Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Daan Hoogland
This is a potential religious debate, I think it makes the most sense to
try and make the provider optional and let the operator or even the
end-user decide. I see how this is an extra challenge, but does it make
sense?

On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav 
wrote:

> All,
>
> We've historically supported openswan and nowadays strongswan as the VPN
> provider in VR for both site-to-site and remote access modes. After
> discussing the situation with a few users and colleagues I learnt that
> OpenVPN is generally far easier to use, has clients for most OS and
> platforms (desktop, laptop, tablet, phones...) and allows multiple clients
> in the same public IP (for example, multiple people in the office sharing a
> client-side public IP/nat while trying to connect to a VPC or an isolated
> network) and for these reasons many users actually deploy pfSense or set up
> an OpenVPN server in their isolated network or VPC and use that instead.
>
> Therefore for the point-to-point VPN use-case of remote access [1] does it
> make sense to switch to OpenVPN? Or, are there users using
> strongswan/ipsec/l2tpd for remote access VPN?
>
> A general-purpose VPN-framework/provider where an account or admin (via
> offering) can specify which VPN provider they want in the network
> (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> to implement and maintain. Any other thoughts in general about VPN
> implementation and support in CloudStack? Thanks.
>
> [1]
> http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
>
>
>
> Regards.
>
>
>
>

-- 
Daan


Re: [RESULT][VOTE] Renaming default git branch name from 'master' to 'main' and replace offensive words as appropriate for inclusiveness

2021-06-11 Thread Suresh Anaparti
Hi All,

The default branch has been renamed to 'main' (from 'master'), for the 
following CloudStack project repos.

   - cloudstack 
   - cloudstack-documentation 
   - cloudstack-www 
   - cloudstack-cloudmonkey 
   - cloudstack-kubernetes-provider 
   - cloudstack-ec2stack 
   - cloudstack-gcestack

Next steps, I'll run health checks and see if there are any issues with the 
integrated jobs/systems (Travis CI, Jenkins, etc).

Please run the below cmds to update your existing cloned repos.

git branch -m master main
git fetch origin
git branch -u origin/main main
git remote set-head origin -a


Regards,
Suresh

On 08/06/21, 6:55 PM, "Suresh Anaparti"  wrote:

Hi All,

Here is the update: all the PRs that addressed the inclusive changes 
(changing the default branch name from 'master' to 'main' and replacing some 
offensive words) in the CloudStack repos are accepted/merged. I've created 
INFRA ticket: https://issues.apache.org/jira/browse/INFRA-21978, to rename the 
default branch to 'main' (which should automatically re-target all the 
open/draft PRs against 'master' to 'main'). I'll let you know once renaming is 
done, and the next steps.

Regards,
Suresh

On 11/05/21, 1:12 PM, "Suresh Anaparti"  
wrote:

Hi all,

The vote [1] for renaming default git branch name from 'master' to 
'main' and replace offensive words as appropriate for inclusiveness, in the 
Apache CloudStack project has passed with the following votes:

+1 (PMC / binding)
4 persons (Daan, Gabriel, Rohit, Wei)

+1 (non-binding)
5 persons (David, Rene, Nathan, Hari, Suresh)

+0
1 person (Andrija)

Thank you all for participating. Next steps, I'll close any review 
feedback on the PRs and get them accepted. Once the PRs are accepted, we can 
merge them to 'master' (maybe after 4.15.1 release) and will request ASF infra 
(track through new INFRA ticket) to disable pushes to 'master', rename 'master' 
to 'main' and set 'main' as the default branch, for all the CloudStack repos.

[1] https://markmail.org/message/n6sbl3vgm7hy77zj


Regards,
Suresh


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Pierre-Luc Dion
Hello,

Daan, I agree we should provide capability to select the vpn solution to
use, the question would be,  should it be a global setting generic for the
whole region or per VPC?
I think it should be a global setting to reduce the requirement complexity
of a region, but per VPC or customer(account or domain) would be ideal.

Hean, the current implementation from PR:2850 that uses strongswan does
support multiple users behind the same public IPs, but I don't recall for
Windows generic clients.
With OpenVPN, can you be connected to multiple VPN tunnels at the same time?
We had the challenge a few times where we needed to be connected to 2
VPCs at the same time.

I think adding support to OpenVPN is a good idea, the more options
available the better Cloudstack will be.

I don't know if 4.15 still uses L2TP from strongswan but we've moved away
from it a while ago because it was not reliable, connection kept
dropping, supports only one Windows client at a time, issues configuring
clients, no helpful connection logs..

