Hi all,

Background: On my TP-Link TL-WR1043N/ND v1 running OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530), I have just configured a simple VPN server by following the guide at http://wiki.openwrt.org/doc/howto/vpn.openvpn .

Although the VPN is only for very temporary use (while on a short holiday), I still would like some kind of management interface to the OpenVPN server so I can keep an eye on who is connected. It could be done through monitoring /tmp/openvpn.log but this does not give me the option of forcefully disconnecting anyone, for example.

The OpenVPN manual at https://openvpn.net/index.php/open-sour … howto.html states the following:

If I understand correctly, on OpenWrt we don't use the regular OpenVPN config file but rather an uci config file at /etc/config/openvpn which is then somehow translated into something OpenVPN understands. So I will have to translate this "management localhost 7505" into the format of the uci config file.

The problem: I tried to do exactly that, but somehow it's not working. Here is my current config file:

OpenVPN won't even start with this configuration. Here's the logfile:

When I comment out the "option management" line in /etc/config/openvpn, all is well.

I also tried adding a pw-file to the option as follows:

but the same error appears in /tmp/openvpn.log.

As you can see in the first lines of my /etc/config/openvpn, I also tried using a custom config file at /etc/openvpn/custom_config.conf. That config file contained only the following:

In that case OpenVPN starts, but there is still no management interface.

At this point I'm out of ideas, so I would be very grateful if anyone with more experience could point me in the right direction here. Thank you in advance.

(Last edited by Arnie on 24 Apr 2015, 14:32)

Please explain a bit more

"I still would like some kind of management interface to the OpenVPN server so I can keep an eye on who is connected. It could be done through monitoring /tmp/openvpn.log but this does not give me the option of forcefully disconnecting anyone, for example."

I don't use OpenWrt as OpenVPN only as a client and Debian/Centos as OpenVPN server...

So first thing you need is to check source package of OpenVPN to see which options have been removed. OpenWrt package maintainers have to usually cut out functions to create as small packages as possible, so maybe this management interface you mention has also been removed.

I usually monitor vpn server status by just looking at /var/log/openvpn-status.log file.

To disconnect somebody you need to revoke their certificate, and if needed reset openvpn service, and they are gone, permanently. Or you can create permanent or temporaty iptables rules...

Hi valentt,

Thank you for your reply. My only device that I keep on 24/7 is this router, which is why I'm not running the OpenVPN server on a bigger machine. The VPN only serves to allow secure use of POP3 email on a public WiFi anyway, so there is not much special about it.

Your /var/log/openvpn-status.log is equivalent to my /tmp/openvpn.log. They are just in different locations. I am currently using that logfile as a way of monitoring the server.

For removing clients, I could of course use iptables or revoke the certificate. I just thought that the purpose-built management interface would be a nicer way of doing this.

I'm starting to think that the OpenWrt maintainers indeed sliced out the management interface from the package. So my only option would be to compile "stock" OpenVPN and install that to the router (I have my rootfs on a 32 MB USB stick, so there is some space).

(Last edited by Arnie on 25 Apr 2015, 13:27)

A new post to this topic because I have a very similar question. Now I would like to set the link-mtu option for OpenVPN. I know how to do this in a "standard" OpenVPN config file, but I cannot seem to make the setting find its way through OpenWrt's uci layer.

First of all, here is the uci config file for openvpn from /etc/config/openvpn

The part in bold is my attempt at setting the MTU, but it does nothing as evidenced by the OpenVPN logfile:

Does anyone know how I can set link-mtu through uci? Or should I just throw that whole system out of the window and start working with native OpenVPN configuration files, like this guy did?

(Background story: I need to lower the MTU to make the VPN work for clients on a "DS lite" connection. The ISP at my server side only offers IPv4, while some clients only have IPv6 with an AFTR tunnel for IPv4 compatibility. They can connect to the server through AFTR just fine but such a connection chokes after a few kB's at MTU 1500.)

(Last edited by Arnie on 9 May 2015, 13:04)

Ok, I decided to give up on uci and just make a regular openvpn config file. Now all is well. If anyone knows the solution for uci, please let me know nonetheless.

Meanwhile, using a regular openvpn config file also somewhat solves my management console problem. I have the following line in my non-uci custom config file:

The file /tmp/openvpn-status.log now contains a list of connected clients.

(Last edited by Arnie on 11 May 2015, 11:46)

I stumbled on this thread when trying to figure out how to access the openvpn management interface.  My solution is not ideal but it works.

Line in server config file:

management localhost <port> "/etc/config/ovpn/vrp"

<port> obviously gets filled in with the port you want the management console on, and vrp is a text file containing the management interface password - you can name it what you want, place it where you want, or have password-less login if you wish.  I already had this set up so I just replicated it on the router.

I'm using putty, so in my SSH access setup I have added a tunnel.  Under connections - SSH - Tunnels, fill in the following boxes:

Putty tunnel setup:

Source port:  this is the port from which you will access the telnet management interface (pick any open port)
Destination:  localhost:<port>   -- port is the from the openvpn server config file, where the management console is listening

Hit the Add button, then make sure to save the config.  Under forwarded ports on the tunnel page you should see

L<source port>     localhost:<port>

Open the SSH connection and you'll see the welcome banner.  The tunnel is now open, so you can open another putty session and telnet to hostname localhost on port <source port>   -- this is the "source port" from the putty tunnel set up step.

Hit enter and you should see a password prompt, and after entering you have full access to the management console.

Enjoy.

Use underscore (_) instead of dash (-) in UCI configuration, you can see the recognized options in /etc/init.d/openvpn. FYI, management is disabled by default in OpenVPN you need to build your image with CONFIG_OPENVPN_openssl_ENABLE_MANAGEMENT=y.