OpenVPN

Ed Russell wrote:
> 	I hope this question has not been asked and answered 1,000,000
> times....  I have searched the archives and haven't found much so here goes.
> I have an OpenVPN server running on a redhat 6.2 box.  It works perfectly
> and I am able to look at the log files to determine if the tunnels are up
> and for how long etc etc etc.  What I was wondering if someone has found a
> way to have a type of status page be available via a web browser or some
> such mechanism.  I have came across a status viewer in the archives
> (although the URL seems dead) but it was built for XP.  Is such an animal
> possible?  The reason why I am asking is a client has asked to be able to
> see the status of the VPN (who is connected, what tunnels are live etc) and
> they do not want to log into the system (for that matter I don't want to let
> them) and getting them to do CLI would be like pulling teeth.  My apologizes
> in advance if this has been asked before.
> 
> 
> 
> ---------------------------------------------------
> 
>  Talk is cheap since supply always exceeds demand.
> 
> ---------------------------------------------------
>  
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by Oracle Space Sweepstakes
> Want to be the first software developer in space?
> Enter now for the Oracle Space Sweepstakes!
> http://ads.osdn.com/?ad_id=7393&alloc_id=16281&op=click
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users



if in server mode, perhaps a small perl script to parse the openvpn status file and generate a nice html table of connected users?  i was just thinking about that, but i haven't had the time to do so lately......maybe someone else has already conjured one up!


_Terry

>	I hope this question has not been asked and answered 1,000,000
>times....  I have searched the archives and haven't found much so here
goes.
>I have an OpenVPN server running on a redhat 6.2 box.  It works perfectly
>and I am able to look at the log files to determine if the tunnels are up
>and for how long etc etc etc.  What I was wondering if someone has found a
>way to have a type of status page be available via a web browser or some
>such mechanism.  I have came across a status viewer in the archives
>(although the URL seems dead) but it was built for XP.  Is such an animal
>possible?  The reason why I am asking is a client has asked to be able to
>see the status of the VPN (who is connected, what tunnels are live etc) and
>they do not want to log into the system (for that matter I don't want to
let
>them) and getting them to do CLI would be like pulling teeth.  My
apologizes
>in advance if this has been asked before.

I wrote the status viewer I believe you refer to above. The link shouldn't
be down (http://www.mertech.com.au/?=OpenVPNStatusViewer). Currently the
program is only for windows as you said. 

You could however set the program up on his/her computer, then share (using
samba) the status file on your redhat box. After that, all you have to do is
point the status viewer to the shared status file.

Hope this helps,

Jonathan Merriweather

Terry L. Inzauro wrote:

> if in server mode, perhaps a small perl script to parse the openvpn
> status file and generate a nice html table of connected users?  i was
> just thinking about that, but i haven't had the time to do so
> lately......maybe someone else has already conjured one up!
> 

I have a bash/sed/awk script that does exactly this.  It is probably
very amateurish because I'm an amateur coder, but anyone is welcome to
it.  I just have it run from cron every 1 minute and it updates a file
in /var/www.

I stuck it at http://www.sleepygeek.com for anyone who wants it.


-Nathan

Nathan Barham wrote:
> Terry L. Inzauro wrote:
> 
> 
>>if in server mode, perhaps a small perl script to parse the openvpn
>>status file and generate a nice html table of connected users?  i was
>>just thinking about that, but i haven't had the time to do so
>>lately......maybe someone else has already conjured one up!
>>
> 
> 
> I have a bash/sed/awk script that does exactly this.  It is probably
> very amateurish because I'm an amateur coder, but anyone is welcome to
> it.  I just have it run from cron every 1 minute and it updates a file
> in /var/www.


For anyone's info, I have re-vamped the above mentioned script to work
for both versions of the status log, so it will now work for those who
are using status_version 2 in their server configs.

All it does is parse either version of the status log to create a simple
html page from the contents.  It also has a few variables availabe for
you to choose your own html colors etc.

My goal in writing it was to make it easy to check the VPN server status
in a browser, and to do so using basic tools like sed, awk and cron so
nothing else (php for example) needs to be installed or configured.

It's available at my very sparse website http://www.sleepygeek.com.
There is a sample of the html output for the curious.  I know it's not
high art, but if it seems useful to anyone I will gladly try to maintain
it over future iterations of the log file and keep it available.
Feedback is welcome.

