The Omada VPN server setup should be FAR more accessible
The Omada VPN server setup should be FAR more accessible
First of all I have no idea why with the controllers (OC200/300 etc) running at all times is not working as a possible DDNS connector that updates the local ip.
Secondly the vpn server and client setup should have an almost automatic configurator for a quick setup and for people that just want to run a split tunnel to their house!
fritzbox's cheap routers do BOTH points and its embarasing! The router is advertized as a VPN ROUTER!
The Omada SDN interface is so good and has so much information.
The DDNS interface should be interactive with the VPN Setup page.
You open the VPN page and setup a server and instead of the static ip (that most people dont have) you input on of the already setup DDNS profiles!
I mean optimaly you should have your own DDNS service that you profile with the Omada controllers.
Are there any real plans to make the VPN experience easier? (pkey generator for clients etc)
I get that many people want to customize their vpn server and client settings completely but most people just want to setup access to their home the simple way.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
+1
A simple fix would be to add hostname and/or ddns support to openvpn server and client policy.
as client, omada accepts only ip (while l2tp and pptp accept hostname, oddly inconsistent)
and as server, the .ovpn generated will include "remote <ip> <port>" by default with no way to change this, only edit manually afterwards.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @Xarishark
Thanks for posting your insights in our business forum.
To your first description, I don't think you understand what controller plays in this SDN. Why would a non-NAT device sync with the DDNS server? It's the router's job and config is saved to the router to update in intervals. If you don't mean this, please specify in another way. I find it hard to understand this sentence.
To your second description, do you have an idea about what brands support a one-click VPN setup for client-to-site? This might be helpful for me to write feedback. Please don't mention open-source firmware which is not informational. Frizbox is not one of our competitors and not very helpful in the feedback.
Most would work in this configuration way, the old and traditional way. If you say OVPN, yes, that is designed to export and import config from the beginning of it. I mean, L2TP and other types, it works that way.
Then this brings up the next question, what VPN do you want to optimize? (If you look at our home products, it's the same or similar. I personally use ASUS with Merlin and some other our products in my home. Merlin is pretty much the same, too, like Omada. Requiring the manual config most of the time. DDNS is separate from the VPN.)
To your DDNS suggestion, because you use a VPN, and you don't have a static IP address, and this is the reason why you come to use DDNS. This feature is always a standalone. DDNS is meant to fix the problem where you don't have a static IP address. It does not mean it is bound to the VPN. What if you want to use a service and a port, is this supposed to bind to the port forwarding as well? This does not make sense from the design or network model but only from your perspective of ease of use.
There might be a plan to optimize the WG where you can import settings which is greatly helpful to the flexibility.
And in your #3 post, I found nothing on OVPN to scan QR and import the config.. I think you might use something else. It's more like a different software and not the traditional way to use the VPN.
Let me be honest with you, most commercial or business use still keeps this manual config instead of automated import. We target the small and middle business users and this is good enough for them. I totally understand people want to keep up to date and always want the best and latest for their products, things, and other aspects. But I truly hope that you can understand that not all proposals will be accepted or considered valuable.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A
I have used ASUS as well before switching over to Omada, in their stock firmware exists a relationship between ddns and vpn,
the generated .ovpn uses the router's configured ddns, this is completely transparent.
With Omada there is no way to edit/choose this, except manually editing the file afterwards.
also in newer versions, you can enable letsencrypt via the ddns page, to get an external certificate automatically.
in Omada situation there is no need for an ssl certificate for the router itself, but the controller itself does not support letsencrypt, which could be very useful.
i can imagine that a lot of people just run it selfsigned because they can't be bothered to deal with this.
- Copy Link
- Report Inappropriate Content
Hi @NinjaMonkey
Thanks for replying to my post.
I am mentioning ASUS as evidence to illustrate that most routers would require a manual setup and export and import to clients or config on clients. I did not use DDNS and OVPN on ASUS. But configuration is manual and exported manually. I was answering his thoughts and insights.
