OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: ezra55 on January 23, 2018, 12:04:28 pm

Title: Monit for OpenVPN clients
Post by: ezra55 on January 23, 2018, 12:04:28 pm
Hey guys,

Quick question, my VPN clients (5x) seem to fail quite often. I've set up different monitoring IPs in the corresponding gateways for each client.

I have a 'killswitch' in place to not use my WAN ISP, only for the VPN client ports, DNS and ping from the firewall to connect to the VPN and nothing else.

At random they all stop and don't get back up. Does anyone have some experience setting this up in Monit to get it fixed?
I use monit CLI but this GUI stuff is hard to figure out.

Thanks!
Title: Re: Monit for OpenVPN clients
Post by: faunsen on January 23, 2018, 02:14:08 pm
Hi ezra55,

At random they all stop and don't get back up. Does anyone have some experience setting this up in Monit to get it fixed?
I use monit CLI but this GUI stuff is hard to figure out.

what exactly is your problem?
Do you have a Monit config and don't know how to do the same with the GUI?
Or do you need more basic advice on how to monitor your VPNs?


Cheers,
Frank
Title: Re: Monit for OpenVPN clients
Post by: ezra55 on January 23, 2018, 07:07:07 pm
Hey, I'm sorry for not being clear. I need either; I just need a solution for my VPN clients to stay up. Scanning the OpenVPN logs doesn't really get me to a cause for why they drop... So any advice is welcome. Thanks
Title: Re: Monit for OpenVPN clients
Post by: faunsen on January 24, 2018, 10:57:10 am
Ok, first we need to know how to monitor the clients.
The easiest way would be ICMP. Make sure you can ping the remote side.

The Monit plugin installer should have already created a Ping test.
Name: Ping
Condition: failed ping
Action: Alert


Then create a Service of type 'Remote Host'.
Name: Client1
Type: Remote Host
Address: <REMOTE_IP>
Tests: Ping


Restart Monit and check the status page. If the VPN is up the status of Client1 should be OK.


Now comes the difficult part: restarting the client if the ping fails.

The os-monit plugin is only a GUI for the monit(1) service configuration.
Therefore we need a shell command to start/stop the clients.
Unfortunately OPNsense has no way to restart the VPNs from the command line. https://github.com/opnsense/core/issues/412

You need to create your own start/stop script.
Connect to the firewall via SSH and open a shell.
The client configuration naming is client1, client2 and so on.
The folder /var/etc/openvpn/ holds the configs. Have a look at clientX.conf to see which client you need for which Monit config.

The openvpn rc.d script expects its config files in /usr/local/etc/openvpn/.
Therefore create a link to it
Code:
# cd /usr/local/etc/
# ln -s /var/etc/openvpn

Then create a link to the openvpn start/stop script for e.g. client1.
The name of the link must match the prefix of the config file in /var/etc/openvpn/.
Code:
# cd /usr/local/etc/rc.d
# ln -s openvpn client1

Then you can check the status of client1:
Code:
# /usr/local/etc/rc.d/client1 onestatus
openvpn_client1 is running as pid 55319.

Try to stop and start it:
Code:
# /usr/local/etc/rc.d/client1 stop
Stopping client1.
Waiting for PIDS: 55319.
# /usr/local/etc/rc.d/client1 onestart
Starting client1.

Now edit the Monit service 'Client1' and add the start/stop scripts:
Start: /usr/local/etc/rc.d/client1 onestart
Stop: /usr/local/etc/rc.d/client1 stop


Edit the 'Ping' Service Test, change the action from 'Alert' to 'Restart' and restart Monit.

Additionally I'd limit the restarts.
Add a service test:
Name: RestartLimit5
Condition: 5 restarts within 5 cycles
Action: unmonitor


And add it to the 'Client1' service:
Test: Ping, RestartLimit5

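The steps above as one script, added here as an example and not code from the thread or from OPNsense: it creates the two symlinks the procedure needs and emits the plain monitrc form of the GUI services (check host, ping test with restart action, start/stop programs, restart limit) for every clientX.conf it finds. It assumes each client config carries the standard OpenVPN `remote <host> [port]` directive and uses that host as the ping target; the root prefix argument is an addition so the whole thing can be dry-run in a scratch directory before touching the live /usr/local/etc. `ln -sfn` is used instead of the thread's plain `ln -s` so re-running is harmless, but it still assumes /usr/local/etc/openvpn does not already exist as a real directory.

```sh
#!/bin/sh
# Added example (not from the thread or OPNsense): monitrc generation and
# symlink setup for OpenVPN clients restarted through the rc.d script.

# Create the links the openvpn rc.d script needs.
# $1 = root prefix ("" or "/" for the live system, a scratch dir for a dry run)
# $2 = rc.d link name, which must equal the config prefix (e.g. client1)
setup_rc_links() {
    root=${1%/}
    rc=$2
    mkdir -p "$root/usr/local/etc/rc.d" "$root/var/etc/openvpn"
    # /usr/local/etc/openvpn -> /var/etc/openvpn, where OPNsense writes clientX.conf
    ln -sfn "$root/var/etc/openvpn" "$root/usr/local/etc/openvpn"
    # /usr/local/etc/rc.d/<rc> -> openvpn; the rc script derives the config
    # file name from the name it was invoked as, hence the link name matters
    ln -sfn openvpn "$root/usr/local/etc/rc.d/$rc"
}

# Print the remote host from an OpenVPN client config (first "remote" wins).
remote_of() {
    awk '$1 == "remote" { print $2; exit }' "$1"
}

# Emit one monit "check host" block: ping the remote, restart via the rc.d
# link when the ping fails, and give up after 5 restarts within 5 cycles.
# $1 = client name (clientX), $2 = address to ping
monit_check_host() {
    name=$1; addr=$2
    cat <<EOF
check host ${name} with address ${addr}
    start program = "/usr/local/etc/rc.d/${name} onestart"
    stop program  = "/usr/local/etc/rc.d/${name} stop"
    if failed ping then restart
    if 5 restarts within 5 cycles then unmonitor

EOF
}

# Walk every clientX.conf under $1 and emit a monitrc fragment for each.
generate_monitrc() {
    dir=$1
    for conf in "$dir"/client*.conf; do
        [ -e "$conf" ] || continue            # glob matched nothing
        name=$(basename "$conf" .conf)
        addr=$(remote_of "$conf")
        [ -n "$addr" ] || { echo "no remote directive in $conf" >&2; continue; }
        monit_check_host "$name" "$addr"
    done
}

# Usage on the firewall (as root), after sourcing this file:
#   setup_rc_links / client1
#   generate_monitrc /var/etc/openvpn
# Dry run in a scratch tree:
#   setup_rc_links /tmp/scratch client1
#   generate_monitrc /tmp/scratch/var/etc/openvpn
```

Compare the emitted blocks with what the os-monit plugin writes for the GUI services; the test names differ (the GUI calls the service Client1, the rc.d link has to be client1), but the semantics are the same. If the clients are configured with a hostname rather than an IP, that hostname is what gets pinged, so the check tracks whatever the name resolves to at each cycle.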

Title: Re: Monit for OpenVPN clients
Post by: ezra55 on January 25, 2018, 10:48:57 pm
Wow man, thanks for this great detailed "How to". I just set up everything from scratch again. When I find some time this weekend I'm gonna implement this and report back. Thanks again, have a great weekend!

Ezra
Title: Re: Monit for OpenVPN clients
Post by: faunsen on January 26, 2018, 08:49:01 am
No worries.
If it works I'll put it into the How-To section.  :)
Title: Re: Monit for OpenVPN clients
Post by: franco on January 26, 2018, 07:34:02 pm
We will be working on core integration of Monit as the new notification service and subsequently start to provide more service hooks for it like OpenVPN in this particular case. :)


Cheers,
Franco
Title: Re: Monit for OpenVPN clients
Post by: ezra55 on January 26, 2018, 08:17:05 pm
Aah great, thanks a bunch! I'll be setting it up tomorrow! Thanks again.
Title: Re: Monit for OpenVPN clients
Post by: ezra55 on March 26, 2018, 05:52:24 pm
Sorry for the long wait. Only started this last week. In my case I have 5x clients using nl.privateinternetaccess.com as the hostname,
which can all have a different IP:
Code:
nl.privateinternetaccess.com has address 46.166.190.130
nl.privateinternetaccess.com has address 46.166.186.244
nl.privateinternetaccess.com has address 46.166.190.197
nl.privateinternetaccess.com has address 46.166.188.212
nl.privateinternetaccess.com has address 109.201.154.141
nl.privateinternetaccess.com has address 46.166.190.220
nl.privateinternetaccess.com has address 46.166.186.236
nl.privateinternetaccess.com has address 46.166.188.213
nl.privateinternetaccess.com has address 46.166.137.234
nl.privateinternetaccess.com has address 46.166.188.226
nl.privateinternetaccess.com has address 109.201.154.151
nl.privateinternetaccess.com has address 46.166.137.240
nl.privateinternetaccess.com has address 46.166.138.135

How to proceed in this case, any ideas?
Thanks again for the write up.

Ezra