From 005e41902f61ed63b00b7be0a8a05067dbc21c8b Mon Sep 17 00:00:00 2001 From: Patrick Spek Date: Thu, 23 Feb 2023 14:17:09 +0100 Subject: Add blog post about the AWS VPN Client --- .../2023/2023-02-23-the-woes-of-awsvpnclient.md | 91 ++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 content/posts/2023/2023-02-23-the-woes-of-awsvpnclient.md (limited to 'content/posts/2023/2023-02-23-the-woes-of-awsvpnclient.md') diff --git a/content/posts/2023/2023-02-23-the-woes-of-awsvpnclient.md b/content/posts/2023/2023-02-23-the-woes-of-awsvpnclient.md new file mode 100644 index 0000000..5178db5 --- /dev/null +++ b/content/posts/2023/2023-02-23-the-woes-of-awsvpnclient.md 
@@ -0,0 +1,91 @@ +--- +date: 2023-02-23 +title: The Woes of AWSVPNClient +tags: +- Amazon +- AWS +- AWSVPNClient +--- + +For my current `$dayjob` I am required to start using the AWS VPN Client. This +is not a problem per se, however, this piece of software has given me some +particular headaches. In this post, I want to air some frustrations that it has +brought me in the past two days, trying to get this software working properly +on Debian. + +## GNU+Linux Support + +The AWS VPN Client has gotten an official client for GNU+Linux users. Not all +of them, sadly, they specifically support Ubuntu 18.04. I find it important to +note that this is 2 LTS versions behind the current Ubuntu version 22.04. Apart +from that, only Ubuntu is rather limited. Amazon isn't a small company, and +they should be able to support various distributions. + +In general I would recommend to support the upstream distribution, which in +this case would be Debian. This would ensure that it becomes available on +Ubuntu by virtue of it being Debian based. + +That said, only Ubuntu packages wouldn't be a huge problem if not for the next +issue I have with this software... + +## Proprietary Software + +The code for this application is private, and Amazon has no intention to change +this. There's nothing very special about the application, it's just a +proprietary wrapper around OpenVPN, so in my mind I find it hard to believe +that they're trying to "protect" anything sensitive. It feels like a simple +move to instill the idea that you're highly dependent on them. + +If they _were_ to make this software free (as in freedom), packaging could be +done by package maintainers, or really just anyone who feels like doing it. +This would remove a burden on Amazon, and ensure better availability for all +potential users. + +Additionally, it would make debugging issues much easier. Because... + +## Logging + +The logging the application does is pathetic. 
There's a lot of duplicated logs +that are spammed hundreds of times per second. Tailing your logs can also be +more annoying than it needs to be, since the client rotates which file it logs +to every 1048629 bytes. + +I currently have 30 log files, generated by two sessions. In these log files, +the line `[INF] Begin receive init again` appears 509114 times. Over _half a +million_ times. The total number of log lines in all these log files is 510394, +meaning only 1280 lines are something different. + +Of those 1280 lines, the logs themselves aren't much better. I apparently had +to install `systemd-resolved` in order to fix the following error: + +``` +2023-02-23 10:02:50.870 +01:00 [DBG] CM received: >LOG:1677142970,F,WARNING: Failed running command (--up/--down): external program exited with error status: 1 +>FATAL:WARNING: Failed running command (--up/--down): external program exited with error status: 1 + +2023-02-23 10:02:50.870 +01:00 [DBG] CM processsing: >LOG:1677142970,F,WARNING: Failed running command (--up/--down): external program exited with error status: 1 +2023-02-23 10:02:50.870 +01:00 [DBG] CM processsing: >FATAL:WARNING: Failed running command (--up/--down): external program exited with error status: 1 +2023-02-23 10:02:50.870 +01:00 [DBG] Fatal exception occured +2023-02-23 10:02:50.870 +01:00 [DBG] Stopping openvpn process +2023-02-23 10:02:50.870 +01:00 [DBG] Sending SIGTERM to gracefully shut down the OpenVPN process +2023-02-23 10:02:50.871 +01:00 [DBG] Invoke Error +2023-02-23 10:02:50.871 +01:00 [DBG] DeDupeProcessDiedSignals: OpenVPN process encountered a fatal error and died. Try connecting again. +``` + +It is not particularly clear this fails due to not having `systemd-resolved` +installed and running. The `.deb` provided by Amazon does not even depend on +`systemd-resolved`! + +Another gripe I've had with the logs is their location. It saves these in +`~/.config/AWSVPNClient/logs`. 
It may seem weird since this path contains a +directory named `.config`, and indeed, this is not a great place to store logs. +The [XDG Base Directory +Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html) +specifies `$XDG_STATE_HOME`, with one explicit example for it being logs. +However, for this to make sense, the application needs to respect the `XDG_*` +values to begin with, which it currently doesn't. + +## All in all + +This software is pretty bad, but if it were free software, at least the users +could improve it to suck less, and easily introduce support for various +additional platforms. Instead, we're just stuck with a piece of bad software. -- cgit v1.1
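Review bot: In the Logging section, the paragraph after the log excerpt says the `Failed running command (--up/--down)` error is caused by `systemd-resolved` not being installed and running, but the post never says how that cause was found or what exactly fixed it. A reader who hits the same error gets nothing from the excerpt itself, which is the point the post is making, so the write-up should carry what the log does not: add a sentence on how the link to `systemd-resolved` was established, and state whether installing the package was enough or the service also had to be started. Two wording points in the same hunk: "The AWS VPN Client has gotten an official client for GNU+Linux users" is circular and would read better as the client having gained official GNU+Linux support, and "Of those 1280 lines, the logs themselves aren't much better" mixes up lines and logs; something like "The remaining 1280 lines aren't much better" says what is meant.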