Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PiVPN Added #357

Merged
merged 3 commits into from
Mar 12, 2023
Merged

PiVPN Added #357

merged 3 commits into from
Mar 12, 2023

Conversation

OckhamOdyssey
Copy link
Contributor

Application name / category

PiVPN

Source URL

https://github.com/pivpn/pivpn

why it is awesome

Awesome and simply management tool for OpenVPN and Wireguard. It's design for the Raspberry Pi but can be used on any system.

Copy link
Contributor

@kokomo123 kokomo123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great to me

@nodiscc
Copy link
Collaborator

nodiscc commented Oct 9, 2022

curl | bash

Software that uses this installation method used to be rejected under the previous maintainer (https://github.com/awesome-foss/awesome-sysadmin/pulls?q=is%3Apr+pivpn+is%3Aclosed). This guideline was never written down but I don't want to change the way the list is maintained right now (it's currently on minimal maintenance mode awesome-selfhosted/awesome-selfhosted#2482, I'm just doing some cleanup).

I know I would personally never use this method (I understand it's just a matter of downloading the install script first, inspecting it, then running it, but then the documentation should mention it explicitly).

This is more of an open question, what guidelines should be added to keep the list high quality? From the past list of issues I remember these ideas:

  • the program must be mature enough (e.g. old enough to be in Debian Stable)
  • usable in a professional setup
  • have a decently sized community of users or contributors
  • no curl | bash
  • ...?

Feedback welcome.

@jadolg
Copy link

jadolg commented Oct 11, 2022

IMO the curl | bash thing is a bit arbitrary.
There are other installation methods listed right there and it's not like you can't read what you are installing if you actually want to.
I know you "should not" just curl | bash for security reasons, but most people (even being able to read what they are going to execute) are not going to analyze a thing.

This was referenced Oct 13, 2022
@kokomo123
Copy link
Contributor

kokomo123 commented Oct 14, 2022

I'd say pivpn is fit to be in this list, but as jadolg has described, people might not analyze it thoroughly and just curl bash whatever they want. So it's hard to know in this case.
EDIT: Here are my suggestions. The software must have alternate installation methods, and not just a curl bash script.

@xrat
Copy link

xrat commented Oct 14, 2022

I'd like to add a reminder to the discussion of list quality, namely the distinction of sysadmin vs. superuser vs. beginner. At least 1 of these is supposed to know the implications of curl | bash.

@nodiscc
Copy link
Collaborator

nodiscc commented Dec 11, 2022

distinction of sysadmin vs. superuser vs. beginner

In my opinion this list should stay a resource intended for professional sysadmins, or at least people striving to implement setups of professional quality.

you "should not" just curl | bash for security reasons, but most people are not going to analyze a thing.

Which is a huge no-go in professional environments (not analyzing what's being run). Hence software for which curl | bash is the only documented installation method should not be included, in my opinion.

Other opinions regarding criteria for inclusion are welcome (see comments above).

@nodiscc nodiscc mentioned this pull request Dec 11, 2022
11 tasks
@nodiscc
Copy link
Collaborator

nodiscc commented Dec 11, 2022

Related #429

@xrat
Copy link

xrat commented Dec 12, 2022

Hence software for which curl | bash is the only documented installation method should not be included, in my opinion.

I understand your point of view, and I do not disagree, however, as a professional sysadmin I am quite able to appreciate installation instructions based on a (furthermore likely well-tested) shell script. In fact, it so happened that I got notice of PiVPN thanks to this pull request. I reviewed its install.sh and went with it. I have to say, though, that its 3k lines is not a trivial perusal.

Concluding, while I personally don't mind curl | bash, I agree it should not be the only documented installation method.

@OckhamOdyssey
Copy link
Contributor Author

I don't understand why not accept the PR just because they document the curl | bash. PiVPN is secure by default and have pretty good scripts to manage the clients certifications, specially for large number of users. They have the git clone option.

but most people (even being able to read what they are going to execute) are not going to analyze a thing.

If we are going to follow that logic, thinking in the very beginners users, we should delete so many programs of the list because the documentation doesn't say "remember to check the code before executing".

@nodiscc
Copy link
Collaborator

nodiscc commented Jan 6, 2023

The criteria from OpenSSF Best Practices are good indicators of quality in FOSS projects. You can see a list of projects and their scores at https://bestpractices.coreinfrastructure.org/en/projects.

