Feature: Ocserv - cockpit-project/cockpit GitHub Wiki

Goal

Obtain information about the users logged in to the OpenConnect VPN server.

User stories:

  • An IT administrator manages a Fedora server system with the OpenConnect VPN server running as the entry point for the company network. He needs to be able to see the logged-in users at any point in time and, when needed, to read their VPN settings to assist with any networking issue they have.

Design

[http://people.redhat.com/nmavrogi/screenshot.png](http://people.redhat.com/nmavrogi/screenshot.png)

Implementation

  • Need to be able to list server status (done)
  • Need to be able to list users (done)
  • Need to be able to obtain detailed per user information
  • Need to be able to disconnect a user
  • Need to be able to BAN a specific IP address
  • Real-time update for user login/logout (e.g., via D-Bus signal)
    • Currently ocserv doesn't provide a subsystem for that; making an IPC D-Bus front-end may help.

Feedback

  • How will an admin initially set up ocserv?
    • The configuration file (/etc/ocserv/ocserv.conf) needs to be edited, and after that the service is enabled with systemctl enable.
  • What are the various actions that the admin should be able to perform on the list of users?
    • Kill the connection, BAN the IP address (blocking a specific user depends on the backend used, e.g., PAM, so it cannot be part of the web interface unless we integrate with a single backend only)
  • Should we provide a link to documentation on how to configure various clients to connect to this VPN server? Perhaps a simple summary of connection settings could be inline in Cockpit?
    • For the majority of use cases, ocserv would work if the authentication method and a network for the VPN are specified. There is a rolekit attempt, but it will be limited to sssd integration. The official documentation is here