OpenVPN status parser.



  • Just wanting to point this out:

    http://www.devco.net/archives/2005/04/04/openvpn_status_parser_for_php.php

    It requires that we add the following directive to the server config file:

    management (management IP address) (management port number) (text file for management password)

    Example:
    management 172.16.30.1 5555 pass.txt

    Then you take the above link, it grabs the status, and then outputs something like this:

    http://www.devco.net/code/openvpnStatusParser/openvpnstatus-sample.html

    Might be kinda nice to integrate this.  Of course I have all of the free time in the world, but if anyone feels like beating me to it, grazie. ;)



  • So I emailed the developer about his license for the code and this is what he said:

    hey,

    It's not specifically stated, but I'm happy with BSD license, it would be nice
    if you credit my site somewhere though but not a requirement either…

    So perhaps I'll try taking a whack at getting this to work w/ pfSense…



  • Played with this a little bit this morning.

    The following tag would need to be recognized in the ovpn section of config.xml:

    <management>
      <ip>127.0.0.1</ip>
      <port>5555</port>
      <password>somepasswordhere</password>
    </management>

    There would need to be four new elements added to the OpenVPN server page.  The first is a checkbox that is simply a boolean "Enable Management Interface?", the other two greyed out if the checkbox is not checked (or completely invisible).  The second asking for the IP address for the management to listen on (with a STRONG warning not to use anything but 127.0.0.1 unless you're sure you know what you're doing), the third would be the port number to listen on (default 5555).  Finally, they need to set an OpenVPN management password.

    That is sufficient for enabling management.  At boot, those fields need to be parsed for each server, the password written to /var/etc/openvpn_server(x)_management.conf and added to the openvpn config file in this format:

    management ip /var/etc/openvpn_server(x)_management.conf

    That should do it.  That puts us in a position to do management.  The next step is to actually add a management page to the OpenVPN interface.

    I'm attaching a ztelnet pkg. (You'll need to remove .jpg from the filename, for some reason it won't allow me to attach a .tbz).  To install it, you just do pkg_add (pkgname).  I noticed that pfSense doesn't have telnet by default.  This gives it back.  Once the above is done, you can access the interface by telnetting to 127.0.0.1 5555.  It will prompt for the password, and you'll get something like this:

    # ztelnet 127.0.0.1 5555
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    ENTER PASSWORD:xxxxx
    SUCCESS: password is correct
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

    help will get you a list of commands:

    help
    Management Interface for OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr  6 2006
    Commands:
    auth-retry t           : Auth failure retry mode (none,interact,nointeract).
    echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
    exit|quit              : Close management session.
    help                   : Print this message.
    hold [on|off|release]  : Set/show hold flag to on/off state, or
                             release current hold and start tunnel.
    kill cn                : Kill the client instance(s) having common name cn.
    kill IP:port           : Kill the client instance connecting from IP:port.
    log [on|off] [N|all]   : Turn on/off realtime log display
                             + show last N lines or 'all' for entire history.
    mute [n]               : Set log mute level to n, or show level if n is absent.
    net                    : (Windows only) Show network info and routing table.
    password type p        : Enter password p for a queried OpenVPN password.
    signal s               : Send signal s to daemon,
                             s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
    state [on|off] [N|all] : Like log, but show state history.
    status [n]             : Show current daemon status info using format #n.
    test n                 : Produce n lines of output for testing/debugging.
    username type u        : Enter username u for a queried OpenVPN username.
    verb [n]               : Set log verbosity level to n, or show if n is absent.
    version                : Show current version number.
    END

    and of course status will give you all of the current OpenVPN goings on:

    status
    OpenVPN CLIENT LIST
    Updated,Thu Sep 14 11:44:32 2006
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    Tony_Shadwick,208.231.66.99:52385,233143,2916418,Thu Sep 14 11:24:02 2006
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    8a:56:1b:5c:28:53,Tony_Shadwick,208.231.66.99:52385,Thu Sep 14 11:44:32 2006
    GLOBAL STATS
    Max bcast/mcast queue length,1
    END

    Then you can kick someone off either by IP or by cn:

    kill Tony_Shadwick
    SUCCESS: common name 'Tony_Shadwick' found, 1 client(s) killed

    BTW, please don't kill Tony Shadwick.  He's a good guy! ;)

    ztelnet-1.0.p3_1.tbz.jpg
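    A parser for the management interface's `status` output shown above, added here as an example; it is not code from this thread, from the devco.net parser or from pfSense. It takes the status text as a string (the sample embedded below is constructed from the transcript above), stops at the END sentinel, and returns the client list, routing table and global stats as structured data that a status page could render.

    ```python
    # Parses the comma-separated "status" (format version 1) output of the
    # OpenVPN management interface into a dict. Example code, not pfSense's.

    # Constructed sample, copied from the session transcript above.
    SAMPLE_STATUS = """OpenVPN CLIENT LIST
    Updated,Thu Sep 14 11:44:32 2006
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    Tony_Shadwick,208.231.66.99:52385,233143,2916418,Thu Sep 14 11:24:02 2006
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    8a:56:1b:5c:28:53,Tony_Shadwick,208.231.66.99:52385,Thu Sep 14 11:44:32 2006
    GLOBAL STATS
    Max bcast/mcast queue length,1
    END
    """

    # Section titles as printed by the daemon, mapped to result keys.
    SECTION_HEADERS = {
        "OpenVPN CLIENT LIST": "clients",
        "ROUTING TABLE": "routes",
        "GLOBAL STATS": "stats",
    }


    def parse_status(text):
        """Return {'updated', 'clients': [dict], 'routes': [dict], 'stats': dict}.

        Rows in the client and routing sections are keyed by the column-header
        line that precedes them; byte counters become ints. Reading stops at END,
        so trailing prompt text from the session is ignored."""
        result = {"updated": None, "clients": [], "routes": [], "stats": {}}
        section, columns = None, None
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            if line == "END":
                break
            if line in SECTION_HEADERS:
                section, columns = SECTION_HEADERS[line], None
                continue
            fields = line.split(",")
            if section == "clients" and fields[0] == "Updated":
                result["updated"] = fields[1]
            elif section in ("clients", "routes"):
                if columns is None:  # first line after the title names the columns
                    columns = fields
                    continue
                row = dict(zip(columns, fields))
                for key in ("Bytes Received", "Bytes Sent"):
                    if key in row:
                        row[key] = int(row[key])
                result[section].append(row)
            elif section == "stats" and len(fields) == 2:
                result["stats"][fields[0]] = int(fields[1]) if fields[1].isdigit() else fields[1]
        return result


    def connected_clients(text):
        """Common names currently connected, i.e. what a status page would list."""
        return [c["Common Name"] for c in parse_status(text)["clients"]]
    ```

    Format 1 does not escape commas, so a common name containing a comma would shift the columns; pfSense-issued certificates would not normally contain one, but a parser feeding a web page should validate the field count before trusting a row.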



  • There would need to be four new elements added to the OpenVPN server page

    imho, remote management/logging settings shouldn't go on the ovpn page at all, but should go on the remote logging page under diagnostics

    the openvpn management from localhost options should be enabled/disabled via a check box on the new openvpn status page (think of how the ipsec page looks) or perhaps they should be on by default so the ovpn status page just works?



  • If it's localhost and nothing but localhost can connect by default, I don't see the harm.

    The reason management should probably go on the ovpn page is the ability to kick people, but I can see your point about status.  pptp has the ability to list who's on and kick people from its status page too.



  • Hello,

    Just wondering whether someone is actually working on this?

    Regards

    Wolfgang



  • Guess not. :(

    I went awol there for a while, so I know for fact that I'm not. :P

