OpenVPN status parser.
Just wanting to point this out:
It requires that we add the following directive to the server config file:
management (management IP address) (management port number) (text file for management password)
management 172.16.30.1 5555 pass.txt
Then you take the above link, it grabs the status, and then outputs something like this:
Might be kinda nice to integrate this. Of course I have all of the free time in the world, but if anyone feels like beating me to it, gracie. ;)
robbyt last edited by
so i emailed the developer about his license for the code and this is what he said:
its not specifically stated, but I'm happy with bsd license, it would be nice
if you credit my site somewhere though but not a requirement either…
so perhaps i'll try taking a wack on getting this to work w/ pfsense…
Played with this a little bit this morning.
The following tag would need to be recognized in the ovpn section of config.xml:
<management><ip>127.0.0.1</ip> <port>5555</port> <password>somepasswordhere</password></management>
There would need to be four new elements added to the OpenVPN server page. The first is a checkbox that is simply a boolean "Enable Management Interface?", the other two greyed out if the checkbox is not check (or completely invisible). The second asking for the IP address for the management to listen on (with a STRONG warning not to use anything but 127.0.0.1 unless you're sure you know what you're doing), the third would be the port number to listen on (default 5555). Finally, they need to set an openvpn management password.
That is sufficient for enabling management. At boot, those fields need to be parsed for each server, the password written to /var/etc/openvpn_server(x)_management.conf and added to the openvpn config file in this format:
management ip /var/etc/openvpn_server(x)_management.conf
That should do it. That puts us in a position to do management. The next step is to actually add a management page to the OpenVPN interface.
I'm attaching a ztelnet pkg. (You'll need to remove.jpg from the filename, for some reason it won't allow me to attach a .tbz). To install it, you just do pkg_add (pkgname). I noticed that pfSense doesn't have telnet by default. This gives it back. Once the above is done, you can access the interface by telnetting to 127.0.0.1 5555. It will prompt for the password, and you'll get something like this:
# ztelnet 127.0.0.1 5555 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. ENTER PASSWORD:xxxxx SUCCESS: password is correct >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help will get you a list of commands:
help Management Interface for OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006 Commands: auth-retry t : Auth failure retry mode (none,interact,nointeract). echo [on|off] [N|all] : Like log, but only show messages in echo buffer. exit|quit : Close management session. help : Print this message. hold [on|off|release] : Set/show hold flag to on/off state, or release current hold and start tunnel. kill cn : Kill the client instance(s) having common name cn. kill IP:port : Kill the client instance connecting from IP:port. log [on|off] [N|all] : Turn on/off realtime log display + show last N lines or 'all' for entire history. mute [n] : Set log mute level to n, or show level if n is absent. net : (Windows only) Show network info and routing table. password type p : Enter password p for a queried OpenVPN password. signal s : Send signal s to daemon, s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2. state [on|off] [N|all] : Like log, but show state history. status [n] : Show current daemon status info using format #n. test n : Produce n lines of output for testing/debugging. username type u : Enter username u for a queried OpenVPN username. verb [n] : Set log verbosity level to n, or show if n is absent. version : Show current version number. END
and of course status will give you all of the current OpenVPN goings on:
status OpenVPN CLIENT LIST Updated,Thu Sep 14 11:44:32 2006 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since Tony_Shadwick,18.104.22.168:52385,233143,2916418,Thu Sep 14 11:24:02 2006 ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref 8a:56:1b:5c:28:53,Tony_Shadwick,22.214.171.124:52385,Thu Sep 14 11:44:32 2006 GLOBAL STATS Max bcast/mcast queue length,1 END
Then you can kick someone off either by IP or by cn:
kill Tony_Shadwick SUCCESS: common name 'Tony_Shadwick' found, 1 client(s) killed
BTW, please don't kill Tony Shadwick. He's a good guy! ;)
robbyt last edited by
There would need to be four new elements added to the OpenVPN server page
imho, remote management/logging settings shouldn't go on the ovpn page at all, but should go on the remote logging page under diagnostics
the openvpn management from localhost options should be enabled/disabled via a check box on the new openvpn status page (think of how the ipsec page looks) or perhaps they should be on by default so the ovpn status page just works?
If it's localhost and nothing but localhost can connect by default, I don't see the harm.
The reason management should probably go on the ovpn page is the abilty to kick people, but I can see your point about status. pptp has the ability to list who's on and kick people from it's status page too.
Wolfgang last edited by
just wonder wether someone is actually working on this?
Guess not. :(
I went awol there for a while, so I know for fact that I'm not. :P