Making Nagios check OpenVPN

I've been slowly expanding the amount of automation that runs on the servers I personally maintain. With Puppet as my configuration management system I'm able to deploy changes to however many of my servers quickly and easily. Similarly, if any server dies a fiery death a new one can be spun up immediately with no data loss.

To ensure that I'm keeping tabs on the health of the boxes, I run Nagios on my master server and monitor an ever increasing list of services across my collection. Since I've recently added a puppet controlled VPN to my repertoire, it was only natural that I should want to ensure the OpenVPN process was both online and responsive to connections.

Since I run OpenVPN on UDP port 1194, all the resources I managed to find online made reference to piping something towards the port via netcat or nc. Unfortunately, because OpenVPN is not sensible, binary information needs to be sent rather than a few ASCII characters I can read and understand. Similarly, the response is equally indecipherable.

Through testing however, I was able to identify that unless I gave OpenVPN a very specific string of binary, it would timeout on me. With this in mind, I was able to use the check_udp command that comes with Nagios, and a timeout to verify that OpenVPN was up and responding to VPN requests.

I could define the check_openvpn command for Nagios like this:

  # We're not looking for a specific response, here. More that we actually get
  # one and not a timeout or no data.
  nagios_command { 'check_openvpn':
    ensure       => present,
    command_line => '$USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ -E -s "$38$01$00$00$00$00$00$00$00" -e "^@^@^@^@^@" -t 10 -M ok'
  }

I could then call that check from within my custom VPN puppet configuration like this:

  # We're using 1194 for this service and that's the only argument accepted
  # by the openvpn check.
  nagios::service { "check_openvpn_${fqdn}":
    check_command       => "check_openvpn!1194",
    service_description => 'openvpn',
  }

Comments

Submitted by Bill (not verified) on

I had the same problem you did with monitoring OpenVPN, so I was happy to find your posting. While the example you gave worked fine from the command line, I couldn't get it to work within nagios, so I spent some time debugging it. I could find no documentation indicating that the check_udp plugin could send encoded values, so I invoked it on the command line with '-v', and saw that it really isn't sending what it seems. The dollar-signs seem to be being interpreted as an invocation of bash, and the string ultimately sent by check_udp is something like "8-bash1-bash0-bash..." I confirmed this by sending that very string without any dollar-sign encoding, and it worked. I of course don't know how you arrived at the string you're sending, but I guessing it was a miracle of good fortune.

Add new comment