Has anyone managed to build in main a working openvpn-openssl package since kernel 6.12.55?
In every build I have tried after kernel 6.12.55, the package is always in the manifest list but it doesn't exist in the build; there are no traces of it in the log, and it doesn't start or can't be found in any operational report anywhere in the working router (all routers).
But it is listed as installed in the software list!?
And the etc/openvpn dir is nowhere to be found, so there is nowhere to put the config file anymore?
For the main/master branch you need luci-proto-openvpn.
It has become a protocol which you configure on the interface.
It was a bumpy switch but it sort of works now.
I have no time to dig into the details of these changes right now. But as far as I can see right now, openvpn will now be its own freestanding interface instead of the old tun device integrated in an interface.
So that means the openvpn interface will from now on also be its own interface instead, in a defined firewall zone, and normal firewall zone rules apply for data between the different interfaces?
Unfortunately not.
It was requested that if you use the GUI, e.g. to set dev tun1, it would set the l3 device on the interface, but last time I checked that was still not working/implemented.
But if you use a config file then the interface does not read the config file for your device so you have to either add an extra interface with unmanaged protocol and set the device there and use that interface for the firewall (which then can also be used for PBR) or create a firewall zone and add the device you are using (e.g. tun1) to that firewall zone.
I will do a write up for setting it up when I have time
P.S. Can you adapt the title to show it is only in Main/Master branch?
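The two workarounds described in the reply above, sketched as UCI config. This is an added example, not part of the original posts; the names `ovpn`, `vpn` and `lan` and the zone policies are assumptions, and `tun1` is the device name used in the thread.

```uci
# Option A, /etc/config/network:
# an extra unmanaged interface bound to the tunnel device.
# 'ovpn' is an assumed interface name; proto 'none' is "Unmanaged" in LuCI.
# The device must match the dev line in the OpenVPN config file.
config interface 'ovpn'
	option proto 'none'
	option device 'tun1'

# Option A, /etc/config/firewall:
# the zone refers to the interface, so the same interface can also be
# used for policy-based routing.
# The policies are a constructed restrictive starting point, not taken
# from the thread.
config zone
	option name 'vpn'
	list network 'ovpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Option B, /etc/config/firewall (use instead of option A):
# no extra interface, the zone matches the tunnel device directly.
config zone
	option name 'vpn'
	list device 'tun1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Either option: traffic between the tunnel and other zones is only
# passed where a forwarding (or rule) allows it.
# 'lan' is an assumed zone name; add this only if tunnel peers
# should reach the LAN.
config forwarding
	option src 'vpn'
	option dest 'lan'
```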
In my case it seems the best way to embrace this change is to abandon the old server config file I had and to implement the server setup mostly under the network part in the "setup script" I have made over the years.
But still, I need to understand what is actually needed to get this system up and running first before changing my setup script…
And this is what I’m thinking. I’ve got a script that transforms Gargoyle web UI input into .conf (and keys,certs etc). This could now be simplified as the UI can write directly to uci and it should “just work”?
But we do so much already with creating clients, revoking and blocking certificates, etc. that I don't know what benefit I would get from hacking up my script into pieces.
Not against the change just not sure it benefits someone with a well established script.
I just feel that the overall positive side effects in the long run probably work better for me if I make the effort now to implement it in my setup script.
In this story there is also the OpenVPN 2.7 upgrade that comes with some new things…
So it isn’t only the placement of the config file.