Aside from writing a patch/package to pfsense to allow monitoring of OpenVPN clients, it seems to me that the easiest solution for finding the current OpenVPN connections is to write a shell script which you can call from the Diagnostics > Execute command section of the UI.

Something like this works fine and dandy:

#!/bin/sh
# Query the OpenVPN management interface bound to the local port
# (custom option: management localhost 7505) and print the client list.

(
  echo "status"   # ask openvpn for the client list and routing table
  sleep 2         # give it a moment to answer before we hang up
  echo "quit"     # close the management session cleanly
) | telnet localhost 7505

I just uploaded this using the Diagnostics tab of the UI, then logged in via SSH and moved it to a permanent location and set the script executable.

Then you can just type its path and execute it to get the current client list.
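The telnet trick above prints the raw management output; the following is an added example (not code from this thread or from pfSense/OpenVPN) that does the same query over a plain socket against the localhost-bound management port and parses the version-1 "status" output into a per-client table. The host, port, timeout and the sample status text are all assumptions/constructed values for illustration:

```python
import socket

# Constructed sample of what the management interface returns for "status"
# (default status version 1); not captured from a real server.
SAMPLE_STATUS = """>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
OpenVPN CLIENT LIST
Updated,Wed May  7 11:00:00 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:1194,12345,67890,Wed May  7 10:30:00 2008
bob,198.51.100.7:40212,512,2048,Wed May  7 10:55:00 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:1194,Wed May  7 10:59:00 2008
10.8.0.10,bob,198.51.100.7:40212,Wed May  7 10:58:00 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Turn version-1 'status' output into {common_name: {...}}.

    The CLIENT LIST section gives real address and byte counters; the
    ROUTING TABLE section adds the tunnel (virtual) address.  Any other
    line (greeting, 'Updated', header rows, GLOBAL STATS) is ignored.
    """
    clients = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        parts = line.split(",")
        if section == "clients" and len(parts) == 5 and parts[0] != "Common Name":
            cn, real, rx, tx, since = parts
            clients[cn] = {
                "real_address": real,
                "bytes_received": int(rx),
                "bytes_sent": int(tx),
                "connected_since": since,
                "virtual_address": None,
            }
        elif section == "routes" and len(parts) == 4 and parts[0] != "Virtual Address":
            vaddr, cn, real, _last_ref = parts
            clients.setdefault(cn, {"real_address": real})["virtual_address"] = vaddr
    return clients


def fetch_status(host="127.0.0.1", port=7505, timeout=5.0):
    """Send 'status' to the management port and return the raw reply text.

    Reads until the terminating END line, then sends 'quit'.  Assumes the
    server was started with 'management localhost 7505' (as the thread
    recommends) so only someone already on the box can reach it.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"status\n")
        while b"\nEND\r\n" not in buf and not buf.endswith(b"END\r\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"quit\n")
    return buf.decode("utf-8", errors="replace")


def connected_clients(text):
    """Sorted list of common names currently in the client table."""
    return sorted(parse_status(text))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_status() on a box where the management port is bound locally.
    for cn, info in sorted(parse_status(SAMPLE_STATUS).items()):
        print(f"{cn:10} {info['virtual_address']:12} {info['real_address']}")
```

Because the management protocol has no authentication or encryption of its own, this script (like the telnet version) only makes sense run locally over SSH against a localhost-bound port; it never needs to, and should not, open the port to the LAN.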

On 7 May 2008, at 11:04, David Meireles wrote:

Good point. The clear text problem is the least of your problems, since you're not asked for any password when you connect to the management port. I suppose that it could be defined some CIDR range in the custom options (like: management 192.168.1.1/24 7505), but not sure about it, and not going to test it now (if the VPN goes down now, my clients would kill me!!!)

I advised you not to use localhost because I assumed that you, like me, were not the only one accessing the management interface. In my case, there is another person that has to access the management to check the client's IP and then VNC it

Wed, 2008-05-07 at 10:25 +0100, Merul Patel wrote:

Thanks David.

The management interface is easy to setup and use. However it presents
a gaping security hole if you don't use localhost as you can kill
current VPN connections.

I also read this in the docs for the management interface after
digging around to see if the interface could be secured:

"The management protocol is currently cleartext without an explicit
security layer. For this reason, it is recommended that the management
interface either listen on localhost (127.0.0.1) or on the local VPN
address. It's possible to remotely connect to the management interface
over the VPN itself, though some capabilities will be limited in this
mode, such as the ability to provide private key passwords."
(http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
)
I tested it with two embedded boxes that I have in the wild (1.2RC4
and 1.2RELEASE), and the best thing IMHO is to add the custom option:

management localhost 7505;

And then SSH to the box and telnet localhost 7505. Out of curiosity,
what was the reason you explicitly state not to use localhost?

HTH and I appreciate the very useful pointer you gave.

Merul

On 6 May 2008, at 19:20, David Meireles wrote:

> Hi.
> Add this line in the custom options field of your OpenVPN Server:
>
> management PFSENSE-IP 7505;
>
> then telnet the pfsense host on port 7505 and type status or help :)
>
> NOTE: In PFSENSE-IP don't use 127.0.0.1!!! Type the LAN address of
> the pfsense host instead
>
>
> Tue, 2008-05-06 at 19:08 +0100, Merul Patel wrote:
>>
>> Thanks Curtis,
>>
>> Does this work on the embedded version of pfSense? Thought I'd been
>> pretty diligent about googling pre-posting, but apologies if not.
>>
>> BR
>>
>> Merul
>>
>> On 6 May 2008, at 19:03, Curtis LaMasters wrote:
>>
>> > Enable the management interface or download the Java (All
>> > Platform).  There's pretty good information on the management
>> > interface and GUI's for it on the OpenVPN website.
>> >
>> > --
>> > Curtis LaMasters
>> > http://www.curtis-lamasters.com
>> > http://www.builtnetworks.com
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>

