Netgate Discussion Forum

OpenVPN status parser.

Category: OpenVPN
7 Posts 3 Posters 11.3k Views
    Numbski, Sep 12, 2006, 2:07 PM

    Just wanting to point this out:

    http://www.devco.net/archives/2005/04/04/openvpn_status_parser_for_php.php

    It requires that we add the following directive to the server config file:

    management (management IP address) (management port number) (text file for management password)

    Example:
    management 172.16.30.1 5555 pass.txt

    Then you take the above link, it grabs the status, and then outputs something like this:

    http://www.devco.net/code/openvpnStatusParser/openvpnstatus-sample.html

    Might be kinda nice to integrate this.  Of course I have all of the free time in the world, but if anyone feels like beating me to it, gracie. ;)

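Added example (not from the thread, not the devco.net PHP parser and not pfSense code): a parser for the report the management interface's 'status' command returns, which is the data the PHP script linked above consumes, written here in Python. The sample report is the one pasted later in this thread; the function and field names are this example's own.

```python
"""Parser for the OpenVPN management interface 'status' report, the format
the bare 'status' command prints on OpenVPN 2.0 (status version 1).

Added example, not the devco.net PHP parser and not pfSense code. The sample
report is the one pasted later in this thread; the function and field names
are this example's own."""

# Copied from the 'status' transcript further down the thread.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Sep 14 11:44:32 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Tony_Shadwick,208.231.66.99:52385,233143,2916418,Thu Sep 14 11:24:02 2006
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
8a:56:1b:5c:28:53,Tony_Shadwick,208.231.66.99:52385,Thu Sep 14 11:44:32 2006
GLOBAL STATS
Max bcast/mcast queue length,1
END
"""

SECTION_HEADERS = {
    "OpenVPN CLIENT LIST": "clients",
    "ROUTING TABLE": "routes",
    "GLOBAL STATS": "stats",
}
CLIENT_FIELDS = ("cn", "real_address", "bytes_received", "bytes_sent", "connected_since")
ROUTE_FIELDS = ("virtual_address", "cn", "real_address", "last_ref")


def parse_status(text):
    """Return {'updated', 'clients', 'routes', 'stats', 'malformed'}.

    Rows are comma separated with no quoting, so a common name containing
    a comma cannot be split unambiguously; such rows land in 'malformed'
    instead of being guessed at. A report without the END terminator is
    treated as truncated and rejected."""
    report = {"updated": None, "clients": [], "routes": [], "stats": {}, "malformed": []}
    section = None
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line:
            continue
        if line == "END":
            return report
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if line.startswith("Updated,"):
            report["updated"] = line.split(",", 1)[1]
            continue
        if line.startswith(("Common Name,", "Virtual Address,")):
            continue  # column header row
        fields = line.split(",")
        if (section == "clients" and len(fields) == len(CLIENT_FIELDS)
                and fields[2].isdigit() and fields[3].isdigit()):
            row = dict(zip(CLIENT_FIELDS, fields))
            row["bytes_received"] = int(row["bytes_received"])
            row["bytes_sent"] = int(row["bytes_sent"])
            report["clients"].append(row)
        elif section == "routes" and len(fields) == len(ROUTE_FIELDS):
            report["routes"].append(dict(zip(ROUTE_FIELDS, fields)))
        elif section == "stats" and len(fields) == 2:
            key, value = fields
            report["stats"][key] = int(value) if value.isdigit() else value
        else:
            report["malformed"].append(line)
    raise ValueError("truncated status report: no END line")


def clients_by_cn(report):
    """Index sessions by common name, the key the management 'kill cn'
    command takes; a CN with several sessions maps to a list of them."""
    index = {}
    for session in report["clients"]:
        index.setdefault(session["cn"], []).append(session)
    return index
```

The report has no quoting, so the parser refuses to guess at a row with the wrong number of columns and rejects a report that never reaches END; both are things a status page fed from a live socket will eventually see.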
      robbyt, Sep 14, 2006, 4:23 PM

      So I emailed the developer about his license for the code and this is what he said:

      > hey,
      >
      > it's not specifically stated, but I'm happy with bsd license, it would be nice
      > if you credit my site somewhere though but not a requirement either…

      So perhaps I'll try taking a whack at getting this to work w/ pfSense…

        Numbski, Sep 14, 2006, 4:35 PM (last edited 4:45 PM)

        Played with this a little bit this morning.

        The following tag would need to be recognized in the ovpn section of config.xml:

        <management>
          <ip>127.0.0.1</ip>
          <port>5555</port>
          <password>somepasswordhere</password>
        </management>

        There would need to be four new elements added to the OpenVPN server page.  The first is a checkbox that is simply a boolean "Enable Management Interface?", the other two greyed out if the checkbox is not checked (or completely invisible).  The second asking for the IP address for the management to listen on (with a STRONG warning not to use anything but 127.0.0.1 unless you're sure you know what you're doing), the third would be the port number to listen on (default 5555).  Finally, they need to set an openvpn management password.

        That is sufficient for enabling management.  At boot, those fields need to be parsed for each server, the password written to /var/etc/openvpn_server(x)_management.conf and added to the openvpn config file in this format:

        management (ip) (port) /var/etc/openvpn_server(x)_management.conf

        That should do it.  That puts us in a position to do management.  The next step is to actually add a management page to the OpenVPN interface.

        I'm attaching a ztelnet pkg.  (You'll need to remove .jpg from the filename; for some reason it won't allow me to attach a .tbz.)  To install it, you just do pkg_add (pkgname).  I noticed that pfSense doesn't have telnet by default.  This gives it back.  Once the above is done, you can access the interface by telnetting to 127.0.0.1 5555.  It will prompt for the password, and you'll get something like this:

        # ztelnet 127.0.0.1 5555
        Trying 127.0.0.1...
        Connected to 127.0.0.1.
        Escape character is '^]'.
        ENTER PASSWORD:xxxxx
        SUCCESS: password is correct
        >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

        help will get you a list of commands:

        help
        Management Interface for OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr  6 2006
        Commands:
        auth-retry t           : Auth failure retry mode (none,interact,nointeract).
        echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
        exit|quit              : Close management session.
        help                   : Print this message.
        hold [on|off|release]  : Set/show hold flag to on/off state, or
                                 release current hold and start tunnel.
        kill cn                : Kill the client instance(s) having common name cn.
        kill IP:port           : Kill the client instance connecting from IP:port.
        log [on|off] [N|all]   : Turn on/off realtime log display
                                 + show last N lines or 'all' for entire history.
        mute [n]               : Set log mute level to n, or show level if n is absent.
        net                    : (Windows only) Show network info and routing table.
        password type p        : Enter password p for a queried OpenVPN password.
        signal s               : Send signal s to daemon,
                                 s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
        state [on|off] [N|all] : Like log, but show state history.
        status [n]             : Show current daemon status info using format #n.
        test n                 : Produce n lines of output for testing/debugging.
        username type u        : Enter username u for a queried OpenVPN username.
        verb [n]               : Set log verbosity level to n, or show if n is absent.
        version                : Show current version number.
        END

        and of course status will give you all of the current OpenVPN goings on:

        status
        OpenVPN CLIENT LIST
        Updated,Thu Sep 14 11:44:32 2006
        Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        Tony_Shadwick,208.231.66.99:52385,233143,2916418,Thu Sep 14 11:24:02 2006
        ROUTING TABLE
        Virtual Address,Common Name,Real Address,Last Ref
        8a:56:1b:5c:28:53,Tony_Shadwick,208.231.66.99:52385,Thu Sep 14 11:44:32 2006
        GLOBAL STATS
        Max bcast/mcast queue length,1
        END

        Then you can kick someone off either by IP or by cn:

        kill Tony_Shadwick
        SUCCESS: common name 'Tony_Shadwick' found, 1 client(s) killed

        BTW, please don't kill Tony Shadwick.  He's a good guy! ;)

        Attachment: ztelnet-1.0.p3_1.tbz.jpg

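Added example, not pfSense code: how the <management> element sketched in the post above could be turned into the openvpn config line and the password file it describes. The element names (ip/port/password) and the /var/etc/openvpn_server(x)_management.conf file name follow the post; the vpnid element standing in for (x), a temporary directory standing in for /var/etc, the 0600 mode on the password file, and the refusal of a non-loopback bind address (the post's STRONG warning, enforced in code rather than in a GUI note) are this example's own assumptions and additions.

```python
"""Turn the <management> element sketched above into the openvpn config line
and password file the post describes.

Added example, not pfSense code: element names and the file name follow the
post; the vpnid element as the (x), a temp dir in place of /var/etc, the 0600
file mode and the loopback check are this example's own."""
import ipaddress
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not a real pfSense config); server 2
# deliberately binds to a LAN address to exercise the refusal path.
SAMPLE_CONFIG_XML = """<pfsense><openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <management><ip>127.0.0.1</ip><port>5555</port><password>somepasswordhere</password></management>
  </openvpn-server>
  <openvpn-server>
    <vpnid>2</vpnid>
    <management><ip>172.16.30.1</ip><port>5555</port><password>s3cret</password></management>
  </openvpn-server>
  <openvpn-server>
    <vpnid>3</vpnid>
  </openvpn-server>
</openvpn></pfsense>"""


def parse_management(server_el):
    """Read <management> from one <openvpn-server>; None if absent (checkbox off)."""
    m = server_el.find("management")
    if m is None:
        return None
    port = int(m.findtext("port", "5555"))
    if not 1 <= port <= 65535:
        raise ValueError(f"management port {port} out of range")
    password = (m.findtext("password") or "").strip()
    if not password or "\n" in password:
        raise ValueError("management password missing or multi-line")
    return {"ip": m.findtext("ip", "127.0.0.1").strip(), "port": port, "password": password}


def management_directive(vpnid, mgmt, etc_dir, allow_non_loopback=False):
    """Write the password file (mode 0600) and return the config line.

    The management channel authenticates with one cleartext password and
    then accepts kill/signal commands, so a bind address other than
    loopback is refused unless the caller explicitly allows it."""
    addr = ipaddress.ip_address(mgmt["ip"])
    if not addr.is_loopback and not allow_non_loopback:
        raise ValueError(f"refusing to expose management on {addr}")
    pw_path = os.path.join(etc_dir, f"openvpn_server{vpnid}_management.conf")
    fd = os.open(pw_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(mgmt["password"] + "\n")
    os.chmod(pw_path, 0o600)  # in case the file pre-existed with a looser mode
    return f"management {mgmt['ip']} {mgmt['port']} {pw_path}"


def render_all(config_xml, etc_dir, allow_non_loopback=False):
    """Map vpnid -> directive line, or a commented reason when skipped."""
    lines = {}
    for srv in ET.fromstring(config_xml).iter("openvpn-server"):
        vpnid = srv.findtext("vpnid")
        mgmt = parse_management(srv)
        if mgmt is None:
            continue  # management not enabled for this server
        try:
            lines[vpnid] = management_directive(vpnid, mgmt, etc_dir, allow_non_loopback)
        except ValueError as exc:
            lines[vpnid] = f"# management disabled: {exc}"
    return lines


def demo():
    """Run against a temp dir; returns what a caller would want to check."""
    etc_dir = tempfile.mkdtemp(prefix="var_etc_")
    lines = render_all(SAMPLE_CONFIG_XML, etc_dir)
    pw_path = os.path.join(etc_dir, "openvpn_server1_management.conf")
    with open(pw_path) as f:
        content = f.read()
    mode = stat.S_IMODE(os.stat(pw_path).st_mode)
    return {"lines": lines, "pw_path": pw_path, "pw_content": content, "pw_mode": mode}
```

The file is created with 0600 at open time rather than chmod'ed afterwards, so there is no window in which the password is world-readable; a server whose element binds anywhere but loopback gets a commented-out line instead of a listening management port.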
          robbyt, Sep 18, 2006, 2:45 PM

          > There would need to be four new elements added to the OpenVPN server page

          IMHO, remote management/logging settings shouldn't go on the ovpn page at all, but should go on the remote logging page under diagnostics.

          The OpenVPN management-from-localhost options should be enabled/disabled via a checkbox on the new OpenVPN status page (think of how the IPsec page looks), or perhaps they should be on by default so the ovpn status page just works?

            Numbski, Sep 18, 2006, 3:08 PM

            If it's localhost and nothing but localhost can connect by default, I don't see the harm.

            The reason management should probably go on the ovpn page is the ability to kick people, but I can see your point about status.  PPTP has the ability to list who's on and kick people from its status page too.

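Added example, not pfSense code: the management session shown earlier in the thread driven from Python rather than by hand, including the kick-by-common-name that the post above gives as the reason for putting management on the ovpn page. No OpenVPN daemon is reachable offline, so a small loopback stand-in replays the replies from that transcript; the ManagementClient class is the part one would point at a real 'management 127.0.0.1 5555 pw-file' listener. The password value and the stand-in's reply strings are copied from, or modelled on, the transcript, as marked in the code.

```python
"""Drive the OpenVPN management interface from code the way the telnet session
earlier in the thread does by hand: answer the ENTER PASSWORD: prompt, run
'status', then 'kill' a client by common name.

Added example, not pfSense code. No daemon is reachable offline, so
fake_management_server replays the transcript's replies on a loopback port;
ManagementClient is what you would point at a real management listener."""
import socket
import threading

PASSWORD = "xxxxx"  # constructed; the transcript masks the real value
# Abridged from the 'status' output in the transcript, CRLF as the daemon sends it.
FAKE_STATUS = ("OpenVPN CLIENT LIST\r\n"
               "Updated,Thu Sep 14 11:44:32 2006\r\n"
               "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\r\n"
               "Tony_Shadwick,208.231.66.99:52385,233143,2916418,Thu Sep 14 11:24:02 2006\r\n"
               "END\r\n")


class ManagementClient:
    def __init__(self, host, port, password, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.buf = b""
        while b"ENTER PASSWORD:" not in self.buf:  # the prompt has no newline
            self._fill()
        self.buf = self.buf.split(b"ENTER PASSWORD:", 1)[1]
        self.sock.sendall(password.encode() + b"\r\n")  # travels in cleartext
        if not self._readline().startswith("SUCCESS:"):
            raise PermissionError("management password rejected")
        self.banner = self._readline()  # >INFO:OpenVPN Management Interface ...

    def _fill(self):
        chunk = self.sock.recv(4096)
        if not chunk:
            raise ConnectionError("management connection closed")
        self.buf += chunk

    def _readline(self):
        while b"\n" not in self.buf:
            self._fill()
        line, self.buf = self.buf.split(b"\n", 1)
        return line.decode().rstrip("\r")

    def command(self, cmd):
        """Send one command; return its reply lines up to END (status, help)
        or the single SUCCESS:/ERROR: line one-shot commands (kill) give.
        Lines starting with '>' are asynchronous notifications, not replies."""
        self.sock.sendall(cmd.encode() + b"\r\n")
        lines = []
        while True:
            line = self._readline()
            if line.startswith(">"):
                continue
            if line == "END":
                return lines
            lines.append(line)
            if len(lines) == 1 and line.startswith(("SUCCESS:", "ERROR:")):
                return lines

    def kill(self, cn):
        """Drop every session with this common name ('kill cn' in the transcript)."""
        reply = self.command(f"kill {cn}")[0]
        if reply.startswith("ERROR:"):
            raise LookupError(reply)
        return reply


def fake_management_server(password, status_reply):
    """Loopback stand-in for 'management 127.0.0.1 <port> pw-file'; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(b"ENTER PASSWORD:")
            if rf.readline().strip() != password.encode():
                return  # wrong password: just drop the connection
            conn.sendall(b"SUCCESS: password is correct\r\n"
                         b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n")
            for raw in rf:
                cmd = raw.strip().decode()
                if cmd == "status":
                    conn.sendall(status_reply.encode())
                elif cmd.startswith("kill "):
                    conn.sendall(f"SUCCESS: common name '{cmd[5:]}' found, 1 client(s) killed\r\n".encode())
                elif cmd in ("quit", "exit"):
                    return

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Authenticate, fetch status, kick the first listed client."""
    client = ManagementClient("127.0.0.1", fake_management_server(PASSWORD, FAKE_STATUS), PASSWORD)
    status_lines = client.command("status")
    cn = status_lines[3].split(",")[0]  # rows: title, Updated, column names, first client
    kill_reply = client.kill(cn)
    client.sock.close()
    return client.banner, status_lines, kill_reply
```

The help text in the transcript shows kill also accepts IP:port, so client.command("kill 208.231.66.99:52385") works the same way. The password is the only authentication on this channel and goes over the wire unencrypted, which is the practical reason the thread insists on a 127.0.0.1 bind: anyone who can reach the port and read the password can kick sessions or signal the daemon.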
              Wolfgang, Feb 11, 2007, 8:40 PM

              Hello,

              Just wondering whether someone is actually working on this?

              Regards

              Wolfgang

                Numbski, Mar 4, 2007, 10:31 PM

                Guess not. :(

                I went AWOL there for a while, so I know for a fact that I'm not. :P

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.