpSamlSpAuthModule | No |
| Client Certificates | ClientCertAuthModule | Yes |
| OpenID Connect | OidcAuthModule | Yes |
| SAML | ShibAuthModule | Yes |
| SAML | MellonAuthModule | Yes |
That makes three modules for SAML, which seems excessive. Unfortunately they all have their strengths and weaknesses.
The idea is to at the very least consolidate all “Web Server” authentication modules, i.e. the ones that use Apache for authentication and then provide essentially the REMOTE_USER value to the application, which contains the user identity. It is slightly more complicated, as there are also permissions and logout to handle, but there is quite a bit of overlap.
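As an added illustration of what one consolidated “Web Server” module could look like (this is not code from vpn-user-portal), the following Python sketch reads the identity and permissions that Apache exported into the request environment; the permission variable name and its separator are assumptions.

```python
"""Sketch of one consolidated "Web Server" authentication module (WSGI flavoured).

Added illustration, not vpn-user-portal code. It assumes a WSGI environ that
Apache fills in after mod_shib, mod_auth_mellon, mod_auth_openidc or a client
certificate check has authenticated the request. The permission variable name
and its separator are assumptions; a real module would make them configurable.
"""
from dataclasses import dataclass

PERMISSION_VAR = "VPN_PERMISSIONS"  # assumed: attribute the web server exports
PERMISSION_SEP = ";"                # assumed: multi-value separator


@dataclass(frozen=True)
class UserInfo:
    user_id: str
    permissions: frozenset


def user_from_environ(environ):
    """Return the identity the web server asserted, or None if there is none.

    Only server-set variables are trusted. A "Remote-User" header sent by the
    client is exposed to the application as HTTP_REMOTE_USER, never as
    REMOTE_USER, so it cannot satisfy this lookup: Apache's auth module, not
    the request, is the source of identity.
    """
    user_id = (environ.get("REMOTE_USER") or "").strip()
    if not user_id:
        return None
    raw = environ.get(PERMISSION_VAR) or ""
    perms = frozenset(p.strip() for p in raw.split(PERMISSION_SEP) if p.strip())
    return UserInfo(user_id, perms)


def require_web_server_auth(app):
    """WSGI middleware: refuse requests the web server did not authenticate."""
    def wrapped(environ, start_response):
        user = user_from_environ(environ)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"not authenticated by the web server\n"]
        environ["vpn.user"] = user  # hand the identity to the application
        return app(environ, start_response)
    return wrapped


# Constructed sample environs: one set by Apache, one with only a client header.
SERVER_SET = {"REMOTE_USER": "alice@example.org", "VPN_PERMISSIONS": "staff;vpn-admin"}
CLIENT_HEADER_ONLY = {"HTTP_REMOTE_USER": "mallory@example.org"}
```

The module-specific parts that remain (attribute names, logout endpoints) are exactly the overlap the consolidation would have to parameterise.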
## Clients
- Allow VPN clients to override “Split Tunnel” / “Full Tunnel” / “Block LAN”
- Allow VPN clients to override the TunnelCrack/TunnelVision mitigation
- Better support for Managed Devices
- Do server version check in eduVPN apps
- Warn when server is not up to date
- Warn users of the eduVPN app when the server they use is not officially registered
- WireGuard over TCP