OpenVPN 2 Cookbook

Using the status file

OpenVPN offers several options to monitor the clients connected to a server. The most commonly used method is the status file. This recipe shows how to enable and read OpenVPN's status file.

Getting ready

We use the following network layout:


This recipe uses the PKI files created in the first recipe of this chapter. In this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The first client was running Fedora 12 Linux and OpenVPN 2.1.1. The second client was running Windows XP SP3 and OpenVPN 2.1.1. For the Linux server, keep the server configuration file basic-udp-server.conf from the recipe Server-side routing at hand. For the Linux client, keep the client configuration file basic-udp-client.conf from the same recipe at hand. For the Windows client, keep the corresponding client configuration file basic-udp-client.ovpn from the previous recipe at hand.

How to do it...

  1. Create the server configuration file by adding a line to the basic-udp-server.conf file:
     status /var/log/openvpn.status
    

    Save it as example2-8-server.conf.

  2. Start the server:
     [root@server]# openvpn --config example2-8-server.conf
    
  3. First, start the Linux client:
     [root@client1]# openvpn --config basic-udp-client.conf
    
  4. After the VPN is established, list the contents of the openvpn.status file:
     [root@server]# cat /var/log/openvpn.status
    
  5. Transfer the ca.crt, client2.crt, and client2.key files and the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as WinSCP or PuTTY's pscp command-line tool.
  6. Start the Windows client on the command-line:
     [WinClient2]C:> cd \program files\openvpn\config
     [WinClient2]C:> ..\bin\openvpn --config basic-udp-client.ovpn
    

    Remember that this client's private key file is protected using a password or passphrase.

  7. List the contents of the status file again on the server:
     [root@server]# cat /var/log/openvpn.status
    

How it works...

Each time a client connects to the OpenVPN server, the status file is updated with the connection information. The OpenVPN CLIENT LIST and ROUTING TABLE are the most interesting tables, as they show:

  • Which clients are connected
  • From which IP address the clients are connecting
  • The number of bytes each client has received and transferred
  • The time at which the client connected

In addition, the routing table also shows which networks are routed to each client.

Note that the second client is connected to the server using the same Real Address as the first client. This is caused by the fact that the Windows XP client was running as a virtual machine on the Linux client. It also shows that OpenVPN can handle NAT'ted clients quite easily.
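The following parser is an added example and is not part of the book; it reads the default (version 1) status file layout shown above, with its OpenVPN CLIENT LIST and ROUTING TABLE sections, and groups connected clients by the IP part of their Real Address so that several common names behind one NAT address, as in this recipe, stand out. The status file contents are a constructed sample; the client names and addresses are assumed, not taken from the recipe's output.

```python
import csv
import sys
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed sample of the default (status-version 1) file layout.
# Two clients connect from the same real IP address on different ports,
# which is what a NAT'ted client pair looks like in the status file.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,10.198.0.1:1194,2345,3456,Thu Jun 18 08:10:02 2009
client2,10.198.0.1:1195,1234,2345,Thu Jun 18 08:11:40 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.200.0.6,client1,10.198.0.1:1194,Thu Jun 18 08:12:10 2009
10.200.0.10,client2,10.198.0.1:1195,Thu Jun 18 08:12:12 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


@dataclass
class Client:
    common_name: str
    real_address: str
    bytes_received: int
    bytes_sent: int
    connected_since: str


@dataclass
class Route:
    virtual_address: str
    common_name: str
    real_address: str
    last_ref: str


def parse_status(text):
    """Parse a version-1 status file into (clients, routes).

    Section titles switch the parser state; the 'Updated' line and the
    CSV header rows of each section are skipped.
    """
    clients, routes = [], []
    section = None
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        first = row[0]
        if first == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if first == "ROUTING TABLE":
            section = "routes"
            continue
        if first in ("GLOBAL STATS", "END"):
            section = None
            continue
        if first in ("Updated", "Common Name", "Virtual Address"):
            continue  # timestamp line or column header row
        if section == "clients" and len(row) >= 5:
            clients.append(Client(row[0], row[1], int(row[2]), int(row[3]), row[4]))
        elif section == "routes" and len(row) >= 4:
            routes.append(Route(row[0], row[1], row[2], row[3]))
    return clients, routes


def clients_by_real_ip(clients):
    """Group common names by the IP part of Real Address (port stripped).

    More than one common name under a single IP is the NAT situation
    described in the recipe, not necessarily a problem.
    """
    groups = defaultdict(list)
    for c in clients:
        ip = c.real_address.rsplit(":", 1)[0]
        groups[ip].append(c.common_name)
    return dict(groups)


def routes_for(routes, common_name):
    """Virtual addresses and networks routed to the given client."""
    return [r.virtual_address for r in routes if r.common_name == common_name]


if __name__ == "__main__":
    # Pass the status file path as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    cl, rt = parse_status(text)
    for c in cl:
        print(f"{c.common_name:<12} {c.real_address:<20} rx={c.bytes_received} "
              f"tx={c.bytes_sent} routes={routes_for(rt, c.common_name)}")
    for ip, names in clients_by_real_ip(cl).items():
        if len(names) > 1:
            print(f"{ip}: {len(names)} clients behind one address: {', '.join(names)}")
```

Run it as `python status_parse.py /var/log/openvpn.status` on the server; with no argument it parses the embedded sample. The grouping step is what turns the raw file into something a monitoring job can act on, for instance flagging a common name that appears from two different real addresses at once.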

There's more...

Status parameters

The status directive takes two parameters:

  • The filename of the status file.
  • Optionally, the refresh frequency for updating the status file. The default value of 60 seconds should suffice for most situations.

Disconnecting clients

Note that when a client disconnects, the status file is not updated immediately. OpenVPN first tries to reconnect to the client based on the keepalive parameters in the server configuration file. The server configuration file in this recipe uses:

keepalive 10 60

This tells the server to ping the client every 10 seconds. If it does not get a response within 60 seconds * 2, the connection is restarted: the OpenVPN server doubles the value of the second argument. The server also tells the client to ping every 10 seconds and to restart the connection after 60 seconds if it does not get any response.

Explicit-exit-notify

One of the lesser-known options of OpenVPN is the following directive:

explicit-exit-notify [N]

This can be set on the client side so that when the client disconnects it will send an explicit OCC_EXIT message to the server (if at all possible). This will speed up the removal of disconnected clients. The optional parameter N indicates the number of times the message will be sent. By default, only a single OCC_EXIT message is sent, which can cause problems as the UDP protocol does not guarantee the delivery of packets.
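The following script is an added example, not code from the book, covering both the keepalive section and explicit-exit-notify above. It reads the `keepalive` and `status` directives from a server configuration and computes the worst-case delay before a silently vanished client drops out of the status file (the server-side restart of 2 * 60 seconds plus the status refresh interval), and it reads `explicit-exit-notify` from a client configuration to report how many OCC_EXIT messages will be sent on exit. The configuration fragments are constructed; the hostname in them is a placeholder.

```python
# Constructed server configuration fragment (hypothetical, not the book's
# example2-8-server.conf), with the recipe's keepalive and status settings.
SERVER_CONF = """\
port 1194
proto udp
status /var/log/openvpn.status
keepalive 10 60
"""

# Constructed client configuration fragment; the remote hostname is a placeholder.
CLIENT_CONF = """\
client
proto udp
remote openvpn-server.example.com 1194
explicit-exit-notify
"""

DEFAULT_STATUS_REFRESH = 60  # seconds, OpenVPN's default for 'status file [n]'


def parse_directives(text):
    """Return {directive: [args]} for the last occurrence of each directive.

    Blank lines and lines starting with '#' or ';' are ignored.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        found[parts[0]] = parts[1:]
    return found


def server_disconnect_timing(conf):
    """Worst-case seconds until a dead client leaves the server's status file.

    The server restarts the connection after twice the second keepalive
    argument, and the status file is rewritten every refresh interval, so
    the entry can linger for up to restart + refresh seconds.
    Returns None when no keepalive is configured (a dead client is then
    never timed out by pings).
    """
    d = parse_directives(conf)
    if "keepalive" not in d or len(d["keepalive"]) < 2:
        return None
    ping, restart = int(d["keepalive"][0]), int(d["keepalive"][1])
    server_restart = 2 * restart
    status_args = d.get("status", [])
    refresh = int(status_args[1]) if len(status_args) > 1 else DEFAULT_STATUS_REFRESH
    return {
        "ping_interval": ping,
        "server_ping_restart": server_restart,
        "status_refresh": refresh,
        "worst_case_stale": server_restart + refresh,
    }


def exit_notify_count(conf):
    """Number of OCC_EXIT messages a client sends on exit.

    0 when the directive is absent, 1 when given without N, otherwise N.
    A single message can be lost since UDP does not guarantee delivery.
    """
    d = parse_directives(conf)
    if "explicit-exit-notify" not in d:
        return 0
    args = d["explicit-exit-notify"]
    return int(args[0]) if args else 1


if __name__ == "__main__":
    t = server_disconnect_timing(SERVER_CONF)
    print("server timing:", t)
    n = exit_notify_count(CLIENT_CONF)
    print(f"client sends {n} OCC_EXIT message(s) on exit")
```

With the recipe's `keepalive 10 60` and the default refresh interval, a client that simply disappears can remain listed for up to 180 seconds; a client that exits cleanly with `explicit-exit-notify` is removed much sooner, provided its single OCC_EXIT datagram arrives.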