tl;dr - anything that lets me selectively put a message in front of my
users is great.  Yes please.


The number one problem my users come across is expired certs.  Nobody reads
logs until they're forced to.

A notif mechanism like you're describing would be great.
With that I can set up scripts that push notices when someone is
connected + within some amount of expiry, and instructions on what to do.

But there are also those users who almost never connect.  I dream of having
GUI clients changing their text/icons and/or refusing to even attempt to
connect, with an explicit warning of "your cert is expired", rather than
connections failing 'silently' when they use the VPN for the first time in
forever.  A user complaint of "it says my cert is expired, what do I do?"
is much easier to handle than "is the vpn broken? it worked yesterday!"
95% of the time it's certs, but I still have to triage it more fully for
the times it's not.


So IMO, 1-2 are fundamental, 3-5 are
wishlist/consideration/extensions/ideas, use or ignore as you see fit:
* Make the ability for receiving messages on a client as described.
Enabled by default, maybe selectively disable-able because someone will
think it's spammy, but I'd almost suggest not allowing it.
* Make the ability to send a user a message via management.  Enabled by
default, maybe selectively disable-able as a safety mechanism / make
someone "key the mic to speak."
* Make the ability to 'wall' a message out to all connected users in one
command, e.g. 'wall "server going down in 5 mins"' or something like that.
* Make the ability to 'post' a message for some amount of time, e.g.
'wallpost 60m "server going down at 1700"'  Sending a message gets someone
who is connected now, but misses the user who connects 2m after I go
through the list of users and I stop looking.  So, this would hang around
and pop a message to everyone connected now, plus each new connection, for
the next 60m.
* Add an option à la --[no-]use-expired-certs.  When true, proceed like you
do today; when false, if certs are expired, have the client feed itself a
message via this mechanism to pop up that your certs are expired, so a user
knows right away what's wrong.  It'd be a spammy option if it tried to tell
you what to do, so I'm keeping the idea simple and generic.

Thanks for considering.

On Sun, Dec 20, 2020 at 10:55 AM Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> I find myself looking for a mechanism by which I could send informational
> messages ("your cert expires in two weeks, go refresh!" - "your openvpn
> client needs an upgrade") from the openvpn server to incoming clients.
>
> Of course this should work with all connecting clients, that is, "text
> clients", windows GUI, Tunnelblick, iOS Connect, Android.
>
> As far as I am aware, there is no such mechanism today.
>
> Do we want to make one?
>
>
> From the server / openvpn core side, it could be something totally trivial:
>
>   push "info-msg hey there!"
>
> ... and the client would then either print this on the console
> (if !management) or dump it to management, where the GUI/Tunnelblick
> could pick it up and create a popup window.
>
> What do you think?
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
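
The expiry check that the notice scripts discussed in this thread would need, as an added example that is not part of the original mails or of OpenVPN. It assumes each connected client's certificate end date is available as the `notAfter=...` line printed by `openssl x509 -noout -enddate`; the function names, the 14-day window, the `howto` wording and the sample clients are all constructed for illustration, and the code only builds the notice text, leaving delivery to whatever mechanism the thread settles on.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumed warning window; the quoted mail's sample notice says "two weeks".
WARN_WINDOW = timedelta(days=14)

def parse_enddate(line):
    """Parse a line such as 'notAfter=Dec 27 00:00:00 2020 GMT', the format
    printed by `openssl x509 -noout -enddate`, into an aware UTC datetime."""
    value = line.strip().split("=", 1)[-1]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def classify(not_after, now, window=WARN_WINDOW):
    """Return 'expired', 'expiring' or 'ok' for one certificate."""
    if now > not_after:          # a certificate is still valid at notAfter itself
        return "expired"
    if not_after - now <= window:
        return "expiring"
    return "ok"

def build_notices(connected, now, howto="contact the VPN admin"):
    """Map common name -> notice text for every client that needs one.
    `connected` is an iterable of (common_name, enddate_line) pairs; `howto`
    is site-specific wording (hypothetical default)."""
    notices = {}
    for cn, enddate_line in connected:
        not_after = parse_enddate(enddate_line)
        state = classify(not_after, now)
        if state == "expired":
            notices[cn] = f"your cert expired on {not_after:%Y-%m-%d}; {howto}"
        elif state == "expiring":
            days = (not_after - now).days
            notices[cn] = (f"your cert expires in {days} day(s), "
                           f"on {not_after:%Y-%m-%d}; {howto}")
    return notices

# Constructed sample data: three connected clients and a fixed "now".
SAMPLE_NOW = datetime(2020, 12, 20, 10, 55, tzinfo=timezone.utc)
SAMPLE_CLIENTS = [
    ("alice", "notAfter=Dec 27 00:00:00 2020 GMT"),   # inside the window
    ("bob", "notAfter=Dec  1 00:00:00 2020 GMT"),     # already expired
    ("carol", "notAfter=Jun  1 00:00:00 2021 GMT"),   # no notice needed
]

if __name__ == "__main__":
    for cn, text in build_notices(SAMPLE_CLIENTS, SAMPLE_NOW).items():
        print(f"{cn}: {text}")
```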