An interesting improvement to make to remote access VPN would be to
optionally use DNS resolution of the VR from VPN clients so a user
connected to the VPN could use hostname to access VMs. I think iptables
currently blocks DNS queries from the VPN.

Cheers,

On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:

> If thinking of only Site-to-Site VPN, then OpenVPN and WireGuard are not
> much different, or even the current one is good.  Only one time setup at
> router.  However if considering Mobile Client, OpenVPN is more
> complicated.
>
> The only concern now is multiple people in the same public IP need to
> access the VPN.  And this consideration will be OpenVPN or Wireguard to
> handle this requirement.  And for this purpose of multiple people in same
> public IP need to access to VPN, then we will have to think of usability and
> easy installation of VPN client.
>
> We are using OpenVPN for more than 5 years, but always there is new PC
> need to configure VPN Client, windows, android, ios, it is painful (we
> are not using access server).
>
> Currently we test on WireGuard, just forgot about performance or
> whatsoever, just the conveniences of implementation, that is very great
> and easy for client installation, even mobile client on phone or tablet.
>
>
>
>
> On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland 
> wrote:
>
> > This is a potential religious debate, I think it makes the most sense to
> > try and make the provider optional and let the operator or even the
> > end-user decide. I see how this is an extra challenge, but does it make
> > sense?
> >
> > On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav 
> > wrote:
> >
> > > All,
> > >
> > > We've historically supported openswan and nowadays strongswan as the
> VPN
> > > provider in VR for both site-to-site and remote access modes. After
> > > discussing the situation with a few users and colleagues I learnt that
> > > OpenVPN is generally far easier to use, have clients for most OS and
> > > platforms (desktop, laptop, tablet, phones...)  and allows multiple
> > clients
> > > in the same public IP (for example, multiple people in the office
> > sharing a
> > > client-side public IP/nat while trying to connect to a VPC or an
> isolated
> > > network) and for these reasons many users actually deploy pfSense or
> > setup
> > > a OpenVPN server in their isolated network or VPC and use that instead.
> > >
> > > Therefore for the point-to-point VPN use-case of remote access [1] does
> > it
> > > make sense to switch to OpenVPN? Or, are there users using
> > > strongswan/ipsec/l2tpd for remote access VPN?
> > >
> > > A general-purpose VPN-framework/provider where an account or admin (via
> > > offering) can specify which VPN provider they want in the network
> > > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more
> > complex
> > > to implement and maintain. Any other thoughts in general about VPN
> > > implementation and support in CloudStack? Thanks.
> > >
> > > [1]
> > >
> >
> http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> > >
> > >
> > >
> > > Regards.
> > >
> > >
> > >
> > >
> >
> > --
> > Daan
> >
>
>
> --
> Regards,
> Hean Seng
>


Re: Meet the CloudStack Community: Who is NEXT?

2021-06-11 Thread Slavka Peleva
Hi Ivet, all,

The video with Gabriel was great! I hope these people don't get mad at
me for involving them in this, but I'll be happy to hear something
from Rohit, Daan or Andrija (mixed with his sense of humor) :)

Best regards,

Slavka


On Fri, Jun 11, 2021 at 11:30 AM Ivet Petrova 
wrote:

> Hello all, and Happy Friday!
>
> I hope you are ready for the upcoming weekend. You have seen a few videos
> on the ACS channel which are under the Meet the Community Series.
> To make these videos more interesting for the community, I wanted to ask
> all of you: Who will you nominate for the next videos on the channel?
> If you think that you know a community member, who is inspiring and will
> share a great story, please nominate him for the video series!
>
> Look forward to hearing your opinion!
>
> Kind regards,
>
>
>
>
>


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Gabriel Bräscher
I understand that OpenVPN is a great option and far adopted.
I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
best; creating an offering (or global settings) that would allow setting
which VPN provider will be used would be awesome.

I understand that OpenVPN is a great option and far adopted; however, I
would be -1 if this would impact on removing support for Strongswan --
which from what I understood is not the proposal, but saying anyway to be
sure.

Thanks for raising this proposal/discussion, Rohit.

Cheers,
Gabriel.


