OpenVPN Web GUI
This project is a complete web-based management interface for OpenVPN. It
shows the status of all currently active servers and clients on the host,
and provides full management of new servers and clients.
The project is written entirely in PHP 5 with openssl and Smarty. The
development and test systems are:
Ubuntu 9.10
CentOS 5.4
Since CentOS is a clone of RedHat Enterprise, there should be no changes
from the CentOS instructions when installing on the equivalent RedHat
Enterprise system.
The current version supports the following functionality:
a) view the status of the openvpn server, either through the management
interface (if configured) or by reading the status file. In both cases the
configuration is taken from the conf file. If the status file is used, it is
refreshed every 60 seconds; if that is not happening, the openvpn server is not running.
b) view the list of connected peers. Peers are treated as users here, so
we suggest giving each peer's record a name, e-mail address and similar details.
c) view the basic configuration options of the openvpn package.
d) view the list of all generated OpenVPN servers and their clients
e) kill the connection of a specified user from the web interface
f) reset or restart OpenVPN. Restart doesn't work unless running as root,
so use reset instead.
g) create a Windows installer for client systems
This system can be installed on an existing server with pre-existing OpenVPN
servers/clients.
Limitations of management interface:
1) Only password-less management is currently supported. I'm planning to add
user/password authorization with the manager later.
2) If a session with the manager is already open (e.g. from telnet), a second
manager session is not possible. This is an OpenVPN limitation.
PLUG-INS SUPPORT
The plug-ins are located in /home/openvpn/www/status/plugins.
Each plug-in should be placed in its own subfolder of the plugins folder. Each
plug-in is registered in the project's config.inc file.
The plug-in's config.inc entries declare the files the plug-in consists of:
$config['Plugins']['pluginname']['Action']['Name'] = 'What goes into <A> in the top menu';
$config['Plugins']['pluginname']['Action']['Include'] = 'The main PHP file of the plug-in';
$config['Plugins']['pluginname']['Action']['If'] = 'A file to be checked to determine if the tab should be shown';
$config['Plugins']['pluginname']['Action']['Endif'] = 'Any processing after the tab display';
$config['Plugins']['pluginname']['Top Menu']['Label'] = 'What is the text part of <A> in the top menu';
$config['Plugins']['pluginname']['Top Menu']['Tooltip'] = 'What is the tooltip for this <A>';
$config['Plugins']['pluginname']['Top Menu']['Suffix'] = 'An optional suffix appended to the <A> href after ?Action=$ActionName';
$config['Plugins']['pluginname']['Left']['Menu'] = 'The Smarty template for the left menu';
$config['Plugins']['pluginname']['Left']['Status'] = 'The Smarty template for the status window';
Review the supplied example of the simple system check plug-in; it will show
you the rest of how a plug-in plugs in :)
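A plug-in registration in the shape described above, together with a menu builder that consumes it, as an added example (not the project's own loader): the plug-in name 'systemcheck', its file names and the build_top_menu function are assumptions.

```php
<?php
// Added example, not the project's code: one plug-in registered in the shape
// the README describes, plus a hypothetical loader that turns the registration
// into top-menu links. Plug-in name, file names and the loader are assumptions.

$config = array();
$config['Plugins']['systemcheck']['Action']['Name']      = 'SystemCheck';
$config['Plugins']['systemcheck']['Action']['Include']   = 'systemcheck/systemcheck.php';
$config['Plugins']['systemcheck']['Action']['If']        = 'systemcheck/enabled';
$config['Plugins']['systemcheck']['Action']['Endif']     = 'systemcheck/after.php';
$config['Plugins']['systemcheck']['Top Menu']['Label']   = 'System check';
$config['Plugins']['systemcheck']['Top Menu']['Tooltip'] = 'Check PHP, OpenSSL and OpenVPN prerequisites';
$config['Plugins']['systemcheck']['Top Menu']['Suffix']  = '&Detail=full';
$config['Plugins']['systemcheck']['Left']['Menu']        = 'systemcheck/left_menu.tpl';
$config['Plugins']['systemcheck']['Left']['Status']      = 'systemcheck/status.tpl';

/**
 * Build the top-menu <A> tags from the registered plug-ins (assumed loader).
 * A tab is shown only when the plug-in's 'If' file exists under $pluginDir;
 * the href is ?Action=Name plus the optional Suffix, and every attribute is
 * HTML-escaped so a plug-in label or tooltip cannot inject markup.
 */
function build_top_menu(array $plugins, $pluginDir)
{
    $links = array();
    foreach ($plugins as $p) {
        $ifFile = isset($p['Action']['If']) ? $p['Action']['If'] : '';
        if ($ifFile !== '' && !is_file($pluginDir . '/' . $ifFile)) {
            continue;   // gate file missing: plug-in unavailable, no tab
        }
        $href = '?Action=' . rawurlencode($p['Action']['Name']);
        if (!empty($p['Top Menu']['Suffix'])) {
            $href .= $p['Top Menu']['Suffix'];
        }
        $links[] = sprintf('<a href="%s" title="%s">%s</a>',
            htmlspecialchars($href, ENT_QUOTES),
            htmlspecialchars($p['Top Menu']['Tooltip'], ENT_QUOTES),
            htmlspecialchars($p['Top Menu']['Label'], ENT_QUOTES));
    }
    return $links;
}

// Render the menu; with the 'If' file absent the plug-in's tab is left out.
echo implode(' | ', build_top_menu($config['Plugins'], '/home/openvpn/www/status/plugins')), "\n";
```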
Caveats
If you have pre-existing OpenVPN servers/clients, you will need to update the
configuration file to set the OpenVPN status file version to 2:
status-version 2
In SmartyValidate, I modified the email validation code because it
was not properly validating. Also, I added the following validation
criteria:
isCheckedNotEmpty Used to check one field only if a checkbox or radio
button is checked.
isDNSAddress Validate either a DNS entry or IP address
isIPNetmask Validate an IP address along with a netmask
Notes
The basic code was forked from a 5-year-old, dormant project called
Openvpn-web-gui. The URL for it is:
http://openvpn-web-gui.sourceforge.net
The Windows executable code was contributed by Alex Samorukov to
the original project, and modified to
Future Expansion
Use the OpenVPN management port instead of the status file
I am open to suggestions. Right now, I hope to get a complete OpenSSL
management tool integrated into this, the idea being that you can manage all
your security certs and configs from one interface.
NOTES
I was recently working on a Perl script that would SSH to
another server and run a sudo command on the remote server
that was failing. The error that was received is below.
Error: sudo: sorry, you must have a tty to run sudo
The reason is that an update along the way locked sudo down further by
adding the line below to the /etc/sudoers configuration file.
In the file, it now has:
Defaults requiretty
To allow a remote script to log in and run a command via sudo, comment out
that line as shown below. (The restriction can instead be lifted only for the
account the script uses, with a "Defaults:username !requiretty" line, leaving it
in place for everyone else; or the script can request a pseudo-terminal with
ssh -t, so sudoers need not change at all.)
# Commented out so remote script can login and run a command without a tty
# Defaults requiretty
I would suggest making a comment in the sudoers file along with the
actual script that is running, in case another systems administrator is
tasked with working on this server at a later date. Now when your script
runs it will not throw that error and should be able to run the remote
command that was initially required.
HISTORY
0.0.0 First release, management page only
0.1.0 Second release. Full OpenVPN control, certificate revocation,
installation scripts, Windows installation files
0.1.1 Bug fix. Typo in the revocation plugin
Updated SystemCheck plugin:
Added Version info
Added Plugins list
Removed PHP OpenSSL function list (use external script instead)
Fixed bug where the Win32Installer tab was displayed for a
pre-existing vpn
Fixed bug where the status page wasn't displaying all data
in all situations
New Feature - Plugin to email config file, either encrypted or not
0.1.2 New feature - Authentication against either LDAP or PAM now available.
PAM authentication is done using an external program,
since the pam_auth pecl module which is available
for PHP does not work on all systems (i.e. CentOS).
New feature - Plugin email can now send a link, and requires a password
for the user to download the file. Link expires after
specified time period (specified in config file).
Defaults to email link.
Feature change - When entering the DNS for a new server, if the user
enters a domain address which is unresolvable, the
system will first display a warning. The second time
the user hits the Make button, it will build the new
server. This is for cases where a DNS entry would
be unresolvable internally, but resolvable externally,
or not yet set up.
Feature change - When attempting to resolve a domain name, it will
first use the local DNS settings. If that fails,
it will then use the 4.2.2.2 dns server.
See the file validate_criteria.isDNSAddress.php to
change this behaviour.
Currently uses dig, but will use nslookup if dig
isn't available.
New Feature - All config vars for main system collected into a single
file.
New Feature - Single configuration file set up in /etc
0.1.3 New Feature - Web-based configuration
Will read main config file, but will write it out
to /tmp. User will need to move it into /etc
Will read/write defaults config file
New Feature - Now creates config file for Macs
Bug fix - Fixed problem when creating client config for an
OpenVPN 2.1 system
New Feature - Instructions now displayed before downloading file
Instructions are also included in emails
Bug Fix - Fixed bug where MSSFIX and FRAGMENT weren't being
assigned from the config file on the new server screen
Bug Fix/New Feature -
Now includes installer for OpenVPN 2.1.1, with
ability to install on Windows Vista & Windows 7
Feature Change -
Win32Installer tab removed; it is now accessible
from the Servers/clients screen where all other
install files are located. Makes the interface
a bit more logical
New Feature - System Control plugin. Can install, uninstall, start
stop and restart individual servers
Can start, stop, restart, reload and conditional restart
all installed configurations/servers.
Code Change - File access for email messages is now separated into
a separate file, so that it can more easily be
replaced by database routes.