Opened 3 years ago

Closed 2 years ago

#597 closed TODO (General task list) (wontfix)

Integrate NSSM into OpenVPN

Reported by: Samuli Seppänen Owned by: Samuli Seppänen
Priority: critical Milestone: alpha 2.4
Component: Packaging Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: windows openvpnserv nssm
Cc: gert@…

Description (last modified by Samuli Seppänen)

The OpenVPN service wrapper for Windows (openvpnserv.exe) is rapidly disintegrating as new Windows versions are released. On Windows 7 it works adequately, but on Windows 8.x and 10 it seems to be broken. There are currently several bug reports related to openvpnserv.exe (e.g. #110, #129, #591, #71).

Instead of improving and fixing openvpnserv.exe we've decided to replace it with a more robust service manager, NSSM. It is already possible to use NSSM with OpenVPN, but the manual configuration steps are too difficult for most "normal" users. Although NSSM has a configuration GUI, it is too generic and thus too complex for our simple use-case of "enabling and disabling OpenVPN connections", where almost all configuration parameters can be deduced and/or hardcoded.

This task consists of two parts:

  1. Write a simplified NSSM configuration GUI tailored for OpenVPN
  2. Integrate the configuration GUI with OpenVPN installers (in openvpn-gui project)

The configuration GUI has some constraints:

  1. Must not increase OpenVPN installer size significantly
    • Rules out most external frameworks/languages such as Python, Perl and Qt.
  2. Must be reasonably fast
    • Rules out PowerShell ShowUI, as importing the ShowUI module takes ages. Documentation on this framework is also very poor, and knowledge of WPF is assumed.
  3. Must have permissions to modify the system
    • Rules out local web applications that don't use ActiveX controls.
  4. All components must be redistributable
    • Rules out (commercial) frameworks which are not under an open source / public domain license.

In practice C# + WPF seems to be the only reasonable way forward. As most of the GUI is generated programmatically there's no need for a separate GUI definition (XAML) file.

The code for the NSSM configuration GUI for OpenVPN will be hosted here.

Change History (12)

comment:1 Changed 3 years ago by Samuli Seppänen

Earlier discussion and crude GUI layout plans are available.

comment:2 Changed 3 years ago by Gert Döring

Cc: gert@… added

comment:3 Changed 3 years ago by Samuli Seppänen

Description: modified (diff)

comment:4 Changed 3 years ago by Samuli Seppänen

Work on the NSSM configuration GUI for OpenVPN has started:

As the README.md states, the tool does not yet do anything useful. Note that this is the first C# project I've ever written, so all contributions are most welcome! Help would be particularly welcome on the GUI front (WPF or Winforms).

comment:5 Changed 3 years ago by strada

Thanks for working on this!

Maybe the usage of NSSM will also need a change to openvpn-gui. With the current openvpn service there is one service which starts one or multiple openvpn sessions, with NSSM there are multiple services, each one controlling one openvpn session. If openvpn-gui ignores the service and directly controls openvpn-instances, imho no change should be needed.

If openvpn-gui would then also allow to be run without admin-rights to control the tunnels, this would be great :-) The alternative openvpn-mi-gui handles this but complains that the openvpn service is not running if NSSM is used instead - but allows then to control the tunnel if the status window is being opened first...

comment:6 Changed 3 years ago by Samuli Seppänen

OpenVPN-GUI does not use the old service wrapper (ovpnserv.exe) for anything. However, I'm not sure what happens if a certain OpenVPN connection is already running and NSSM or OpenVPN-GUI tries to start it (again)... some additional checks may be needed to prevent problems in these cases.

comment:7 Changed 2 years ago by eas2lv

An easy way to use nssm as a drop-in replacement of the service

Currently the only thing the service wrapper does well is to scan the config directory and start openvpn on all configs. Though it fails miserably in keeping track of those processes and restarting them when needed, it does the initial scanning reliably.

So here is my suggestion: just replace the main loop through configs in openvpnserv.c to install nssm for each config found. If nssm is already installed, it would do nothing. That way when a new config is added, the user just restarts the service to get registered with nssm. The service does only this registration and nothing else. A reboot also causes any newly added configs to get registered.

The log file locations and other parameters will be hard coded exactly as in the present service. Thus this approach becomes a drop-in replacement for the service. Those who need the log files in a different place can use log and log-append in the config as we already do for the service. Or not use the service at all and set up nssm manually.

No GUI is needed as the idea is to recreate the original service's behaviour, but with the sanity of nssm.
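The registration pass suggested in comment 7, sketched in PowerShell as an added example; it is not part of the ticket, openvpnserv.c or any OpenVPN project code. The config and log directories, the `openvpn-` service-name prefix and `nssm.exe` being on PATH are assumptions, and the script only prints the nssm commands unless `-Apply` is given from an elevated prompt.

```powershell
# Added example (not openvpnserv.c or project code). Registers one NSSM
# service per config file; prints the commands unless -Apply is given.
param(
    [string]$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe',
    [string]$ConfigDir  = 'C:\Program Files\OpenVPN\config',   # assumed location
    [string]$LogDir     = 'C:\Program Files\OpenVPN\log',      # assumed location
    [string]$Nssm       = 'nssm.exe',                          # assumed on PATH
    [string]$Prefix     = 'openvpn-',                          # hypothetical naming
    [switch]$Apply
)

function Invoke-Nssm {
    param([string[]]$NssmArgs)
    if (-not $Apply) { Write-Host "$Nssm $($NssmArgs -join ' ')"; return }
    & $Nssm @NssmArgs
    if ($LASTEXITCODE -ne 0) { throw "nssm failed: $($NssmArgs -join ' ')" }
}

foreach ($cfg in Get-ChildItem -LiteralPath $ConfigDir -Filter '*.ovpn' -File) {
    # Only plain file names: they become part of a service name and of the
    # openvpn command line, so whitespace and metacharacters are refused.
    if ($cfg.Name -notmatch '^[A-Za-z0-9_.-]+\.ovpn$') {
        Write-Warning "skipping '$($cfg.Name)': unsupported characters in name"
        continue
    }
    $name = $Prefix + $cfg.BaseName

    # Idempotent: a config that already has a service is left untouched.
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "$name already registered"
        continue
    }

    $log = Join-Path $LogDir ($cfg.BaseName + '.log')
    Invoke-Nssm @('install', $name, $OpenVpnExe, '--config', $cfg.Name)
    # Relative --config resolves against AppDirectory, avoiding nested quoting.
    Invoke-Nssm @('set', $name, 'AppDirectory', $ConfigDir)
    Invoke-Nssm @('set', $name, 'AppStdout', $log)
    Invoke-Nssm @('set', $name, 'AppStderr', $log)
}
```

NSSM services run as LocalSystem unless another account is configured, so every file this pass picks up is started with that privilege; the config directory should be writable by administrators only.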

comment:8 in reply to:  5 Changed 2 years ago by selvanair

Replying to strada:

If openvpn-gui would then also allow to be run without admin-rights to control the tunnels, this would be great :-) The alternative openvpn-mi-gui handles this but complains that the openvpn service is not running if NSSM is used instead - but allows then to control the tunnel if the status window is being opened first...

An interim quick-fix for MI-GUI's annoying complaint about missing service is to run a dummy service with the name openvpnservice. This can be easily set up using nssm. What I do is to create a BAT file "forever.bat" in C:\Program Files\OpenVPN\bin with this content

@echo off
:loop
timeout /t 60 /nobreak > NUL 2>&1
goto loop

Then install it using nssm:

nssm install openvpnservice "C:\Program Files\OpenVPN\bin\forever.bat"

comment:9 Changed 2 years ago by Gert Döring

abandon this in favour of openvpnserv2?

comment:10 in reply to:  9 Changed 2 years ago by Samuli Seppänen

Replying to cron2:

abandon this in favour of openvpnserv2?

Yes, I'd say so. Using openvpnserv2 saves us, and especially me, a lot of trouble and development time. Plus openvpnserv2 is well-contained and has a small and neat codebase which mostly reuses existing Microsoft-provided C# service classes. This makes openvpnserv2 fairly maintenance-free.

One additional issue with the NSSM approach is that NSSM itself is a Windows (super)service. So trying to install OpenVPN-provided NSSM on top of a previous NSSM install might cause odd issues.

comment:11 Changed 2 years ago by selvanair

+1
Though please keep the wiki pages on nssm as that's quite good info for those who want to use it.

comment:12 Changed 2 years ago by Samuli Seppänen

Resolution: wontfix
Status: new → closed

Ok, it seems we have a plan then.