On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion 
wrote:

> Hello,
>
> Daan, I agree we should provide capability to select the vpn solution to
> use, the question would be,  should it be a global setting generic for the
> whole region or per VPC?
> I think it should be a global setting to reduce the requirement complexity
> of a region, but per VPC or customer(account or domain) would be ideal.
>
> Hean, the current implementation from PR:2850
>  that use strongswan does
> support multiple users behind the same public IPs, but I don't recall for
> Windows generic clients.
> With OpenVPN, can you be connected to multiple VPN tunnels at the same time
> ? We had the challenge a few times where we needed to be connected to 2
> VPCs at the same time.
>
> I think adding support to OpenVPN is a good idea, the more options
> available the better Cloudstack will be.
>
> I don't know if 4.15 still uses L2TP from strongswan but we've moved away
> from it a while ago because it was not reliable, connection kept
> dropping, support only one windows client at a time, issue configuring
> clients, no helpful connection logs..
>
> An interesting improvement is made to remote access VPN, would be to
> optionally use dns resolution of the VR from VPN clients so a user
> connected to the VPN could use hostname to access VMs. I think iptable
> currently blocks dns query from the vpn.
>
> Cheers,
>
> On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:
>
> > If thinking of only Site-to-Site VPN , then OpenVPN and WireGuard is  no
> > much different , or even current one is good.  Only one time setup at
> > router.  However if considering of Mobile Client, OpenVPN is more
> > complicated.
> >
> > The only concern now is multiple people in the same public IP need to
> > access the VPN.  And this consideration will be OpenVPN or Wireguard to
> > handle this requirement.   And for this purpose of multiple people in
> same
> > public ip need to access to VPN, then  we will have  think of usability
> and
> > easy installation of VPN client.
> >
> > We are using OpenVPN for more than 5 years, but always  there is new PC
> > need to configure VPN Client, windows , android, ios, it is painful ( we
> > are not using access server) .
> >
> > Currently we test on WireGuard, just forgot about performance or
> > whatsoever, just the conveniences of implementation,  that is very great
> > and easy for client installation ,  even mobile client on phone or
> tablet.
> >
> >
> >
> >
> > On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland 
> > wrote:
> >
> > > This is a potential religious debate, I think it makes the most sense
> to
> > > try and make the provider optional and let the operator or even the
> > > end-user decide. I see how this is an extra challenge, but does it make
> > > sense?
> > >
> > > On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav <
> rohit.ya...@shapeblue.com>
> > > wrote:
> > >
> > > > All,
> > > >
> > > > We've historically supported openswan and nowadays strongswan as the
> > VPN
> > > > provider in VR for both site-to-site and remote access modes. After
> > > > discussing the situation with a few users and colleagues I learnt
> that
> > > > OpenVPN is generally far easier to use, have clients for most OS and
> > > > platforms (desktop, laptop, tablet, phones...)  and allows multiple
> > > clients
> > > > in the same public IP (for example, multiple people in the office
> > > sharing a
> > > > client-side public IP/nat while trying to connect to a VPC or an
> > isolated
> > > > network) and for these reasons many users actually deploy pfSense or
> > > setup
> > > > a OpenVPN server in their isolated network or VPC and use that
> instead.
> > > >
> > > > Therefore for the point-to-point VPN use-case of remote access [1]
> does
> > > it
> > > > make sense to switch to OpenVPN? Or, are there users using
> > > > strongswan/ipsec/l2tpd for remote access VPN?
> > > >
> > > > A general-purpose VPN-framework/provider where an account or admin
> (via
> > > > offering) can specify which VPN provider they want in the network
> > > > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more
> > > complex
> > > > to implement and maintain. Any other thoughts in general about VPN
> > > > implementation and support in CloudStack? Thanks.
> > > >
> > > > [1]
> > > >
> > >
> >
> http://docs.cloudstack.apache.org/en/latest/adminguide/net

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Rohit Yadav
Thanks all for the feedback so far, looks like the majority of people on the 
thread would prefer OpenVPN but for s2s they may continue to prefer 
strongswan/ipsec for site-to-site VPC feature. If we're unable to reach 
consensus then a general-purpose provider-framework may be more flexible to the 
end-user or admin (to select which VPN provider they want for their network, we 
heard in this thread - openvpn, strongswan/l2tp, wireguard, and maybe other 
providers in future).

Btw, ikev2 is supported now with strongswan with this - 
https://github.com/apache/cloudstack/pull/4953

My personal opinion: As a user of most of these VPN providers, I personally like 
OpenVPN which I found to be easier to use both on desktop/laptop and on phone. 
With openvpn as the default I imagine in CloudStack I could enable VPN for a 
network and CloudStack gives me an option to download a .ovpn file which I can 
import in my openvpn client (desktop, phone, cli...) click connect to connect 
to the VPN. For certificate generation/storage, the CA framework could be used 
so the openvpn server certs are the same across network restarts (with 
cleanup). I think a process like this could be simpler than what we've right 
now, and the ovpn download+import workflow would be easier than what we'll get 
from either strongswan/current or wireguard. While I like the simplicity of 
wireguard, which is more like SSH setup I wouldn't mind doing setup on 
individual VMs (much like setting up ssh key) or use something like TailScale.