Then do you know any other brands, not open-source firmware, not a home-targeted product that provides the same or similar feature? That's what I need to every feedback you guys proposed. The dev needs to know what our competitors do and the feedback would be more effective. Bringing up home products and open-source firmware would do a thing. I know there are many home users who require the most up-to-date features, but like said before, not every feature or proposal will be considered or pass the evaluation. Think of this from the point of cost, maintenance, possibility(hardware and performance), and necessity.
(BTW, would you accept pay-to-upgrade or annual subscription for firmware if there is better firmware support?)
I am on V5.12.7 Controller. Do you refer to the let's encryt in standalone?
I also hope you understand that sometimes dev would focus on the contract where partners or companies require a certain function. That would be a high priority task than other sources. Some firmware/feature was never released to the public as it is tailored to contract users. There may be a time lag before a feature faces the public if a feature is supported in contract firmware.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A and thank you for taking the time to answer to my post.
Lets focus on the WG experience in conjunction with a good DDNS update service for easy of use.
Let me clarify that I provide IT services to many small to medium size companies of 5~50 employees and literally most of them don't/wont pay for static IP (high cost here in Greece) because its like half the price of the already high ISP sub( I know they should but I cant force them and I have to work with what I have)
For starters as I understand it the controller is the part of the omada SDN experience that pings info back you your servers + manages all the SDN devices. What I meant in the previous post is that if only the controller manages the whole stack and talks back to the omada service then it should check the IP on the router and pass that back to you. Sorry for not being clear enough
So for the DDNS part my request is as follows.
Provide a new "Omada DDNS" service to your clients like Synology, fritz etc already does for free. For example.
That way I can:
1. Login to the omada interface
2. Navigate to the services in my site
3. Select DDNS
4. Instead of the other services just select the Omada DDNS and add just the hostname e.g. xarishark[dot]omada[dot]com
That way your client wont have to sign up for a separate service and make the whole process far better for your clients.
Also add some kind of feedback to the current DDNS page that shows that the DDNS is getting update and is in working order ( a green dot or whatever would be totaly fine)
What my WG VPN DDNS setup entailed before acquiring Omada:
My fritzbox router has a super easy one click config generator (downloads a zip with a QR image and wg*[dot]conf file) that uses its own intergrated DDNS service with the choice if you want to replace that with a static IP or a Hostname .I also have the choice for my synology to do the same thing OR my server to run a container with cloudflare/duckdns DDNS.
For the WG part
Include a easy wg rollout process. I dont mean remove the advanced options. What I would like is:
Open the VPN menu. Create new WG server. Input Server name, generate pKey( already automatic GOOOOOD). Instead of only accepting the WAN static address do the following:
1. Allow for hostname instead of IP (you already do that on SOME other vpn types)
2. Add a button on the right to open a small drop down and select one of the activated DDNS services eg NO-IP currently for me (Thats where your own DDNS service would come in and make the whole process SUPER fast and easy).
What we do now with Omada if we want WG VPN with a DDNS service:
1. Go to supported DDNS service create account create hostname
2. Go to omada DDNS page and login to that DDNS account and add the hostname
3. Go and create NON WG vpn server because hostnames are NOT ACCEPTED currently
4. Manually write the hostname that is already imported to the DDNS omada interface (not big deal but would be awesome to fix)
5. Manually roll out keys and info for each VPN user and manually write their ip space for when they login to the VPN
What the perfect process would go like:
1α. Go to the DDNS settings page in omada (already logged in so the credentials are already there)
1β. Create "Omada DDNS" hostname (controller gets ip from router and passes it to your own DDNS service)
2α. Go to the WG VPN settings page and create server
2β. If there is only one Hostname in the DDNS page then auto select that hostname and generate the pKey (User literally only has to select server Name). Otherwise offer a dropdown with a list of hostnames and an option for manual input OR add a button on the right that opens a list of imported hostnames (most people use one hostname at all times for DDNS anyway)
3α. Go to the WG Peers page and press Create New Peer
3β. Menu asks if you want to auto generate or manually generate the Conf file
3γ. Select auto generate open the same menu as the manual but everything other than Name and Comment is generated automatically.
