Hi,

On Fri, Feb 9, 2018 at 3:33 AM, Samuli Seppänen <sam...@openvpn.net> wrote:
> Il 09/02/2018 07:41, Илья Шипицин ha scritto:
>>
>>
>> 2018-02-08 20:40 GMT+05:00 Selva Nair <selva.n...@gmail.com
>> <mailto:selva.n...@gmail.com>>:
>>
>>     Hi,
>>
>>     On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen <sam...@openvpn.net
>>     <mailto:sam...@openvpn.net>> wrote:
>>     > Il 07/02/2018 21:58, David Sommerseth ha scritto:
>>     >> On 07/02/18 20:32, Илья Шипицин wrote:
>>     >>> After auth-token were introduced, when user press "Reconnect",
>>     it leads to
>>     >>> auth fail (saved password is forgotten), we run about 1000
>>     users, nobody
>>     >>> complains.
>>     >>
>>     >> This is actually expected, I'd say - but smells like a bug on the
>>     server side
>>     >> authentication.
>>     >>
>>     >> Selva may correct me if I'm wrong, but my understanding of it
>>     when clicking
>>     >> "Reconnect", the local OpenVPN process which caches the
>>     auth-token is stopped
>>     >> and a new OpenVPN process is started.  The client should in this
>>     case ask for
>>     >> username/password again.  So in this case, the server side should
>>     treat this
>>     >> connection as a fresh connection with no initial state.
>>     >>
>>     >> The step of stopping the local client and starting a new and
>>     fresh one is
>>     >> definitely not a bad feature to have on clients.
>>     >>
>>     >>> It looks like nobody uses that button.
>>     >>>
>>     >>> So, I asked several users, they confirmed they do not use Reconnect.
>>     >>
>>     >> This is no good argument for me.  This is one specific setup with
>>     1000 users.
>>     >> It would be more valuable with 50 different setups having 20
>>     users each.  Your
>>     >> conclusion is based on a very homogeneous environment.
>>     >
>>     > I agree. I also agree that the underlying problem should be fixed.
>>     >
>>     > That said, Ilya's message was sent to both openvpn-users and
>>     > openvpn-devel and nobody has screamed "do not remove the Reconnect
>>     > button" :). The only additional thing we can do is post a message
>>     to the
>>     > forums. As usual, the only sure way to get feedback (read: complaints)
>>     > is to release the changes in an official build/installer.
>>
>>     Only recently we added a reconnect item to the menu (earlier it was
>>     only available as a button in the status window) for ease of doing
>>     reconnects and based on user requests -- though I can't now find who
>>     asked for it.
>>
>>
>> it is interesting.
>>
>>
>>
>>     I wouldn't take lack of response on the user's list as an indication
>>     that no one uses it. In fact its very handy -- how else will you
>>     restart a connection after editing the config file? Disconnect and
>>     connect again? That would close the status window and lose all
>>
>>
>> yes. disconnect and connect again.
>>
>>
>>
>>     messages in it and also takes a number of mouse clicks because of the
>>     way tray popup menu behaves.
>>
>>     Anyway the purported reason to remove it is totally bogus. Its like
>>     auth-token cant cope with SIGHUP, so let's remove that signal.
>>
>>
>> no, that is wrong interpretaion.
>> I actually meant
>>
>> "it is broken" --> "users do not complain" --> "users do not care" -->
>> "other buttons will keep their places" --> "let us remove unused button"
>>
>>
>>
>>     Finally, I'm an user too and I use that button all the time, though
>>     mostly for testing. If that counts as a dissenting voice.
>>
>>
>>
>> yes, I also meant that. it is "designed by developers for themselves" :)
>> same as "edit config" menu item.
>> developers need edit config all the time and reconnect. but do users do
>> same things as well ?
>>
>>
>> as for "edit config", I'd like to keep it. it's removal will change menu
>> order, people will click at wrong items.
>>
>
> This discussion has actually been pretty interesting in the context of
> "how to get [some] VPN providers[1] to join OpenVPN-GUI development".
> We'd almost certainly need the capability to easily modify the GUI
> interface to suit their particular use-cases. Like removing buttons
> their users don't need. At the moment we don't have anybody willing to
> do such refactorings, nor any idea if any VPN provider would be
> interested anyways.

This has been a one-of-a-kind discussion so let's not generalize based
on that. Asking to remove a functionality requires stronger
justification than asking for fix or additional features. This
suggestion to remove the reconnect button was based on a wrong premise
--- that it deletes users saved password whereas the real culrpits are
(i) auth-token handling and (ii) the GUI wiping saved password on some
errors. On top of that when the reason given is something like it
misbehaves in some situations but none of our users have ever
complained which means they never use it, so it must go is bizarre.
Naturally, developers would be sceptic about such requests.

What I've learned from this is that (i) some operators with largish
user-base do use OTP (nice) (ii) we should fix auth-token and (iii) do
not forget saved password on authentication error. When I implemented
save-passwords I thought user-auth error user will anyway require
retyping the password, so it would be nice to clear it for them. But,
I should have known better. Let's change that so that GUI will never
clear password except on explicit user action.

Selva

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to