Regards.


From: Gabriel Bräscher 
Sent: Friday, June 11, 2021 19:28
To: dev 
Cc: users 
Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

I understand that OpenVPN is a great option and far adopted.
I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
best; creating an offering (or global settings) that would allow setting
which VPN provider will be used would be awesome.

I understand that OpenVPN is a great option and far adopted; however, I
would be -1 if this would impact on removing support for Strongswan --
which from what I understood is not the proposal, but saying anyway to be
sure.

Thanks for raising this proposal/discussion, Rohit.

Cheers,
Gabriel.


On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion 
wrote:

> Hello,
>
> Daan, I agree we should provide capability to select the vpn solution to
> use, the question would be,  should it be a global setting generic for the
> whole region or per VPC?
> I think it should be a global setting to reduce the requirement complexity
> of a region, but per VPC or customer(account or domain) would be ideal.
>
> Hean, the current implementation from PR:2850
>  that use strongswan does
> support multiple users behind the same public IPs, but I don't recall for
> Windows generic clients.
> With OpenVPN, can you be connected to multiple VPN tunnels at the same time
> ? We had the challenge a few times where we needed to be connected to 2
> VPCs at the same time.
>
> I think adding support to OpenVPN is a good idea, the more options
> available the better Cloudstack will be.
>
> I don't know if 4.15 still uses L2TP from strongswan but we've moved away
> from it a while ago because it was not reliable, connection kept
> dropping, support only one windows client at a time, issue configuring
> clients, no helpful connection logs..
>
> An interesting improvement is made to remote access VPN, would be to
> optionally use dns resolution of the VR from VPN clients so a user
> connected to the VPN could use hostname to access VMs. I think iptable
> currently blocks dns query from the vpn.
>
> Cheers,
>
> On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:
>
> > If thinking of only Site-to-Site VPN , then OpenVPN and WireGuard is  no
> > much different , or even current one is good.  Only one time setup at
> > router.  However if considering of Mobile Client, OpenVPN is more
> > complicated.
> >
> > The only concern now is multiple people in the same public IP need to
> > access the VPN.  And this consideration will be OpenVPN or Wireguard to
> > handle this requirement.   And for this purpose of multiple people in
> same
> > public ip need to access to VPN, then  we will have  think of usability
> and
> > easy installation of VPN client.
> >
> > We are using OpenVPN for more than 5 years, but always  there is new PC
> > need to configure VPN Client, windows , android, ios, it is painful ( we
> > are not using access server) .
> >
> > Currently we test on WireGuard, just forgot about performance or
> > whatsoever, just the conveniences of implementation,  that is very great
> > and easy for client installation ,  even mobile client on phone or
> tablet.
> >
> >
> >
> >
> > On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland 
> > wrote:
> >
> > > This is a potential religious debate, I think it makes the most sense
> to
> > > try and make the provi

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Pierre-Luc Dion
Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
strongswan/ikev2 ?

Because l2tp became complicated to configure on native vpn clients on some
OSes, kind of deprecated remote management VPN, compared to IKEv2.
I'm a bit concerned about OpenVPN for the clients, what if binaries become
subscription based availability or become proprietary ?

For sure we need the option to select what type of VPN solution to offer
when deploying a cloud.

From my perspective I cannot use/offer OpenVPN as a solution to my
customers because it involves forcing them to download third party software
on their workstations and I don't want to be responsible for
a security breach on their workstation because of a requirement for 3rd
party software that we don't control.



On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
wrote:

