Note: I can only speak for client connections.
Following up from the previous topic (https://forum.opnsense.org/index.php?topic=33173.0):
The Dashboard Widget now only displays the gateway (remote server) IP address. The VIP is no longer shown.
The Connection Status page is missing the CN, Real Address (is this the gateway address?) and both Bytes Sent and Bytes Received.
I guess something changed between commit 13d77cc and the 23.1.5 release. Maybe due to changes for local server instances / connections..?
EDIT: Set to [SOLVED]
Since 13d77cc is unclear:
% git describe 13d77cc
fatal: Not a valid object name 13d77cc
Between 23.1.4 and 23.1.5 is https://github.com/opnsense/core/commit/30e38b0cc393
Between 23.1.3 and 23.1.4 is https://github.com/opnsense/core/commit/7272b4bb036
Which one are you referring to?
Cheers,
Franco
Sorry Franco, I was referring to Fright's patch and pull 6440.
https://github.com/opnsense/core/pull/6440/commits/13d77cc36219e21f5536711605d4bb6eff007b28
It seemed to be working following that...
Think I found the widget one:
src/www/widgets/widgets/openvpn.widget.php
Line 123: <td><?=$client['remote_host'];?><br/><?=$client['virtual_addr'];?></td>
Should be : <td><?=$client['remote_host'];?><br/><?=$client['virtual_address'];?></td>
Maybe?
Definitely. Made change on running system.
As for Connection Status...
Could it be the management interface parsing in the ovpn_status function of src/opnsense/scripts/openvpn/ovpn_status.py...?
Everything else looks good to me.
Right, this definitely makes sense https://github.com/opnsense/core/commit/a0c8016b2
So now it works?
Thanks,
Franco
That certainly fixes the dashboard widget.
I had a quick look-see re the Connection Status page by installing socat and looking at the management interface output for the state and status commands, which the src/opnsense/scripts/openvpn/ovpn_status.py script appears to use.
State:
root@opnsense_redacted_host:~ # echo state | socat - unix-connect:/var/etc/openvpn/clientX.sock
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
1680171329,CONNECTED,SUCCESS,<VIP redacted>,<Server IP Redacted>,<Redacted Server (Destination) Port>,<I/F IP Redacted>,<Redacted Source Port>
END
Status:
root@opnsense_redacted_host:~ # echo status 3 | socat - unix-connect:/var/etc/openvpn/clientX.sock
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
OpenVPN STATISTICS
Updated,2023-03-31 03:08:03
TUN/TAP read bytes,707211
TUN/TAP write bytes,954184
TCP/UDP read bytes,1151666
TCP/UDP write bytes,898354
Auth read bytes,955224
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END
The OpenVPN Management Interface Community Resource (https://openvpn.net/community-resources/management-interface/) states (emphasis added):
Quote:
COMMAND -- status
-----------------
Show current daemon status information, in the same format as
that produced by the OpenVPN --status directive.
Command examples:
status -- Show status information using the default status
format version.
status 3 -- Show status information using the format of
--status-version 3.
...and the Reference Manual for OpenVPN 2.5 (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-5/) states (emphasis added):
Quote:
--status args
Write operational status to file every n seconds.
Valid syntaxes:
status file
status file n
Status can also be written to the syslog by sending a SIGUSR2 signal.
With multi-client capability enabled on a server, the status file includes a list of clients and a routing table. The output format can be controlled by the --status-version option in that case.
For clients or instances running in point-to-point mode, it will contain the traffic statistics.
--status-version n
Set the status file format version number to n.
This only affects the status file on servers with multi-client capability enabled. Valid status version values:
1 -- Traditional format (default). The client list contains the following fields comma-separated: Common Name, Real Address, Bytes Received, Bytes Sent, Connected Since.
2 -- A more reliable format for external processing. Compared to version 1, the client list contains some additional fields: Virtual Address, Virtual IPv6 Address, Username, Client ID, Peer ID, Data Channel Cipher. Future versions may extend the number of fields.
3 -- Identical to 2, but fields are tab-separated.
The script looks mainly written for servers; for clients a different solution might be needed.
One option might be to re-write the script to parse:
- The clientX.conf file for the "CN";
- The output of state for "Real Address"; &
- The output of status for "Bytes Sent" & "Bytes Received".
Will need to discover routing table by other means also.
Another way might be to use the --status directive and a status file for clients... Not sure whether that would yield routing information, or whether routing information is even relevant for clients.
EDIT: This will not work as the same limitation applies. Only multi-client server instances get replies with the relevant information, regardless of whether it is in a status file or a unix socket.
Looks like prior to 23.1.4, the openvpn_get_client_status function in src/etc/inc/plugins.inc.d/openvpn.inc did:
Quote:
One option might be to re-write the script to parse:
- The clientX.conf file for the "CN";
- The output of state for "Real Address"; &
- The output of status for "Bytes Sent" & "Bytes Received".
Can you dump this as a digestible feature request in GitHub? I'm sure we can discuss these points and improve it.
Thanks,
Franco
Done: https://github.com/opnsense/core/issues/6464
Solved - GitHub commits:
a5c4de0 (https://github.com/opnsense/core/commit/a5c4de07b0512518d07aee2624c4ff314d09b778)
3066c87 (https://github.com/opnsense/core/commit/3066c875a2f61bde48a230ebb3fc150f52cf3db1)
Thanks and credit to @AdSchellevis. If he drops a reply here, applaud the good fellow.
Use the following or wait for the hotfix/release:
opnsense-patch a5c4de0
opnsense-patch 3066c87
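
The approach discussed above for client instances (take the addresses from the `state` reply and the byte counters from the `status` reply) is sketched below as an added example; it is not part of the thread, not the code in ovpn_status.py, and not the content of the fix commits. The function names, the record keys and the sample addresses are assumptions; the field order follows the redacted `state` output quoted in the thread.

```python
# Constructed samples shaped like the thread's output; addresses are placeholders.
STATE_REPLY = """>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
1680171329,CONNECTED,SUCCESS,10.8.0.2,203.0.113.10,1194,192.0.2.5,51820
END
"""
STATUS_REPLY = """>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
OpenVPN STATISTICS
Updated,2023-03-31 03:08:03
TUN/TAP read bytes,707211
TCP/UDP read bytes,1151666
TCP/UDP write bytes,898354
END
"""
STATE_FIELDS = ("timestamp", "state", "detail", "virtual_address",
                "remote_host", "remote_port", "local_host", "local_port")

def payload_lines(reply):
    """Yield reply lines up to END, skipping '>' notification lines."""
    for line in reply.splitlines():
        line = line.strip()
        if line == "END":
            return
        if line and not line.startswith(">"):
            yield line

def parse_state(reply):
    """Map the most recent state line onto STATE_FIELDS ({} if none)."""
    lines = list(payload_lines(reply))
    return dict(zip(STATE_FIELDS, lines[-1].split(","))) if lines else {}

def parse_statistics(reply):
    """Collect the 'name,integer' counters; header and date lines are skipped."""
    stats = {}
    for line in payload_lines(reply):
        name, sep, value = line.rpartition(",")
        if sep and value.isdigit():
            stats[name] = int(value)
    return stats

def client_status(state_reply, status_reply):
    """Merge both replies; byte counts use the TCP/UDP counters (an assumption)."""
    state, stats = parse_state(state_reply), parse_statistics(status_reply)
    return {
        "status": state.get("state", "UNKNOWN"),
        "virtual_address": state.get("virtual_address"),
        "remote_host": state.get("remote_host"),
        "bytes_received": stats.get("TCP/UDP read bytes"),
        "bytes_sent": stats.get("TCP/UDP write bytes"),
    }
```

An empty or truncated reply yields a record with status UNKNOWN and empty fields rather than an exception, so a client that is down can still be listed.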