Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: coffen on March 16, 2011, 08:32:44 am

Title: [SOLVED] OpenVPN DHCP client list
Post by: coffen on March 16, 2011, 08:32:44 am
Is there some place where I can see the ip addresses of the VPN clients currently connected to the TAP interface?
Dashboard only shows DHCP leases of eth0, but not tap0
Title: Re: OpenVPN DHCP client list
Post by: Trym on March 16, 2011, 03:05:45 pm
You can easily see who's connected by adding the OpenVPN widgets to your dashboard ("Configure Widgets", top of the page, next to the search field).

That, however, will only list the address the client is connecting from, not which internal VPN-address it has.

I'm sure there's a better way to do this, but you can see which certificate is given which IP by:

Code:
sudo cat /etc/openvpn/<name of vpn>-ipp.txt

That file is updated with new IPs as clients with different certificates connect for the first time.
I think you can edit that file too if you want to hand out specific addresses to specific clients/certificates.

::Trym
Title: Re: OpenVPN DHCP client list
Post by: coffen on March 16, 2011, 04:28:18 pm
Quote
You can easily see who's connected by adding the OpenVPN widgets to your dashboard ("Configure Widgets", top of the page, next to the search field).

That, however, will only list the address the client is connecting from, not which internal VPN-address it has.

I'm sure there's a better way to do this, but you can see which certificate is given which IP by:

Code:
sudo cat /etc/openvpn/<name of vpn>-ipp.txt

That file is updated with new IPs as clients with different certificates connect for the first time.
I think you can edit that file too if you want to hand out specific addresses to specific clients/certificates.

::Trym

OK, that sort of solves my problem.
I am looking for a way to easily open a VNC session to a client connecting through VPN.
For that I need to know the vpn ip the client is assigned.
Would be nice if the widget showed both public ip and vpn ip of the client.

The <name of vpn>-ipp.txt shows a list of IPs assigned even if the VPN session is no longer active.
Title: Re: OpenVPN DHCP client list
Post by: Trym on March 16, 2011, 05:55:17 pm
Quote
The <name of vpn>-ipp.txt shows a list of IPs assigned even if the VPN session is no longer active.

Yes, which is why you need to look at the dashboard-widget to see who's currently connected to VPN.

Quote
Would be nice if the widget showed both public ip and vpn ip of the client.

Agreed, I suggest you add it to the Zentyal wish-list.

::Trym
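
Added example, not part of the thread and not Zentyal code: the ipp file maps each certificate common name to its persisted VPN address, and a list of live sessions says who is connected right now, so joining the two on common name gives the VPN address of each connected client. It assumes the OpenVPN server writes a status file (the `status` directive, version 1 layout), which the thread does not confirm for Zentyal; the sample data and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of <name of vpn>-ipp.txt: "common name,IP" per line.
IPP_SAMPLE = "alice,192.168.160.2\nbob,192.168.160.3\ncarol,192.168.160.4\n"

# Constructed, abbreviated sample of an OpenVPN status file (version 1 layout).
STATUS_SAMPLE = """\
OpenVPN CLIENT LIST
Updated,Wed Mar 16 16:30:01 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,48213,90211,Wed Mar 16 16:02:11 2011
carol,198.51.100.7:40022,1200,3400,Wed Mar 16 16:20:45 2011
ROUTING TABLE
"""


def parse_ipp(text):
    """Map certificate common name -> persisted VPN address."""
    leases = {}
    for line in text.splitlines():
        name, _, rest = line.partition(",")
        try:
            addr = ipaddress.ip_address(rest.split(",")[0].strip())
        except ValueError:
            continue  # blank, malformed or badly hand-edited line
        leases[name.strip()] = str(addr)
    return leases


def parse_connected(text):
    """Map common name -> real (public) address, live sessions only."""
    live, in_clients = {}, False
    for line in text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_clients = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_clients and line.count(",") >= 4:
            name, real = line.split(",")[:2]
            live[name] = real.rsplit(":", 1)[0]  # drop the source port
    return live


def connected_clients(ipp_text, status_text):
    """(common name, public IP, VPN IP) for each connected client."""
    leases = parse_ipp(ipp_text)
    live = parse_connected(status_text)
    return [(cn, live[cn], leases.get(cn, "unknown")) for cn in sorted(live)]
```

On a server, pass the contents of the real ipp file and status file to `connected_clients()`; a client that appears as `unknown` is connected but has no entry in the ipp file.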
Title: Re: OpenVPN DHCP client list
Post by: Sam Graf on March 16, 2011, 10:43:08 pm
Unless something changed recently, Zentyal supports a single simultaneous VPN client connection per server. In my case, I have one server per possible client connection (so nobody gets bumped) and so maybe I'm missing something here. But at least in my 1-to-1 server/client relationships, the client's VPN interface address is always the server's VPN interface address plus one (at least using /24 addresses). A client connecting to a server running at VPN interface address 192.168.200.1 will have a VPN interface address of 192.168.200.2. It's true that Zentyal doesn't tell me that at the server end, but that's how it has worked out in my experience, making it possible to assume the client address almost certainly to be the server address plus 1.

Am I completely missing something here?  :)
Title: Re: OpenVPN DHCP client list
Post by: Trym on March 16, 2011, 11:01:46 pm
Maybe I'm the one missing something. I manage a server with one OpenVPN-server set up, and certificates given out to approx 75% of the users, approx 20 in total. Out of them, 12 use VPN regularly.

I've never had any complaints about drop-outs, and I've with my own eyes seen four users connected simultaneously. The samba logs show all users except me were browsing and opening files from shares on the server at around the same time.

Maybe this isn't supposed to work, but it does for me.

(Unless you are using the same certificate for different users of course, that won't work.)

::Trym
Title: Re: OpenVPN DHCP client list
Post by: sixstone on March 16, 2011, 11:58:23 pm
Hi there,

The VPN module is intended to be multihost with a unique certificate per VPN client for security purposes.

I've added your request to our wishlist. [1]

Thanks very much for your suggestions.

[1] http://trac.zentyal.org/wiki/Document/Development/Wishlist/Module/OpenVPN#ShowtheVPNIPaddressinwidget
Title: Re: OpenVPN DHCP client list
Post by: Sam Graf on March 17, 2011, 03:42:32 am
Quote
Maybe I'm the one missing something.

Nope. Maybe it was the way I described in eBox? Maybe I just don't know what I'm talking about and am hopelessly confused? In any case, I learned something. Now if I can just remember that I learned something …
Title: Re: OpenVPN DHCP client list
Post by: half_life on March 17, 2011, 04:32:39 am
Since the IP address is persistent (user always gets the same IP) you can just add them to your dns manually.