> Thanks all for the feedback so far, looks like the majority of people on
> the thread would prefer OpenVPN but for s2s they may continue to prefer
> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
> consensus then a general-purpose provider-framework may be more flexible to
> the end-user or admin (to select which VPN provider they want for their
> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
> maybe other providers in future).
>
> Btw, ikev2 is supported now with strongswan with this -
> https://github.com/apache/cloudstack/pull/4953
>
> My personal opinion: As user of most of these VPN providers, I personally
> like OpenVPN which I found to be easier to use both on desktop/laptop and
> on phone. With openvpn as the default I imagine in CloudStack I could
> enable VPN for a network and CloudStack gives me an option to download a
> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
> click connect to connect to the VPN. For certificate generation/storage,
> the CA framework could be used so the openvpn server certs are the same
> across network restarts (with cleanup). I think a process like this could
> be simpler than what we've right now, and the ovpn download+import workflow
> would be easier than what we'll get from either strongswan/current or
> wireguard. While I like the simplicity of wireguard, which is more like SSH
> setup I wouldn't mind doing setup on individual VMs (much like setting up
> ssh key) or use something like TailScale.
>
>
> Regards.
>
> 
> From: Gabriel Bräscher 
> Sent: Friday, June 11, 2021 19:28
> To: dev 
> Cc: users 
> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>
> I understand that OpenVPN is a great option and far adopted.
> I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
> best; creating an offering (or global settings) that would allow setting
> which VPN provider will be used would be awesome.
>
> I understand that OpenVPN is a great option and far adopted; however, I
> would be -1 if this would impact on removing support for Strongswan --
> which from what I understood is not the proposal, but saying anyway to be
> sure.
>
> Thanks for raising this proposal/discussion, Rohit.
>
> Cheers,
> Gabriel.
>
>
> On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion  >
> wrote:
>
> > Hello,
> >
> > Daan, I agree we should provide capability to select the vpn solution to
> > use, the question would be,  should it be a global setting generic for
> the
> > whole region or per VPC?
> > I think it should be a global setting to reduce the requirement
> complexity
> > of a region, but per VPC or customer(account or domain) would be ideal.
> >
> > Hean, the current implementation from PR:2850
> >  that use strongswan
> does
> > support multiple users behind the same public IPs, but I don't recall for
> > Windows generic clients.
> > With OpenVPN, can you be connected to multiple VPN tunnels at the same
> time
> > ? We had the challenge a few times where we needed to be connected to 2
> > VPCs at the same time.
> >
> > I think adding support to OpenVPN is a good idea, the more options
> > available the better Cloudstack will be.
> >
> > I don't know if 4.15 still uses L2TP from strongswan but we've moved away
> > from it a while ago because it was not reliable, connection kept
> > dropping, support only one windows client at a time, issue configuring
> > clients, no helpful connection logs..
> >
> > An interesting improvement is made to remote access VPN, would be to
> > optionally use dns resolution of the VR from VPN clients so a user
> > connected to the VPN could use hostname to access VMs. I think iptable
> > currently blocks dns query from the vpn.
> >
> > Cheers,
> >
>
>
>
> > On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:
> >
> > > If thinking of only Site-to-Site VPN , then OpenVPN and WireGuard is
> no
> > > much different , or even current one is good.  Only one time setup at
> > > router.  However if considering of Mobile Client, OpenVPN i

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Pierre-Luc Dion
btw, I like the idea of CloudStack offering OpenVPN as a solution !

On Fri, Jun 11, 2021 at 10:40 AM Pierre-Luc Dion 
wrote:

> Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
> strongswan/ikev2 ?
>
> Because l2tp became complicated to configure on native vpn clients on some
> OSes, kind of deprecated remote management VPN, compared to IKEv2.
> I'm a bit concerned about OpenVPN for the clients, what if binaries become
> subscription based availability or become proprietary ?
>
> For sure we need the option to select what type of VPN solution to offer
> when deploying a cloud.
>
> From my perspective I cannot use/offer OpenVPN as a solution to my
> customers because it involves forcing them to download third party software
> on their workstations and I don't want to be responsible for
> a security breach on their workstation because of a requirement for 3rd
> party software that we don't control.
>
>
>
> On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
> wrote:
>
>> Thanks all for the feedback so far, looks like the majority of people on
>> the thread would prefer OpenVPN but for s2s they may continue to prefer
>> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
>> consensus then a general-purpose provider-framework may be more flexible to
>> the end-user or admin (to select which VPN provider they want for their
>> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
>> maybe other providers in future).
>>
>> Btw, ikev2 is supported now with strongswan with this -
>> https://github.com/apache/cloudstack/pull/4953
>>
>> My personal opinion: As user of most of these VPN providers, I personally
>> like OpenVPN which I found to be easier to use both on desktop/laptop and
>> on phone. With openvpn as the default I imagine in CloudStack I could
>> enable VPN for a network and CloudStack gives me an option to download a
>> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
>> click connect to connect to the VPN. For certificate generation/storage,
>> the CA framework could be used so the openvpn server certs are the same
>> across network restarts (with cleanup). I think a process like this could
>> be simpler than what we've right now, and the ovpn download+import workflow
>> would be easier than what we'll get from either strongswan/current or
>> wireguard. While I like the simplicity of wireguard, which is more like SSH
>> setup I wouldn't mind doing setup on individual VMs (much like setting up
>> ssh key) or use something like TailScale.
>>
>>
>> Regards.
>>
>> 
>> From: Gabriel Bräscher 
>> Sent: Friday, June 11, 2021 19:28
>> To: dev 
>> Cc: users 
>> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>>
>> I understand that OpenVPN is a great option and far adopted.
>> I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
>> best; creating an offering (or global settings) that would allow setting
>> which VPN provider will be used would be awesome.
>>
>> I understand that OpenVPN is a great option and far adopted; however, I
>> would be -1 if this would impact on removing support for Strongswan --
>> which from what I understood is not the proposal, but saying anyway to be
>> sure.
>>
>> Thanks for raising this proposal/discussion, Rohit.
>>
>> Cheers,
>> Gabriel.
>>
>>
>> On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion <
>> pdion...@apache.org>
>> wrote:
>>
>> > Hello,
>> >
>> > Daan, I agree we should provide capability to select the vpn solution to
>> > use, the question would be,  should it be a global setting generic for
>> the
>> > whole region or per VPC?
>> > I think it should be a global setting to reduce the requirement
>> complexity
>> > of a region, but per VPC or customer(account or domain) would be ideal.
>> >
>> > Hean, the current implementation from PR:2850
>> >  that use strongswan
>> does
>> > support multiple users behind the same public IPs, but I don't recall
>> for
>> > Windows generic clients.
>> > With OpenVPN, can you be connected to multiple VPN tunnels at the same
>> time
>> > ? We had the challenge a few times where we needed to be connected to 2
>> > VPCs at the same time.
>> >
>> > I think adding support to OpenVPN is a good idea, the more options
>> > available the better Cloudstack will be.
>> >
>> > I don't know if 4.15 still uses L2TP from strongswan but we've moved
>> away
>> > from it a while ago because it was not reliable, connection kept
>> > dropping, support only one windows client at a time, issue configuring
>> > clients, no helpful connection logs..
>> >
>> > An interesting improvement is made to remote access VPN, would be to
>> > optionally use dns resolution of the VR from VPN clients so a user
>> > connected to the VPN could use hostname to access VMs. I think iptable
>> > currently blocks dns query from the vpn.
>> >
>> > Cheers,
>> >
>>
>>

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Andrija Panic
again my 2 cent(o)s:
- strongswan to stay for S-2-S (supporting IKE2 explicitly now etc) - as it
has been working great (with some recent, multiple-remote subnet issues
resolved, with human-layer-8 problems will continue to exist - i.e.
misconfiguration)
- strongswan (L2TP/IpSec) remote VPN is pain and while universally
supported natively in all OS-es today-  it supports only 1 client behind a
single public IP (a common issue when multiple users/humans sitting in the
same office want to connect to the same VPC via Remote VPC) - no way to
seed routes, either route everything through the tunnel (and have you
internet dropped) or add routes manually (pain)

For remote VPN - I prefer to use what is a:
- de-facto industry standard (whatever that is)
- has great/long-term support on all client devices (desktops and mobiles)

Take a look at all major firewall/VPN concentrator devices, and you will
see what they offer (OpenVPN most of the time)

I understand some might like fancy and brand-new-nothing-simpler--than this
VPN solutions - but we should try to keep things within industry standards
IMO and leave fancy and not-yet-long-term-tested solutions out of the
consideration.

OpenVPN, as Rohit explained, has support for exporting you with the
configuration file, which you import and use your username/password - and
this works on all mobile devices and up (desktop OS-es) - and from what I
can see (because have multiple VPNs using myself for various different
customers) - it's 99,99% OpenVPN which is used < this kind of information
should bring some "help" while deciding what to use

(btw, I'm not selling OpenVPN, nor preaching for it, nor have I ever "liked
it" for that matter, but it seems to be among the best-supported solutions
in every sense)

Cheers,

On Fri, 11 Jun 2021 at 17:04, Pierre-Luc Dion  wrote:

