Monit for OpenVPN clients

Started by ezra55, January 23, 2018, 12:04:28 PM

Hey guys,

Quick question, my VPN clients (5x) seem to fail quite often. I've set up different monitoring IPs in the corresponding gateways for each client.

I have a 'Killswitch' in place to not use my WAN ISP; only the VPN client ports, DNS and ping from the firewall to connect to the VPN, and nothing else.

At random they all stop and don't get back up. Does anyone have some experience setting this up in Monit to get it fixed?
I use the monit CLI, but this GUI stuff is hard to figure out.

Thanks!

Hi ezra55,

Quote from: ezra55 on January 23, 2018, 12:04:28 PM
At random they all stop and don't get back up. Does anyone have some experience setting this up in Monit to get it fixed?
I use the monit CLI, but this GUI stuff is hard to figure out.

what exactly is your problem?
Do you have a Monit config and don't know how to do the same with the GUI?
Or do you need more basic advice on how to monitor your VPNs?


Cheers,
Frank

Hey, I'm sorry for not being clear. I need either; I just need a solution for my VPN clients to stay up. Scanning the OpenVPN logs doesn't really get me to a cause for why they drop... So any advice is welcome. Thanks

January 24, 2018, 10:57:10 AM #3 Last Edit: January 26, 2018, 08:45:06 AM by faunsen
Ok, first we need to know how to monitor the clients.
The easiest way would be ICMP. Make sure you can ping the remote side.

The Monit plugin installer should have already created a Ping test.
Name: Ping
Condition: failed ping
Action: Alert


Then create a Service of type 'Remote Host'.
Name: Client1
Type: Remote Host
Address: <REMOTE_IP>
Tests: Ping


Restart Monit and check the status page. If the VPN is up the status of Client1 should be OK.


Now comes the difficult part: restarting the client if the ping fails.

The os-monit plugin is only a GUI for the monit(1) service configuration.
And therefore we need a shell command to start/stop the clients.
Unfortunately OPNsense has no way to restart the VPNs from the command line. https://github.com/opnsense/core/issues/412

You need to create your own start/stop script.
Connect the firewall via SSH and open a Shell.
The client configuration naming is client1, client2 and so on.
The folder /var/etc/openvpn/ holds the configs. Have a look at clientX.conf to see which client for which Monit config you need.

The openvpn rc.d script expects its config files in /usr/local/etc/openvpn/.
Therefore create a link to it:
# cd /usr/local/etc/
# ln -s /var/etc/openvpn


Then create a link to the openvpn start/stop script for e.g. client1.
The name of the link must match the prefix of the config file in /var/etc/openvpn/.
# cd /usr/local/etc/rc.d
# ln -s openvpn client1


Then you can check the status of client1:
# /usr/local/etc/rc.d/client1 onestatus
openvpn_client1 is running as pid 55319.


Try to stop and start it:
# /usr/local/etc/rc.d/client1 stop
Stopping client1.
Waiting for PIDS: 55319.
# /usr/local/etc/rc.d/client1 onestart
Starting client1.


Now edit the Monit service 'Client1' and add the start/stop scripts:
Start: /usr/local/etc/rc.d/client1 onestart
Stop: /usr/local/etc/rc.d/client1 stop


Edit the 'Ping' Service Test, change the action from 'Alert' to 'Restart' and restart Monit.

Additionally I'd limit the restarts.
Add a service test:
Name: RestartLimit5
Condition: 5 restarts within 5 cycles
Action: unmonitor


And add it to the 'Client1' service:
Tests: Ping, RestartLimit5
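For anyone who, like the OP, is more comfortable with the monit(1) configuration file than with the os-monit GUI, this is what the setup above corresponds to in monitrc syntax. It is an added example, not taken from the post or generated by the os-monit plugin; <REMOTE_IP> is a placeholder for the monitoring address, and the rc.d link path assumes the client1 link created above.

```monit
# Added example: monitrc equivalent of the GUI configuration described above.
# One "cycle" is one poll interval; the plugin normally sets this already,
# so omit the line below if your monitrc already contains a 'set daemon'.
set daemon 60

# Remote Host service 'Client1' (the Monit GUI calls this type 'Remote Host').
check host client1 with address <REMOTE_IP>
    # Start/Stop scripts, using the rc.d link created above
    start program = "/usr/local/etc/rc.d/client1 onestart"
    stop program  = "/usr/local/etc/rc.d/client1 stop"
    # 'Ping' test with action 'Restart': monit runs stop, then start
    if failed ping then restart
    # 'RestartLimit5' test: stop trying after 5 restarts in 5 cycles,
    # so a dead remote side does not cause an endless restart loop
    if 5 restarts within 5 cycles then unmonitor
```

After editing, validate the file with `monit -t` before reloading; a syntax error in the fragment otherwise takes down all monitoring at once. Note that once the service is unmonitored it stays that way until you re-enable it (`monit monitor client1`), so pair the limit with an alert if you want to know when it has tripped.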



Wow man, thanks for this great detailed "How to". I just set up everything from scratch again. When I find some time this weekend I'm gonna implement this and report back. Thanks again, have a great weekend!

Ezra

No worries.
If it works I'll put it into the How-To section.  :)

We will be working on core integration of Monit as the new notification service and subsequently start to provide more service hooks for it like OpenVPN in this particular case. :)


Cheers,
Franco

Aah great, thanks a bunch! I'll be setting it up tomorrow! Thanks again.

Sorry for the long wait. Only started this last week. In my case I have 5x clients using nl.privateinternetaccess.com as hostname, which can all have a different IP.

How to proceed in this case, any ideas?
Thanks again for the write up.

Ezra