
Configuring OpenVPN Management Interface on pfSense

Accessing OpenVPN Management Interface over TCP

Gagan Deep
·Oct 10, 2021·

3 min read

TLDR; if you want to jump directly to the solution, go to "The Solution" section.

pfSense is a popular open-source software used for firewalling and routing. pfSense is not just batteries included, but much more: it can provide services such as captive portals, VPNs, RADIUS, certificate management, etc. This blog revolves around one of the VPN services provided by pfSense, i.e. OpenVPN.

OpenVPN is a very powerful and flexible tool, and pfSense has tried to accommodate commonly used settings in the GUI. But for settings that are unavailable in the GUI, pfSense provides a Custom Options field where the user can directly input configuration for the OpenVPN server.

[Screenshot: Custom Options field for OpenVPN on pfSense]

Anything which is added in Custom Options is appended to the end of the OpenVPN configuration file, found at /var/etc/openvpn/server<server-id>/config.ovpn.

[Screenshot: using OpenVPN Custom Options]

With this, and the information from OpenVPN's documentation on the Management Interface, making the management interface listen on a TCP port seems simple: put management 127.0.0.1 7505; in the Custom Options field and it should work.

Well, if you have already tried it, you were probably startled to see output like this from telnet:

telnet 127.0.0.1 7505
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Operation timed out
telnet: Unable to connect to remote host

If you check the OpenVPN logs at /var/log/openvpn.log, you will find a similar log for the management interface:

# In /var/log/openvpn.log
Aug 19 19:42:21 gateway openvpn[67597]: MANAGEMENT: unix domain socket listening on localhost

Wait, a UNIX socket on localhost? This does not make any sense.

After interacting with the community on the Netgate forum, I became aware that it is not possible to override the default pfSense configuration for the OpenVPN management interface.

The Solution

We can create a bidirectional relay to work around this restriction of pfSense. netcat would also do the job, but this solution uses socat for its additional features.

Before doing anything permanent, it is better to make sure that socat is relaying traffic properly.

Execute the following command to start a bidirectional relay:

socat -d -d TCP4-LISTEN:7505,fork,bind=127.0.0.1 UNIX-CONNECT:/var/etc/openvpn/server<server-id>/sock

The above command creates a bidirectional relay that accepts TCP connections on port 7505 of the loopback interface (127.0.0.1) and forwards each of them to the OpenVPN management socket. You can change the port and the listening address by editing TCP4-LISTEN:7505 and bind=127.0.0.1 respectively. Keep in mind that the management interface itself performs no authentication in this setup, so binding to anything other than a loopback address exposes full control of the VPN server to whatever can reach that address.

With this, you should be able to access the OpenVPN management interface over TCP. You can verify it by executing telnet 127.0.0.1 7505 from another terminal session. You should obtain output similar to this:

$ telnet 127.0.0.1 7505
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info

💡 Tip: Type exit and press enter to exit from the telnet session.

Once you have confirmed that the solution works for you, it's time to make it permanent: the bidirectional relay should start on boot. pfSense provides three ways to achieve this, briefly described in its documentation. This solution uses the shell script option. Just follow these two simple steps to get it working:

Step 1: Create a script containing the socat command in /usr/local/etc/rc.d/.

cat > /usr/local/etc/rc.d/openvpn_relay.sh <<'EOF'
#!/bin/sh
# Relay TCP connections on 127.0.0.1:7505 to the management socket of OpenVPN server <server-id>
(socat TCP4-LISTEN:7505,fork,bind=127.0.0.1 UNIX-CONNECT:/var/etc/openvpn/server<server-id>/sock) &
EOF

⚠️ It is required that the script's filename ends with .sh.

Step 2: Make the script executable.

chmod +x /usr/local/etc/rc.d/openvpn_relay.sh

Voila! The script will execute on every boot and start the bidirectional relay using socat, enabling you to access OpenVPN's management interface over TCP.
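As an added example that is not part of the original post (and not pfSense's or OpenVPN's own code), here is a stricter version of the boot script. It refuses to start unless the bind address is a loopback address, checks the port and the management socket before launching socat, records the relay's PID so it can be stopped, and includes a helper that verifies the relay by parsing the ">INFO:" greeting shown earlier. Assumptions: socat is installed from the pfSense package repository, the OpenVPN server id is 1 (override with OVPN_SERVER_ID), the PID file path is my choice, and pfSense invokes scripts in /usr/local/etc/rc.d/ with a start argument at boot and stop at shutdown.

```shell
#!/bin/sh
# Added example, not code from the original post: a stricter boot-time relay
# script for /usr/local/etc/rc.d/openvpn_relay.sh.  Assumes socat is installed,
# that pfSense runs this script with "start" at boot and "stop" at shutdown,
# and that the OpenVPN server id is 1 unless OVPN_SERVER_ID says otherwise.

OVPN_SERVER_ID="${OVPN_SERVER_ID:-1}"
RELAY_BIND="${RELAY_BIND:-127.0.0.1}"
RELAY_PORT="${RELAY_PORT:-7505}"
MGMT_SOCK="/var/etc/openvpn/server${OVPN_SERVER_ID}/sock"
PID_FILE="${PID_FILE:-/var/run/openvpn_relay.pid}"   # assumed location

# is_loopback ADDR: succeed only for a dotted-quad address in 127.0.0.0/8.
# The management interface has no authentication of its own in this setup,
# so the relay must never listen on an address reachable from the network.
is_loopback() {
    printf '%s\n' "$1" | grep -Eq '^127\.([0-9]{1,3}\.){2}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '$2 <= 255 && $3 <= 255 && $4 <= 255 { exit 0 }; { exit 1 }'
}

# valid_port PORT: succeed for an integer in 1..65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# relay_command BIND PORT SOCKET: print the socat command line.  reuseaddr is
# added so a restart does not fail while the old listener is still in TIME_WAIT.
relay_command() {
    printf 'socat TCP4-LISTEN:%s,fork,reuseaddr,bind=%s UNIX-CONNECT:%s\n' "$2" "$1" "$3"
}

# mgmt_greeting_version: read management-interface output on stdin and print
# the protocol version announced in the ">INFO:" greeting; fail if none is found.
mgmt_greeting_version() {
    sed -n 's/^>INFO:OpenVPN Management Interface Version \([0-9][0-9]*\).*/\1/p' | head -n 1 | grep .
}

start_relay() {
    is_loopback "$RELAY_BIND" \
        || { echo "refusing to bind the management relay to non-loopback address $RELAY_BIND" >&2; return 1; }
    valid_port "$RELAY_PORT" \
        || { echo "invalid relay port: $RELAY_PORT" >&2; return 1; }
    [ -S "$MGMT_SOCK" ] \
        || { echo "management socket $MGMT_SOCK not found; is OpenVPN server $OVPN_SERVER_ID running?" >&2; return 1; }
    command -v socat >/dev/null 2>&1 \
        || { echo "socat is not installed" >&2; return 1; }
    # Word splitting of the printed command line is intended here.
    $(relay_command "$RELAY_BIND" "$RELAY_PORT" "$MGMT_SOCK") &
    echo $! > "$PID_FILE"
}

stop_relay() {
    [ -f "$PID_FILE" ] || return 0
    kill "$(cat "$PID_FILE")" 2>/dev/null
    rm -f "$PID_FILE"
}

# pfSense is assumed to pass "start" at boot and "stop" at shutdown.
case "${1:-}" in
    start) start_relay ;;
    stop)  stop_relay ;;
esac
```

To try it by hand before rebooting, run sh /usr/local/etc/rc.d/openvpn_relay.sh start, then source the script in an interactive shell and pipe a session through the checker: . /usr/local/etc/rc.d/openvpn_relay.sh; printf 'quit\n' | nc 127.0.0.1 7505 | mgmt_greeting_version should print 3 (nc is in the FreeBSD base system). A non-loopback RELAY_BIND makes start_relay refuse to run rather than silently expose the socket.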

Acknowledgement

Many thanks to Federico Capoano (@nemesisdesign) for encouraging me to document my findings while working on OpenWISP.

It wouldn't have been possible without clarifications by folks from the Netgate community: jimp and [gertjan](forum.netgate.com/user/gertjan).
