OPENVPN Internals - Access to Config and Status info in command line

  • Does anyone know (A) where the openvpn config files reside on the pfSense firewall (via command-line/shell access) and (B) how to get status information on client connectivity from the command line (shell)?

  • OK. Since I found one answer I'll provide that the server config info is in /var/etc/openvpn/.

    Still trying to figure out if it is possible to get access to the servers from within the pfSense shell to be able to extract live state information regarding the clients. Back in the olden days, there was a particular port that OpenVPN would listen on for telnet and once a connection was established certain commands could be executed to extract the status info. I believe this was called the "management portal" or some such thing.

  • More info:
    search down for:
    management localhost 7505

I am curious if I can get access to this management interface through pfSense because I want to collect status and other information for external processing and data capture.

    I have found this line in the openvpn server config files but do not know how to use it yet but suspect it will help me achieve what I want to achieve:

    management /var/etc/openvpn/server1.sock unix

    It appears to be an internal socket through which I can communicate with the management process.

    Still looking...

Seems trying to execute OpenVPN management commands to this socket results in permission denied, e.g.:

    [2.4.2-RELEASE][]/root: /var/etc/openvpn/server1.sock help
    /var/etc/openvpn/server1.sock: Permission denied.

  • Bingo:

    Just telnet to the socket:

    [2.4.2-RELEASE][]/root: telnet /var/etc/openvpn/server1.sock
    Trying /var/etc/openvpn/server1.sock...
    Connected to /var/etc/openvpn/server1.sock.
    Escape character is '^]'.

    INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    Management Interface for OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
    auth-retry t : Auth failure retry mode (none,interact,nointeract).
    bytecount n : Show bytes in/out, update every n secs (0=off).
    echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
    exit|quit : Close management session.
    forget-passwords : Forget passwords entered so far.
    help : Print this message.
    hold [on|off|release] : Set/show hold flag to on/off state, or
    release current hold and start tunnel.
    kill cn : Kill the client instance(s) having common name cn.

  • Netgate Administrator

    What info do you need that isn't shown in the gui?

    You should upgrade from 2.4.2 when you can.

  • I need the info from the GUI but need it as text. I figured out how to get the info I want from the "status" keyword after connecting to the management socket. Specifically, I want route and client connection info. I have a routine I will use to pull this info automatically and post-process it later to create host tables and other structures for a lot of other systems in my network.
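The workflow described in this thread (connect to the server's management Unix socket, send the `status` command, and post-process the client and route lists into tables) as a small script. This is an added example and not code from the thread or from pfSense; it assumes the socket path shown earlier in the thread (`/var/etc/openvpn/server1.sock`), that it runs as root on the firewall, and it uses `status 2`, the management interface's comma-separated variant of `status` whose `HEADER` rows name the columns. The sample reply embedded below is constructed so the parser can be exercised without a live server.

```python
"""Pull client and routing tables from an OpenVPN management Unix socket.

Added example (not part of the forum thread or of pfSense). Assumes the
management socket path from the thread and root access to it.
"""
import csv
import socket
from typing import Dict, List

# Socket path from the thread's config line: "management /var/etc/openvpn/server1.sock unix"
DEFAULT_SOCK = "/var/etc/openvpn/server1.sock"


def _recv_until(sock: socket.socket, marker: bytes) -> bytes:
    """Read from the socket until `marker` appears or the peer closes the connection."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def fetch_status(sock_path: str = DEFAULT_SOCK, timeout: float = 5.0) -> str:
    """Attach as a management client, run 'status 2', and return the raw reply text.

    The socket is root-owned (hence the 'Permission denied' seen in the thread when
    run without the right privileges). OpenVPN admits only one management client at
    a time, and the pfSense status page uses this same socket, so keep the session
    short and always send 'quit'.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        _recv_until(s, b"\n")                 # swallow the "INFO:OpenVPN Management Interface" banner
        s.sendall(b"status 2\n")              # version-2 format: CSV rows with HEADER lines
        raw = _recv_until(s, b"\nEND\r\n")    # the status dump is terminated by an END line
        s.sendall(b"quit\n")
    return raw.decode("utf-8", errors="replace")


def parse_status2(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse 'status 2' output into {'CLIENT_LIST': [...], 'ROUTING_TABLE': [...]}.

    Each HEADER line lists the column names for the rows of the same type that
    follow it; TITLE, TIME, GLOBAL_STATS and END rows are skipped.
    """
    headers: Dict[str, List[str]] = {}
    tables: Dict[str, List[Dict[str, str]]] = {"CLIENT_LIST": [], "ROUTING_TABLE": []}
    for fields in csv.reader(text.splitlines()):
        if not fields:
            continue
        kind = fields[0]
        if kind == "HEADER" and len(fields) > 2:
            headers[fields[1]] = fields[2:]
        elif kind in tables and kind in headers:
            cols = headers[kind]
            tables[kind].append(dict(zip(cols, fields[1:1 + len(cols)])))
    return tables


def host_table(tables: Dict[str, List[Dict[str, str]]]) -> Dict[str, str]:
    """Map every routed virtual address (tunnel IP or pushed subnet) to its client common name."""
    return {r["Virtual Address"]: r["Common Name"] for r in tables["ROUTING_TABLE"]}


# Constructed sample of a 'status 2' reply (not captured from a real server).
SAMPLE_STATUS2 = """\
TITLE,OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
TIME,Thu Jan  4 10:00:00 2018,1515060000
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,laptop-alice,203.0.113.10:51820,10.8.0.6,,18432,90112,Thu Jan  4 09:12:41 2018,1515057161,UNDEF,0,1
CLIENT_LIST,site-branch,198.51.100.7:1194,10.8.0.10,,734003,5242880,Thu Jan  4 08:01:05 2018,1515052865,UNDEF,1,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,laptop-alice,203.0.113.10:51820,Thu Jan  4 09:58:30 2018,1515059910
ROUTING_TABLE,10.8.0.10,site-branch,198.51.100.7:1194,Thu Jan  4 09:59:55 2018,1515059995
ROUTING_TABLE,192.168.50.0/24,site-branch,198.51.100.7:1194,Thu Jan  4 09:59:55 2018,1515059995
GLOBAL_STATS,Max bcast/mcast queue length,1
END
"""

if __name__ == "__main__":
    # Parse the constructed sample; swap in parse_status2(fetch_status()) on the firewall.
    parsed = parse_status2(SAMPLE_STATUS2)
    for client in parsed["CLIENT_LIST"]:
        print(f'{client["Common Name"]:<14} {client["Real Address"]:<20} '
              f'{client["Virtual Address"]:<12} rx={client["Bytes Received"]} tx={client["Bytes Sent"]}')
    for addr, cn in host_table(parsed).items():
        print(f"{addr:<16} {cn}")
```

Parsing by the `HEADER` rows rather than by fixed column positions keeps the script working when a newer OpenVPN adds columns. The routing table is the right source for a host table because it also lists subnets pushed from a site-to-site client (one row per route, not per client).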

  • Netgate Administrator

    Fair enough. ☺
