
Taking the OpenVPN experience to a new level: the bytemine manager

Posted by Felix Kronlage on Tuesday, July 21, 2009

We’ve been deploying OpenVPN installs for a few years now, and ever since, the administration of the OpenVPN concentrators has been something our customers never really liked. For one, there is the Certificate Authority and the user management. The scripts provided by the OpenVPN developers, named ‘easy-rsa’, are nice but not very user-friendly. For another, there is always the wish to see which users are currently connected to the VPN and how much data they shove around.

At the end of last year, I looked around to find a different solution for handling the certificates and the users. While there are some tools out there, none of them really did it.
The features we were looking for:

  • Easy handling of certificates and users
  • Being able to control the VPN Servers and see what was happening

Ain’t a big list. Wanting to handle the Certificate Authority (CA) meant for us that it had to be a stand-alone application and not a web frontend on the OpenVPN servers. Why? Very simple: in most places it is a requirement that the CA may not be connected permanently to the network, or at least not be on the same host that grants access based on certificates issued by this CA. The CA needs to be protected. Furthermore, I did not want to offer our customers a set of applications to use with the VPN servers, but only one application that would fulfill all their needs with regard to the OpenVPN concentrators.

We came up with what we call the ‘bytemine manager’. The ‘bytemine manager’ is a stand-alone, Java-based desktop application. Why Java, you ask? For one very simple reason: it allows you to use the application almost anywhere. Yes, there are tons of possibilities to achieve the same thing with other languages, but Java was, from our perspective, the simplest one. Mono was another idea, but there is no stable Mono environment for OpenBSD, and of course we wanted to use the application ourselves on OpenBSD.

Currently we’ve tested the ‘bytemine manager’ on the following platforms:

  • various Windows flavours (XP, Vista)
  • various Linux Distributions (Ubuntu, Fedora, Debian)
  • OpenBSD

As long as you have access to a Java 6 runtime environment, you should be on the safe side. All libraries needed are bundled with the application. The contents of the application (certificates, users, configuration data) are stored in a SQLite database.

Coming back to the features of the ‘bytemine manager’: currently it brings the following features along:

  • user and certificate management
  • synchronisation of users and certificates to multiple OpenVPN servers
  • import of existing user and certificate data from existing OpenVPN installations
  • management of users and certificates stored in LDAP
  • users can be assigned independently to servers
  • display of currently connected users per server
  • display of usage data per user
  • termination of connections
  • modular design – various modules can be used independently of each other

User and certificate data are synchronised from within the application to the VPN concentrators via SSH. Of course the application supports the use of SSH keys, so you don’t even have to use password authentication, which makes it even safer. All communication with the VPN servers is done over the SSH connections. The manager application also allows filesystem- and LDAP-based export of the user and certificate data.

So this is already quite a lot. One of the neat features is that the ‘bytemine manager’ is not only for use with our bytemine OpenBSD appliance, but can be used with any OpenVPN server. The only requirement is that, if you want to use the controlcenter, you will need at least OpenVPN 2.1rc14, since that version introduced the unix domain socket for the management interface. For security reasons, we decided not to support the cleartext telnet interface. However, the socket-wrapper interface will be covered in an upcoming blog article by Holger.
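What a query against the management interface's unix domain socket can look like, as an added Python example (not the bytemine manager's own code, which is Java): it sends `status 2` and maps each connected client's fields by the column names in the reply's HEADER line. It assumes a management socket with no management password, reachable only through its file permissions; the function names, the socket path passed in and the sample reply are constructed for illustration.

```python
import socket

# Constructed sample of a `status 2` reply; not captured from a real server.
SAMPLE = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TITLE,OpenVPN 2.1_rc14 (constructed sample)
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,alice,203.0.113.5:51234,10.8.0.6,123456,654321,Tue Jul 21 09:00:00 2009,1248166800
CLIENT_LIST,bob,198.51.100.7:40022,10.8.0.10,1000,2000,Tue Jul 21 09:30:00 2009,1248168600
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,alice,203.0.113.5:51234,Tue Jul 21 09:59:00 2009,1248170340
END
"""

def parse_status(text):
    """Return connected clients as dicts keyed by the HEADER column names."""
    columns, clients = [], []
    for line in text.splitlines():
        row = line.split(",")
        if row[0].startswith(">"):        # greeting or asynchronous notification
            continue
        if row[0] == "END":               # end of the status reply
            break
        if row[:2] == ["HEADER", "CLIENT_LIST"]:
            columns = row[2:]             # column set differs between versions
        elif row[0] == "CLIENT_LIST":
            if len(row) - 1 != len(columns):
                raise ValueError("CLIENT_LIST row does not match HEADER")
            clients.append(dict(zip(columns, row[1:])))
    return clients

def query_status(socket_path, timeout=5.0):
    """Ask the management unix domain socket for `status 2`; return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendall(b"status 2\n")
        buf = b""
        while b"END" not in buf.splitlines():   # reply ends with a line "END"
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("socket closed before END")
            buf += chunk
    return buf.decode("utf-8", "replace")

if __name__ == "__main__":
    for c in parse_status(SAMPLE):
        print(c["Common Name"], c["Real Address"], c["Bytes Received"], c["Bytes Sent"])
```

Because the socket is a file on the VPN server, access to it is governed by filesystem permissions rather than by a listening TCP port, so a script like this would run on the server itself, for example through an SSH session.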

More information (in German) on the bytemine manager can be found on the corresponding product page.