Note that the use of curl | bash is NOT explicitely forbidden by these guidelines. The closest thing I could find is

The project MUST use a delivery mechanism that counters MITM attacks. Using https or ssh+scp is acceptable.

So if we go by this, curl | bash would be acceptable as long as the URL is a HTTPS one. There is another guideline in the silver level criteria that states

The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public.

Of course curl | bash installation scripts imply the absence of cryptographic signatures, but a lot of projects using other installation methods do not provide signatures either, so if we started requiring this, a lot of software currently present in the list would not qualify.

In light of all this, and the other comments here, I don't think curl | bash as recommended installation method automatically makes the software "not awesome". /cc @n1trux

We should still find clear criteria for what is considered "awesome enough" or not. Feedback still welcome.

@nodiscc
Copy link
Collaborator

nodiscc commented Jan 29, 2023

The review in #449 yielded good results, I asked a few questions which resulted in constructive answers from @kosli:

Have you used it? For how long?
Is this in a personal or professional setup?
How many devices do you manage with it?
Biggest pros/cons compared to other solutions?
Any other comments about your use case, things you've found excellent, limitations you've encountered... ?

I am using it since a few weeks in a professional setup and I am very happy and looking into contributing myself as I want to make some features that I need.
Currently I have only 5 routers (PC engines apu boards) in the system, but have ~400 devices running in my own system that I will migrate over time into OpenWISP.a
I accidentally found OpenWISP when I was looking into a new OS for my routers (OpenWRT) and I am very impressed by the feature-rich, well-build platform that can easily be extended.

I think this is the kind of questions we could include in the pull request template.

@nodiscc
Copy link
Collaborator

nodiscc commented Feb 23, 2023

The review in #449 yielded good results, I asked a few questions which resulted in constructive answers

Good results as well in #457 and #453. I'll make a Pull Request to add these questions to the template (done: #459), and move this discussion to a dedicated issue (done #460).

In the mean time @OckhamOdyssey @xrat since you are users of PiVPN, can you please take some time to answer these questions as best you can?

  • Have you used it? For how long?
  • Is this in a personal or professional setup?
  • How many devices/users/services/... do you manage with it?
  • Biggest pros/cons compared to other solutions?
  • Any other comments about your use case, things you've found excellent, limitations you've encountered... ?

Thanks

@xrat
Copy link

xrat commented Feb 23, 2023

Thanks for tagging me, @nodiscc but I am afraid I can't add to the question of awesomeness due to lack of experience with PiVPN:

Have you used it? For how long?

I just installed v4.1.5 once (shortly after release end of Nov 2022), using the Wireguard option. It worked well, but it's a rather small setup with only 2 clients where I never had to tweak anything since then.

Is this in a personal or professional setup?

Professional.

How many devices/users/services/... do you manage with it?

1 server serving 2 clients.

Biggest pros/cons compared to other solutions?

Never tried others.

@OckhamOdyssey
Copy link
Contributor Author

OckhamOdyssey commented Feb 24, 2023

Have you used it? For how long?

Personal: February 2021. Professional: 10 months

Is this in a personal or professional setup?

Both, different environments.

How many devices/users/services/... do you manage with it?

Personal: 5 devices. Professional: we get a peak of almost 300 users once

Biggest pros/cons compared to other solutions?

Command use, effortless. Setup script with great customizable options. The way it manages certificates, gets the status of clients and store the ovpn files are better if you have different sysadmins managing the server. Everything is compared with the Angristan script and manual use, I didn't use any other option.

Any other comments about your use case, things you've found excellent, limitations you've encountered... ?

You also have a command to upgrade the script. Never get a problem. It also automates the creation of static IP addresses, which is great for cybersecurity audits.

@nodiscc nodiscc assigned nodiscc and unassigned xrat and OckhamOdyssey Feb 24, 2023
nodiscc added a commit that referenced this pull request Mar 1, 2023
…wesomeness of projects (#459)

* pull request template: additional questions to help evaluate actual awesomeness of projects

- ref. #357
- ref. #449
- ref. #453
- ref. #457
- ref. awesome-selfhosted/awesome-selfhosted#3217
- ref. #429
- ref. #377
Copy link
Collaborator

@nodiscc nodiscc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks everyone for your valuable input, a new issue has been opened to discuss possible improvements to "awesomeness"/inclusion criteria (#460)

I've added the missing source code link and license/language tags for PiVPN. I'll approve this and merge it in a while, in case someone wants to provide more information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants