~fkooman/vpn-documentation

vpn-documentation/ROADMAP.md -rw-r--r-- 3.3 KiB
18165c28François Kooman update repo descriptions/URLs 3 days ago

#What to expect in eduVPN / Let's Connect! 3.x?

We expect to release eduVPN / Let's Connect! 3.x in Q4 of 2021. This will also depend on the eduVPN / Let's Connect! client application that will need to implement the new API.

If you'd like to have something added, removed, changed: please contact us on eduvpn-support@lists.geant.org and make your case!

#High Level Changes

  • WireGuard Support
  • HA/Redundancy for the portal;
  • MySQL/MariaDB/PostgreSQL database support for data storage
  • Removal of all internal 2FA, 2FA only supported when using external authentication sources, e.g. in IdP
  • Guest Usage is gone for now (see below)
  • Much simpler configuration, especially for "multi node" setups
  • Allow limits on number of active OAuth clients and VPN configuration downloads per user

#Ops Changes

  • Runs on Debian >= 11, Fedora >= 34

#Implementation Changes

  • Require at least OpenVPN 2.5
  • OAuth 2.1 draft implementation for API
  • OpenVPN requires now TLS >= 1.3
  • OpenVPN supports now both AES-256-GCM and CHACHA-POLY1305 data cipher. If the server (node) supports hardware accelerated AES, AES is used, otherwise CHACHA-POLY1305.
  • EdDSA (Ed25519) X.509 certificates for OpenVPN
  • New API_V3 for use by eduVPN / Let's Connect! Applications
  • Merge of vpn-user-portal, vpn-server-api and vpn-lib-common in 1 component
  • Switch VPN Daemon to use HTTP(S) instead of TCP socket, implement WireGuard management
  • Support PostgreSQL, MySQL/MariaDB for portal data storage instead of only SQLite
  • New OAuth Token format (EdDSA JWT, perhaps switch to something else still?)

#Work in Progress

  • Implement memcached support for fkooman/secookie
  • VPN Usage stats need to be completely redone, currently only "VPN client use" is available because that was easy
  • Add public CA and public WireGuard key to the discovery files to have an additional trust channel between app and server in addition to Web TLS, or perhaps sign the API responses with a public key mentioned in the discovery files...
  • Keep aggregate logs longer than 30 days, i.e. usage statistics
  • Work on implementing hardware signing of discovery files
  • Keep the WireGuard private key only on the node(s), not on the portal...

#Under Consideration

  • Reimplement 2FA, but only for local user accounts
  • Implement Admin API. e.g. for bulk-configuration downloads for managed clients
  • We removed "conditional 2FA" with the PhpSamlSpAuthentication module, it is 2FA for all, or for none
  • "Expire at night" based on the server's timezone (this is currently implemented, but could be removed if we move this to the client...)
  • Guest Usage has been completely removed for now, need to think how and whether to get this back in a clean way with pseudonyms, don't leak local user identity to guest servers! We MAY keep it out of 3.x and require servers to keep running 2.x until we come up with a better approach...
  • implement PSK per config/user for WireGuard (similar to tls-crypt-v2 with OpenVPN)