OpenVPN MI GUI
Description
OpenVPN MI GUI is a Windows graphical user interface for the OpenVPN client management interface.
It is based on the OpenVPN GUI by Mathias Sundman (version 1.0.3 from August 2005) which is shipped with OpenVPN, but had large parts of the backend adapted by Boris Wesslowski from Inside Security GmbH, commissioned by Conergy AG.
OpenVPN versions 2.1.x and 2.2.x are supported. OpenVPN 2.3.x is supported too, but not all of its new features yet.
Purpose
The original OpenVPN GUI encounters the following problems, especially in enterprise or high-security environments:
- Users have no administrative rights, but unprivileged users do not have enough permissions to add and delete routes.
- The GUI will exit on user logout, closing all VPN tunnels and preventing e.g. remote VNC logins by an administrator.
- The OpenVPN service wrapper can start one or more OpenVPN instances with enough rights, but the GUI has no control over them.
- OpenVPN running as a service cannot request passwords for certificates or user authentication data from the user directly or through the GUI.
The OpenVPN MI GUI talks to the management interfaces of OpenVPN instances started through the service wrapper and can overcome the above problems.
Differences
The major differences to the original GUI are:
- Handling of OpenVPN clients was replaced with management interface support including port and state auto detection, input reassembly, command queueing, log display, password requests...
- Proxy settings support was removed since it can't be passed on to OpenVPN over the management interface.
- Byte count displays were added to status windows.
- start and stop command line options were added for batch script use.
Requirements
OpenVPN MI GUI will read but not modify your OpenVPN configuration file(s). The following configuration options are required:
management 127.0.0.1 <port_number>
management-hold
management-query-passwords
auth-retry interact
Where the <port_number> must be different for every configuration file so that each instance of OpenVPN can be controlled through its own port. You can, for example, start at 1194 and add 1 for every configuration file you add.
Additionally, using auth-nocache is recommended, or you may want to consider using management-forget-disconnect and management-signal.
Only the management option is actually required. If neither user authentication nor certificate passwords are in use, you may omit the rest, including the management-hold option.
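The requirements above can be checked before the service wrapper is restarted. The following is an added example, not part of OpenVPN MI GUI or of the original page: a small auditor that looks for the management line, unique ports, and the accompanying options. The file names and sample contents are constructed, and flagging a non-loopback management address is an assumption of this example based on the 127.0.0.1 shown above.

```python
import ipaddress

# Reported as notes only: the page requires just "management" itself.
OPTIONAL = ("management-hold", "management-query-passwords", "auth-retry", "auth-nocache")

def parse_directives(text):
    """Map directive name -> argument list, skipping blank and comment lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            found[name] = args
    return found

def audit(configs):
    """configs maps file name -> config text; returns (file, severity, message) tuples."""
    findings, ports = [], {}
    for name in sorted(configs):
        opts = parse_directives(configs[name])
        mgmt = opts.get("management", [])
        if len(mgmt) < 2:
            findings.append((name, "error", "no 'management <ip> <port>' line"))
            continue
        ip, port = mgmt[0], mgmt[1]
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False
        if not loopback:  # assumption of this example: flag anything but loopback
            findings.append((name, "warn", f"management listens on {ip}, not loopback"))
        if port in ports:  # every instance needs its own management port
            findings.append((name, "error", f"port {port} already used by {ports[port]}"))
        ports.setdefault(port, name)
        for opt in OPTIONAL:
            if opt not in opts:
                findings.append((name, "note", f"{opt} not set"))
        if "auth-retry" in opts and opts["auth-retry"] != ["interact"]:
            findings.append((name, "note", "auth-retry is not 'interact'"))
    return findings

# Constructed sample configurations, not taken from a real installation.
SAMPLE = {
    "office.ovpn": "client\nmanagement 127.0.0.1 1194\nmanagement-hold\n"
                   "management-query-passwords\nauth-retry interact\nauth-nocache\n",
    "lab.ovpn": "client\nmanagement 127.0.0.1 1194\n",
    "branch.ovpn": "client\n;management 127.0.0.1 1196\nmanagement 0.0.0.0 1196\n"
                   "management-hold\nmanagement-query-passwords\nauth-retry interact\nauth-nocache\n",
}
```

Calling audit(SAMPLE) reports the duplicate port 1194, the 0.0.0.0 listener, and the options missing from lab.ovpn.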
Like the original GUI, the MI GUI can be configured on the command line or with global registry settings, which must be initialized by an administrator.
Known issues
If OpenVPN configuration files are added, removed or changed while the MI GUI is running, it may run into an inconsistent state. Since in such cases the OpenVPN service wrapper has to be restarted to activate the changes, an additional restart of the MI GUI is usually not necessary.
When an OpenVPN instance exits, the OpenVPN service wrapper will still be running and will not restart the missing instance. The OpenVPN MI GUI tries to avoid this, but cases remain where it can happen. The missing cancel button in the user authentication dialog is an example of a workaround for a case where OpenVPN would exit.
Using management-forget-disconnect with OpenVPN version 2.1.x will lead to problems due to a known bug in the included pkcs11-helper.
At system boot the MI GUI may be started before the OpenVPN service is running; this will trigger an error message.
The OpenVPN service may also be unavailable after the system was in standby or suspend mode. You may want to use the do_not_check_service option and NSSM to handle this case.
Screenshots
Minimal setup with 1 configuration and disabled configuration edit menu item on Windows XP:
Setup with 10 configurations, change password feature and OpenVPN service control menu on Windows 7 (1 active connection):
Status and user authentication windows on Windows 7:
Download
OpenVPN MI GUI consists of a single executable file.
There are two variants: with and without support for changing the password of PEM and PKCS12 certificates. The one with support should be installed in the bin directory of your OpenVPN installation. The other can run from anywhere.
The latest version is 20160308:
- OpenVPN MI GUI executable: 32-bit (70 kB) / 64-bit (75 kB)
- OpenVPN MI GUI executable with certificate password change support, dynamically linked against OpenSSL: 32-bit (83 kB) / 64-bit (86 kB)
German localization:
- OpenVPN MI GUI in German: 32-bit / 64-bit
- OpenVPN MI GUI in German, with support for changing certificate passwords, dynamically linked against OpenSSL: 32-bit / 64-bit
Czech localization: 32-bit / 64-bit / chpw 32-bit / chpw 64-bit
Italian localization: 32-bit / 64-bit / chpw 32-bit / chpw 64-bit
OpenVPN MI GUI is open source software under the GNU General Public License (GPL).
- OpenVPN MI GUI source code (52 kB)
You can contact the author at bw <at> inside <minus> security <dot> de.
Changelog
20160308
- Added do_not_check_service option.
- Added Italian localization.
20140918
- Added stop_on_exit option and fixed a problem with the stop command.
- Increased possible password size and fixed special character escaping.
- Fixed 64-bit linking to OpenSSL.
- Added Czech localization.
20130109
- Moved to MinGW-w64 and added 64-bit support.
20120316
- Fixed a bug in the byte count display beyond 1 GB.
20110902
- Added application manifest to avoid virtualization on Windows 7 and make the program UAC aware.
- Extended "management ip port" parsing to allow all IPs.
- Included OpenSSL Applink to fix changing passwords with library versions 0.9.8 and newer.
- Increased number of allowed configurations to 25.
20110624
- Added German localization.
20110511
- Initial public release.
Copyright © 2011-2016 Boris Wesslowski, Inside Security GmbH