Check OpenVPN status on Linux

Continuously check status of OpenVPN connection

I’m trying to check and display the status (connected/not connected) and the server’s hostname/cn of an OpenVPN connection that should connect at every boot. Now I’ve found out that in /var/log/syslog the connection is logged, which I could use to determine if Initialization Sequence Completed was logged and get the hostname/cn, 19 lines above from [brimstone] Peer Connection Initiated with [AF_INET]1.2.3.4:1234. Taken this log, I may check for the Initialization Sequence Completed, which would mean that I am connected and the hostname, which I just want for a different script. Now my problem is that I currently don’t know if the connection is still alive and/or if I’m connected to another server. I could periodically check the log for changes but that seems a little extreme for a rather basic task. How may I check the connection status of my OpenVPN and if connected get the server’s hostname/cn?

3 Answers

You do not need to do that, but you can still do it by means of checking your apparent external IP address: the following command

queries checkip.dyndns.org for your external IP. You should be able to recognize the current status of your connection that way.

Alternatively, you may check your routing table:

    $ ip route show
    0.0.0.0/1 via 10.8.0.17 dev tun0
    default via 192.168.73.1 dev eth0 proto static
    10.8.0.0/24 via 10.8.0.17 dev tun0
    10.8.0.17 dev tun0 proto kernel scope link src 10.8.0.18
    128.0.0.0/1 via 10.8.0.17 dev tun0
    192.168.73.0/24 dev eth0 proto kernel scope link src 192.168.73.74 metric 1
    IP.Address.Of.Your.OpenVPN.server via 192.168.73.1 dev eth0

(this is for a routed OpenVPN, but this does not matter). The important line is the last one: if you have anything like this, your packets will be routed through the OpenVPN.

You can also use an instrument like mtr which pings and traceroutes simultaneously (and continuously!!) a given ip address, for instance:

If the OpenVPN is up, you will see the packets routed through the tunnel ( tun0 or tap0 ), not through your regular gateway.

As I said at the beginning, though, you do not need to do this: OpenVPN provides you with a mechanism to continuously check the status of the connection, and to restart it if need be:

--keepalive n m

A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations. For example, --keepalive 10 60 expands as follows:

    if mode server:
        ping 10
        ping-restart 120
        push "ping 10"
        push "ping-restart 60"
    else
        ping 10
        ping-restart 60

You may use either keepalive or any suitable combination of ping , ping-restart , ping-exit , to control automatically the status of the connection.
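The routing-table check from this answer can be scripted. The following is an added example, not part of the original answer: it classifies `ip route show` output by whether all IPv4 traffic is steered into the tunnel. The function names, the `tun*`/`tap*` device naming and the 203.0.113.10 server address in the sample are assumptions.

```shell
#!/bin/sh
# Classify `ip route show` output read from stdin:
#   full  - all IPv4 traffic is steered into a tun/tap device
#   split - only some prefixes go through the tunnel
#   none  - no route uses a tun/tap device
# Assumption: the tunnel device is named tunN or tapN (the OpenVPN default).
tunnel_route_state() {
    awk '
        {
            # The device is the word following the "dev" keyword.
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev !~ /^(tun|tap)[0-9]+$/) next
            seen = 1
            if ($1 == "default")     def = 1
            # The two /1 routes together cover the whole IPv4 space and
            # win over "default" because they are more specific.
            if ($1 == "0.0.0.0/1")   low = 1
            if ($1 == "128.0.0.0/1") high = 1
        }
        END {
            if (def || (low && high)) print "full"
            else if (seen)            print "split"
            else                      print "none"
        }'
}

# Routing table from the answer above; the server address is replaced by a
# constructed documentation address.
sample_vpn_up() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.17 dev tun0
default via 192.168.73.1 dev eth0 proto static
10.8.0.0/24 via 10.8.0.17 dev tun0
10.8.0.17 dev tun0 proto kernel scope link src 10.8.0.18
128.0.0.0/1 via 10.8.0.17 dev tun0
192.168.73.0/24 dev eth0 proto kernel scope link src 192.168.73.74 metric 1
203.0.113.10 via 192.168.73.1 dev eth0
EOF
}

sample_vpn_up | tunnel_route_state   # prints "full"
```

On a live system the same function reads the real table: `ip route show | tunnel_route_state`. A result of `none` while the OpenVPN process is still running means traffic is leaving through the regular gateway.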


Check openVPN client connected Debian

How can I check if my Debian OpenVPN client is connected? Is there a specific command I have to run? Or can I read it from the logfile? Thanks. Edit: The answers below provide great value in debugging. I used the same open vpn credentials on two different systems, causing issues.

You want to check on the client that the client is connected to the VPN? Or you want to check on the server that client is connected to the VPN?

5 Answers

It isn’t clear to me if you are asking from the perspective of a client or server. In any case one thing you should strongly look at is enabling the management interface on your OpenVPN daemon with this configuration option.

With the management interface enabled you can connect to whatever port you set up for this purpose using netcat/telnet. Then you can issue the status command, or many other commands to determine exactly what is going on from the daemon’s perspective.
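One way to script that check, as an added example that is not part of the original answer: it uses the management interface's `state` command (a sibling of `status`) and reduces the reply to a single up/down line. The listener address 127.0.0.1:7505, the function names and the sample replies are assumptions, and the samples are constructed.

```shell
#!/bin/sh
# Ask a running daemon for its state. Assumes a management listener on
# 127.0.0.1:7505 without a password (address and port are assumptions).
query_mgmt_state() {
    printf 'state\nquit\n' | nc -w 2 "${1:-127.0.0.1}" "${2:-7505}"
}

# Reduce a `state` reply (stdin) to one line:
#   up <remote>:<port> local=<tunnel ip>   or   down <STATE> [reason]
# State line layout: time,STATE,detail,tunnel_ip,remote_ip,remote_port,...
parse_mgmt_state() {
    awk -F',' '
        { sub(/\r$/, "") }               # the interface ends lines with CRLF
        /^>/ || /^END/ { next }          # skip notifications and terminator
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            state = $2; detail = $3; tun = $4; remote = $5; port = $6
        }
        END {
            if (state == "CONNECTED" && detail == "SUCCESS") {
                printf "up %s:%s local=%s\n", remote, port, tun
            } else {
                out = "down " (state == "" ? "NO_REPLY" : state)
                if (detail != "") out = out " " detail
                print out
            }
        }'
}

# Constructed sample replies (documentation addresses, made-up timestamps).
sample_reply_up() {
    printf '%s\r\n' \
        ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info" \
        "1700000000,CONNECTED,SUCCESS,10.8.0.18,203.0.113.10,1194,," \
        "END"
}
sample_reply_reconnecting() {
    printf '%s\r\n' "1700000100,RECONNECTING,ping-restart,,,,," "END"
}

sample_reply_up | parse_mgmt_state             # up 203.0.113.10:1194 local=10.8.0.18
sample_reply_reconnecting | parse_mgmt_state   # down RECONNECTING ping-restart
```

Against a live daemon the two functions chain as `query_mgmt_state | parse_mgmt_state`. Keep the management listener bound to localhost or a Unix socket, since anyone who can reach it can control the daemon.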

There are a few methods, depending on what exactly you’re trying to achieve. If you want to check if the client is running and you’re using Debian’s initscript, you can use the service command:

    % sudo service openvpn status mammon; echo $?
     * VPN 'mammon' is running
    0

If you want to check that the client thinks it is connected to the server, you can check the routing table for the VPN subnet or local interface existence:

    % ip route | grep -q 10.8.0.1; echo $?
    0
    % ip link show dev tun0 > /dev/null; echo $?
    0

If you want to check that the client is connected and the server is contactable, ping the server:

    % ping -c1 -w5 -q 10.8.0.1 > /dev/null; echo $?
    0

While I think @mgorven gave a good answer, I’d like to propose another one which kind of puts the problem into a different perspective.


If one is using /etc/network/interfaces for configuring the network, it’s possible to use it to control client OpenVPN tunnels. It goes like this:

    Use custom name of the tunnel device for the OpenVPN’s dev option, for instance, have

    iface mytun inet manual
        pre-up /etc/init.d/openvpn start client
        pre-down /etc/init.d/openvpn stop client

Having set things up this way, you can now do

    # /sbin/ifup mytun
    # /sbin/ifdown mytun

Now back to the original question — iface sections in the networking configuration file also support the post-up directives which could be used for scripting the "tunnel is ready" events.

Yet another approach, for a Desktop machine, might be using a visual tool like TunTun to manage OpenVPN tunnels.


Linux/Unix check if VPN connection is Active/Up

It’s not that strange a full code is here:

    if echo 'ifconfig tun0' | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
    then
        echo "VPN up"
    else
        echo 1 > /usr/syno/etc/synovpnclient/vpnc_connecting
        synovpnc reconnect --protocol=openvpn --name=XXXXXX
    fi
    exit 0

So basically I need to reconnect the VPN once it is down. The re-connection script works fine, but I’m struggling with the "if".

To anyone who ever sees this question, if echo 'ifconfig tun0' | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00" means: check if the string "ifconfig tun0" contains the string "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00". A correct example would be if ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00" (no echo, no single quotes), which means: run ifconfig tun0 and then check for the string from its output.

5 Answers

That echo statement is erroneous. As @unwind says, the single quotes (') should be backticks (`). Your current code is sending the literal value ifconfig ppp0 to grep, which doesn’t do anything useful.

But you don’t actually need the backticks, either. You can just send the output of ifconfig to grep directly; using echo doesn’t get you anything:

    if ifconfig ppp0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"; then
        echo ppp connection is up
    fi

In your example I’m getting "ifconfig: ppp0: error fetching interface information: Device not found" when there is no VPN, and nothing when there is a VPN connection.

The following script will:

  • Run the ISPConnectivity.sh script every 5 minutes. This will mean that the VPN tunnel will not be down for more than 5 minutes.
  • Check if the tun interface is down, and start the vpn script if it is.
  • Check connectivity if the tun0 interface is up. It does ping tests on 2 Public IPs (if I get even a single response from 1 of the IPs tested, I consider this a success ), and all have to fail to run the vpn script. I ran ping tests on multiple hosts to prevent the vpn script from starting in case the ping test failed on 1 IP.
  • Send all failure output to a file in my home directory. I do not need to see if any test succeeded.

    */5 * * * * /home/userXXX/ISPConnectivity.sh >> /home/userXXX/ISPConnectivity.log 2>&1

Contents of ISPConnectivity.sh script:

    #!/bin/bash
    # Add IPs / hostnames separated by white space
    #HOSTS="1.2.3.4"
    HOSTS="8.8.8.8 4.2.2.4"
    # Total replies received, and number of ping requests per host
    totalcount=0
    COUNT=4
    DATE=$(date +%Y-%m-%d:%H:%M:%S)

    # A tun device shows an all-zero hardware address in ifconfig output
    if ! /sbin/ifconfig tun0 | grep -q "00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00"
    then
        echo $DATE tun0 down
        sudo /home/userXXX/startVPN.sh start
    else
        for myHost in $HOSTS; do
            # Extract the "N received" count from the ping summary line
            count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
            # A missing summary line (e.g. unresolvable host) counts as zero replies
            totalcount=$(($totalcount + ${count:-0}))
        done
        if [ $totalcount -eq 0 ]
        then
            echo $DATE $totalcount "fail"
            sudo /home/userXXX/startVPN.sh start
        #else
        #    echo $DATE $totalcount "pass"
        fi
    fi


Access Server Daemon Status and Control

Run the commands below on your Access Server console, with root access from /usr/local/openvpn_as/scripts/.

Get live, detailed, low-level VPN status information from the OpenVPN daemons (JSON format):

Show the number of users currently connected to the VPN:

Show the status of internal Access Server services:

Stop internal Access Server services:

Start/restart internal Access Server services:

The ‘start’ command is smart in the sense that if the Access Server is already running, and you modified the configuration via the Config DB, only those services whose parameters are changed will be restarted. Note that if you modify any parameters in the Access Server bootstrap configuration file (/usr/local/openvpn_as/etc/as.conf), you will need to do a full unix restart in order for those settings to take effect.

Also note that the start/stop commands above don’t actually start or stop the Access Server daemon itself, only internal services within the daemon. To start/stop the access server daemon itself, use the traditional unix syntax:

Start the Access Server daemon:

Stop the Access Server daemon:

Restart the Access Server daemon:

service openvpnas restart