> btw, I like the idea of CloudStack offering OpenVPN as a solution !
>
> On Fri, Jun 11, 2021 at 10:40 AM Pierre-Luc Dion 
> wrote:
>
> > Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
> > strongswan/ikev2 ?
> >
> > Because l2tp became complicated to configure on native vpn clients on
> some
> > OSes, kind of deprecated remote management VPN, compared to IKEv2.
> > I'm a bit concerned about OpenVPN for the clients, what if binaries
> become
> > subscription based availability or become proprietary ?
> >
> > For sure we need the option to select what type of VPN solution to offer
> > when deploying a cloud.
> >
> > From my perspective I cannot use/offer OpenVPN as a solution to my
> > customers because it involves forcing them to download third party
> software
> > on their workstations and I don't want to be responsible for
> > a security breach on their workstation because of a requirement for 3rd
> > party software that we don't control.
> >
> >
> >
> > On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
> > wrote:
> >
> >> Thanks all for the feedback so far, looks like the majority of people on
> >> the thread would prefer OpenVPN but for s2s they may continue to prefer
> >> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
> >> consensus then a general-purpose provider-framework may be more
> flexible to
> >> the end-user or admin (to select which VPN provider they want for their
> >> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard,
> and
> >> maybe other providers in future).
> >>
> >> Btw, ikev2 is supported now with strongswan with this -
> >> https://github.com/apache/cloudstack/pull/4953
> >>
> >> My personal opinion: As user of most of these VPN providers, I
> personally
> >> like OpenVPN which I found to be easier to use both on desktop/laptop
> and
> >> on phone. With openvpn as the default I imagine in CloudStack I could
> >> enable VPN for a network and CloudStack gives me an option to download a
> >> .ovpn file which I can import in my openvpn client (desktop, phone,
> cli...)
> >> click connect to connect to the VPN. For certificate generation/storage,
> >> the CA framework could be used so the openvpn server certs are the same
> >> across network restarts (with cleanup). I think a process like this
> could
> >> be simpler than what we've right now, and the ovpn download+import
> workflow
> >> would be easier than what we'll get from either strongswan/current or
> >> wireguard. While I like the simplicity of wireguard, which is more like
> SSH
> >> setup I wouldn't mind doing setup on individual VMs (much like setting
> up
> >> ssh key) or use something like TailScale.
> >>
> >>
> >> Regards.
> >>
> >> 
> >> From: Gabriel Bräscher 
> >> Sent: Friday, June 11, 2021 19:28
> >> To: dev 
> >> Cc: users 
> >> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN
> provider
> >>
> >> I understand that OpenVPN is a great option and far adopted.
> >> I am  ++1 in allowing Users/Admins to choose which VPN provider suits
> them
> >> best; creating an offering (or global settings) that would allow se

Re: Meet the CloudStack Community: Who is NEXT?

2021-06-11 Thread Andrija Panic
(me having a sense of humor Slavka? really, come on... I'll pay 10 beers
just to avoid Ivet... I mean the interview!)

On Fri, 11 Jun 2021 at 16:04, Ivet Petrova 
wrote:

> Thank you Slavka. Great suggestions! Let’s discuss with them.
>
> I am open for other suggestions from community members :)
>
> Kind regards,
>
>
>
>
> On 11 Jun 2021, at 16:11, Slavka Peleva wrote:
>
> Hi Ivet, all,
>
> The video with Gabriel was great! I hope these people don't get mad at
> me for involving them in this, but I'll be happy to hear something
> from Rohit, Daan or Andrija (mixed with his sense of humor) :)
>
> Best regards,
>
> Slavka
>
>
> On Fri, Jun 11, 2021 at 11:30 AM Ivet Petrova
> wrote:
>
> Hello all, and Happy Friday!
>
> I hope you are ready for the upcoming weekend. You have seen a few videos
> on the ACS channel which are under the Meet the Community Series.
> To make these videos more interesting for the community, I wanted to ask
> all of you: Who will you nominate for the next videos on the channel?
> If you think that you know a community member, who is inspiring and will
> share a great story, please nominate him for the video series!
>
> Look forward to hearing your opinion!
>
> Kind regards,
>
>
>
>
>
>
>

-- 

Andrija Panić


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Rohit Yadav
Hi PL,

You can check the ikev2 support in 4.15+ here: 
https://github.com/apache/cloudstack/pull/4953

I think a generic VPN framework-provider feature is probably what we need (i.e. 
to let user or admin decide what VPN provider they want, supporting 
strongswan/ipsec and openvpn) so I'm not trying to defend OpenVPN here but your 
comments on OpenVPN are incorrect. It is widely used (in many projects incl. 
pfSense) and both server/clients are opensource and not proprietary afaik (GPL 
or AGPL license, I'm not sure about platform-specific clients (the GUI ones) 
but I checked the CLI clients are opensource):
https://github.com/OpenVPN/openvpn
https://github.com/OpenVPN/openvpn3

One key requirement for whatever VPN provider we support is that it should be 
free and opensource and available on Debian (for use in the systemvmtemplate) 
and OpenVPN fits that requirement. The package is available on Debian: 
https://packages.debian.org/buster-backports/openvpn

Regards.


From: Pierre-Luc Dion 
Sent: Friday, June 11, 2021 20:10
To: us...@cloudstack.apache.org 
Cc: dev 
Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
strongswan/ikev2 ?

Because l2tp became complicated to configure on native vpn clients on some
OSes, kind of deprecated remote management VPN, compared to IKEv2.
I'm a bit concerned about OpenVPN for the clients, what if binaries become
subscription based availability or become proprietary ?

For sure we need the option to select what type of VPN solution to offer
when deploying a cloud.

