OpenVPN Web Certificate Management Code
Status: Beta
Brought to you by: rc-flyer
OpenVPN Web GUI

This project is a complete web-based management interface to OpenVPN. It shows the complete status of all the currently active servers and clients on the server, and provides complete management of new servers and clients.

The project is written entirely in PHP 5 with openssl and Smarty.

The development and test systems being used are:
  Ubuntu 9.10
  CentOS 5.4

Since CentOS is a clone of RedHat Enterprise, there should be no changes from the CentOS instructions when installing on the equivalent RedHat Enterprise system.

The current version supports the following functionality:
a) View the status of the openvpn server, either by using the management interface (if configured) or by reading the status file. In both cases, it gets the configuration from the conf file. If used, the status file is refreshed every 60 seconds. If that is not happening, then the openvpn server is not running.
b) View the list of connected peers. Peers are treated as users here, so we suggest that a peer's information has a name, e-mail and so on.
c) View the basic configuration options of the openvpn package.
d) View the list of all generated OpenVPN servers and their clients.
e) Kill the connection of a specified user from the web interface.
f) Reset or restart OpenVPN. Restart doesn't work if not running as root, so use reset instead.
g) Create a Windows installer for client systems.

This system can be installed on an existing server with pre-existing OpenVPN servers/clients.

Limitations of the management interface:
1) Only password-less management is currently supported. I'm planning to add user/password authorization with the manager later.
2) If a session with the manager is already open (e.g. from telnet), a second manager session is not possible. This is an OpenVPN limitation.

PLUG-INS SUPPORT

The plugins are located in /home/openvpn/www/status/plugins. Each plug-in should be placed into its own subfolder of the plugins folder.
The registration of each plug-in is done from the project's config.inc file. The plug-in's config.inc declares the following files, of which the plug-in consists:

  $config['Plugins']['pluginname']['Action']['Name']     = 'What goes into <A> in the top menu';
  $config['Plugins']['pluginname']['Action']['Include']  = 'The main PHP file of the plug-in';
  $config['Plugins']['pluginname']['Action']['If']       = 'A file to be checked to determine if the tab should be shown';
  $config['Plugins']['pluginname']['Action']['Endif']    = 'Any processing after the tab display';
  $config['Plugins']['pluginname']['Top Menu']['Label']   = 'What is the text part of <A> in the top menu';
  $config['Plugins']['pluginname']['Top Menu']['Tooltip'] = 'What is the tooltip for this <A>';
  $config['Plugins']['pluginname']['Top Menu']['Suffix']  = 'What is an optional suffix, added into <A> after ?Action=$ActionName';
  $config['Plugins']['pluginname']['Left']['Menu']        = 'The Smarty template for the left menu';
  $config['Plugins']['pluginname']['Left']['Status']      = 'The Smarty template for the status window';

Review the supplied example of the simple system check plug-in; it will show you the rest of how a plug-in plugs in :)

Caveats

If you have pre-existing OpenVPN servers/clients, you will need to update the configuration file to set the OpenVPN status file version to 2:

  status-version 2

In SmartyValidate, I modified the email validation code because it was not validating properly. I also added the following validation criteria:
  isCheckedNotEmpty  Check one field only if a checkbox or radio button is checked.
  isDNSAddress       Validate either a DNS entry or an IP address.
  isIPNetmask        Validate an IP address along with a netmask.

Notes

The basic code was forked from a 5-year-old, dormant project called Openvpn-web-gui.
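As an added example (not the project's own loader), here is one way a menu builder and dispatcher could consume the $config['Plugins'] structure listed above. The 'SystemCheck' registration, its file paths, and the interpretation of 'If' as a PHP file that returns true or false are assumptions about the real code; it assumes PHP 7 or later. The point worth copying is that the file to include is always taken from the configuration and the requested Action is only matched against registered names, so the ?Action= query parameter can never name a file.

```php
<?php
// Added example, not the OpenVPN Web GUI's own loader.  Shows how the
// documented $config['Plugins'][...] keys could drive the top menu and
// plug-in dispatch.  Paths, the SystemCheck entry and the meaning given to
// 'If' (a PHP file returning true/false) are assumptions.

$config = [];
// Constructed registration in the documented shape.
$config['Plugins']['SystemCheck']['Action']['Name']     = 'SystemCheck';
$config['Plugins']['SystemCheck']['Action']['Include']  = __DIR__ . '/plugins/SystemCheck/main.php';
$config['Plugins']['SystemCheck']['Action']['If']       = __DIR__ . '/plugins/SystemCheck/if.php';
$config['Plugins']['SystemCheck']['Action']['Endif']    = __DIR__ . '/plugins/SystemCheck/endif.php';
$config['Plugins']['SystemCheck']['Top Menu']['Label']   = 'System Check';
$config['Plugins']['SystemCheck']['Top Menu']['Tooltip'] = 'Check PHP and OpenSSL prerequisites';
$config['Plugins']['SystemCheck']['Top Menu']['Suffix']  = '&Verbose=1';

// Builds the <A> entries for the top menu.  Label and Tooltip are escaped so
// a plug-in author cannot inject markup into the shared menu, and the Action
// name is URL-encoded before the optional Suffix is appended.
function buildTopMenu(array $plugins): string
{
    $html = '';
    foreach ($plugins as $p) {
        $href = '?Action=' . rawurlencode($p['Action']['Name'])
              . ($p['Top Menu']['Suffix'] ?? '');
        $html .= sprintf(
            '<a href="%s" title="%s">%s</a>' . "\n",
            htmlspecialchars($href, ENT_QUOTES),
            htmlspecialchars($p['Top Menu']['Tooltip'] ?? '', ENT_QUOTES),
            htmlspecialchars($p['Top Menu']['Label'], ENT_QUOTES)
        );
    }
    return $html;
}

// Resolves ?Action=... to a registered plug-in or null.  The request never
// supplies a path; only an exact match on a registered Name is accepted.
function selectPlugin(array $plugins, string $requested): ?array
{
    foreach ($plugins as $p) {
        if ($p['Action']['Name'] === $requested) {
            return $p;
        }
    }
    return null;
}

// Runs the If / Include / Endif sequence for one plug-in.
function runPlugin(array $p): void
{
    $show = true;
    if (!empty($p['Action']['If']) && is_file($p['Action']['If'])) {
        $show = (bool) include $p['Action']['If'];   // assumed: returns bool
    }
    if ($show && is_file($p['Action']['Include'])) {
        include $p['Action']['Include'];
    }
    if (!empty($p['Action']['Endif']) && is_file($p['Action']['Endif'])) {
        include $p['Action']['Endif'];
    }
}

echo buildTopMenu($config['Plugins']);
$plugin = selectPlugin($config['Plugins'], $_GET['Action'] ?? '');
if ($plugin !== null) {
    runPlugin($plugin);
}
```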
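As an added example, not code from the project or from SmartyValidate, here are stand-alone PHP implementations of the three validation criteria described above. The function names follow the criteria names; the accepted input formats (CIDR "a.b.c.d/n" or "a.b.c.d m.m.m.m" for isIPNetmask, IPv4-only addresses, PHP 7 features) and the use of PHP's own resolver instead of dig/nslookup are my assumptions. isIPNetmask goes one step beyond the description and also rejects non-contiguous masks, which would otherwise be written into a server conf unchanged.

```php
<?php
// Added example; not part of the OpenVPN Web GUI or SmartyValidate.
// Function names follow the criteria described on the page; formats and
// PHP 7 usage are assumptions.

// Validates $field only when $checkbox is checked (present and non-empty).
function isCheckedNotEmpty(array $form, string $checkbox, string $field): bool
{
    if (empty($form[$checkbox])) {
        return true;   // rule does not apply when the box is unchecked
    }
    return isset($form[$field]) && trim((string) $form[$field]) !== '';
}

// Accepts an IPv4 address or a syntactically valid hostname.  With
// $resolve = true it also requires an A or AAAA record (PHP resolver;
// the page's version shells out to dig and falls back to nslookup).
function isDNSAddress(string $value, bool $resolve = false): bool
{
    $value = trim($value);
    if (filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    if (filter_var($value, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return false;
    }
    return !$resolve || checkdnsrr($value, 'A') || checkdnsrr($value, 'AAAA');
}

// Returns the prefix length of a contiguous IPv4 netmask, or null when the
// mask has holes (a 0 bit followed by a 1 bit), e.g. 255.0.255.0.
function maskToPrefix(int $mask): ?int
{
    $mask &= 0xFFFFFFFF;
    // Inverting a contiguous mask yields 2^k - 1, so (inv & (inv + 1)) == 0.
    $inv = (~$mask) & 0xFFFFFFFF;
    if (($inv & ($inv + 1)) !== 0) {
        return null;
    }
    $bits = 0;
    for ($i = 0; $i < 32; $i++) {
        if ($mask & (1 << (31 - $i))) {
            $bits++;
        }
    }
    return $bits;
}

// Accepts "a.b.c.d/n" or "a.b.c.d m.m.m.m"; the address must be a valid
// IPv4 address and the mask a prefix of 0..32 or a contiguous dotted mask.
function isIPNetmask(string $value): bool
{
    $value = trim($value);
    if (preg_match('~^([0-9.]+)\s*/\s*(\d{1,2})$~', $value, $m)) {
        $ip = $m[1];
        if ((int) $m[2] > 32) {
            return false;
        }
    } elseif (preg_match('~^([0-9.]+)\s+([0-9.]+)$~', $value, $m)) {
        $ip   = $m[1];
        $mask = ip2long($m[2]);          // false on malformed input
        if ($mask === false || maskToPrefix($mask) === null) {
            return false;
        }
    } else {
        return false;
    }
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Constructed sample inputs exercising the accept and reject paths.
$samples = [
    '10.8.0.0/24',            // valid CIDR
    '10.8.0.0 255.255.255.0', // valid dotted mask
    '10.8.0.0 255.0.255.0',   // rejected: non-contiguous mask
    '10.8.0.0/33',            // rejected: prefix too long
    '256.1.1.1/24',           // rejected: bad octet
];
foreach ($samples as $s) {
    printf("%-26s %s\n", $s, isIPNetmask($s) ? 'ok' : 'rejected');
}
var_dump(isDNSAddress('vpn.example.com'));          // true (syntax only)
var_dump(isDNSAddress('not a host name'));          // false
var_dump(isCheckedNotEmpty(['useDns' => '1', 'dns' => ''], 'useDns', 'dns')); // false
```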
The URL for it is: http://openvpn-web-gui.sourceforge.net

The Windows executable code was contributed by Alex Samorukov to the original project, and modified to

Future Expansion

Use the OpenVPN management port instead of the status file.

I am open to suggestions. Right now, I hope to get a complete OpenSSL management tool integrated into this, the idea being that you can manage all your security certs and configs from one interface.

NOTES

I was recently working on a Perl script that would SSH to another server and run a sudo command on the remote server, which was failing. The error that was received is below.

  Error: sudo: sorry, you must have a tty to run sudo

The reason for this is that an update along the way locked sudo down further by adding the line below to the /etc/sudoers configuration file. The file now contains:

  Defaults requiretty

To allow a remote script to log in and run a command via sudo, simply comment out that line as shown below.

  # Commented out so remote script can login and run a command without a tty
  # Defaults requiretty

I would suggest adding a comment in the sudoers file naming the actual script that is running, in case another systems administrator is tasked with working on this server at a later date. Now when your script runs it will not throw that error and should be able to run the remote command that was initially required.

HISTORY

0.0.0  First release, management page only

0.1.0  Second release. Full OpenVPN control, certificate revocation, installation scripts, Windows installation files

0.1.1  Bug fix.
  - Typo in the revocation plugin
  - Updated SystemCheck plugin:
      - Added version info
      - Added plugins list
      - Removed PHP OpenSSL function list (use external script instead)
  - Fixed bug where the Win32Installer tab was displayed for a pre-existing vpn
  - Fixed bug where the status page wasn't displaying all data in all situations
  - New feature - Plugin to email config file, either encrypted or not

0.1.2
  - New feature - Authentication against either LDAP or PAM now available. PAM authentication is done using an external program, since the pam_auth pecl module which is available for PHP does not work on all systems (i.e. CentOS).
  - New feature - Plugin email can now send a link, and requires a password for the user to download the file. Link expires after a specified time period (set in the config file). Defaults to email link.
  - Feature change - When entering the DNS for a new server, if the user enters a domain address which is unresolvable, the system will first display a warning. The second time the user hits the Make button, it will build the new server. This is for cases where a DNS entry would be unresolvable internally, but resolvable externally, or not yet set up.
  - Feature change - When attempting to resolve a domain name, it will first use the local DNS settings. If that fails, it will then use the 4.2.2.2 dns server. See the file validate_criteria.isDNSAddress.php to change this behaviour. Currently uses dig, but will use nslookup if dig isn't available.
  - New feature - All config vars for the main system collected into a single file.
  - New feature - Single configuration file set up in /etc

0.1.3
  - New feature - Web-based configuration. Will read the main config file, but will write it out to /tmp; the user will need to move it into /etc. Will read/write the defaults config file.
  - New feature - Now creates config file for Macs
  - Bug fix - Fixed problem when creating client config for an OpenVPN 2.1 system
  - New feature - Instructions now displayed before downloading file. Instructions are also included in emails.
  - Bug fix - Fixed bug where MSSFIX and FRAGMENT weren't being assigned from the config file on the new server screen
  - Bug fix/New feature - Now includes installer for OpenVPN 2.1.1, with ability to install on Windows Vista & Windows 7
  - Feature change - Win32Installer tab removed; now accessible from the Servers/clients screen where all other install files are located. Makes the interface a bit more logical.
  - New feature - System Control plugin. Can install, uninstall, start, stop and restart individual servers. Can start, stop, restart, reload and conditionally restart all installed configurations/servers.
  - Code change - File access for email messages is now separated into a separate file, so that it can more easily be replaced by database routines.
  - New feature - Added ability to show status of servers which were created on this system but installed on another system. This uses the management interface.
  - New feature - Added ability to show status of servers which were configured on another system. The conf files must be put into a directory called /home/openvpn/externalConfs and the server status is obtained using the management interface.