No monitoring/statistics for clients connected to ER605 OpenVPN server?
No monitoring/statistics for clients connected to ER605 OpenVPN server?
I have an ER605 (firmwware: 2.2.4 Build 20240119 Rel.44368) operating in standalone mode configured as an OpenVPN server. And clients that can successfully connect to it and use the VPN tunnel. (Some connect using the OpenVPN client on mobile devices, others with routers acting as clients, NOT a site-to-site configuration).
However, is there no way to see any statistics or information at all about connected clients? As far as I can tell, the ER605 standalone mode web interface doesn't seem to tell me anything about connected clients. I'd like to see what tunnels are established, from where, bytes in/out, and ideally even be able to drop a tunnel. Basically the info that it looks like the "OpenVPN Tunnel List" tab would show but that's always empty - as presumably that tab's not for clients connecting to the ER605 as the VPN server.
Is there really nothing that the ER605 displays about inbound tunnels or am I missing something? The system log really only shows DHCP requests from a relatively recent time frame.
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi all,
The reason has been that the ACL blocks the reading of the VPN stats.
To avoid such a problem, please examine if you have created an ACL in your router. If you have an ACL like blocking all service and all directions, please consider doing the following steps:
1. Create a new Service.
2. Create an ACL and place this at a higher priority than any other entries you have.
- Copy Link
- Report Inappropriate Content
Cold_in_Canada wrote
@Clive_A so is this not a security concern for TP-Link? As perhaps it's something that should be handled in the router's firmware vs a user-created ACL.
Because as it stands, the only way to get OpenVPN to work properly then on the ER605 is to expose that port 7510 as a "closed" port to the public internet. While all other ports are properly "stealth".
I don't have to to this with other routers. Hence is this not a bug or at the very least a deficiency in the ER605 that should be corrected in the firmware?
Not really.
You can try the IP of the router instead of 127.0.0.1.
As the 127.0.0.1 is a generic way to stand for the local host. That might not be considered as legal in the ACL rule or forbidden.
The actual router IP like 192.168.0.1 or try the "Me" which is also indicates the router local IP.
The default block to that port will be optimized in the future firmware updates which is what I learned from the dev.
This is actually not a bug as it fits the ACL rules as it configured. But a point which can be improved/optimized.
- Copy Link
- Report Inappropriate Content
In testing, clients connect successfully, can route successfully (full-tunnel mode), get an IP address on the correct VLAN and from their perspective, it's all perfect.
The only issue is that on the ER605 I have no trace of the connection at all. Nothing in the system log. And I don't even see the client in the "DHCP client list" (which is a bit surprising - I thought i might at least see them there since they did get an IP in the correct VLAN).
Is there really nothing here? No way to detect and control who's connecting to my network, beyond turning off ("disabling") the VPN which I don't want to do?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
I have a question, what kind of statistics do you expect to view?
I checked a different system which is an open source software that cannot delete or view specific information.
To control a client, just delete its user config. That's a common way to do it.
If you have more for me, please upload the vendor name and their move with a screenshot. Will take a look and check if it is necessary to write in the request report. Thank you.
- Copy Link
- Report Inappropriate Content
@Clive_A : thanks for that but I think you missed the fact that I'm running in Standalone mode. And consquently, even with clients connected, I'm not seeing any information about them anywhere.
Even with clients connected, the "OpenVPN Tunnel List" screen shows nothing:
Is that a bug perhaps?
Thanks.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
Cold_in_Canada wrote
@Clive_A : thanks for that but I think you missed the fact that I'm running in Standalone mode. And consquently, even with clients connected, I'm not seeing any information about them anywhere.
Even with clients connected, the "OpenVPN Tunnel List" screen shows nothing:
Is that a bug perhaps?
Thanks.
They are actually connected but not showing up? Strange. Never seen this reported before. Are you sure they are connected? Server and related config, and client config from your cell. Also, your WAN IP address.
Can you do a remote desktop with us if possible and necessary using ToDesk or TeamViewer?
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
- Copy Link
- Report Inappropriate Content
@Clive_A I am happy to do a remote screen sharing to help debug this. Can you DM me so I can share contact info outside of the public forum?
---
In the meantime, my OpenVPN server setup is pretty straight forward:
That goes to a dedicated VLAN with nothing too special in the setup:
And a connection from the phone works fine and allocates an IP address in that CIDR block:
But notice: The assigned IP address is outside of my LAN IP address - OpenVPN is doing the DHCP, not the ER605 LAN configuration.
(Side note: other clients connect router-to-router -- using my mobile phone just for testing.)
And as mentined, the VPN tunnel works, but nothing is visible about it from the ER605.
- Copy Link
- Report Inappropriate Content
And another interesting observation.... with a client connected (my phone for testing) if I go to the "OpenVPN Tunnel List" there is nothing.
But if I hit the "Refresh" button, then the green progress bar advances quite quickly to what looks like about half way across the screen and then hangs there for a few minutes. You can see that in this screenshot: it's progressed to about the "o" in "Remote IP".
That gives me a clue that it's trying something and perhaps timing out behind the scenes. Eventually the progress bar dissappears but it still says "Entry Count: 0".
I've had lots of client connect successfully and use the VPN but I've never seen anything displayed here in this table.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
Cold_in_Canada wrote
And another interesting observation.... with a client connected (my phone for testing) if I go to the "OpenVPN Tunnel List" there is nothing.
But if I hit the "Refresh" button, then the green progress bar advances quite quickly to what looks like about half way across the screen and then hangs there for a few minutes. You can see that in this screenshot: it's progressed to about the "o" in "Remote IP".
That gives me a clue that it's trying something and perhaps timing out behind the scenes. Eventually the progress bar dissappears but it still says "Entry Count: 0".
I've had lots of client connect successfully and use the VPN but I've never seen anything displayed here in this table.
Try to clear the browser cache. If it still does not work, go to the incognito mode and check if this displays normally.
And, V2.2.5 firmware has been out. You can also upgrade it to this one and we will prepare a remote next week if this is unresolved.
Please get ready with the software Anydesk. I will create a ticket for you later.
- Copy Link
- Report Inappropriate Content
@Clive_A , thanks for pointing out the new firmware. I have upgraded and am now on 2.2.5 Build 20240522 Rel.75860
Unfortunately, this has made no difference at all on my VPN monitoring issues. Logged into the ER605 using a different browser, in incognito mode - still can't see any information on the OpenVPN client connections.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
Cold_in_Canada wrote
@Clive_A , thanks for pointing out the new firmware. I have upgraded and am now on 2.2.5 Build 20240522 Rel.75860
Unfortunately, this has made no difference at all on my VPN monitoring issues. Logged into the ER605 using a different browser, in incognito mode - still can't see any information on the OpenVPN client connections.
Place the subnet in a different non-existent subnet, like 192.168.101.1/24, will the tunnel display?
- Copy Link
- Report Inappropriate Content
@Clive_A
Good suggestion. Clients are receiving IPs such as 192.168.101.10 and 192.168.101.6 so the change has come into effect. But no change from the monitoring side unfortunately. "OpenVPN Tunnel List" remains empty
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1632
Replies: 17
Voters 0
No one has voted for it yet.