This recipe shows how an OpenVPN client is managed using the management interface from the server side.
The network layout used in this recipe is the same as in the Server-side routing recipe. This recipe uses the PKI files created in the first recipe of this chapter. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9. The client was running Windows 7 64 bit and OpenVPN 2.3.10. For the server, keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe at hand. For the Windows client, keep the corresponding client configuration file, basic-udp-client.ovpn, from the previous recipe at hand.
Start the server:
[root@server]# openvpn --config basic-udp-server.conf
Next, add the following line to the client configuration file basic-udp-client.ovpn:
management tunnel 23000 stdin
Save it as example2-11.ovpn.
Transfer the ca.crt, client2.crt, and client2.key files along with the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or the PuTTY pscp command-line tool. Then start the OpenVPN client:
[WinClient]C:\> cd \program files\openvpn\config
[WinClient]C:\> ..\bin\openvpn --config example2-11.ovpn
The OpenVPN client will now ask for a password for the management interface. Pick a good password. After that, it will ask for the private key passphrase.
From the server, connect to the client's management interface over the VPN tunnel, query its status, and finally send it a SIGTERM signal:
[server]$ telnet 10.200.0.3 23000
Trying 10.200.0.3...
Connected to 10.200.0.3.
Escape character is '^]'.
ENTER PASSWORD:
SUCCESS: password is correct
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status
OpenVPN STATISTICS
Updated,Fri Feb 5 18:22:31 2016
TUN/TAP read bytes,21849
TUN/TAP write bytes,451
TCP/UDP read bytes,6571
TCP/UDP write bytes,30172
Auth read bytes,707
TAP-WIN32 driver status,"(null)"
END
signal SIGTERM
The OpenVPN client now shuts down and the management connection is dropped; exit the telnet program.
When the OpenVPN client connects to the server, a special management interface is set up using the directive:
management tunnel 23000 stdin
It has the following parameters:
- tunnel: this binds the management interface to the VPN tunnel itself. This is useful for testing purposes and some advanced client setups. On the server side, it is best to always specify 127.0.0.1 for the management IP.
- 23000: the port on which the management interface will be listening.
- stdin: this indicates that the management interface password will be specified when OpenVPN starts up. Note that this password is completely unrelated to the private key passphrases or any other user management passwords that OpenVPN uses.
After the management interface comes up, the server operator can connect to it using telnet and query the client. From the telnet session, typing the following:
signal SIGTERM
effectively shuts the OpenVPN client down as if the user had stopped it! This shows how important it is to protect the management interface and its password.
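The telnet exchange above can be scripted so that a server operator collects client statistics without typing into the management prompt by hand. The following is an added example, not code from the cookbook or from OpenVPN: it assumes the same management tunnel 23000 stdin setup and the password given at client startup, and SAMPLE_STATUS is a constructed copy of the status reply shown in this recipe.

```python
import socket

# Constructed sample of a client-mode `status` reply, modelled on this recipe's telnet session.
SAMPLE_STATUS = """OpenVPN STATISTICS
Updated,Fri Feb 5 18:22:31 2016
TUN/TAP read bytes,21849
TUN/TAP write bytes,451
TCP/UDP read bytes,6571
TCP/UDP write bytes,30172
Auth read bytes,707
TAP-WIN32 driver status,"(null)"
END"""


def parse_status(text):
    """Turn the comma-separated STATISTICS block into a dict; byte counters become ints."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "END":      # every multi-line management reply is terminated by END
            break
        if "," not in line:    # skips the "OpenVPN STATISTICS" header
            continue
        key, value = line.split(",", 1)
        value = value.strip().strip('"')
        stats[key] = int(value) if value.isdigit() else value
    return stats


def _read_until(sock, marker):
    """Read byte-by-byte until `marker`: the password prompt is not newline-terminated."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("management interface closed the connection")
        buf += chunk
    return buf


def query_status(host, port, password, timeout=5.0):
    """Authenticate to a `management <ip> <port> stdin` interface and return the parsed `status`."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_until(sock, b"ENTER PASSWORD:")
        sock.sendall(password.encode() + b"\r\n")
        if not _read_until(sock, b"\n").startswith(b"SUCCESS:"):
            raise PermissionError("management interface rejected the password")
        _read_until(sock, b"\n")          # ">INFO:OpenVPN Management Interface ..." banner
        sock.sendall(b"status\r\n")
        lines = []
        while not lines or lines[-1] != "END":
            lines.append(_read_until(sock, b"\n").decode(errors="replace").rstrip("\r\n"))
        return parse_status("\n".join(lines))
```

Calling query_status("10.200.0.3", 23000, password) from the server reproduces the status step of the recipe; the password is the one typed at client startup, not the private key passphrase.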
The management interface can also be run on the OpenVPN server itself. In that case, it is possible to list the connected clients, disconnect them, or perform a variety of other OpenVPN administrative tasks.
It is expected that the management interface will become more important in future versions of OpenVPN, both on the client and the server side, as the preferred method for programmatically interacting with the OpenVPN software.