The management interface

This recipe shows how an OpenVPN client is managed using the management interface from the server side.

Getting ready

The network layout used in this recipe is the same as in the Server-side routing recipe. This recipe uses the PKI files created in the first recipe of this chapter. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9. The client was running Windows 7 64 bit and OpenVPN 2.3.10. For the server, keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe at hand. For the Windows client, keep the corresponding client configuration file, basic-udp-client.ovpn, from the previous recipe at hand.

How to do it...

  1. Start the server using the default server configuration file:
          [root@server]# openvpn --config basic-udp-server.conf
    
  2. Create a configuration file for the Windows client by adding a line to the basic-udp-client.ovpn file:
            management tunnel 23000 stdin 
    

    Save it as example2-11.ovpn.

  3. Transfer the ca.crtclient2.crt, and client2.key files along with the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or the PuTTY pscp command-line tool.
  4. The OpenVPN GUI does not support this particular configuration of the management interface. Therefore, we start the Windows client on the command line:
          [WinClient]C:> cd program filesopenvpnconfig
          [WinClient]C:> ..inopenvpn --config example2-11.ovpn
    

    The OpenVPN client will now ask for a password for the management interface. Pick a good password. After that, it will ask for the private key passphrase.

  5. After the VPN is established, we can connect from the server to the management interface of the OpenVPN client using the telnet program on the server:
          [server]$ telnet 10.200.0.3 23000
    Trying 10.200.0.3...
    Connected to 10.200.0.3.
    Escape character is '^]'.
    ENTER PASSWORD:
    SUCCESS: password is correct
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' 
              for more info
    status
    OpenVPN STATISTICS
    Updated,Fri Feb 5 18:22:31 2016
    TUN/TAP read bytes,21849
    TUN/TAP write bytes,451
    TCP/UDP read bytes,6571
    TCP/UDP write bytes,30172
    Auth read bytes,707
    TAP-WIN32 driver status,"(null)"
    END
    signal SIGTERM
    
  6. Use Ctrl] or quit to exit the telnet program.

How it works...

When the OpenVPN client connects to the server, a special management interface is set up using the directive:

management tunnel 23000 stdin 

It has the following parameters:

  • The tunnel parameter to bind the management interface to the VPN tunnel itself. This is useful for testing purposes and some advanced client setups. On the server side, it is best to always specify 127.0.0.1 for the management IP.
  • The port 23000 on which the management interface will be listening.
  • The last parameter is the password file or the special keyword stdin to indicate that the management interface password will be specified when OpenVPN starts up. Note that this password is completely unrelated to the private key passphrases or any other user management passwords that OpenVPN uses.

After the management interface comes up, the server operator can connect to it using telnet and can query the client. The client can type the following:

signal SIGTERM 

This effectively shuts itself down as if the user has stopped it! This shows how important it is to protect the management interface and its password.

There's more...

The management interface can also be run on the OpenVPN server itself. In that case, it is possible to list the connected clients, disconnect them, or perform a variety of other OpenVPN administrative tasks.

It is expected that the management interface will become more important in future versions of OpenVPN, both on the client and the server side, as the preferred method for programmatically interacting with the OpenVPN software.

See Also

  • The Management interface recipe in Chapter 3Client-server Ethernet-style Networks, explains the use of the server-side management interface in more detail
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.167.176