This recipe shows how an OpenVPN client is managed using the management interface from the server side.
This recipe uses the PKI files created in the first recipe of this chapter. For this recipe, we used the server computer that runs CentOS 5 Linux and OpenVPN 2.1.1. The client was running Windows XP SP3 and OpenVPN 2.1.1. For the server, keep the configuration file basic-udp-server.conf from the recipe Server-side routing at hand. For the Windows client, keep the configuration file basic-udp-client.ovpn from the recipe Using an 'ifconfig-pool' block at hand.
- Start the server using the "default" server configuration file:
[root@server]# openvpn --config basic-udp-server.conf
- Create a configuration file for the Windows client by adding the following line to the basic-udp-client.ovpn file:
management tunnel 23000 stdin
Save it as example2-9.ovpn.
- Transfer the ca.crt, client2.crt, and client2.key files and the tls-auth secret key file ta.key to the Windows machine using a secure channel, such as winscp or the PuTTY pscp command-line tool.
- Start the Windows client on the command line:
[WinClient]C:> cd \program files\openvpn\config
[WinClient]C:> ..\bin\openvpn --config example2-9.ovpn
The OpenVPN client will now ask for a password for the management interface. Pick a good password. After that, it will ask for the private key passphrase.
- After the VPN is established, we can connect from the server to the management interface of the OpenVPN client using the 'telnet' program:
[server]$ telnet 192.168.200.3 23000
Trying 192.168.200.3...
Connected to 192.168.200.3 (192.168.200.3).
Escape character is '^]'.
ENTER PASSWORD:[enter management password]
SUCCESS: password is correct
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status
OpenVPN STATISTICS
Updated,Mon May 17 16:25:45 2010
TUN/TAP read bytes,5217
TUN/TAP write bytes,1036
TCP/UDP read bytes,9294
TCP/UDP write bytes,13028
Auth read bytes,1084
TAP-WIN32 driver status,"State=AT?c Err=[(null)/0] #O=4 Tx=[13,0] Rx=[19,0] IrpQ=[1,1,16] PktQ=[0,1,64] InjQ=[0,1,16]"
END
signal SIGTERM
- Use Ctrl+] or 'quit' to exit the telnet program.
When the OpenVPN client connects to the server, a special management interface is set up using the directive:
management tunnel 23000 stdin
It has the following parameters:
- tunnel: this binds the management interface to the VPN tunnel itself, that is, to the client's VPN address, which is how the server reaches it in this recipe. This is useful for testing purposes and some more advanced client setups. On the server side, it is best to always specify 127.0.0.1 for the management IP address.
- The port 23000 on which the management interface will be listening.
- The last parameter is the password file or the special keyword stdin, which indicates that the management interface password will be specified when OpenVPN starts up. Note that this password is completely unrelated to the private key passphrases or any other user management passwords that OpenVPN uses.
After the management interface comes up, the server operator can connect to it using telnet and can query the client. The operator can, for example, type the following:
signal SIGTERM
This makes the client shut itself down as if the user had stopped it! This shows how important it is to protect the management interface and its password.
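As an added example (not code from the book or from the OpenVPN project), the following Python script performs the same exchange as the telnet session in the steps above against a client configured with management tunnel 23000 stdin: it answers the ENTER PASSWORD: prompt, sends the status command, and parses the reply into a dictionary so the counters can be logged or checked from the server. The host and port (192.168.200.3, 23000) are the ones used in this recipe; SAMPLE_STATUS is a constructed copy of the status block shown in the session, used only to exercise the parser offline.

```python
"""Query an OpenVPN client's management interface for its 'status' block.

Added example, not code from the book or the OpenVPN project. It scripts
the telnet session shown in the recipe against a client started with
'management tunnel 23000 stdin'. Host, port and password are supplied by
the operator; SAMPLE_STATUS is a constructed sample for offline testing.
"""
import getpass
import socket

# Constructed sample reply to 'status', modelled on the recipe's session.
SAMPLE_STATUS = (
    "OpenVPN STATISTICS\r\n"
    "Updated,Mon May 17 16:25:45 2010\r\n"
    "TUN/TAP read bytes,5217\r\n"
    "TUN/TAP write bytes,1036\r\n"
    "TCP/UDP read bytes,9294\r\n"
    "TCP/UDP write bytes,13028\r\n"
    "Auth read bytes,1084\r\n"
    'TAP-WIN32 driver status,"State=AT?c Err=[(null)/0] #O=4 Tx=[13,0] '
    'Rx=[19,0] IrpQ=[1,1,16] PktQ=[0,1,64] InjQ=[0,1,16]"\r\n'
    "END\r\n"
)


def parse_status(text):
    """Turn the 'key,value' lines of a status block into a dict.

    The title line (no comma) and the END terminator are skipped, quoted
    values lose their quotes, and numeric counters become ints.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "END" or "," not in line:
            continue
        key, value = line.split(",", 1)
        value = value.strip().strip('"')
        result[key.strip()] = int(value) if value.isdigit() else value
    return result


def read_line(sock, buf):
    """Read one CRLF/LF-terminated line; return (line, remaining_buffer)."""
    while b"\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("management interface closed the connection")
        buf += chunk
    line, _, rest = buf.partition(b"\n")
    return line.rstrip(b"\r"), rest


def read_nonempty_line(sock, buf):
    """Like read_line, but skip blank lines (e.g. a CRLF after the prompt)."""
    line = b""
    while not line:
        line, buf = read_line(sock, buf)
    return line, buf


def read_block(sock, buf):
    """Collect lines up to, and excluding, the 'END' terminator."""
    lines = []
    while True:
        line, buf = read_line(sock, buf)
        if line == b"END":
            return b"\n".join(lines).decode("utf-8", "replace"), buf
        lines.append(line)


def management_status(host, port, password, timeout=5.0):
    """Authenticate to the management interface and return the parsed 'status'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The interface prints 'ENTER PASSWORD:' before accepting any command.
        buf = b""
        while b"ENTER PASSWORD:" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("no password prompt from management interface")
            buf += chunk
        _, _, buf = buf.partition(b"ENTER PASSWORD:")
        sock.sendall(password.encode() + b"\n")
        reply, buf = read_nonempty_line(sock, buf)
        if not reply.startswith(b"SUCCESS"):
            raise PermissionError("management password rejected: %r" % reply)
        # Consume the '>INFO:OpenVPN Management Interface ...' banner, then ask.
        _banner, buf = read_nonempty_line(sock, buf)
        sock.sendall(b"status\n")
        body, _ = read_block(sock, buf)
        return parse_status(body)


if __name__ == "__main__":
    # Run from the server, as in the recipe, once the VPN is established.
    pw = getpass.getpass("management password: ")
    for key, value in sorted(management_status("192.168.200.3", 23000, pw).items()):
        print("%-26s %s" % (key, value))
```

Any other command typed in the telnet session, including signal SIGTERM, could be sent through the same authenticated socket, which is exactly why the management password and the address the interface binds to (127.0.0.1 on a server) deserve the same care as the VPN credentials themselves.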
The management interface can also be run on the OpenVPN server itself. In that case, it is possible to list the connected clients, disconnect them, or perform a variety of other OpenVPN administrative tasks.
It is expected that the management interface will become more important in future versions of OpenVPN, both on the client and the server side, as the preferred method for programmatically interacting with the OpenVPN software.
See also the Chapter 3 recipe Management Interface, in which the use of the server-side management interface is explained in more detail.