Good point. The clear text problem is the least of your problems, since
you're not asked for any password when you connect to the
management port. I suppose that some CIDR range could be defined in
the custom options (like: management 192.168.1.1/24 7505), but I'm not sure
about it, and I'm not going to test it now (if the VPN goes down now, my
clients would kill me!!!)

I advised you not to use localhost because I assumed that you, like me,
were not the only one accessing the management interface. In
my case, there is another person who has to access the management interface to
check the client's IP and then VNC to it.

Wed, 2008-05-07 at 10:25 +0100, Merul Patel wrote:

> Thanks David.
> 
> The management interface is easy to set up and use. However it presents
> a gaping security hole if you don't use localhost as you can kill
> current VPN connections.
> 
> I also read this in the docs for the management interface after  
> digging around to see if the interface could be secured:
> 
> "The management protocol is currently cleartext without an explicit  
> security layer. For this reason, it is recommended that the management  
> interface either listen on localhost (127.0.0.1) or on the local VPN  
> address. It's possible to remotely connect to the management interface  
> over the VPN itself, though some capabilities will be limited in this  
> mode, such as the ability to provide private key passwords."
> (http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html)
> I tested it with two embedded boxes that I have in the wild (1.2RC4  
> and 1.2RELEASE), and the best thing IMHO is to add the custom option:
> 
> management localhost 7505;
> 
> And then SSH to the box and telnet localhost 7505. Out of curiosity,
> what was the reason you explicitly stated not to use localhost?
> 
> HTH and I appreciate the very useful pointer you gave.
> 
> Merul
> 
> On 6 May 2008, at 19:20, David Meireles wrote:
> 
> > Hi.
> > Add this line in the custom options field of your OpenVPN Server:
> >
> > management PFSENSE-IP 7505;
> >
> > then telnet the pfsense host on port 7505 and type status or help :)
> >
> > NOTE: In PFSENSE-IP don't use 127.0.0.1!!! Type the LAN address of  
> > the pfsense host instead
> >
> >
> > Tue, 2008-05-06 at 19:08 +0100, Merul Patel wrote:
> >>
> >> Thanks Curtis,
> >>
> >> Does this work on the embedded version of pfSense? Thought I'd been
> >> pretty diligent about googling pre-posting, but apologies if not.
> >>
> >> BR
> >>
> >> Merul
> >>
> >> On 6 May 2008, at 19:03, Curtis LaMasters wrote:
> >>
> >> > Enable the management interface or download the Java (All
> >> > Platform).  There's pretty good information on the management
> >> > interface and GUI's for it on the OpenVPN website.
> >> >
> >> > --
> >> > Curtis LaMasters
> >> > http://www.curtis-lamasters.com
> >> > http://www.builtnetworks.com
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> 
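An added example, not taken from any of the posts above: a small POSIX shell audit of the OpenVPN `management` directive as it would appear in the pfSense custom options field. It classifies a directive the way the thread's discussion suggests (bound to loopback and reachable only over SSH, versus bound to the LAN address and reachable by anyone who can connect to the port), and rewrites an exposed one to 127.0.0.1 while keeping the port. The sample configs and the password-file path are constructed for this example; the optional third `pw-file` argument is OpenVPN's own `management IP port [pw-file]` syntax, not something the thread mentions.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): audit the OpenVPN
# "management" directive for the exposure discussed in the thread.
# All sample configs below are constructed for this example.

# Constructed custom-option blocks, written the way pfSense accepts them
# (one directive per line, or several separated by ';').
CONF_EXPOSED='port 1194;proto udp;management 192.168.1.1 7505;'
CONF_LOCALHOST='port 1194
management 127.0.0.1 7505'
# The password file path is an assumed placeholder; the optional third
# argument is OpenVPN's own "management IP port [pw-file]" form.
CONF_PWFILE='port 1194
management 192.168.1.1 7505 /var/etc/openvpn/mgmt.pw'

# Classify the first management directive read from stdin:
#   none      - no management interface configured
#   localhost - bound to loopback, reachable only from the firewall itself
#   pwfile    - bound elsewhere, but a password file is set (authenticated,
#               though still cleartext on the wire per the OpenVPN docs)
#   exposed   - bound to a non-loopback address with no password at all
mgmt_risk() {
    tr ';' '\n' | awk '
        $1 == "management" {
            found = 1
            if ($2 == "127.0.0.1" || $2 == "localhost") print "localhost"
            else if ($4 != "")                          print "pwfile"
            else                                        print "exposed"
            exit
        }
        END { if (!found) print "none" }'
}

# Rewrite the bind address of a management directive to loopback, keeping the
# port (and any pw-file argument). Output is one directive per line.
harden_management() {
    tr ';' '\n' |
    sed -E 's/^(management)[[:space:]]+[^[:space:]]+[[:space:]]+([0-9]+)/\1 127.0.0.1 \2/'
}

# Usage: classify each constructed config, then show the hardened form of the
# exposed one.
for name in CONF_EXPOSED CONF_LOCALHOST CONF_PWFILE; do
    eval "conf=\$$name"
    printf '%-15s %s\n' "$name" "$(printf '%s\n' "$conf" | mgmt_risk)"
done
printf '%s\n' "$CONF_EXPOSED" | harden_management | grep '^management'
```

The checker ranks a password file below a loopback bind on purpose: the docs quoted in the thread say the protocol is cleartext, so a password only authenticates the session and still crosses the LAN unencrypted. Binding to 127.0.0.1 and having the second operator SSH to the firewall first, as Merul describes, covers David's multi-user case without putting the port on the LAN.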
