Using Management Interface Of OpenVPN

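Certificate-based web user management systems such as openvpn-web-gui exist, but once RADIUS is in place we no longer need them. At that point, tasks such as disconnecting users can be handled through OpenVPN's Management Interface.

On Linux/Windows there is a GUI called openvpn-control, although its most recent release has not been updated for a long time. It makes it easy to kick users, or to connect to a remote machine for management through SSH port forwarding (requires PuTTY).

See the official screenshot.

There is also OpenVPN-Status, a CGI program written in Python that depends on Apache's libapache2-mod-python. Since mod_python is not the focus of this post, please look elsewhere for that.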

 

All of this, however, requires that OpenVPN's Management Interface is configured first.

To listen on 127.0.0.1:

--management 127.0.0.1 port

To listen on a Unix socket:

--management /path/to/socket unix

To listen on the address of the tunnel interface:

--management tunnel port

--management IP port [pw-file]
Enable a TCP server on IP:port to handle daemon management functions. pw-file, if specified, is a password file (password on first line) or "stdin" to prompt from standard input. The password provided will set the password which TCP clients will need to provide in order to access management functions.

The management interface can also listen on a unix domain socket, for those platforms that support it. To use a unix domain socket, specify the unix socket pathname in place of IP and set port to 'unix'. While the default behavior is to create a unix domain socket that may be connected to by any process, the --management-client-user and --management-client-group directives can be used to restrict access.

The management interface provides a special mode where the TCP management link can operate over the tunnel itself. To enable this mode, set IP = "tunnel". Tunnel mode will cause the management interface to listen for a TCP connection on the local VPN address of the TUN/TAP interface.

While the management port is designed for programmatic control of OpenVPN by other applications, it is possible to telnet to the port, using a telnet client in "raw" mode. Once connected, type "help" for a list of commands.

For detailed documentation on the management interface, see the management-notes.txt file in the management folder of the OpenVPN source distribution.

It is strongly recommended that IP be set to 127.0.0.1 (localhost) to restrict accessibility of the management server to local clients.

see also:

http://openvpn.net/index.php/open-source/documentation/howto.html

http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html

If all you need is to kick someone offline, nc is enough. For example, to kick ihipop offline:

[bash]echo -e 'kill ihipop \r\n exit' |nc ip port[/bash]

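However, OpenVPN clients have a ping-like restart mechanism, and most of the time the client keeps the username and password cached in memory. So although the user is disconnected, when ping-restart fires the client notices that it has been dropped and connects again.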
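As an added example (not code from the original post), the Python function below does what the nc one-liner does, but also answers the password prompt configured with pw-file, skips the `>` real-time messages, checks the SUCCESS:/ERROR: reply, and rejects names containing line breaks so that a name taken from user input cannot add a second management command. The names `kick` and `ManagementError` and the character allow-list are assumptions of this example.

```python
import re
import socket
import sys

class ManagementError(Exception):
    """The management interface refused, dropped or never answered a request."""

def _reply(stream):
    """Return the first SUCCESS:/ERROR: line, skipping '>' real-time messages."""
    for raw in stream:
        line = raw.strip()
        # The password prompt carries no newline, so it can prefix the reply.
        if line.startswith("ENTER PASSWORD:"):
            line = line[len("ENTER PASSWORD:"):]
        if line.startswith(("SUCCESS:", "ERROR:")):
            return line
    raise ManagementError("connection closed before a reply arrived")

def kick(sock, common_name, password=None, timeout=5.0):
    """Send 'kill <common_name>' on a connected socket; return the SUCCESS line."""
    # One command per line: refuse names that could smuggle in a second command.
    # The allow-list itself is an assumption of this example.
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", common_name):
        raise ValueError("unsafe common name: %r" % common_name)
    sock.settimeout(timeout)  # bound the wait if no reply ever arrives
    stream = sock.makefile("r", encoding="utf-8", errors="replace")
    try:
        if password is not None:
            sock.sendall(password.encode() + b"\r\n")
            if not _reply(stream).startswith("SUCCESS:"):
                raise ManagementError("management password rejected")
        sock.sendall(b"kill " + common_name.encode() + b"\r\n")
        answer = _reply(stream)
        sock.sendall(b"exit\r\n")
    except socket.timeout:
        raise ManagementError("no reply from the management interface")
    finally:
        stream.close()
    if answer.startswith("ERROR:"):
        raise ManagementError(answer)
    return answer

if __name__ == "__main__":
    # Usage: kick.py HOST PORT COMMON_NAME  (no arguments: nothing is contacted)
    if len(sys.argv) == 4:
        with socket.create_connection((sys.argv[1], int(sys.argv[2]))) as s:
            print(kick(s, sys.argv[3]))
```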

Author Info :
  • From:Using Management Interface Of OpenVPN
  • URL:https://blog.ihipop.com/2011/05/2422.html
  • Please Reserve This Link,Thanks!