3δ. On save give the option to download a zip with QR code and . conf file or show the qr code and conf file contents on the screen for copying instead of downloading.
This way you can still do all the advanced tuning you want and create whatever you want but also have the option to one click generate everything and have it still working perfectly!
I create new VPN peers for my clients almost daily and I would love to integrate them in the Omada SDN ( each client will be a separate site on my work Omada account)
That way when not only I can manage ALL MY CLIENTS from one Omada account but when I setup a new client I just have to setup the hardware and add the controller to my work account and setup everything else remotely (already able to do that)
And when they ask me to roll a new VPN peer for the laptop of their new employee ( I get asked to do that daily because of the number of clients I have) I just have to open their Omada site for that office and generate a new WG peer download/copy it and import it to the employees laptop or my deploy it with MS Intune during endpoint creation.
I can totally understand if its not viable economically to create your own free DDNS Service (Synology is a company that sells MOSTLY to companies and provides it tho so I believe that they ARE your competitor as they provide both routers Ap and cameras now and also NAS servers etc)
But the interface of DDNS - VPN server creating - Client config auto generation is a no brainer IMHO. WG server is already super simple.
The first step for the better would be to allow WG to accept a HOSTNAME on the address asap. Everything else I get that needs dev time and if it helps I can create a feature request on the forum to get voted on so you can scope the community response. Would that help you. If you have any questions I would be happy to hear them and answer!
- Copy Link
- Report Inappropriate Content
Hi @Xarishark
Thanks for posting in our business forum.
Xarishark wrote
Hi @Clive_A and thank you for taking the time to answer to my post.
Provide a new "Omada DDNS" service to your clients like Synology, fritz etc already does for free. For example.
That way I can:
1. Login to the omada interface
2. Navigate to the services in my site
3. Select DDNS
4. Instead of the other services just select the Omada DDNS and add just the hostname e.g. xarishark[dot]omada[dot]com
In general, some of the parts you said, we already noticed them. And I have reported it to the dev because it's clearly not full-feathered.
WG does not support export config which is very inconvenient.
WG does not support domain names. I personally noticed that WG would run into issues with DDNS and it seems to be not capable of resolving the domain after a new IP was bound to it. This seems to be a native problem with the WG and requires additional steps to fix this.
QR code is supported in the WG app so I think QR generator in Omada would be a reasonable suggestion, too. Hope this will come true soon. Will feedback this one.
About the DDNS, having some sync status is a wonderful idea. But supporting the free omada[dot].com may not be possible but I'll bring it up to the dev with the "sync" suggestion.
The automatic replacement of the server ip or domain is also a great one.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A thanks for the fast answer!
Everything you said sounds very positive and open to change and I like that a lot!
I hope the devs see our request and push for some change on those matters.
One clarification tho. You said wireguard has a problem with hostnames but I use wireguard with all those other products I mentionted ( Unraid, trunas, synology, fritzbox) and they all use my own personal cloudflare hostname. Do you mind clarifying in the documentation of wireguard where it says that hostnames are not supported?
Because I ONLY use hostnames with it and it works flawlessly.
- Copy Link
- Report Inappropriate Content
Hi @Xarishark
Thanks for posting in our business forum.
I mean you need to specify one line in the WG config to update the DDNS. The article I read before said that WG would only resolve the domain name once when it initiates the connection. If it disconnects, it would not reconnect automatically and require additional lines in the config to let it update or fresh in intervals.
https://git.zx2c4.com/wireguard-tools
https://git.zx2c4.com/wireguard-tools/tree/contrib/reresolve-dns
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 2
Views: 2683
Replies: 20