[SOLVED] OpenVPN status page is reliant on port 14

Duxa
DD-WRT User


Joined: 16 Aug 2013
Posts: 191

Posted: Wed Jun 08, 2022 20:43    Post subject: [SOLVED] OpenVPN status page is reliant on port 14
Hi all, it appears that OpenVPN server management has to be set to port 14 in order for logs and status to show up under the Status -> OpenVPN page.

If the port is changed to any other port
management localhost 16
then it's blank (from googling it looks like this issue is as old as 2013, possibly even older: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=759348)

However, I have been using port 14 for something else for years.

So the question is twofold:

1) Is it possible in future to surface this configuration (port logs are read on by the GUI)?

2) Is it possible to configure this through "Additional Config"? Currently I can change the management port through this field. But I don't seem to see a way to make the Status page read from that new changed port.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Thu Jun 09, 2022 7:04    Post subject:
Since the beginning of time the DDWRT OpenVPN Status Page has been querying the management interface of the OpenVPN Server on port 14 and the OpenVPN Client on port 16.
So better not use those ports elsewhere.

In the openvpn.conf the management interface is, of course, set accordingly.
You can override this in the additional config, but you cannot set the GUI to query another port; that is fixed, so the OpenVPN status page is blank.

However, you can query the management interface from the CLI; I am doing that for a setup with two OpenVPN clients where I have set the management port of the second client on port 17:
Code:
telnet localhost 17
log 40
log on

See: https://openvpn.net/community-resources/management-interface/
When you have opened the management console just type help to see all possibilities :)

But I will put it on my list to see if there is a quick and easy solution :D

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jun 09, 2022 17:48    Post subject:
As @egc stated, while you can change the management port via the Additional Config field, it's NOT going to change the port the webpage source code uses to access that service.

Could this port be exposed in the GUI for such purposes? Of course, although this is a good example of further complicating the GUI, which is already pretty complicated as it is. So I don't know if this is something @egc would want to consider.

Frankly, I don't think it's necessary to use the management port for these purposes anyway. Such information could be gleaned from the OpenVPN client using the following in the config file.

Code:
status /tmp/openvpncl/status


Now the stats would be updated every 60 secs in that file (it takes an optional third argument to change the update period) and available for display. And it would eliminate those annoying warning messages in the syslog about the management UI not using a password, and the CMD messages as well. On the downside, a refresh of the page would only change if the status file had been updated since the last refresh.

At least if *I* was going to consider allowing a user-defined port, I'd seriously consider revamping the process entirely to use the status file.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Jun 09, 2022 18:14    Post subject:
Well there is a reason why many knobs are hidden and only available to those who venture outside comfort zones and have enough experience to know better.

I would say in addition to what's been said, that some clients need to be equally as flexible in order to communicate properly with servers, and some crap is still closed source, like much of OpenVPN is apparently.

That's not to say there aren't ways around things, but it's not so cut and dried.

So, forgive my brain farts folks, nothing to see here, move along, move along and keep calm.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Fri Jun 10, 2022 10:42    Post subject:
eibgrad wrote:
As @egc stated, while you can change the management port via the Additional Config field, it's NOT going to change the port the webpage source code uses to access that service.

Could this port be exposed in the GUI for such purposes? Of course, although this is a good example of further complicating the GUI, which is already pretty complicated as it is. So I don't know if this is something @egc would want to consider.

Frankly, I don't think it's necessary to use the management port for these purposes anyway. Such information could be gleaned from the OpenVPN client using the following in the config file.

Code:
status /tmp/openvpncl/status


Now the stats would be updated every 60 secs in that file (it takes an optional third argument to change the update period) and available for display. And it would eliminate those annoying warning messages in the syslog about the management UI not using a password, and the CMD messages as well. On the downside, a refresh of the page would only change if the status file had been updated since the last refresh.

At least if *I* was going to consider allowing a user-defined port, I'd seriously consider revamping the process entirely to use the status file.


Thanks for your comment.

I indeed was not contemplating adding a GUI option (as the American saying is: You cannot be too rich or too thin but you can have too many GUI options :) )

This is not much sought after and we have good workarounds, using the command line or your excellent option (thanks for that).

However, at this moment the GUI is querying the conf file for the used management port, but it starts from the top and of course does find the DDWRT port first and does not take the port from the additional config into account.

A simple adding of "| tail -1" might solve this.

But I am traveling the next weeks so do not have much time to do meaningful work (and that is nice for a change :) )

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Jun 19, 2022 10:57    Post subject:
Solved in next build.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Jun 19, 2022 16:23    Post subject:
egc wrote:
Solved in next build.


As in how? (just curious)

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Jun 19, 2022 16:42    Post subject:
The scripts were already parsing the management port.

But as the management port was already set by DDWRT they always return that port.

I added tail (see: https://svn.dd-wrt.com/changeset/49252 )
so that it just uses the last added management port.
(If you know a better solution, of course always welcome, but this seems to work :) )

Other patch is to prevent the use of --nobind in the client setup file.
This was asked by a user who wanted to set the --local_port as all ports except a few are blocked.
Also does not warrant a GUI setting but can be done by setting an nvram parameter.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Jun 19, 2022 17:15    Post subject:
Looks good. Although, it is possible to get the last occurrence of management w/o the need for tail, or even grep.

awk '/^management /{x=$3}END{print x}' /tmp/openvpn/openvpn.conf

IOW, awk can both search and print from the last matching line, all in one command.

Not really a big deal, but I see a lot of scripting that makes unnecessary calls like this.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
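
Added example (not code from this thread or from DD-WRT): it contrasts first-match and last-match lookup of the management directive on a constructed config, then reports whether the effective entry is loopback-bound and has a password file, the condition behind the syslog warning mentioned earlier in the thread. The function names and the sample config are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample config: a generated management line first, then a
# user override appended at the end, as the Additional Config field does.
sample_conf() {
cat <<'EOF'
dev tun2
verb 3
management 127.0.0.1 14
# management 127.0.0.1 99
management-hold
  management   localhost 16
EOF
}

# Top-down lookup: stops at the first directive (the pre-fix behaviour).
first_mgmt_port() {
    awk '$1 == "management" { print $3; exit }' "$1"
}

# Bottom-up result: the last directive wins, matching the override.
last_mgmt_port() {
    awk '$1 == "management" { p = $3 } END { if (p != "") print p }' "$1"
}

# Report on the effective (last) entry: port, loopback binding, and
# whether a password file (optional 4th field) is configured.
audit_mgmt() {
    awk '
    $1 == "management" { host = $2; port = $3; pw = $4; seen = 1 }
    END {
        if (!seen) { print "none"; exit }
        if (port == "unix") { print "unix-socket " host; exit }
        if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) {
            print "invalid-port " port; exit
        }
        loop = (host == "localhost" || host ~ /^127\./ || host == "::1")
        printf "port=%s loopback=%s password=%s\n", port,
            (loop ? "yes" : "no"), (pw != "" ? "yes" : "no")
    }' "$1"
}

conf=$(mktemp) && sample_conf > "$conf"
echo "first=$(first_mgmt_port "$conf") last=$(last_mgmt_port "$conf")"
audit_mgmt "$conf"
rm -f "$conf"
```

Comparing on the first field, rather than on a line-start pattern, also picks up indented directives and skips commented-out lines and related options such as management-hold.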
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Jun 19, 2022 18:41    Post subject:
Thanks, I knew you could come up with a smarter solution :)
Duxa
DD-WRT User


Joined: 16 Aug 2013
Posts: 191

Posted: Sun Jun 19, 2022 19:35    Post subject:
Can confirm it's working (note: need to CTRL + SHIFT + R after switching ports).

Perhaps it's a good time to make sure that the rest of the config file is queried bottom up as well? Because for example verb 3 is pre-set in the file. While debugging I set it to verb 5 via additional parameters (to get extra debug) but not sure it was working, at least I didn't get the info I was looking for from the logs.

Another solution perhaps less elegant but more geeky would be to make the config field pre-populate the defaults from /tmp/openvpn/openvpn.conf in it. And then when applied overwrite the file. So that basically the GUI text field is a mirror of the openvpn.conf instead of being an additional appendage. Basically enabling you to edit the entire config file instead of just adding to it.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jun 20, 2022 12:21    Post subject:
Duxa wrote:
Can confirm it's working (note: need to CTRL + SHIFT + R after switching ports).

Perhaps it's a good time to make sure that the rest of the config file is queried bottom up as well? Because for example verb 3 is pre-set in the file. While debugging I set it to verb 5 via additional parameters (to get extra debug) but not sure it was working, at least I didn't get the info I was looking for from the logs.

Another solution perhaps less elegant but more geeky would be to make the config field pre-populate the defaults from /tmp/openvpn/openvpn.conf in it. And then when applied overwrite the file. So that basically the GUI text field is a mirror of the openvpn.conf instead of being an additional appendage. Basically enabling you to edit the entire config file instead of just adding to it.

The way OpenVPN is using its config file and how DDWRT uses it (to parse the management port) are different.
OpenVPN should use the last entry (not for everything; sometimes you cannot set a duplicate entry, but OpenVPN will warn against that).

The fact that it is working this way is why you can override the management port like you are doing :)
