What's the best method to monitor an OpenVPN server?

I have an OpenVPN server machine which resides on an isolated network; a NAT rule in the company's firewall redirects all traffic on port 1194 (tcp) from the public IP I chose to the internal address of the OpenVPN server machine. I'd like to create a Nagios check which will monitor the availability of the OpenVPN server. What would be the best method to monitor it, considering that the check will run from the world (a Nagios server) rather than from within the company?


Solution 1:

I do it remotely, via NAGIOS, using a local plugin called check_openvpn.pl, invoked via nrpe, which in turn uses OpenVPN's built-in management capability to report on its detailed status.

Since you're using TCP as the VPN bearer, you could do a simple TCP connectivity check on port 1194 (as Dennis notes in his answer) but the advantage of this plugin is it runs a fairly rigorous check of OpenVPN, and reports the CNs currently connected to the server. If it's reporting at that level, I can have confidence that the server is completely up and offering service to the world at large, which a simple connectivity check wouldn't give me.

The plugin came from this page at NAGIOS exchange; the author's website is apparently http://emergeworld.blogspot.com.

The gory details are: the following entry in the NAGIOS server's config (plus appropriate connecting logic):

define service{
    use                 myconf-svc
    host_name           openvpn.server.hostname
    service_description openvpn
    check_command       check_nrpe!check_openvpn
}

Then this in the OpenVPN server's nrpe.cfg:

command[check_openvpn]=/usr/lib64/nagios/plugins/check_openvpn.pl -H localhost -p 11940 -P XXXXXXX

Then this at the end of the OpenVPN server's `.conf` file:

# enable the mgmt interface for monitoring - tom 20120814
management 127.0.0.1 11940 /etc/openvpn/man.pass

Note the 11940 common to both of the previous entries; that's the port number for the management interface. The password in the nrpe.cfg entry above (shown as XXXXXXX) should also appear in the file /etc/openvpn/man.pass.
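For readers who want to see what a check like this actually does against the management interface, here is an added stand-alone script that performs the same job the answer describes (connect to the management port, send the password, run `status 2`, report the connected common names with Nagios exit codes). It is not the check_openvpn.pl plugin from NAGIOS exchange; the `-H`/`-p`/`-P` flags mirror the nrpe.cfg line above, the default port 11940 comes from the answer, and the `status 2` output embedded in the script is a constructed sample used only for offline parsing.

```python
#!/usr/bin/env python3
"""Nagios-style check of an OpenVPN server via its management interface.

Added example, not the check_openvpn.pl plugin from the answer. Assumes the
management interface's usual dialogue: 'ENTER PASSWORD:' prompt when a
password file is configured, 'SUCCESS: ...' on a correct password, CSV rows
for 'status 2', and a final line reading 'END'.
"""
import argparse
import socket
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of 'status 2' output with two connected clients.
SAMPLE_STATUS = (
    "TITLE,OpenVPN 2.4.x (constructed sample)\r\n"
    "TIME,Tue Aug 14 12:00:00 2012,1344945600\r\n"
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,"
    "Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,"
    "Connected Since (time_t),Username,Client ID,Peer ID\r\n"
    "CLIENT_LIST,alice,203.0.113.5:51234,10.8.0.6,,12345,67890,"
    "Tue Aug 14 11:50:00 2012,1344945000,UNDEF,0,0\r\n"
    "CLIENT_LIST,bob,198.51.100.9:40001,10.8.0.10,,222,333,"
    "Tue Aug 14 11:55:00 2012,1344945300,UNDEF,1,1\r\n"
    "HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,"
    "Last Ref,Last Ref (time_t)\r\n"
    "ROUTING_TABLE,10.8.0.6,alice,203.0.113.5:51234,"
    "Tue Aug 14 11:59:00 2012,1344945540\r\n"
    "GLOBAL_STATS,Max bcast/mcast queue length,0\r\n"
    "END\r\n"
)


def parse_status2(text):
    """Return the common names found in CLIENT_LIST rows of 'status 2' output."""
    cns = []
    for line in text.splitlines():
        fields = line.split(",")
        if fields[0] == "CLIENT_LIST" and len(fields) > 1:
            cns.append(fields[1])
    return cns


def evaluate(cns, min_clients=0):
    """Map the client list to a (nagios_exit_code, status_line) pair."""
    summary = "%d client(s) connected" % len(cns)
    if cns:
        summary += ": " + ", ".join(sorted(cns))
    if len(cns) < min_clients:
        return WARNING, "OPENVPN WARNING - %s (expected at least %d)" % (summary, min_clients)
    return OK, "OPENVPN OK - " + summary


def _recv_until(sock, markers, limit=1 << 20):
    """Read until one of `markers` appears; fail on close or oversized reply."""
    data = b""
    while not any(m in data for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("socket closed before %r was seen" % (markers,))
        data += chunk
        if len(data) > limit:
            raise ValueError("management reply exceeded %d bytes" % limit)
    return data.decode("utf-8", "replace")


def query_management(host, port, password=None, timeout=5.0):
    """Connect, authenticate if needed, and return the raw 'status 2' output."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            _recv_until(sock, (b"ENTER PASSWORD:",))
            sock.sendall(password.encode() + b"\n")
            if "SUCCESS" not in _recv_until(sock, (b"SUCCESS", b"ERROR")):
                raise PermissionError("management password rejected")
        sock.sendall(b"status 2\n")
        status = _recv_until(sock, (b"\nEND",))
        sock.sendall(b"quit\n")  # close the session cleanly
    return status


def main(argv=None):
    ap = argparse.ArgumentParser(description="Check OpenVPN via its management port")
    ap.add_argument("-H", dest="host", default="127.0.0.1")
    ap.add_argument("-p", dest="port", type=int, default=11940)  # port from the answer
    ap.add_argument("-P", dest="password", default=None)
    ap.add_argument("--min-clients", type=int, default=0)
    args = ap.parse_args(argv)
    try:
        status = query_management(args.host, args.port, args.password)
    except (OSError, ValueError) as exc:  # timeouts and auth errors are OSError
        print("OPENVPN CRITICAL - %s:%d: %s" % (args.host, args.port, exc))
        return CRITICAL
    code, message = evaluate(parse_status2(status), args.min_clients)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Two points worth keeping from the answer when wiring this into nrpe.cfg: keep the `management` directive bound to 127.0.0.1 as shown, so only the local NRPE agent can reach it, and be aware that a password passed with `-P` on the command line is visible to other local users in the process list, so a root-only password file (as the `man.pass` file already is) plus a local-only socket is what actually limits who can drive the management session.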

Solution 2:

For OpenVPN, I simply monitor whether it is listening on the usual port:

define command {
        command_name    check_openvpn
        command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p 1194
}