
August 19, 2006

OpenVPN 2.0 HOWTO - Process management and the management interface (translation)

Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be rendered poorly; corrections are welcome.


Configuring OpenVPN to run automatically on system startup

The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.

Linux
If you install OpenVPN via an RPM package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.

Windows
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, right-click the OpenVPN service, choose Properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.

When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.


--------------------------------------------------------------------------------

Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts several signals:

SIGUSR1 -- Conditional restart, designed so that the restart works without root privileges (when the configuration also uses persist-key and persist-tun, the keys and the TUN/TAP device are kept across the restart instead of being reopened)
SIGHUP -- Hard restart
SIGUSR2 -- Output connection statistics to log file or syslog
SIGTERM, SIGINT -- Exit

Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).

Running on Windows as a GUI
See the OpenVPN GUI page.

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running in this fashion, several keyboard commands are available:

F1 -- Conditional restart (doesn't close/reopen TAP adapter)
F2 -- Show connection statistics
F3 -- Hard restart
F4 -- Exit

Running as a Windows Service
When OpenVPN is started as a service on Windows, the only ways to control it are:

Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
Via the management interface (see below).

Modifying a live server configuration

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

client-config-dir -- This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see the manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.

crl-verify -- This directive names a Certificate Revocation List file, described in the Revoking Certificates section of the HOWTO. The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (once per hour by default, the reneg-sec default of 3600 seconds). Until then a revoked client stays connected, so if you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).

Status File

The default server.conf file has a line

status openvpn-status.log

which will output a list of current client connections to the file openvpn-status.log once per minute (a second argument to the status directive sets a different interval in seconds).

Using the management interface

The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telnetting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file:

management localhost 7505

This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice -- you can use any free port). Be aware that the management interface performs no authentication unless you give the path of a password file as a third argument to the management directive (the password is the first line of the file); anyone who can connect to the port can kill client sessions, change the log verbosity, or send SIGTERM to the daemon. Keep it bound to localhost, and make the password file readable only by the user OpenVPN runs as.

Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #

For more information, see the OpenVPN Management Interface Documentation.
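The telnet session above is the manual way to talk to the management port. Below is an added example, not code from the HOWTO or from the OpenVPN project, of a small Python client for the same version-1 protocol: it frames replies correctly (asynchronous ">" lines can interleave with replies, single-line replies start with SUCCESS: or ERROR:, multi-line replies end with END), refuses line breaks in arguments so a common name taken from user input cannot smuggle in a second command, and parses the output of the status command, which is the same layout the status directive writes to openvpn-status.log, so it also serves the Status File section above. It assumes the page's management localhost 7505 line and no management password file (with a password file the daemon prompts ENTER PASSWORD: before the greeting, which this client does not handle), and that common names contain no commas. The SAMPLE_STATUS reply is constructed for the offline demo, not captured from a real server.

```python
"""Client for the OpenVPN 2.0 management interface (protocol version 1).

Added example, not code from the HOWTO or the OpenVPN project. Assumes the
page's `management localhost 7505` line and no management password file.
"""
import socket
from typing import Dict, Iterable, List

HOST, PORT = "localhost", 7505  # must match the `management` directive


def read_reply(lines: Iterable[str]) -> List[str]:
    """Collect one command reply from a stream of protocol lines.

    Version-1 framing: lines starting with '>' are asynchronous notifications
    (>INFO, >LOG, >STATE ...) and never part of a reply; single-line replies
    start with 'SUCCESS:' or 'ERROR:'; multi-line replies end with 'END'.
    An ERROR reply raises, so failure is never mistaken for success.
    """
    body: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(">"):
            continue
        if line.startswith("ERROR:"):
            raise RuntimeError(line)
        if line.startswith("SUCCESS:"):
            return [line]
        if line == "END":
            return body
        body.append(line)
    raise EOFError("connection closed before the reply was complete")


def parse_status(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse version-1 status output (the `status` reply, or the lines of
    openvpn-status.log) into one dict per connected client, keyed by the
    CLIENT LIST column headers. Assumes common names contain no commas."""
    clients: List[Dict[str, str]] = []
    headers: List[str] = []
    in_clients = False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line in ("ROUTING TABLE", "GLOBAL STATS", "END"):
            in_clients = False
            continue
        if not in_clients or line.startswith("Updated,"):
            continue
        fields = line.split(",")
        if not headers:
            headers = fields  # the column header row
            continue
        clients.append(dict(zip(headers, fields)))
    return clients


class Management:
    """One session on the management port; the '>INFO:' greeting is skipped
    by read_reply() like any other asynchronous line."""

    def __init__(self, host: str = HOST, port: int = PORT, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("r", encoding="utf-8", errors="replace")

    def command(self, cmd: str) -> List[str]:
        # A common name from user input must not smuggle in a second command
        # such as "alice\nsignal SIGTERM", so refuse line breaks outright.
        if "\n" in cmd or "\r" in cmd:
            raise ValueError("line break in management command")
        self.sock.sendall((cmd + "\n").encode("utf-8"))
        return read_reply(self.rfile)

    def connected_clients(self) -> List[Dict[str, str]]:
        return parse_status(self.command("status"))

    def kill_cn(self, cn: str) -> str:
        # After editing a client-config-dir file or adding the certificate to
        # the CRL, this forces the client to reconnect and pick up the change.
        return self.command("kill " + cn)[0]

    def signal(self, name: str) -> str:
        return self.command("signal " + name)[0]  # e.g. "SIGUSR2" for stats

    def close(self) -> None:
        self.sock.sendall(b"quit\n")
        self.sock.close()


# Constructed sample of a `status` reply (same layout as openvpn-status.log);
# not captured from a real server.
SAMPLE_STATUS = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    "OpenVPN CLIENT LIST",
    "Updated,Sat Aug 19 23:00:00 2006",
    "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since",
    "alice,198.51.100.7:49152,104532,2217650,Sat Aug 19 22:41:17 2006",
    "bob,203.0.113.9:1194,8801,12990,Sat Aug 19 22:58:02 2006",
    "ROUTING TABLE",
    "Virtual Address,Common Name,Real Address,Last Ref",
    "10.8.0.6,alice,198.51.100.7:49152,Sat Aug 19 22:59:58 2006",
    "10.8.0.10,bob,203.0.113.9:1194,Sat Aug 19 22:59:40 2006",
    "GLOBAL STATS",
    "Max bcast/mcast queue length,0",
    "END",
]


def clients_from_sample() -> List[Dict[str, str]]:
    """Run the sample through the same path a live `status` reply takes."""
    return parse_status(read_reply(iter(SAMPLE_STATUS)))


if __name__ == "__main__":
    for c in clients_from_sample():
        print(c["Common Name"], c["Real Address"], "since", c["Connected Since"])
    # Live use: m = Management(); m.connected_clients(); m.kill_cn("bob"); m.close()
```

Against a live daemon, the revocation workflow from the previous section becomes: append the certificate to the CRL, then call kill_cn with the client's common name so it is dropped now rather than at its next hourly renegotiation; the SUCCESS or ERROR line tells you whether the name was actually connected. The same parse_status works on the status file directly, with parse_status(open("openvpn-status.log")), for scripts that watch connections without opening a management session.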


Posted by frank on August 19, 2006 11:02 PM

All articles on this site are published under the Creative Commons license. Copyright notice: they may be freely reproduced; when reproducing, please give the original source and author information as a hyperlink, together with the Creative Commons statement above.
