Openvpn status on server

  • What needs to be configured on the server side to view the openvpn clients on the status page?  It just shows "No Management Daemon" under remote host on the client table.



  • Rebel Alliance Developer Netgate

    You need to enter a value into the local port field on the client configuration. There is a note on that page which says that, I thought.

  • Just says to set it if you want to bind to a specific port.  So if I have 100 clients each one needs to be a unique port?  It works on the client side if I have a port in the config there, but on the server side nothing listens on the port I specify there and it gives the same error.  Do they have to match in order for it to work?

  • Rebel Alliance Developer Netgate

    If you are on 2.0, servers should be getting a management daemon automatically with no extra configuration. From your initial post, it sounded like you wanted to view the status of an openvpn client instance, not a server instance.

    For servers you shouldn't have to do anything special for it to work.

  • I'm trying to view clients from the server.  The server daemon doesn't show anything under client connections from the server openvpn status page.  That table is blank on the top of the page

    Client connections for Server UDP:1194
    Common Name Real Address Virtual Address Connected Since Bytes Sent Bytes Received

    Under that I have

    OpenVPN client instances statistics
    Name Status Connected Since Virtual Addr Remote Host Bytes Sent Bytes Received
    aethome UDP:51100 down 0 See Note Below No Management Daemon 0 0

    My test client is connected but I can't see anything from the server.

  • Rebel Alliance Developer Netgate

    That second line is for your OpenVPN client instance, not for clients connected to your local OpenVPN server.

    Those should be showing up under that first section. They always show up for me, I've never seen a client connected that didn't show up there.

  • Bother.  I had the server mode set to peer/peer instead of remote access.  That didn't click until I tried to connect a second client.  New to OpenVPN, it's not bad once you get it sorted thru.

    Thanks for all the feedback!

  • Hi,

    i have to agree cubsfan. I set up a testenvironment with Openvpn PKI and 2 Sites. I followed tutorial.

    Testet preshared Key and Certs…all seems to work fine  :)

    On client, mode "peer to peer (ssl/tls)" everythink is ok. statuspage has entry when lokal port is set.

    On Server, if servermode is "peer to peer (ssl/tls)" there is no client shown in OpenVPN status!

    If i switch mode to remote access (ssl/tls) client is visible there.

    Is that a normal behaviour Jimp?


  • Rebel Alliance Developer Netgate

    That is normal, OpenVPN's status function doesn't report peer-to-peer connections in the same way. It's a limitation of OpenVPN, I believe.

  • Ah thank u.

    Nice to know. Is there a difference between these modes? Are there some problems if i use remote access in my case?

    I ask because OpenVPN status on dashboard is a nice feature :)


  • Rebel Alliance Developer Netgate

    It's really a difference between PKI and Shared Key, I thought. you can do site-to-site setups either way, really. Just takes a bit more work to do them with PKI.

  • With Pfsense 2.0 its about one minute more work (generate Ca + Certs -> copy to openvpn Client).

    thats really not much more^^

    there are 2 questions left:

    1. to use auth for TLS pakets is recommeded right? I found nothing about in pfsense book.

    2. engine cryptodev is automaticaly applied if option glxsb is set right?


  • Rebel Alliance Developer Netgate

    For PKI site-to-site you also have to setup client-specific-config entries with iroutes, and custom route statements. It's not all automatic.

    cryptodev isn't active unless you put it in the custom options, I think that is still the case. I should probably add an option for that. If it were automatic, it wouldn't just be keyed on glxsb, there are plenty of other accelerators (Padlock, Hifn, etc).

  • y, ur right i forgot.

    but im not sure about servermode because u dont answer my question. :)

    It's really a difference between PKI and Shared Key, I thought. you can do site-to-site setups either way, really. Just takes a bit more work to do them with PKI.

    plz only consider Serverside :

    "peer to peer (ssl/tls)"  (Openvpn status empty)

    "remote access (ssl/tls)" (Openvpn status works)

    both are with PKI. Its the same configuration with ca and certs, no preshared keys at all. So where is the difference?


  • Rebel Alliance Developer Netgate

    I'm not sure then, I'd have to track down what might be going on behind the scenes then. If you look at the openvpn config (under /var/etc/openvpn/) you might be able to see the difference in the config.

    I don't think the gui in the status even checks peer-to-peer vs remote access.

  • ur right i ll check config.

    "peer to peer (ssl/tls)"  is 1:1 connection

    "remote access (ssl/tls)"  is 1:n connection, so u need to use remote access for 3 sites and more i think, i ll test it.

    good night.

    thx for replies

Log in to reply