Netgate Discussion Forum
OPENVPN Internals - Access to Config and Status info in command line

pfSense Packages
8 Posts 2 Posters 4.5k Views
    trueno
    last edited by Sep 14, 2019, 4:25 PM

    Does anyone know (A) where the openvpn config files reside on the pfSense firewall (via command-line/shell access) and (B) how to get status information on client connectivity from the command line (shell)?
    Thanks.

      trueno
      last edited by Sep 14, 2019, 4:33 PM

      OK. Since I found one answer I'll provide that the server config info is in /var/etc/openvpn/.

      Still trying to figure out if it is possible to get access to the servers from within the pfSense shell to be able to extract live state information regarding the clients. Back in the olden days, there was a particular port that OpenVPN would listen on for telnet and once a connection was established certain commands could be executed to extract the status info. I believe this was called the "management portal" or some such thing.

        trueno
        last edited by Sep 14, 2019, 4:46 PM

        More info:
        https://openvpn.net/community-resources/how-to/
        search down for:
        management localhost 7505

        I am curious if I can get access to this management interface through pfSense because I want to connect status and other information for external processing and data capture.

        I have found this line in the openvpn server config files but do not know how to use it yet but suspect it will help me achieve what I want to achieve:

        management /var/etc/openvpn/server1.sock unix

        It appears to be an internal socket through which I can communicate with the management process.

        Still looking...

          trueno
          Sep 14, 2019, 5:16 PM (last edited by trueno Sep 14, 2019, 5:18 PM)

          Seems trying to execute OpenVPN management commands to this socket results in permission denied, e.g.:

          [2.4.2-RELEASE][admin@xxx-central-noc.xxxxxxx.com]/root: /var/etc/openvpn/server1.sock help
          /var/etc/openvpn/server1.sock: Permission denied.
          [2.4.2-RELEASE][admin@xxx-central-noc.xxxxxxx.com]/root:

            trueno
            last edited by Sep 14, 2019, 5:23 PM

            Bingo:

            Just telnet to the socket:

            [2.4.2-RELEASE][admin@xxx-central-noc.xxxxxxx.com]/root: telnet /var/etc/openvpn/server1.sock
            Trying /var/etc/openvpn/server1.sock...
            Connected to /var/etc/openvpn/server1.sock.
            Escape character is '^]'.

            INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
            help
            Management Interface for OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
            Commands:
            auth-retry t : Auth failure retry mode (none,interact,nointeract).
            bytecount n : Show bytes in/out, update every n secs (0=off).
            echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
            exit|quit : Close management session.
            forget-passwords : Forget passwords entered so far.
            help : Print this message.
            hold [on|off|release] : Set/show hold flag to on/off state, or
            release current hold and start tunnel.
            kill cn : Kill the client instance(s) having common name cn.

              stephenw10 Netgate Administrator
              last edited by Sep 14, 2019, 5:31 PM

              What info do you need that isn't shown in the gui?

              You should upgrade from 2.4.2 when you can.

              Steve

                trueno
                last edited by Sep 14, 2019, 5:35 PM

                I need the info from the GUI but need it as text. I figured out how to get the info I want from the "status" keyword after connecting to the management socket. Specifically, I want route and client connection info. I have a routine I will use to pull this info automatically and post-process it later to create host tables and other structures for a lot of other systems in my network.

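The "pull the status text and post-process it" routine described in the post above, as an added example that is not part of the original thread or of pfSense: it connects to the management unix socket named in the thread (`/var/etc/openvpn/server1.sock`, an assumption for your server instance number), issues `status 2` (the comma-separated variant of the `status` command), reads until the `END` line, and parses the CLIENT_LIST and ROUTING_TABLE records into dictionaries keyed by the HEADER field names. The sample reply embedded below is constructed for offline testing and is not real output from the poster's firewall. Because this socket also accepts `kill` and other control commands, it is expected to be reachable only by root, which is why the earlier "Permission denied" is the correct default; run the script from a root shell or a root cron job rather than loosening the socket's permissions.

```python
from __future__ import annotations

import csv
import socket
from dataclasses import dataclass, field

# Socket path quoted in the thread; the instance number ("server1") is an assumption.
SOCKET_PATH = "/var/etc/openvpn/server1.sock"


@dataclass
class VpnStatus:
    time: str = ""
    clients: list[dict[str, str]] = field(default_factory=list)
    routes: list[dict[str, str]] = field(default_factory=list)


def parse_status2(text: str) -> VpnStatus:
    """Parse the reply to the management command 'status 2'.

    HEADER rows name the columns of the CLIENT_LIST / ROUTING_TABLE rows that
    follow them, so we zip each data row against the most recent header.
    """
    status = VpnStatus()
    headers: dict[str, list[str]] = {}
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind = row[0]
        if kind == "HEADER":
            headers[row[1]] = row[2:]
        elif kind in ("CLIENT_LIST", "ROUTING_TABLE"):
            cols = headers.get(kind)
            if cols is None:
                raise ValueError(f"{kind} row seen before its HEADER row")
            record = dict(zip(cols, row[1:]))
            (status.clients if kind == "CLIENT_LIST" else status.routes).append(record)
        elif kind == "TIME":
            status.time = row[1]
        elif kind == "END":
            break
    return status


def host_table(status: VpnStatus) -> dict[str, str]:
    """Map each connected common name to its assigned tunnel address."""
    return {c["Common Name"]: c["Virtual Address"] for c in status.clients}


def fetch_status(sock_path: str = SOCKET_PATH, timeout: float = 5.0) -> str:
    """Connect to the management socket, send 'status 2', return the raw reply text.

    Requires read/write access to the socket (root on pfSense).
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        # The interface greets with an INFO line first; consume it before sending.
        greeting = b""
        while b"\n" not in greeting:
            greeting += s.recv(4096)
        s.sendall(b"status 2\r\n")
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("management socket closed before END line")
            reply += chunk
            last_line = reply.rstrip(b"\r\n").split(b"\n")[-1].strip()
            if last_line == b"END":
                break
        s.sendall(b"quit\r\n")
    return reply.decode("utf-8", errors="replace")


# Constructed sample of a 'status 2' reply (not real data) for offline runs.
SAMPLE_STATUS2 = "\r\n".join([
    "TITLE,OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4]",
    "TIME,Sat Sep 14 17:30:00 2019,1568482200",
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,"
    "Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID",
    "CLIENT_LIST,laptop-alice,203.0.113.5:51234,10.8.0.6,,12345,67890,"
    "Sat Sep 14 17:00:00 2019,1568480400,UNDEF,0,0",
    "CLIENT_LIST,site-b,198.51.100.7:1194,10.8.0.10,,4096,8192,"
    "Sat Sep 14 16:45:00 2019,1568479500,UNDEF,1,1",
    "HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)",
    "ROUTING_TABLE,10.8.0.6,laptop-alice,203.0.113.5:51234,Sat Sep 14 17:29:00 2019,1568482140",
    "ROUTING_TABLE,10.8.0.10,site-b,198.51.100.7:1194,Sat Sep 14 17:28:00 2019,1568482080",
    "ROUTING_TABLE,192.168.20.0/24,site-b,198.51.100.7:1194,Sat Sep 14 17:28:00 2019,1568482080",
    "GLOBAL_STATS,Max bcast/mcast queue length,0",
    "END",
    "",
])


if __name__ == "__main__":
    # Replace SAMPLE_STATUS2 with fetch_status() on the firewall itself.
    parsed = parse_status2(SAMPLE_STATUS2)
    for cn, addr in host_table(parsed).items():
        print(f"{addr}\t{cn}")
    for r in parsed.routes:
        print(f"route {r['Virtual Address']} via {r['Common Name']}")
```

`status 2` is used rather than plain `status` because its HEADER rows make the parse self-describing across OpenVPN versions; iroute-pushed networks appear as extra ROUTING_TABLE rows for the same common name, which is what a host-table builder needs.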
                  stephenw10 Netgate Administrator
                  last edited by Sep 14, 2019, 5:36 PM

                  Fair enough. ☺

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.