This recipe shows how OpenVPN can be managed using the management interface on the server.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks.
For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10. The first client was running Fedora 20 Linux and OpenVPN 2.3.10. The second client was running Windows 7 64 bit and OpenVPN 2.3.10.
For the server, keep the configuration file example3-1-server.conf
from the first recipe of this chapter at hand. For the Linux client, keep the client configuration file example3-1-client.conf
from the first recipe of this chapter at hand. For the Windows client, keep the client configuration file example3-2-client2.ovpn
from the Enabling client-to-client traffic recipe at hand.
We use the following network layout:
example3-1-server.conf
file:management tunnel 23000 stdin
example3-8-server.conf
.[root@server]# openvpn --config example3-8-server.conf
The OpenVPN server will now first ask for a password for the management interface.
[root@client1]# openvpn --config example3-1-client.conf
telnet
program:[server]$ telnet 127.0.0.1 23000 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. ENTER PASSWORD:cookbook SUCCESS: password is correct >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info status OpenVPN CLIENT LIST Updated,Wed Mar 2 17:57:07 2016 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since client1,192.168.4.64:50209,7851,8095,Wed Mar 2 17:56:08 2016 client2,192.168.4.5:50212,11696,7447,Wed Mar 2 17:56:45 2016 ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref 00:ff:17:82:55:db,client2,192.168.4.5:50212,Wed Mar 2 17:56:49 2016 1e:b8:95:e5:60:21,client1,192.168.4.64:50209,Wed Mar 2 17:56:53 2016 GLOBAL STATS Max bcast/mcast queue length,1 END
Note that it looks exactly like the status file from the previous recipe.
kill client2 SUCCESS: common name 'client2' found, 1 client(s) killed status OpenVPN CLIENT LIST Updated,Wed Mar 2 17:58:51 2016 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since client1,192.168.4.64:50209,8381,8625,Wed Mar 2 17:56:08 2016 ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref 1e:b8:95:e5:60:21,client1,192.168.4.64:50209,Wed Mar 2 17:56:53 2016 GLOBAL STATS Max bcast/mcast queue length,1 END
When the OpenVPN server starts, a special management interface is set up using the directive:
management 127.0.0.1 23000 stdin
The interface is set up with these parameters:
127.0.0.1
to bind the management interface to localhost only.23000
on which the management interface will be listening.stdin
to indicate that the management interface password will be specified when OpenVPN starts up. Note that this password is completely unrelated to the private key passphrases or any other user management passwords that OpenVPN uses.After the management interface comes up, the server operator can connect to it using telnet
and can query the server. By typing the following, the operator can disconnect a client:
kill <clientcommonname>
Note that if the OpenVPN client is configured to reconnect automatically, it will do so after a few minutes.
When comparing the output of the management interface's status
command with the status file output shown in the Using the status file recipe from Chapter 2, Client-server IP-only Networks, the major difference is the fact that here, the clients' MAC addresses are listed instead of the VPN IP addresses. The OpenVPN does not even need to know the clients' IP addresses, as they can be assigned by an external DHCP server.
The management interface can also be run on the OpenVPN clients. See the Management interface recipe in Chapter 2, Client-server IP-only Networks.
It is expected that the management interface will become more important in future versions of OpenVPN, both on the client and the server side, as the preferred method to programmatically interact with the OpenVPN software.
18.189.182.211