bnhf / openvpn-admin-plus

Docker-based web interface (with golang backend) for monitoring and admin of an OpenVPN TAP/TUN server setup with PiVPN or other OpenVPN server installations. This project has been renamed from pivpn-tap-web-ui, to reflect its new broader scope.
MIT License
141 stars 23 forks

Management Interface Password #30

Open karabelnikov opened 1 year ago

karabelnikov commented 1 year ago

Scott, I want to return to the question about the possibility of specifying a password for the management interface. This is a very important function in a production environment when working with OpenVPN, and it will expand the capabilities of our project for other users. Perhaps someone uses, or would like to protect, the management interface with a password, but does not want to lose the ability to use the host IP address for external connections. Perhaps there is some way to transfer this password when connecting to the service port?

What are your ideas?

[screenshot: screencapture-vpn-server-local-8080-settings-2022-12-12-14_47_58]

bnhf commented 1 year ago

@karabelnikov

Shura, I'm in favor of adding a password to the management interface. I know how to create a password for the interface, and I know how to access it interactively. What I don't know, and could use your help on, is what format is used to send a command with the password included?

Similar to our challenge with creating a password protected private key, I have not been able to locate any documentation on this. Any help would be appreciated!

karabelnikov commented 1 year ago

@bnhf

Accepted! I will do research on this issue, as soon as there is interesting information, I will immediately let you know.

karabelnikov commented 1 year ago

@bnhf

Scott, I have not yet found the information I need, because I don’t know how the OpenVPN Admin web management interface works with the OpenVPN management interface, how it interacts with it and connects. If the password is set and, for example, I make a connection with the command telnet 172.17.0.1 2080, then a password for authorization is requested. I don’t know how to transfer the password in a non-interactive format, because I don’t know how OpenVPN Admin connects.

bnhf commented 1 year ago

@karabelnikov

If you want to see the Go code, look at the library -- which can be found in my go-openvpn repository. Specifically, the code in the server/mi directory. The code reads and writes to the port in a "raw" form using a couple of standard Go libraries, "bufio" and "net".

I'm imagining that when a command is sent the password has to be included somehow -- but the question is in what format? First, last, with some special characters or delimiters before or after? Or maybe I need to figure out a way to provide the password in some pseudo interactive fashion?

Much as I'd like to add a password, I'm feeling pretty good about only exposing the MI port to the Docker host gateway. If a password can be added without muddling up a pretty elegantly written library -- let's do it. Otherwise, this may be something we need to punt on.

karabelnikov commented 1 year ago

@bnhf

In fact, it all comes down to finalizing the code, the library in Go. Unfortunately, I am not a programmer but a system engineer, and I am not familiar with the Go code. It is difficult for me to advise or suggest something in this direction :(

I can only make some suggestions that may lead you to the right course of thought for solving this problem.

I agree that it is possible to restrict access to host 172.17.0.1 to only the OpenVPN Admin container via iptables rules. This is an action that I have now taken for security purposes. But if you expand the capabilities of the project and want to ensure that the requirements of the security standard are met, there should be such an option.

I understand that this is not an easy task. It takes time to solve it, or the help of more experienced people.

bnhf commented 1 year ago

@karabelnikov

I don't think this is going to be overly difficult to implement, once we know the format required to send one-line data to the port -- which includes the password. Are you still looking to see if this is documented somewhere? Doing it by guessing is not appealing. :-)

bnhf commented 1 year ago

@karabelnikov

I've done more research on this issue now, and am fairly confident there's no way to send one-line commands to the port which include the password. Rather, the port needs to be handled in a pseudo interactive fashion, with the code sending commands based on certain replies from the port.

I've come across some other work in this area written in Go, but unfortunately, none that include dealing with sending the password, followed by the command -- each following specific responses from the port. I'm sure it can be done, but it's going to require more experimentation. So far I've been able to send the password successfully, or a command, just not both in the needed sequential fashion.

bnhf commented 1 year ago

@karabelnikov

OK, something of a breakthrough with this enhancement -- I now have functioning standalone code to send both the password and the management interface command, including capturing the reply from the interface. It'll still take some work to incorporate this into the package, but the hardest part should be done now.

It'll probably be a couple of weeks before I can get back to this however, as I'm travelling for the holidays. I'll bring my laptop though, and will work on this if/when time allows on the road. :-)
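
The sequential exchange described above (prompt, password, success line, then the command and its reply), as an added example written for this thread; it is not bnhf's standalone code or the go-openvpn library. The prompt and success strings are assumed to match OpenVPN's management interface, the address 172.17.0.1:2080 is the one mentioned earlier in the thread, and the password in main is a placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Prompt and success strings assumed to match the OpenVPN management interface.
const passwordPrompt, passwordOK = "ENTER PASSWORD:", "SUCCESS: password is correct"
// RunCommand does the pseudo-interactive exchange: wait for the prompt (no trailing
// newline, so read up to its ':'), send the password, check the SUCCESS line, then
// send one command and collect its reply (one SUCCESS:/ERROR: line, or lines up to END).
func RunCommand(conn net.Conn, password, cmd string) ([]string, error) {
	r := bufio.NewReader(conn)
	if s, err := r.ReadString(':'); err != nil || !strings.HasSuffix(s, passwordPrompt) {
		return nil, fmt.Errorf("no password prompt, got %q: %v", s, err)
	}
	fmt.Fprintln(conn, password)
	if line, _ := r.ReadString('\n'); !strings.HasPrefix(line, passwordOK) {
		return nil, fmt.Errorf("password rejected: %q", strings.TrimSpace(line))
	}
	fmt.Fprintln(conn, cmd)
	var reply []string
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return reply, err
		}
		line = strings.TrimRight(line, "\r\n")
		if strings.HasPrefix(line, ">") { // async ">INFO:" greeting etc., not the reply
			continue
		}
		if line == "END" {
			return reply, nil
		}
		reply = append(reply, line)
		if strings.HasPrefix(line, "SUCCESS:") || strings.HasPrefix(line, "ERROR:") {
			return reply, nil
		}
	}
}

func main() { // dials the thread's Docker gateway address; the password is a placeholder
	if conn, err := net.Dial("tcp", "172.17.0.1:2080"); err == nil {
		defer conn.Close()
		fmt.Println(RunCommand(conn, "PASSWORD-PLACEHOLDER", "version"))
	}
}
```

If the interface has no password configured, the first thing it sends is the ">INFO:" greeting rather than the prompt, so RunCommand fails fast with a clear error instead of hanging.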

karabelnikov commented 1 year ago

Scott, you are a real enthusiast)) This is good news. Work, hobbies, it's all clear, but rest is sacred, especially travel. We have nowhere to hurry. But if you have the opportunity to finish the code on the road, that's great. Yes, you and I, in particular you Scott, have done a lot for this project since its initial birth.

The password function of the management interface is a very important and tedious function. We understand this together with you.