From my perspective I cannot use/offer OpenVPN as a solution to my
customers because it involves forcing them to download third party software
on their workstations and I don't want to be responsible for
a security breach on their workstation because of a requirement for 3rd
party software that we don't control.



On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
wrote:

> Thanks all for the feedback so far, looks like the majority of people on
> the thread would prefer OpenVPN but for s2s they may continue to prefer
> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
> consensus then a general-purpose provider-framework may be more flexible to
> the end-user or admin (to select which VPN provider they want for their
> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
> maybe other providers in future).
>
> Btw, ikev2 is supported now with strongswan with this -
> https://github.com/apache/cloudstack/pull/4953
>
> My personal opinion: As user of most of these VPN providers, I personally
> like OpenVPN which I found to be easier to use both on desktop/laptop and
> on phone. With openvpn as the default I imagine in CloudStack I could
> enable VPN for a network and CloudStack gives me an option to download a
> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
> click connect to connect to the VPN. For certificate generation/storage,
> the CA framework could be used so the openvpn server certs are the same
> across network restarts (with cleanup). I think a process like this could
> be simpler than what we've right now, and the ovpn download+import workflow
> would be easier than what we'll get from either strongswan/current or
> wireguard. While I like the simplicity of wireguard, which is more like SSH
> setup I wouldn't mind doing setup on individual VMs (much like setting up
> ssh key) or use something like TailScale.
>
>
> Regards.
>
> 
> From: Gabriel Bräscher 
> Sent: Friday, June 11, 2021 19:28
> To: dev 
> Cc: users 
> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>
> I understand that OpenVPN is a great option and far adopted.
> I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
> best; creating an offering (or global settings) that would allow setting
> which VPN provider will be used would be awesome.
>
> I understand that OpenVPN is a great option and far adopted; however, I
> would be -1 if this would impact on removing support for Strongswan --
> which from what I understood is not the proposal, but saying anyway to be
> sure.
>
> Thanks for raising this proposal/discussion, Rohit.
>
> Cheers,
> Gabriel.
>
>
> On Fri, 11 Jun 2021 at 08:46, Pierre-Luc Dion
> wrote:
>
> > Hello,
> >
> > Daan, I agree we should provide capability to select the vpn solution to
> > use, the question would be,  should it be a global setting generic for
> the
> > whole region or per VPC?
> > I think it should be a global setting to reduce the requirement
> complexity
> > of a region, but per VPC or customer(account or domain) would be ideal.
> >
> > Hean, the current implementation from PR:2850
> >  that use strongswan
> does
> > support multiple users behind the same public IPs, but I d

Re: Meet the CloudStack Community: Who is NEXT?

2021-06-11 Thread Rohit Yadav
Thanks for nominating Slavka 😅

(Note to myself: complete the Humour for Dummies book before Ivet reaches out 
to me)

Regards.


From: Andrija Panic 
Sent: Friday, June 11, 2021 21:59
To: users 
Cc: dev@cloudstack.apache.org 
Subject: Re: Meet the CloudStack Community: Who is NEXT?

(me having a sense of humor Slavka? really, come on... I'll pay 10 beers
just to avoid Ivet... I mean the interview!)

On Fri, 11 Jun 2021 at 16:04, Ivet Petrova 
wrote:

> Thank you Slavka. Great suggestions! Let’s discuss with them.
>
> I am open for other suggestions from community members :)
>
> Kind regards,
>
>
>
>
> On 11 Jun 2021, at 16:11, Slavka Peleva wrote:
>
> Hi Ivet, all,
>
> The video with Gabriel was great! I hope these people don't get mad at
> me for involving them in this, but I'll be happy to hear something
> from Rohit, Daan or Andrija (mixed with his sense of humor) :)
>
> Best regards,
>
> Slavka
>
>
> On Fri, Jun 11, 2021 at 11:30 AM Ivet Petrova
> wrote:
>
> Hello all, and Happy Friday!
>
> I hope you are ready for the upcoming weekend. You have seen a few videos
> on the ACS channel which are under the Meet the Community Series.
> To make these videos more interesting for the community, I wanted to ask
> all of you: Who will you nominate for the next videos on the channel?
> If you think that you know a community member, who is inspiring and will
> share a great story, please nominate him for the video series!
>
> Look forward to hearing your opinion!
>
> Kind regards,
>
>
>
>
>
>
>

--

Andrija Panić

 



Re: Meet the CloudStack Community: Who is NEXT?

2021-06-11 Thread Slavka Peleva
Great to hear that, Rohit, even if you don't complete the book ;) And
Andrija will survive the interview 😇

I can't wait to watch the interviews with you :)

Kind regards,
Slavka