No monitoring/statistics for clients connected to ER605 OpenVPN server?
No monitoring/statistics for clients connected to ER605 OpenVPN server?
I have an ER605 (firmwware: 2.2.4 Build 20240119 Rel.44368) operating in standalone mode configured as an OpenVPN server. And clients that can successfully connect to it and use the VPN tunnel. (Some connect using the OpenVPN client on mobile devices, others with routers acting as clients, NOT a site-to-site configuration).
However, is there no way to see any statistics or information at all about connected clients? As far as I can tell, the ER605 standalone mode web interface doesn't seem to tell me anything about connected clients. I'd like to see what tunnels are established, from where, bytes in/out, and ideally even be able to drop a tunnel. Basically the info that it looks like the "OpenVPN Tunnel List" tab would show but that's always empty - as presumably that tab's not for clients connecting to the ER605 as the VPN server.
Is there really nothing that the ER605 displays about inbound tunnels or am I missing something? The system log really only shows DHCP requests from a relatively recent time frame.
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi all,
The reason has been that the ACL blocks the reading of the VPN stats.
To avoid such a problem, please examine if you have created an ACL in your router. If you have an ACL like blocking all service and all directions, please consider doing the following steps:
1. Create a new Service.
2. Create an ACL and place this at a higher priority than any other entries you have.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Cold_in_Canada wrote
Yes. That fixes the issue. And that ACL can't be tightened up any further - it has to come from IPGROUP_ANY as it's the remote client accessing that port is it? Thanks.
I think you can. But you should know what you are doing. 127.0.0.1 is the local host. You can use the local host IP address in source. You can try that.
- Copy Link
- Report Inappropriate Content
@Clive_A , I'm not sure how to implement that suggestion, at least using the standalone web interface. Because:
- I don't think that we can enter in a direct IP address as a source or destination for an ACL, only an IP group or network.
- It doesn't let us build an IP group for localhost 127.0.0.1 (in neither IP-range or CIDR format).
Am I missing something from your suggestion? Can you please guide me on how to implement an ACL based on localhost 127.0.0.1? Thanks.
- Copy Link
- Report Inappropriate Content
Cold_in_Canada wrote
@Clive_A , I'm not sure how to implement that suggestion, at least using the standalone web interface. Because:
- I don't think that we can enter in a direct IP address as a source or destination for an ACL, only an IP group or network.
- It doesn't let us build an IP group for localhost 127.0.0.1 (in neither IP-range or CIDR format).
Am I missing something from your suggestion? Can you please guide me on how to implement an ACL based on localhost 127.0.0.1? Thanks.
If it doesn't allow you to build the 127.0.0.1/32 then there is no options for this implementation. We don't have any ways to work around it.
That's a system restriction.
- Copy Link
- Report Inappropriate Content
@Clive_A so is this not a security concern for TP-Link? As perhaps it's something that should be handled in the router's firmware vs a user-created ACL.
Because as it stands, the only way to get OpenVPN to work properly then on the ER605 is to expose that port 7510 as a "closed" port to the public internet. While all other ports are properly "stealth".
I don't have to to this with other routers. Hence is this not a bug or at the very least a deficiency in the ER605 that should be corrected in the firmware?
- Copy Link
- Report Inappropriate Content
Cold_in_Canada wrote
@Clive_A so is this not a security concern for TP-Link? As perhaps it's something that should be handled in the router's firmware vs a user-created ACL.
Because as it stands, the only way to get OpenVPN to work properly then on the ER605 is to expose that port 7510 as a "closed" port to the public internet. While all other ports are properly "stealth".
I don't have to to this with other routers. Hence is this not a bug or at the very least a deficiency in the ER605 that should be corrected in the firmware?
Not really.
You can try the IP of the router instead of 127.0.0.1.
As the 127.0.0.1 is a generic way to stand for the local host. That might not be considered as legal in the ACL rule or forbidden.
The actual router IP like 192.168.0.1 or try the "Me" which is also indicates the router local IP.
The default block to that port will be optimized in the future firmware updates which is what I learned from the dev.
This is actually not a bug as it fits the ACL rules as it configured. But a point which can be improved/optimized.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1367
Replies: 17
Voters 0
No one has voted for it yet.