The management interface

This recipe shows how OpenVPN can be managed using the management interface on the server.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks.

For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.10. The first client was running Fedora 20 Linux and OpenVPN 2.3.10. The second client was running Windows 7 64 bit and OpenVPN 2.3.10.

For the server, keep the configuration file example3-1-server.conf from the first recipe of this chapter at hand. For the Linux client, keep the client configuration file example3-1-client.conf from the first recipe of this chapter at hand. For the Windows client, keep the client configuration file example3-2-client2.ovpn from the Enabling client-to-client traffic recipe at hand.

We use the following network layout:


How to do it...

  1. Create the server configuration file by adding the following line to the example3-1-server.conf file:
    management 127.0.0.1 23000 stdin
    
  2. Save it as example3-8-server.conf.
  3. Start the server:
    [root@server]# openvpn --config example3-8-server.conf
    

    The OpenVPN server will now first ask for a password for the management interface.

  4. Start the clients using the configuration files from the earlier recipe:
    [root@client1]# openvpn --config example3-1-client.conf
    
  5. Start the Windows client as well, using the example3-2-client2.ovpn configuration file from the Getting ready section.
  6. After the VPN is established, we can connect on the server to the OpenVPN server's management interface using the telnet program:
    [server]$ telnet 127.0.0.1 23000
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    ENTER PASSWORD:cookbook
    SUCCESS: password is correct
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    status
    OpenVPN CLIENT LIST
    Updated,Wed Mar  2 17:57:07 2016
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    client1,192.168.4.64:50209,7851,8095,Wed Mar  2 17:56:08 2016
    client2,192.168.4.5:50212,11696,7447,Wed Mar  2 17:56:45 2016
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    00:ff:17:82:55:db,client2,192.168.4.5:50212,Wed Mar  2 17:56:49 2016
    1e:b8:95:e5:60:21,client1,192.168.4.64:50209,Wed Mar  2 17:56:53 2016
    GLOBAL STATS
    Max bcast/mcast queue length,1
    END
    

    Note that it looks exactly like the status file from the previous recipe.

  7. It is also possible to disconnect a client:
    kill client2
    SUCCESS: common name 'client2' found, 1 client(s) killed
    
    status
    OpenVPN CLIENT LIST
    Updated,Wed Mar  2 17:58:51 2016
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    client1,192.168.4.64:50209,8381,8625,Wed Mar  2 17:56:08 2016
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    1e:b8:95:e5:60:21,client1,192.168.4.64:50209,Wed Mar  2 17:56:53 2016
    GLOBAL STATS
    Max bcast/mcast queue length,1
    END
    
  8. Use Ctrl + ] (the telnet escape character) or type exit to leave the telnet program.

How it works...

When the OpenVPN server starts, a special management interface is set up using the directive:

management 127.0.0.1 23000 stdin 

The interface is set up with these parameters:

  • The IP address 127.0.0.1, which binds the management interface to localhost only, so that it is not reachable from the network.
  • The port 23000, on which the management interface will be listening.
  • The last parameter is either the path to a password file or the special keyword stdin, which indicates that the management interface password will be asked for when OpenVPN starts up. Note that this password is completely unrelated to the private key passphrases or any other user management passwords that OpenVPN uses.

After the management interface comes up, the server operator can connect to it using telnet and can query the server. By typing the following, the operator can disconnect a client:

kill <clientcommonname> 

Note that if the OpenVPN client is configured to reconnect automatically, it will do so after a few minutes.

When comparing the output of the management interface's status command with the status file output shown in the Using the status file recipe from Chapter 2, Client-server IP-only Networks, the major difference is that here the clients' MAC addresses are listed instead of their VPN IP addresses. OpenVPN does not even need to know the clients' IP addresses, as they can be assigned by an external DHCP server.
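The same exchange as in steps 6 and 7, driven by a script instead of telnet, as an added example that is not part of the book or of OpenVPN itself: it answers the stdin password prompt (which arrives without a newline), skips the asynchronous >INFO: line, reads each command's reply up to END (status) or up to the single SUCCESS:/ERROR: line (kill), and parses the status reply into per-section rows so that the client list and the MAC-address routing table can be checked programmatically. The host, port and password are the recipe's (127.0.0.1, 23000, cookbook); the embedded sample reply is the recipe's own status output, constructed here as input so the parser runs offline.

```python
import socket
# Constructed sample: the 'status' reply from step 6, line by line (on the wire, lines end in CRLF).
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Wed Mar  2 17:57:07 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.4.64:50209,7851,8095,Wed Mar  2 17:56:08 2016
client2,192.168.4.5:50212,11696,7447,Wed Mar  2 17:56:45 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:17:82:55:db,client2,192.168.4.5:50212,Wed Mar  2 17:56:49 2016
1e:b8:95:e5:60:21,client1,192.168.4.64:50209,Wed Mar  2 17:56:53 2016
GLOBAL STATS
Max bcast/mcast queue length,1
END""".splitlines()

def parse_status(lines):
    """Rows of each 'status' section, keyed by its CSV header (GLOBAL STATS has none: Name/Value)."""
    result, section, header = {}, None, None
    for line in (l for l in lines if l != "END" and not l.startswith("Updated,")):
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section, header, result[line] = line, None, []
        elif header is None and section != "GLOBAL STATS":
            header = line.split(",")      # first row of a section is its header
        else:
            result[section].append(dict(zip(header or ["Name", "Value"], line.split(","))))
    return result

def read_reply(lines):
    """One reply from an iterator of lines: up to 'END' (status) or a single
    SUCCESS:/ERROR: line (kill); asynchronous '>INFO:'-style messages are skipped."""
    reply = []
    for line in (l for l in lines if not l.startswith(">")):
        reply.append(line)
        if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
            break
    return reply

def run_commands(host, port, password, commands, timeout=5.0):
    """Log in to a 'management <host> <port> stdin' interface and run commands."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.recv(64)                     # 'ENTER PASSWORD:' prompt, sent without newline
        sock.sendall(password.encode() + b"\r\n")
        lines = (raw.decode().rstrip("\r\n") for raw in sock.makefile("rb"))
        if read_reply(lines) != ["SUCCESS: password is correct"]:
            raise PermissionError("management interface rejected the password")
        replies = []
        for cmd in commands:              # e.g. ["status"] or ["kill client2", "status"]
            sock.sendall(cmd.encode() + b"\r\n")
            replies.append(read_reply(lines))
        return replies
```

Against the running server, `parse_status(run_commands("127.0.0.1", 23000, "cookbook", ["status"])[0])` returns the same structure that `parse_status(SAMPLE_STATUS)` returns for the embedded sample.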

There's more...

The management interface can also be run on the OpenVPN clients. See the Management interface recipe in Chapter 2, Client-server IP-only Networks.

It is expected that the management interface will become more important in future versions of OpenVPN, both on the client and the server side, as the preferred method to programmatically interact with the OpenVPN software.

See also

  • The Management interface recipe from Chapter 2, Client-server IP-only Networks, in which the client-side management interface is explained
  • The Using the status file recipe from Chapter 2, Client-server IP-only Networks, where the details of the status file for a TUN-style network are explained