{"id":6709,"date":"2020-08-16T23:37:14","date_gmt":"2020-08-16T20:37:14","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6709"},"modified":"2024-03-14T22:31:38","modified_gmt":"2024-03-14T19:31:38","slug":"how-to-monitor-openvpn-connections-using-openvpn-monitor-tool","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-monitor-openvpn-connections-using-openvpn-monitor-tool\/","title":{"rendered":"How to Monitor OpenVPN Connections using openvpn-monitor tool"},"content":{"rendered":"\n
In this tutorial, we are going to learn how to monitor OpenVPN connections using the openvpn-monitor tool. This tutorial focuses on monitoring OpenVPN connections established using the OpenVPN Community Edition<\/a>. OpenVPN CE provides a de facto standard for creating secure VPN connections over the internet using a custom security protocol that utilizes SSL\/TLS.<\/p>\n\n\n\n While scouring the Internet for tools that can be used to monitor active OpenVPN connections, I came across a Python-based tool called openvpn-monitor<\/a> which utilizes the OpenVPN management interface to generate an HTML report that displays the status of an OpenVPN server, including all current connections.<\/p>\n\n\n\n Before you proceed, there are a few things that need to be set up.<\/p>\n\n\n\n Of course, you cannot monitor OpenVPN server connections without having an OpenVPN server running. Follow the links below to install and set up an OpenVPN server on CentOS\/Ubuntu systems;<\/p>\n\n\n\n Install and<\/a> Setup OpenVPN Server on CentOS 8<\/a><\/p>\n\n\n\n Install and Setup OpenVPN Server on Ubuntu 20.04<\/a><\/p>\n\n\n\n The OpenVPN management interface TCP connection can be enabled by editing the OpenVPN server configuration file and adding the line, The line;<\/p>\n\n\n\n Sets the OpenVPN management interface IP address to 127.0.0.1 (localhost) and TCP port 17562. The openvpn-monitor tool expects the OpenVPN management interface to be listening on TCP port 5555. We will change that later.<\/p>\n\n\n\n Check that the assigned port is not being used by any other program on your system;<\/p>\n\n\n\n If no application is using the port, restart the OpenVPN server service;<\/p>\n\n\n\n Check that the port is now open;<\/p>\n\n\n\n Ensure that the OpenVPN server service is running;<\/p>\n\n\n\n There are different methods of installing the openvpn-monitor tool, as outlined on the program’s GitHub repository<\/a>.
In this tutorial, we will use Apache to serve the openvpn-monitor report of OpenVPN connections.<\/p>\n\n\n\n Install Apache and the required package dependencies;<\/p>\n\n\n\n Next, clone the openvpn-monitor GitHub repository to your default web server root directory. In this setup, we use, Rename the sample configuration file, Replace the OpenVPN management interface port if you changed it to a port other than 5555 defined on the Next, you can now open the configuration file and set the site name, add a logo, and set the default map location (latitude and longitude, defaults to New York, USA).<\/p>\n\n\n\n This is what our modified configuration file looks like;<\/p>\n\n\n\n Note the GeoIP2 City Database location. If it is not available on your system, register and download a free version from MaxMind<\/a>.<\/p>\n\n\n\n One more thing: this setup was tested on Ubuntu 20.04, where Python 3 is the default. Since openvpn-monitor uses python, simply create a symbolic link from python 3 to python;<\/p>\n\n\n\n Next, execute the command below to configure Apache to execute the openvpn-monitor Python script.<\/p>\n\n\n\n Save and exit the configuration file.<\/p>\n\n\n\n Set the ownership of the openvpn-monitor web root directory to Apache user, Check Apache configuration syntax;<\/p>\n\n\n\n Enable the openvpn-monitor Apache site configuration and disable the default site.<\/p>\n\n\n\n Start Apache and enable it to run on system boot;<\/p>\n\n\n\n You can run openvpn-monitor from the command line to check whether it actually generates the HTML report correctly:<\/p>\n\n\n\n You can as well add option Sample output;<\/p>\n\n\n\n If all is well, you can now access your OpenVPN statistics via the address And there you go. Beautiful, isn’t it? All credit goes to furlongm<\/a>.
As you can see, we have connection status for my locally connected OpenVPN clients.<\/p>\n\n\n\n openvpn-monitor<\/a><\/p>\n\n\n\n Install and Setup OpenVPN Server on Ubuntu 20.04<\/a><\/p>\n\n\n\n Configure OpenVPN LDAP Based Authentication<\/a><\/p>\n\n\n\n Assign Static IP Addresses for OpenVPN Clients<\/a><\/p>\n\n\n\nMonitoring OpenVPN Connections using openvpn-monitor tool<\/h2>\n\n\n\n
Prerequisites<\/h3>\n\n\n\n
Install and configure OpenVPN Server<\/h4>\n\n\n\n
Enable Management Interface<\/h4>\n\n\n\n
openvpn-monitor<\/strong><\/code> tool requires that the OpenVPN management interface be enabled. The OpenVPN management interface allows OpenVPN to be administratively controlled from an external program via a TCP or Unix domain socket. The OpenVPN management server can be enabled on a Unix socket or on a designated TCP port. While using the Unix socket is the recommended method, the openvpn-monitor tool uses the OpenVPN management interface TCP connection. It is therefore strongly recommended that you set the OpenVPN management interface IP to 127.0.0.1 (localhost) to restrict accessibility of the management server to local clients.<\/p>\n\n\n\n
management IP port<\/strong><\/code><\/em>.<\/p>\n\n\n\n
vim \/etc\/openvpn\/server\/server.conf<\/code><\/pre>\n\n\n\n
...\ncomp-lzo\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log\nlog-append \/var\/log\/openvpn\/openvpn.log\nverb 3\nexplicit-exit-notify 1\nauth SHA512\n# Enable OpenVPN Management Interface on localhost using TCP port 17562\nmanagement 127.0.0.1 17562<\/strong>\n<\/code><\/pre>\n\n\n\n
management 127.0.0.1 17562<\/strong><\/pre>\n\n\n\n
lsof -i :17562<\/code><\/pre>\n\n\n\n
systemctl restart openvpn-server@server.service<\/code><\/pre>\n\n\n\n
lsof -i :17562<\/code><\/pre>\n\n\n\n
COMMAND PID USER FD TYPE DEVICE SIZE\/OFF NODE NAME\nopenvpn 44178 root 3u IPv4 189028 0t0 TCP localhost:17562 (LISTEN)<\/code><\/pre>\n\n\n\n
systemctl status openvpn-server@server.service<\/code><\/pre>\n\n\n\n
\u25cf openvpn-server@server.service - OpenVPN service for server\n Loaded: loaded (\/lib\/systemd\/system\/openvpn-server@.service; enabled; vendor preset: enabled)\n Active: active (running) since Sun 2020-08-16 16:15:46 UTC; 1h 15min ago\n Docs: man:openvpn(8)\n https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n Main PID: 44178 (openvpn)\n Status: \"Initialization Sequence Completed\"\n<\/strong> Tasks: 1 (limit: 2282)\n Memory: 1.9M\n CGroup: \/system.slice\/system-openvpn\\x2dserver.slice\/openvpn-server@server.service\n \u2514\u250044178 \/usr\/sbin\/openvpn --status \/run\/openvpn-server\/status-server.log --status-version 2 --suppress-timestamps --config server.conf\n\nAug 16 16:15:46 ubuntu20.kifarunix-demo.com systemd[1]: Starting OpenVPN service for server...\nAug 16 16:15:46 ubuntu20.kifarunix-demo.com systemd[1]: Started OpenVPN service for server.<\/code><\/pre>\n\n\n\n
Install and Setup openvpn-monitor tool<\/h3>\n\n\n\n
Install Apache for openvpn-monitor<\/h4>\n\n\n\n
apt install git apache2 libapache2-mod-wsgi python3-geoip2 python3-ipaddr python3-humanize python3-bottle python3-semantic-version geoip-database geoipupdate<\/code><\/pre>\n\n\n\n
Download the openvpn-monitor program<\/h4>\n\n\n\n
\/var\/www\/html\/openvpn-monitor<\/strong><\/code> directory.<\/p>\n\n\n\n
git clone https:\/\/github.com\/furlongm\/openvpn-monitor.git \/var\/www\/html\/openvpn-monitor<\/code><\/pre>\n\n\n\n
ls \/var\/www\/html\/openvpn-monitor\/<\/code><\/pre>\n\n\n\n
AUTHORS COPYING images MANIFEST.in openvpn-monitor.conf.example openvpn-monitor.py README.md requirements.txt setup.py tests VERSION.txt<\/code><\/pre>\n\n\n\n
Configure openvpn-monitor<\/h4>\n\n\n\n
openvpn-monitor.conf.example<\/strong><\/code> to
openvpn-monitor.conf<\/code><\/strong>.<\/p>\n\n\n\n
cp \/var\/www\/html\/openvpn-monitor\/openvpn-monitor.conf{.example,}<\/code><\/pre>\n\n\n\n
openvpn-monitor.py<\/strong><\/code> Python program.<\/p>\n\n\n\n
cd \/var\/www\/html\/openvpn-monitor<\/code><\/pre>\n\n\n\n
grep -irl 5555 . | xargs -I {} sed -i 's\/5555\/17562\/' {}<\/code><\/pre>\n\n\n\n
cat \/var\/www\/html\/openvpn-monitor\/openvpn-monitor.conf<\/code><\/pre>\n\n\n\n
[openvpn-monitor]\nsite=Kifarunix-demo-VPN\n#logo=logo.jpg\nlatitude=11.016844\nlongitude=76.955833\nmaps=True\ngeoip_data=\/var\/lib\/GeoIP\/GeoLite2-City.mmdb\ndatetime_format=%d\/%m\/%Y %H:%M:%S\n\n[VPN1]\nhost=localhost\nport=17562\nname=Kifarunix-demo VPN\nshow_disconnect=False<\/code><\/pre>\n\n\n\n
ln -s \/usr\/bin\/python3 \/usr\/bin\/python<\/code><\/pre>\n\n\n\n
Configure Apache to Execute openvpn-monitor script<\/h4>\n\n\n\n
vim \/etc\/apache2\/sites-available\/openvpn-monitor.conf<\/code><\/pre>\n\n\n\n
ScriptAlias \/ \/var\/www\/html\/openvpn-monitor\/openvpn-monitor.py\n<Directory \/var\/www\/html\/openvpn-monitor>\n\tOptions +ExecCGI\n\tAddHandler cgi-script .py\n\tDirectoryIndex openvpn-monitor.py\n\n\tAllowOverride None\n\tRequire ip 192.168.0.0\/16\n<\/Directory><\/code><\/pre>\n\n\n\n
www-data<\/strong><\/code>.<\/p>\n\n\n\n
chown -R www-data: \/var\/www\/html\/openvpn-monitor\/<\/code><\/pre>\n\n\n\n
apachectl -t<\/code><\/pre>\n\n\n\n
Syntax OK<\/code><\/pre>\n\n\n\n
a2ensite openvpn-monitor.conf<\/code><\/pre>\n\n\n\n
a2dissite 000-default.conf<\/code><\/pre>\n\n\n\n
systemctl enable --now apache2<\/code><\/pre>\n\n\n\n
Debugging openvpn-monitor<\/h4>\n\n\n\n
cd \/var\/www\/html\/openvpn-monitor\npython openvpn-monitor.py<\/code><\/pre>\n\n\n\n
-d<\/strong><\/code> for debugging;<\/p>\n\n\n\n
python openvpn-monitor.py -d<\/code><\/pre>\n\n\n\n
...\noms.addListener(\"click\", function(marker) {\n popup.setContent(marker.alt);\n popup.setLatLng(marker.getLatLng());\n map.openPopup(popup);\n});\noms.addListener(\"spiderfy\", function(markers) {\n map.closePopup();\n});\nbounds.extend(centre);\nmap.fitBounds(bounds);\n<\/script>\n<\/div><\/div>\n<div class=\"well well-sm\">\nPage automatically reloads every 5 minutes.\nLast update: <b>16\/08\/2020 19:10:26<\/b><\/div>\n<\/div><\/body><\/html>\nDEBUG:\n === begin vpns\n{'VPN1': {'host': 'localhost',\n 'name': 'Staff VPN',\n 'port': '17562',\n 'release': 'OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] '\n '[LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Sep '\n '5 2019',\n 'sessions': {},\n 'show_disconnect': False,\n 'socket_connected': True,\n 'state': {'connected': 'CONNECTED',\n 'local_ip': IPv4Address('10.8.0.1'),\n 'mode': 'Server',\n 'remote_ip': '',\n 'success': 'SUCCESS',\n 'up_since': datetime.datetime(2020, 8, 16, 16, 15, 46)},\n 'stats': {'bytesin': 0, 'bytesout': 0, 'nclients': 0},\n 'version': Version('2.4.7')}}\n=== end vpns\n<\/code><\/pre>\n\n\n\n
Accessing openvpn-monitor on Browser<\/h3>\n\n\n\n
http:\/\/<OpenVPN-server-Address>\/openvpn-monitor<\/strong><\/code> or
http:\/\/<OpenVPN-server-Address>\/<\/code><\/strong> as per our redirection.<\/p>\n\n\n\n
<\/figure>\n\n\n\n
Reference<\/h4>\n\n\n\n
Related Tutorials<\/h4>\n\n\n\n