The session manager keeps track of all the currently running VPN tunnels. This is the primary front-end interface for managing VPN tunnels. This manager will also proxy metod calls and signals from the independent VPN backend client processes to listening user front-end processes.
node /net/openvpn/v3/sessions {
interface net.openvpn.v3.sessions {
methods:
NewTunnel(in o config_path,
out o session_path);
FetchAvailableSessions(out ao paths);
FetchManagedInterfaces(out as devices);
LookupConfigName(in s config_name,
out ao session_paths);
LookupInterface(in s device_name,
out o session_path);
TransferOwnership(in o path,
in u new_owner_uid);
signals:
Log(u group,
u level,
s message);
SessionManagerEvent(o path,
q type,
u owner);
properties:
};
};
This starts a new VPN backend client process for a specific VPN configuration profile. This does not start the connection, it just starts a privileged client process and awaits further instructions. When this method call returns with a session path, it means the backend process have started.
Direction | Name | Type | Description |
---|---|---|---|
In | config_path | object path | A string containing the D-Bus object path of the VPN profile |
Out | session_path | object path | A string containing a unique D-Bus object path to the created VPN session |
This method will return an array of object paths to session objects the caller is granted access to.
Direction | Name | Type | Description |
---|---|---|---|
Out | paths | object paths | An array of object paths to accessible session objects |
This method will return an array of strings containing the virtual network interfaces the session manager is handling. Only interfaces the calling user is granted access to manage will be returned.
Direction | Name | Type | Description |
---|---|---|---|
Out | devices | strings | An array of strings of interface names |
This method will return an array of paths to session objects the caller is granted access to, which where started with the configuration profile name provided to the method. The profile name in the session object will not change if it is changed in the configuration manager after the session has started.
Direction | Name | Type | Description |
---|---|---|---|
In | config_name | string | String containing the configuration profile name to lookup |
Out | config_paths | object paths | An array of object paths to accessible sessions objects |
This method will return the D-Bus path to session object related to the virtual network interface name being looked up. This method will also return paths to interfaces not managed by the user.
Direction | Name | Type | Description |
---|---|---|---|
In | device_name | string | String containing the interface name to lookup |
Out | session_path | object path | An object path to the session managed by the session manager |
This method transfers the ownership of a session to the given UID value. This
feature is by design restricted to the root account only and is only expected
to be used by openvpn3-autoload
and similar tools.
This method is also placed in the main session manager object and not the session object itself by design, to emphasize this being a special case feature. This also makes it easier to control this feature in the D-Bus policy in addition to the hard-coded restriction in the session manager code.
Direction | Name | Type | Description |
---|---|---|---|
In | path | object path | Session object path where to modify the owner property |
In | new_owner_uid | unsigned int | UID value of the new session owner |
Whenever the session manager want to log something, it issues a Log signal which carries a log group, log verbosity level and a string with the log message itself. See the separate logging documentation for details on this signal.
This signals is sent each time there is a change in regards to active VPN sessions on the system. This is a broadcast signal which is sent to all users on the system containing a bare minimum of details of the related VPN session object.
Name | Type | Description |
---|---|---|
path | object path | D-Bus object path to the session this signal relates to |
type | uint16 | SessionManager::EventType of the change type |
owner | uint32 | UID of the owner of the session object |
For details, see src/sessionmgr/sessionmgr-events.hpp
.
| Name | Value | Description | |-------------- -|-------|------------------------------------------------------------------------| | UNSET | 0 | Should not be used, identifies an uninitialised object or an error | | SESS_CREATED | 1 | A new VPN session was created. It might not yet be started. | | SESS_DESTROYED | 2 | An existing session object was destroyed, the session was disconnected |
node /net/openvpn/v3/sessions/${UNIQUE_ID} {
interface net.openvpn.v3.sessions {
methods:
Connect();
Pause(in s reason);
Resume();
Restart();
Disconnect();
Ready();
AccessGrant(in u uid);
AccessRevoke(in u uid);
UserInputQueueGetTypeGroup(out a(uu) type_group_list);
UserInputQueueFetch(in u type,
in u group,
in u id,
out u type,
out u group,
out u id,
out s name,
out s description,
out b hidden_input);
UserInputQueueCheck(in u type,
in u group,
out au indexes);
UserInputProvide(in u type,
in u group,
in u id,
in s value);
signals:
AttentionRequired(u type,
u group,
s message);
StatusChange(u code_major,
u code_minor,
s message);
Log(u group,
u level,
s message);
properties:
readonly u owner;
readonly t session_created;
readonly au acl;
readwrite b public_access;
readonly s status;
readonly a{sv} last_log;
readonly a{sx} statistics;
readwrite b dco;
readonly s device_path;
readonly s device_name;
readonly o config_path;
readonly s config_name;
readonly s session_name;
readonly u backend_pid;
readwrite b restrict_log_access;
readwrite b receive_log_events;
readwrite u log_verbosity;
};
};
This method is to check if the backend VPN client is ready to connect. If it is ready, it will return immediately. If it is not, it will return with a D-Bus error exception providing the reason it is not ready. Most commonly it needs some input from the user, such as user credentials or some challenge token not already provided in the configuration.