- Nathan

On Wed, May 18, 2005 at 04:01:27PM -0700, Nathan Barham wrote:

> It's available at my very sparse website http://www.sleepygeek.com.
> There is a sample of the html output for the curious.  I know it's not
> high art, but if it seems useful to anyone I will gladly try to maintain
> it over future iterations of the log file and keep it available.
> Feedback is welcome.

Just for the records: I have a similar script.

Note that I have in my config:
client-cert-not-required
username-as-common-name

My cleints use user/pw authentication. User names and passwords are
stored in an Active Directory.
The HTML is built by this script upon request (cgi). The script does
/not/ run on the OpenVPN server. Therefore, I had to set up ssh key
authentication.
You may not need ldapsearch and whois.

Here my script:

------8<----
#!/bin/sh
echo "Content-type: text/html"
echo ""
echo "<html><head><title>Connected OpenVPN users</title></head>"
echo "<body>"
echo "<h1 align=\"center\">Connected OpenVPN users</h1><p>"
echo "<table border=\"1\">"
echo "<tr>"
echo "<th>Internal address</th>"
echo "<th>Login name</th>"
echo "<th>Full name</th>"
echo "<th>Real address</th>"
echo "<th>connected since</th>"
echo "<th>MB to client</th>"
echo "<th>MB from client</th>"
echo "</tr>"
ssh -l ovpnstats openvpnserver cat /var/log/openvpn/status.tcp |\
awk 'BEGIN{FS=","}
  # if $3 is numeric, we have OpenVPN CLIENT LIST
  $3 ~ /[0-9]+/ {
    username[$1]=$1
    since[$1]=$5
    sent[$1]=$3/1024/1024
    received[$1]=$4/1024/1024
  }
  # if $1 starts with 10.0.1. (our VPN addresses), we have ROUTING TABLE
  $1 ~ /^10\.0\.1\./ {
    if(username[$2] == $2) {
      print "<tr><td>"$1"</td><td>"$2"</td><td>"
      system("ldapsearch -LLL -h ldapserver -x -b \
        \"bind DN\" -D \"ldapuser\" \
        -w ldappassword sAMAccountName="$2" name | grep ^name: | \
        sed s/^name://g")
      ipaddr=substr($3,0,index($3,":")-1)
      print "</td><td><a href=\"/cgi-bin/whois/whois.cgi?search="ipaddr"\"> \
        "ipaddr"</a></td>"
      print "<td>"since[$2]"</td>"
      print "<td>"received[$2]"</td>"
      print "<td>"sent[$2]"</td>"
    }
}'
echo "</table>"
echo "<hr>`date`"
echo "</body></html>"
------8<----

I'm really a poor coder, so feel free to adapt this to your needs.

Rainer

Hi folks

I want to open a vpn tunnnel form a W2K client through GPRS to the 
server. There was a thread a while ago on this subject but did not come 
to a conclusive state. I observe that as soon as the Openvpn routes get 
pushed the default route is lost  and of course the underlying protocol 
does not work anymore.

Connections over a traditional line work fine.

Server is 2.0 On Suse 8.2 compiled from source, client is the actual 
WinDoze GUI distro in non admin mode (service).

here is the log:

