OpenVPN offers several options to monitor the clients connected to a server. The most commonly used method is a status file. This recipe shows how to use and read the OpenVPN status file.
The network layout used in this recipe is the same as in the Server-side routing recipe. This recipe uses the PKI files created in the first recipe of this chapter. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9. The first client was running Fedora 20 Linux and OpenVPN 2.3.9. The second client was running Windows 7 64 bit and OpenVPN 2.3.11. For the Linux server, keep the server configuration file basic-udp-server.conf from the Server-side routing recipe at hand. For the Linux client, keep the client configuration file basic-udp-client.conf from the same recipe at hand. For the Windows client, keep the corresponding client configuration file, basic-udp-client.ovpn, from the previous recipe at hand.
Add the following line to the basic-udp-server.conf file:
status /var/log/openvpn.status
Save it as example2-10-server.conf.
[root@server]# openvpn --config example2-10-server.conf
[root@client1]# openvpn --config basic-udp-client.conf
Show the contents of the openvpn.status file:
[root@server]# cat /var/log/openvpn.status
A sample output is shown in the following screenshot:
Transfer the ca.crt, client2.crt, and client2.key files along with the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or PuTTY's pscp command-line tool.
[WinClient2]C:> cd \program files\openvpn\config
[WinClient2]C:> ..\bin\openvpn --config basic-udp-client.ovpn
Remember that this client's private key file is protected using a password or passphrase.
[root@server]# cat /var/log/openvpn.status
A sample output is shown in the following screenshot:
Each time a client connects to the OpenVPN server, the status file is updated with the connection information. The OpenVPN CLIENT LIST and ROUTING TABLE tables are the most interesting ones, as they provide the following information:
In addition, the routing table also shows which networks are routed to each client.
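The following Python sketch is an added example, not part of the original recipe: it reads the CLIENT LIST and ROUTING TABLE sections of a status file in the default (version 1) layout and joins them per common name, separating each client's VPN address from the networks routed to it. The function name parse_status and the sample text, including all addresses and counters, are constructed for illustration.

```python
import csv

# Constructed sample in the default (version 1) status file layout;
# names, addresses and counters are made up for illustration.
SAMPLE = """\
OpenVPN CLIENT LIST
Updated,Thu Jan  7 12:00:10 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.4.65:50183,7851,8095,Thu Jan  7 11:58:02 2016
client2,192.168.3.22:57267,6342,6598,Thu Jan  7 11:59:40 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.200.0.2,client1,192.168.4.65:50183,Thu Jan  7 12:00:05 2016
192.168.4.0/24,client1,192.168.4.65:50183,Thu Jan  7 12:00:01 2016
10.200.0.3,client2,192.168.3.22:57267,Thu Jan  7 12:00:08 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return {common_name: session dict} from version 1 status text."""
    clients, section = {}, None
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if len(row) == 1:                      # section marker or END
            section = row[0]
            continue
        if row[0] in ("Updated", "Common Name", "Virtual Address"):
            continue                           # timestamp and column headers
        if section == "OpenVPN CLIENT LIST" and len(row) == 5:
            cn, real, rx, tx, since = row
            clients[cn] = {"real": real, "rx": int(rx), "tx": int(tx),
                           "since": since, "vpn_ips": [], "networks": []}
        elif section == "ROUTING TABLE" and len(row) == 4:
            addr, cn, real, _last_ref = row
            entry = clients.setdefault(cn, {"real": real, "rx": 0, "tx": 0,
                                            "since": None, "vpn_ips": [], "networks": []})
            # A prefix length marks a network routed to the client.
            entry["networks" if "/" in addr else "vpn_ips"].append(addr)
    return clients

if __name__ == "__main__":
    for cn, c in parse_status(SAMPLE).items():
        print(cn, c["real"], c["vpn_ips"], c["networks"], c["rx"], c["tx"])
```

To run it against a live server, pass the contents of /var/log/openvpn.status to parse_status instead of SAMPLE.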
There are three things to keep in mind when using status files:
The status directive takes two parameters:
Note that when a client disconnects, the status file is not updated immediately. OpenVPN first tries to reconnect to the client based on the keepalive parameters in the server configuration file. The server configuration file in this recipe uses:
keepalive 10 60
This tells the server that it will ping the client every 10 seconds. If it does not get a response after 60 seconds * 2, the connection is restarted. The OpenVPN server will double the value of the second argument. The server will also tell the client to ping every 10 seconds and to restart the connection after 60 seconds if it does not get any response.
One of the lesser-known options of OpenVPN is the following directive:
explicit-exit-notify [N]
This can be set on the client side so that when the client disconnects, it will send an explicit OCC_EXIT message to the server (if at all possible). This will speed up the removal of disconnected clients. The optional parameter N indicates the number of times the message will be sent. By default, only a single OCC_EXIT message is sent, which can cause problems as the UDP protocol does not guarantee the delivery of packets.