Thanks David.

The management interface is easy to set up and use. However, it presents a gaping security hole if you don't use localhost, as you can kill current VPN connections.

I also read this in the docs for the management interface after digging around to see if the interface could be secured:

"The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on localhost (127.0.0.1) or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords." (http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html)

I tested it with two embedded boxes that I have in the wild (1.2RC4 and 1.2RELEASE), and the best thing IMHO is to add the custom option:

management localhost 7505;

And then SSH to the box and telnet localhost 7505. Out of curiosity, what was the reason you explicitly state not to use localhost?

HTH and I appreciate the very useful pointer you gave.

Merul

On 6 May 2008, at 19:20, David Meireles wrote:

Hi.
Add this line in the custom options field of your OpenVPN Server:

management PFSENSE-IP 7505;

then telnet the pfsense host on port 7505 and type status or help :)

NOTE: In PFSENSE-IP don't use 127.0.0.1!!! Type the LAN address of the pfsense host instead


Tue, 2008-05-06 at 19:08 +0100, Merul Patel wrote:

Thanks Curtis,

Does this work on the embedded version of pfSense? Thought I'd been
pretty diligent about googling pre-posting, but apologies if not.

BR

Merul

On 6 May 2008, at 19:03, Curtis LaMasters wrote:

> Enable the management interface or download the Java (All
> Platform).  There's pretty good information on the management
> interface and GUIs for it on the OpenVPN website.
>
> --
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
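
The thread above turns on which address the `management` directive binds to. As an added example (not code from any poster or from pfSense/OpenVPN), the following sketch audits a custom-options string and flags bindings that are not loopback. The function names and sample addresses are hypothetical and constructed; the `tunnel` and `unix` forms are the other binding modes OpenVPN's `management` option accepts.

```python
import ipaddress


def is_loopback(addr):
    """True only when the bind address is provably loopback."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or placeholder: cannot be shown to be local


def audit_management(custom_options):
    """Classify each `management` directive in a custom-options string.

    Returns (address, port, verdict) tuples; verdict is one of
    "loopback", "tunnel", "unix" or "exposed".
    """
    findings = []
    # Assumption: directives are separated by ';' or newlines, as in the
    # custom options field used in this thread.
    for chunk in custom_options.replace("\n", ";").split(";"):
        parts = chunk.split()
        if len(parts) < 3 or parts[0].lstrip("-") != "management":
            continue
        addr, port = parts[1], parts[2]
        if port == "unix":
            verdict = "unix"        # local socket, no TCP listener
        elif addr == "tunnel":
            verdict = "tunnel"      # bound to the local VPN address
        elif is_loopback(addr):
            verdict = "loopback"    # reachable only from the box itself
        else:
            verdict = "exposed"     # cleartext protocol reachable off-box
        findings.append((addr, port, verdict))
    return findings


# Constructed sample inputs (addresses and socket path are illustrative).
SAMPLES = [
    "management localhost 7505;",
    "management 192.168.1.1 7505;",
    "management tunnel 7505;",
    "management /var/run/ovpn-mgmt.sock unix;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_management(sample))
```

An "exposed" result means anyone who can reach that address and port can issue management commands in cleartext, which is the situation the quoted documentation recommends against.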


