Modify

Opened 7 years ago

Last modified 5 years ago

#911 confirmed enhancement

It could be good to optionally start the OpenVPN management port

Reported by: JonTheNiceGuy <jon@…> Owned by:
Priority: normal Milestone: Firmware 2.3
Component: fon-plugin-openvpn Version: 2.3.6.1 (Gari jr.)
Severity: normal
Cc: Hardware: both

Description

This would be enabled either in the config file with this:

option 'management' '0.0.0.0 1195'

Or, given another ticket I filed today, in the init.d script as follows:

// Something to check out whether the device is running in TCP, UDP or BOTH
if [ -z $TCP ]
then
  $ARGS_T="$ARGS_T --management '0.0.0.0 1195'
fi
if [ -z $UDP ]
then
  $ARGS_U="$ARGS_U --management '0.0.0.0 1196'
fi

Attachments (0)

Change History (7)

comment:1 Changed 7 years ago by matthijs

Thanks for your suggestions! Could you expand a bit about why this would be useful, what options it would add and how it would work after enabling the port?

comment:2 Changed 7 years ago by JonTheNiceGuy <jon@…>

Enabling this option will activate a TCP port, bound to the IP address and port specified in the option.

Connections to that port (which incidentally, probably shouldn't be the 0.0.0.0 address, in hindsight) will allow you to see real-time the activity on the OpenVPN service, plus allow you to dynamically kill or send other commands to the remote client.

I have used this exclusively to debug issues when connecting to the OpenVPN service on my Fon box.

comment:3 Changed 7 years ago by matthijs

Is there any authentication on that port?

comment:4 Changed 7 years ago by JonTheNiceGuy <jon@…>

Yes. Here is the relevant line from the documentation.

--management IP port [pw-file]
    Enable a TCP server on IP:port to handle daemon management functions. pw-file, if specified, is a password file (password on first line) or "stdin" to prompt from standard input. The password provided will set the password which TCP clients will need to provide in order to access management functions.

    The management interface can also listen on a unix domain socket, for those platforms that support it. To use a unix domain socket, specify the unix socket pathname in place of IP and set port to 'unix'. While the default behavior is to create a unix domain socket that may be connected to by any process, the --management-client-user and --management-client-group directives can be used to restrict access.

    The management interface provides a special mode where the TCP management link can operate over the tunnel itself. To enable this mode, set IP = "tunnel". Tunnel mode will cause the management interface to listen for a TCP connection on the local VPN address of the TUN/TAP interface.

    While the management port is designed for programmatic control of OpenVPN by other applications, it is possible to telnet to the port, using a telnet client in "raw" mode. Once connected, type "help" for a list of commands.

    For detailed documentation on the management interface, see the management-notes.txt file in the management folder of the OpenVPN source distribution.

    It is strongly recommended that IP be set to 127.0.0.1 (localhost) to restrict accessibility of the management server to local clients. 

Given this, it may be worth either

1) Having a "management password" just for OpenVPN or 2) If we can extract the Fonera Management Password from anywhere (unlikely, but maybe...) perform

echo "fonpassword" | openvpn -switch -switch

That said, to control this management port is done in cleartext - we probably shouldn't have the default admin password going into that.

I think I'm more and more writing myself into a corner where it's not appropriate to have this as a default, and maybe have it as an emergency-only option.

comment:5 Changed 7 years ago by matthijs

  • Hardware changed from 2.0n (FON2300) to both
  • Milestone set to Firmware 2.3
  • Severity changed from unknown to normal
  • Status changed from new to confirmed

An option in the webinterface to enable this might make sense, being disabled by default.

I don't think we have the plain text password anywhere, and as you suggest a separate password would probably make sense anyway.

comment:6 Changed 5 years ago by matthijs

I've had another look at this ticket, but I think we'll leave this unimplemented for now. I could have a stab at it, but I'm afraid that this will be confusing for novice users and not so trivial to get completely right (i.e., on which interfaces and ports should this listen, which password should this use, if any, etc.).

comment:7 Changed 5 years ago by matthijs

I did have a look at the documentation: http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html

And it does seem like this would be useful to enable at some point. In particular, there does not seem to be any command available that would interfere with the OpenVPN configuration done by the Fonera (i.e., you can't change the IP range, or something like that). One thing that could be a bit problematic is that the OpenVPN daemon can be killed through the management interface, but if that happens, the user will just have to reboot the Fonera to restart OpenVPN again...

Add Comment

Modify Ticket

Action
as confirmed The ticket will remain with no owner.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.