Using the status file

OpenVPN offers several options to monitor the clients connected to a server. The most commonly used method is using a status file. This recipe will show how to use and read the OpenVPN's status file.

Getting ready

The network layout used in this recipe is the same as in the Server-side routing recipe. This recipe uses the PKI files created in the first recipe of this chapter. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9. The first client was running Fedora 20 Linux and OpenVPN 2.3.9. The second client was running Windows 7 64 bit and OpenVPN 2.3.11. For the Linux server, keep the server configuration file basic-udp-server.conf from the Server-side routing recipe at hand. For the Linux client, keep the client configuration file basic-udp-client.conf from the same recipe at hand. For the Windows client, keep the corresponding client configuration file, basic-udp-client.ovpn, from the previous recipe at hand.

How to do it...

  1. Create the server configuration file by adding a line to the basic-udp-server.conf file:
            status /var/log/openvpn.status 
    

    Save it as example2-10-server.conf.

  2. Start the server:
           [root@server]# openvpn --config example2-10-server.conf
    
  3. First, start the Linux client:
           [root@client1]# openvpn --config basic-udp-client.conf
    
  4. After the VPN is established, list the contents of the openvpn.status file:
           [root@server]# cat /var/log/openvpn.status
    

    A sample output is shown in the following screenshot:

    How to do it...
  5. Transfer the ca.crtclient2.crt, and client2.key files along with the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or PuTTY's pscp command-line tool.
  6. Start the Windows client on the command line:
           [WinClient2]C:> cd program filesopenvpnconfig
           [WinClient2]C:> ..inopenvpn --config basic-udp-
               client.ovpn
    

    Remember that this client's private key file is protected using a password or passphrase.

  7. List the contents of the status file again on the server:
           [root@server]# cat /var/log/openvpn.status
    

    A sample output is shown in the following screenshot:

    How to do it...

How it works...

Each time a client connects to the OpenVPN server, the status file is updated with the connection information. The OpenVPN  CLIENT LIST and ROUTING  TABLE tables are the most interesting ones, as they provide the following information:

  • Which clients are connected
  • From which IP address the clients are connecting
  • The number of bytes each client has received and transferred
  • The time at which the client connected

In addition, the routing table also shows which networks are routed to each client.

There's more...

There are three things to keep in mind when using status files:

Status parameters

The status directive takes two parameters:

  • The filename of the status file.
  • Optionally, the refresh frequency for updating the status file. The default value of 60 seconds should suffice for most situations.

Disconnecting clients

Note that when a client disconnects the status file, it is not updated immediately. OpenVPN first tries to reconnect to the client based on the keepalive parameters in the server configuration file. The server configuration file in this recipe uses:

keepalive 10 60 

This tells the server that it will ping the client every 10 seconds. If it does not get a response after 60 seconds * 2, the connection is restarted. The OpenVPN server will double the value of the second argument. The server will also tell the client to ping every 10 seconds and to restart the connection after 60 seconds if it does not get any response.

Explicit-exit-notify

One of the lesser-known options of OpenVPN is the following directive:

explicit-exit-notify [N] 

This can be set on the client side so that when the client disconnects, it will send an explicit OCC_EXIT message to the server (if at all possible). This will speed up the removal of disconnected clients. The optional parameter N indicates the number of times the message will be sent. By default, only a single OCC_EXIT message is sent, which can cause problems as the UDP protocol does not guarantee the delivery of packets.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.50.124