(No arguments)
This method starts the connection process. This requires that all
credentials needed before contacting the server have been provided. It
is always a good idea to first call the
net.openvpn.v3.sessions.Ready
method first to ensure the backend is
ready to connect.
(No arguments)
This method pauses an on-going VPN connection.
Direction | Name | Type | Description |
---|---|---|---|
In | reason | string | A string used for log purposes primarily, describing why the tunnel was paused |
Resumes a paused VPN connection
(No arguments)
Completely disconnects and reconnects an active VPN connection
(No arguments)
Disconnects a VPN connection. This will shutdown and stop the VPN backend process and the session object will be removed.
(No arguments)
By default, only the user ID (UID) who created the session have access to it. This method used to grant other users access to this session.
Direction | Name | Type | Description |
---|---|---|---|
In | uid | unsigned int | The UID to the user account which is granted access |
This revokes access to a session object for a specific user. Please note that the owner (the user which initiated this session) cannot have its access revoked.
Direction | Name | Type | Description |
---|---|---|---|
In | uid | unsigned int | The UID to the user account which gets the access revoked |
See the net.openvpn.v3.backends.UserInputQueueGetTypeGroup
in
net.openvpn.v3.backends
client documentation for
details. The session manager just proxies this method call to the
backend process.
See the net.openvpn.v3.backends.UserInputQueueCheck
in
net.openvpn.v3.backends
client documentation for
details. The session manager just proxies this method call to the
backend process.
See the net.openvpn.v3.backends.UserInputQueueFetch
in
net.openvpn.v3.backends
client documentation for
details. The session manager just proxies this method call to the
backend process.
See the net.openvpn.v3.backends.UserInputProvide
in
net.openvpn.v3.backends
client documentation for
details. The session manager just proxies this method call to the
backend process.
See the net.openvpn.v3.backends.AttentionRequired
entry in
net.openvpn.v3.backends
client documentation for
details. The session manager just proxies these signals from the
backend process to front-ends subscribing to this signal.
See the net.openvpn.v3.backends.StatusSignal
entry in
net.openvpn.v3.backends
client documentation for
details. The session manager just proxies these signals from the
backend process to front-ends subscribing to this signal.
Whenever a specific session want to log something, it issues a Log signal which carries a log group, log verbosity level and a string with the log message itself. The D-Bus path provided in the signal points at the issuing VPN session. See the separate logging documentation for details on this signal.
Name | Type | Read/Write | Description |
---|---|---|---|
owner | unsigned integer | Read-only | The UID value of the user which did the import |
session_created | uint64 | Read-only | Unix Epoc timestamp of when the session was created |
acl | array(integer) | Read-only | An array of UID values granted access |
public_access | boolean | Read/Write | If set to true, access control is disabled. Only owner may change this property, modify the ACL or delete the configuration |
status | (integer, integer, string) | Read-only | Contains the last processed StatusChange signal as a tuple of (StatusMajor, StatusMinor, StatusMessage) |
last_log | dictionary | Read-only | Contains the last Log signal proxied from the backend process |
statistics | dictionary | Read-only | Contains tunnel statistics |
dco | boolean | Read-Write | Kernel based Data Channel Offload flag. Must be modified before calling Connect() to override the current setting. |
device_path | object path | Read-only | D-Bus object path to the net.openvpn.v3.netcfg device object related to this session |
device_name | string | Read-only | Virtual network interface name used by this session |
config_path | object path | Read-only | D-Bus object path to the configuration profile used |
config_name | string | Read-only | Name of the configuration profile when the session was started |
session_name | string | Read-only | Name of the VPN session, named by the the OpenVPN 3 Core library on successful connect |
backend_pid | uint | Read-only | Process ID of the VPN backend client process |
restrict_log_access | boolean | Read-Write | If set to true, only the session owner can modify receive_log_events and log_verbosity, otherwise all granted users can access the log settings |
receive_log_events | boolean | Read-Write | If set to true, the session manager will proxy log events from the VPN backend process |
log_verbosity | uint | Read-Write | Defines the minimum log level Log signals should have to be sent |
This is essentially a saved StatusChange signal and contains the following references in its dictionary
Name | Type | Description |
---|---|---|
major | uint | StatusMajor reference |
minor | uint | StatusMinor reference |
status_message | string | An optional string containing a more descriptive message of the signal |
This is essentially a saved Log signal and contains the following references in its dictionary
Name | Type | Description |
---|---|---|
log_group | uint | LogGroup reference |
log_category | uint | LogCategory reference |
log_message | string | The log message |
See the properties section in net.openvpn.v3.backends
client documentation for
details. The session manager just proxies the contents of the
statistics
property from the backend process.