Fri May 27 13:20:37 2005 OpenVPN 2.0 Win32-MinGW [SSL] [LZO] built on 
Apr 17 2005
Fri May 27 13:20:37 2005 IMPORTANT: OpenVPN's default port number is now 
1194, based on an official port number assignment by IANA.  OpenVPN 
2.0-beta16 and earlier used 5000 as the default port.
Fri May 27 13:20:37 2005 LZO compression initialized
Fri May 27 13:20:37 2005 Control Channel MTU parms [ L:1542 D:138 EF:38 
EB:0 ET:0 EL:0 ]
Fri May 27 13:20:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 
EB:23 ET:0 EL:0 AF:3/1 ]
Fri May 27 13:20:38 2005 Local Options hash (VER=V4): '41690919'
Fri May 27 13:20:38 2005 Expected Remote Options hash (VER=V4): '530fdded'
Fri May 27 13:20:38 2005 UDPv4 link local: [undef]
Fri May 27 13:20:38 2005 UDPv4 link remote: 195.65.112.107:35000
Fri May 27 13:20:38 2005 TLS: Initial packet from 195.65.112.107:35000, 
sid=f166aaae 2d726937
Fri May 27 13:20:42 2005 VERIFY OK: depth=1, 
/C=CH/L=Schlieren/O=Ruf_Telematik/OU=SI/CN=RufMobile
Fri May 27 13:20:42 2005 VERIFY X509NAME OK: 
/C=CH/L=Schlieren/O=Ruf_Telematik/OU=SI/CN=openvpn.asp.ruf.ch/emailAddress=openvpn@...
Fri May 27 13:20:42 2005 VERIFY OK: depth=0, 
/C=CH/L=Schlieren/O=Ruf_Telematik/OU=SI/CN=openvpn.asp.ruf.ch/emailAddress=openvpn@...
Fri May 27 13:20:54 2005 Data Channel Encrypt: Cipher 'BF-CBC' 
initialized with 128 bit key
Fri May 27 13:20:54 2005 Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Fri May 27 13:20:54 2005 Data Channel Decrypt: Cipher 'BF-CBC' 
initialized with 128 bit key
Fri May 27 13:20:54 2005 Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Fri May 27 13:20:54 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 1024 bit RSA
Fri May 27 13:20:54 2005 [openvpn.asp.ruf.ch] Peer Connection Initiated 
with 195.65.112.107:35000
Fri May 27 13:20:55 2005 SENT CONTROL [openvpn.asp.ruf.ch]: 
'PUSH_REQUEST' (status=1)
Fri May 27 13:20:56 2005 PUSH: Received control message: 
'PUSH_REPLY,route 172.27.0.0 255.255.0.0,dhcp-option DNS 
172.27.17.100,route 172.28.0.1,ping 10,ping-restart 120,ifconfig 
172.28.0.6 172.28.0.5'
Fri May 27 13:20:56 2005 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 27 13:20:56 2005 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 27 13:20:56 2005 OPTIONS IMPORT: route options modified
Fri May 27 13:20:56 2005 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option 
options modified
Fri May 27 13:20:56 2005 TAP-WIN32 device [LAN-Verbindung 3] opened: 
\\.\Global\{48BF72AE-81B6-4022-8CD0-9DC419155ACC}.tap
Fri May 27 13:20:56 2005 TAP-Win32 Driver Version 8.1
Fri May 27 13:20:56 2005 TAP-Win32 MTU=1500
Fri May 27 13:20:56 2005 Notified TAP-Win32 driver to set a DHCP 
IP/netmask of 172.28.0.6/255.255.255.252 on interface 
{48BF72AE-81B6-4022-8CD0-9DC419155ACC} [DHCP-serv: 172.28.0.5, 
lease-time: 31536000]
Fri May 27 13:20:56 2005 Successful ARP Flush on interface [318767109] 
{48BF72AE-81B6-4022-8CD0-9DC419155ACC}
Fri May 27 13:20:56 2005 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Fri May 27 13:20:56 2005 Route: Waiting for TUN/TAP interface to come up...
Fri May 27 13:20:57 2005 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Fri May 27 13:20:57 2005 Route: Waiting for TUN/TAP interface to come up...
Fri May 27 13:20:58 2005 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Fri May 27 13:20:58 2005 Route: Waiting for TUN/TAP interface to come up...
Fri May 27 13:21:00 2005 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Fri May 27 13:21:00 2005 Route: Waiting for TUN/TAP interface to come up...
Fri May 27 13:21:01 2005 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri May 27 13:21:01 2005 route ADD 172.27.0.0 MASK 255.255.0.0 172.28.0.5
Fri May 27 13:21:01 2005 Route addition via IPAPI succeeded
Fri May 27 13:21:01 2005 route ADD 172.28.0.1 MASK 255.255.255.255 
172.28.0.5
Fri May 27 13:21:01 2005 Route addition via IPAPI succeeded
Fri May 27 13:21:01 2005 Initialization Sequence Completed
Fri May 27 13:21:17 2005 write UDPv4: No Route to Host (WSAEHOSTUNREACH) 
(code=10065) .........

thanks

Erich

Does your routing issue go away if you configure the tap interface
manually (ip-win32 manual + using the properties window of the tap device)
or via netsh (ip-win32 netsh)?

If the routing issue is solved, but other things are still wonky, a few
add'l questions that might be relevant when using GPRS -- does TCP mode
work? In UDP mode, what does mtu-test determine?

Charles

Charles Duffy wrote:

>Does your routing issue go away if you configure the tap interface
>manually (ip-win32 manual + using the properties window of the tap device)
>or via netsh (ip-win32 netsh)?
>
>If the routing issue is solved, but other things are still wonky, a few
>add'l questions that might be relevant when using GPRS -- does TCP mode
>work? In UDP mode, what does mtu-test determine?
>  
>
Will try to get my hands on that particular HW again to do more testing. 
At the moment it (gut)feels like a conflict between the tap driver and 
the driver for that particular card (Option Fusion)

Thanks

Erich