OpenVPN Management Interface Notes
----------------------------------
The OpenVPN Management interface allows OpenVPN to
be administratively controlled from an external program via
a TCP socket.
The interface has been specifically designed for GUI developers
and those who would like to programmatically or remotely control
an OpenVPN daemon.
The management interface is implemented using a client/server TCP
connection, where OpenVPN will listen on a provided IP address
and port for incoming management client connections.
The management protocol is currently cleartext without an explicit
security layer. For this reason, it is recommended that the
management interface either listen on localhost (127.0.0.1)
or on the local VPN address. It's possible to remotely connect
to the management interface over the VPN itself, though some
capabilities will be limited in this mode, such as the ability
to provide private key passwords.
Future versions of the management interface may allow out-of-band
connections (i.e. not over the VPN) and secured with SSL/TLS.
The management interface is enabled in the OpenVPN
configuration file using the following directives:
--management
--management-query-passwords
--management-log-cache
See the man page for documentation on these directives.
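As an added example, not part of the OpenVPN notes, the following Python check turns the advice above into something a defender can run against a config before deploying it: it extracts every `management` directive and reports whether the bind address is loopback, on a VPN network you supply, a wildcard (every interface), or some other address. The `management <IP> <port> [pw-file]` argument order and the `#`/`;` comment-line convention are OpenVPN's; the sample configs, the `vpn_networks` parameter and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample configurations (not from the notes) exercising the
# "management <IP> <port> [pw-file]" directive with different bind addresses.
SAMPLE_CONFIGS = {
    "loopback": "dev tun\nmanagement 127.0.0.1 7505\nmanagement-query-passwords\n",
    "vpn":      "dev tun\n# bind on the local VPN address\nmanagement 10.8.0.1 7505\n",
    "wildcard": "dev tun\n; listens on every interface, cleartext\nmanagement 0.0.0.0 7505\n",
    "lan":      "dev tun\nmanagement 192.168.1.10 7505\n",
    "none":     "dev tun\nverb 3\n",
}


def find_management_binds(config_text):
    """Return (ip, port) for every 'management' directive in the config.

    Comment lines start with '#' or ';'. The unix-socket form of the
    directive ('management <path> unix') is not handled by this check.
    """
    binds = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "management":
            binds.append((parts[1], parts[2]))
    return binds


def classify_bind(ip_text, vpn_networks=()):
    """Classify a bind address as loopback, vpn, wildcard, other or invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:       # 0.0.0.0 or :: -> listens on every interface
        return "wildcard"
    for net in vpn_networks:    # networks the caller knows to be VPN-only
        if ip in ipaddress.ip_network(net, strict=False):
            return "vpn"
    return "other"


def audit_config(config_text, vpn_networks=()):
    """Return one finding per management directive.

    A finding is (ip, port, classification, acceptable); given the cleartext
    protocol, only loopback and VPN-address binds are marked acceptable.
    """
    findings = []
    for ip_text, port in find_management_binds(config_text):
        kind = classify_bind(ip_text, vpn_networks)
        findings.append((ip_text, port, kind, kind in ("loopback", "vpn")))
    return findings


if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        print(name, audit_config(text, vpn_networks=["10.8.0.0/24"]))
```

The VPN network list has to come from the operator, since nothing in the config itself proves that an address belongs to the tunnel rather than to a LAN interface; without it, anything that is not loopback is reported as "other" and left for a human to judge.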
Once OpenVPN has started with the management layer enabled,
you can telnet to the management port (make sure to use
a telnet client which understands "raw" mode).
Once connected to the management port, you can use
the "help" command to list all commands.
COMMAND -- echo
---------------
The echo capability is used to allow GUI-specific
parameters to be either embedded in the OpenVPN config file
or pushed to an OpenVPN client from a server.
Command examples:
echo on -- turn on real-time notification of echo messages
echo all -- print the current echo history list
echo off -- turn off real-time notification of echo messages
echo on all -- atomically enable real-time notification,
plus show any messages in history buffer
For example, suppose you are developing an OpenVPN GUI and
you want to give the OpenVPN server the ability to ask
the GUI to forget any saved passwords.
In the OpenVPN server config file, add:
push "echo forget-passwords"
When the OpenVPN client receives its pulled list of directives
from the server, the "echo forget-passwords" directive will
be in the list, and it will cause the management interface
to save the "forget-passwords" string in its list of echo
parameters.
The management client can use "echo all" to output the full
list of echoed parameters, "echo on" to turn on real-time
notification of echoed parameters via the ">ECHO:" prefix,
or "echo off" to turn off real-time notification.
When the GUI connects to the OpenVPN management socket, it
can issue an "echo all" command, which would produce output
like this:
1101519562,forget-passwords
END
Essentially the echo command allowed us to pass parameters from
the OpenVPN server to the OpenVPN client, and then to the
management client (such as a GUI). The large integer is the
unix date/time when the echo parameter was received.
If the management client had issued the command "echo on",
it would have enabled real-time notifications of echo
parameters. In this case, our "forget-passwords" message
would be output like this:
>ECHO:1101519562,forget-passwords
Like the log command, the echo command can atomically show
history while simultaneously activating real-time updates:
echo on all
The size of the echo buffer is currently hardcoded to 100
messages.
COMMAND -- exit, quit
---------------------
Close the management session, and resume listening on the
management port for connections from other clients. Currently,
the OpenVPN daemon can support at most a single management client
at any one time.
COMMAND -- help
---------------
Print a summary of commands.
COMMAND -- hold
---------------
The hold command can be used to manipulate the hold flag,
or release OpenVPN from a hold state.
If the hold flag is set on initial startup or
restart, OpenVPN will hibernate prior to initializing
the tunnel until the management interface receives
a "hold release" command.
The --management-hold directive of OpenVPN can be used
to start OpenVPN with the hold flag set.
The hold flag setting is persistent and will not
be reset by restarts.
OpenVPN will indicate that it is in a hold state by
sending a real-time notification to the management
client:
>HOLD:Waiting for hold release
Command examples:
hold -- show current hold flag, 0=off, 1=on.
hold on -- turn on hold flag so that future restarts
will hold.
hold off -- turn off hold flag so that future restarts will
not hold.
hold release -- leave hold state and start OpenVPN, but
do not alter the current hold flag setting.
COMMAND -- kill
---------------
In server mode, kill a particular client instance.
Command examples:
kill Test-Client -- kill the client instance having a
common name of "Test-Client".
kill 1.2.3.4:4000 -- kill the client instance having a
source address and port of 1.2.3.4:4000
Use the "status" command to see which clients are connected.
COMMAND -- log
--------------
Show the OpenVPN log file. Only the most recent n lines
of the log file are cached by the management interface, where
n is controlled by the OpenVPN --management-log-cache directive.
Command examples:
log on -- Enable real-time output of log messages.
log all -- Show currently cached log file history.
log on all -- Atomically show all currently cached log file
history then enable real-time notification of
new log file messages.
log off -- Turn off real-time notification of log messages.
log 20 -- Show the most recent 20 lines of log file history.
Real-time notification format:
Real-time log messages begin with the ">LOG:" prefix followed
by the following comma-separated fields:
(a) unix integer date/time,
(b) zero or more message flags in a single string:
I -- informational
F -- fatal error
N -- non-fatal error
W -- warning
D -- debug, and
(c) message text.
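The echo, hold and log sections above all describe lines a management client must interpret: multi-line replies terminated by "END" (such as the output of "echo all"), and real-time notifications prefixed with ">ECHO:", ">HOLD:" or ">LOG:". As an added example, not code from OpenVPN, here is a small Python reader that splits a stream of lines into those two kinds of events, decodes the ">LOG:" fields (unix time, flag string, text) and the ">ECHO:" fields (unix time, parameter), and flags a notification whose fields cannot be split rather than crashing on it. The session lines are constructed for the example (only the "forget-passwords" entry and the hold message come from the notes), and the class and function names are this example's own.

```python
# Meaning of the single-character flags in a ">LOG:" notification
LOG_FLAGS = {
    "I": "informational",
    "F": "fatal",
    "N": "non-fatal",
    "W": "warning",
    "D": "debug",
}

# Constructed sample of what a management client might read from the socket
# (not a capture): a hold notification, an "echo all" reply, then real-time
# ECHO and LOG lines, the last of which is deliberately malformed.
SAMPLE_SESSION = [
    ">HOLD:Waiting for hold release",
    "1101519562,forget-passwords",
    "END",
    ">ECHO:1101519562,forget-passwords",
    ">LOG:1101519600,I,constructed informational message",
    ">LOG:1101519601,NW,constructed warning, text containing a comma",
    ">LOG:1101519602,,constructed message with no flags",
    ">LOG:garbled-line-without-fields",
]


def parse_notification(line):
    """Parse a '>TYPE:payload' real-time line; return None for any other line."""
    if not line.startswith(">") or ":" not in line:
        return None
    kind, payload = line[1:].split(":", 1)
    event = {"kind": kind, "payload": payload}
    try:
        if kind == "LOG":
            # fields: unix time, flag string, message text (text may hold commas)
            ts, flags, text = payload.split(",", 2)
            event.update(time=int(ts), flags=[LOG_FLAGS.get(f, f) for f in flags], text=text)
        elif kind == "ECHO":
            ts, param = payload.split(",", 1)
            event.update(time=int(ts), param=param)
    except ValueError:
        # wrong field count or non-numeric time: keep the raw payload, mark it
        event["malformed"] = True
    return event


class ManagementReader:
    """Turns raw lines into events: notifications at once, replies at 'END'."""

    def __init__(self):
        self._pending = []

    def feed(self, line):
        line = line.rstrip("\r\n")
        event = parse_notification(line)
        if event is not None:
            return event
        if line == "END":
            block, self._pending = self._pending, []
            return {"kind": "RESPONSE", "lines": block}
        self._pending.append(line)   # part of a reply still being received
        return None


def parse_echo_history(response_lines):
    """Decode an 'echo all' reply into (unix time, parameter) pairs."""
    history = []
    for line in response_lines:
        ts, param = line.split(",", 1)
        history.append((int(ts), param))
    return history


def read_session(lines):
    """Run every line through one reader and collect the events produced."""
    reader = ManagementReader()
    return [ev for ev in (reader.feed(ln) for ln in lines) if ev is not None]


if __name__ == "__main__":
    for ev in read_session(SAMPLE_SESSION):
        print(ev)
```

Because notifications can arrive at any time, including in the middle of a reply, the reader checks for the ">" prefix before treating a line as reply data; a client that instead read "until END" would mis-attribute an interleaved ">LOG:" line to the reply. A GUI would act on the "HOLD" event by sending "hold release" once it is ready.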
COMMAND -- mute
---------------
Change the OpenVPN --mute parameter. The mute parameter is
used to silence repeating messages of the same message
category.
Command examples:
mute 40 -- change the mute parameter to 40
mute -- show the current mute setting
COMMAND -- net
--------------
(Windows Only) Produce output equivalent to the OpenVPN
--show-net directive. The output includes OpenVPN's view
of the system network adapter list and routing table based
on information returned by the Windows IP helper API.
COMMAND -- password and username
--------------------------------
The password command is used to pass passwords to OpenVPN.
If OpenVPN is run with the --management-query-passwords
directive, it will query the management interface for RSA
private key passwords and the --auth-user-pass
username/password.
When OpenVPN needs a password from the management interface,
it will produce a real-time ">PASSWORD:" message.
Example 1: