Number of online users script for OpenVPN

July 6, 2011

We wanted to create a graph (using rrd) that monitors the number of online users of our OpenVPN setup. The solutions where:

  1. retrieve the status file created by OpenVPN to the RRD server and parse it locally
  2. execute a small script that parses the status file and reports the number of users. The result can be available to the RRD server though the network with the use of inetd(8)
  3. use the management interface for OpenVPN to get the same information

Each solution had some drawbacks. The best solution seemed to be 3) but this had a number of problems.

  • the management interface is still unencrypted, so it is easy to sniff the password
  • there is no way to restrict the commands that can be executed through the management interface (someone with access to the management interface can disable the service)
  • the tun interfaces on Solaris (don’t even ask me why we have Solaris as the VPN Gateway) are not “complete” network interfaces, so you cannot really filter traffic passing through them with ipfilter. (that’s what the local Solaris guru said). So even if we used another physical interface for the management service to run, the vpn users could also access the management interface port.

For the above reasons I was quite reluctant to enable as is the management interface. The final solution came with a combination of solutions 2) and 3).

I had the OpenVPN management interface run on localhost (so that none outside the machine can touch the interface) and had a small script run through inetd , connected to the management interface and return the number of online users as a number.

The setup is the following:

  1. add to vpn config the corresponding lines to enable the management interface on localhost port 25:
    management localhost 1025 pwfile
  2. create the pwfile on the OpenVPN config directory that contains just one line with the password, set 400 permissions and the owner to the user tha openvpn runs. i.e.
  3. restart openvpn and make sure that the management interface works.
  4. create the following script in a place, lets call it $SCRIPT_HOME named

    export PATH

    if [ "xx$1" = "xx" ]
    echo "no conf file specified"
    exit 1;
    . $1

    (echo "$PASSWORD" ; sleep 1 ; echo "status 2" ; sleep 1 ; echo "quit" ; sleep 1 ) |
    telnet $HOST $PORT 2>/dev/null |
    grep '^CLIENT_LIST' | wc -l

  5. create a configuration file for the script $SCRIPT_HOME/stat.conf, set the owner to nobody and permissions 400
  6. add the service to /etc/services
    openvpnstat     1026/tcp                        # OpenVPN user statistics
  7. add the service to /etc/inetd.conf
    #service used for OpenVPN statistics
    openvpnstat     stream  tcp     nowait  nobody  $SCRIPT_HOME/ $SCRIPT_HOME/stat.conf
  8. For some extra security enable tcpwrappers (if they are not yet enabled)
  9. create (or add in) /etc/hosts.allow :
    where is the machine, or subnet that you want to permit connections to this port
  10. create (or add in) /etc/hosts.deny : ALL
  11. pkill -HUP inetd for Solaris 9, or for Solaris 10 follow the procedure to import the new service from inetd.conf and refresh inetd
  12. test the configuration with netcat, or telnet
    nc vpnhost 1026

With this setup it is possible to have the number of online users, and with some config you can feed it to mrtg or rrd and create some nice graphs 🙂 (Still waiting for some image to be created 😉 ) Hopefully, I haven’t forgotten any step 🙂


2 Responses to “Number of online users script for OpenVPN”

  1. Dimitris K Says:

    To be on the safe side, it would be nice to increase
    the sleep time of the last sleep in the subshell,
    since it is the time the subshell “waits” to gather
    the output of the status command sent to the management

    • aristotelhs Says:

      All the tests done the interface was really fast. If there is the case that the machine starts responding really slow, it will be the less of our problems. (the connection is local (so there will be no network delay of link saturation on this part and also unencrypted .. so there is no real overhead on that).
      (the bigger value was used in the switches, since some old switches provide a new definition of the word delay :p)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: