Does pfSense use OpenVPN Management Interface?
-
Hello! I am trying to find the reason why it is not possible to override the management interface configuration for OpenVPN in pfSense.
Also, I would like to know how I can check the runtime configuration of OpenVPN on pfSense.
-
pfSense uses the "FreeBSD" OpenVPN from here: https://openvpn.net/community-downloads/ so it's a very close to vanilla OpenVPN setup.
What pfSense changes is that you don't have to create a config file from scratch; the GUI will take care of that. Better yet: if you check that openvpn config file (it's here: /var/etc/openvpn/server1/config.ovpn) you see that, among the entries that you entered in the GUI, there are other settings that pfSense (the GUI) adds "behind the screens". Among them is the access to the management interface.
As you already found out in the post you linked, a management socket already exists.
Because ..... that is the way the Dashboard Server VPN widget 'scans' the OpenVPN server so it can update the dashboard info about the current connections.
So, the answer to :
Does pfSense use OpenVPN Management Interface?
is : yes.
Using the socket that is already there, you could also use this access to get information from the running OpenVPN process.
A while back, there were many forum posts in the pfSense OpenVPN section about how to get more info about clients connecting.
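An added example (not from this post and not pfSense's own code) of using that existing management socket to read runtime client state: it connects to the UNIX socket (the path /var/etc/openvpn/server1/sock is an assumption; check config.ovpn for the real `management` line), sends the management `status 2` command, and parses the CLIENT_LIST rows. A constructed sample reply is embedded so the parser can be run offline.

```python
import socket

# Assumed socket path: pfSense writes a UNIX management socket next to the
# generated config (/var/etc/openvpn/server1/); confirm it in config.ovpn.
MGMT_SOCKET = "/var/etc/openvpn/server1/sock"

# Constructed sample reply to 'status 2' (addresses from the RFC 5737 test range).
SAMPLE_STATUS = "\r\n".join([
    "TITLE,OpenVPN 2.x (constructed sample)",
    "TIME,2024-01-01 10:05:00,1704103500",
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,"
    "Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,"
    "Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher",
    "CLIENT_LIST,laptop,203.0.113.5:51820,10.8.0.2,,12345,67890,"
    "2024-01-01 10:00:00,1704103200,UNDEF,0,0,AES-256-GCM",
    "GLOBAL_STATS,Max bcast/mcast queue length,0",
    "END",
]) + "\r\n"

def parse_status(text):
    """Turn the CLIENT_LIST rows of a 'status 2' reply into dicts keyed by the HEADER names."""
    header, clients = None, []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields[0] == "HEADER" and fields[1:2] == ["CLIENT_LIST"]:
            header = fields[2:]                     # column names for the rows that follow
        elif fields[0] == "CLIENT_LIST" and header:
            clients.append(dict(zip(header, fields[1:])))
        elif fields[0] == "END":                    # status output is terminated by END
            break
    return clients

def query_status(path=MGMT_SOCKET, timeout=5.0):
    """Ask the live OpenVPN process for 'status 2' over its management UNIX socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.recv(4096)                                # discard the ">INFO:..." greeting line
        s.sendall(b"status 2\n")
        buf = b""
        while b"\r\nEND\r\n" not in buf:            # read until the END line arrives
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"quit\n")
    return buf.decode(errors="replace")

if __name__ == "__main__":
    for c in parse_status(query_status()):
        print(c["Common Name"], c["Real Address"], c["Virtual Address"], c["Connected Since"])
```

Run it on the firewall as root (the socket is only readable locally); a pfSense instance with no connected clients returns an empty list.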
-
Hello @gertjan!
Thank you very much for clearing out my doubts.
This was troubling me for quite a while: why is there a restriction on changing the management interface? Even after adding the
management 127.0.0.1 7505
directive using Custom Options, the OpenVPN instance on pfSense always used a UNIX socket. (It opens a UNIX socket with the IP address as its name.)
"Because ..... that is the way the Dashboard Server VPN widget 'scans' the OpenVPN server so it can update the dashboard info about the current connections."
This is the crucial information I was missing. I will check the documentation again to confirm if it is already mentioned there. If not, I will open an issue/pull request to add this.
But now, I want to take a dive into the implementation of the "scan client" feature and would like to investigate why usage of TCP ports has been ruled out completely.
It will be really helpful if you can provide links to related code or documentation which can give me a starting point.
Again, thanks a lot. :)