bb-service entry for OpenVPN
Jerry Yu
I need to monitor the OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server). OpenVPN is SSL-based, so I made up a service entry as below. The test is failing, got 'unexpected service response' w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).

[openvpn]
expect "CONNECTED(00000003)"
option ssl
port 12345

Here are a few manual sessions using openssl. I'd be happy to label the service as 'up' if I get the CONNECTED(00000003) string. Any ideas?

/etc/hobbit# openssl s_client -ssl3 -connect vip1.vip.com:12345
CONNECTED(00000003)
30739:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286:
/etc/hobbit# openssl s_client -ssl2 -connect vip1.vip.com:12345
CONNECTED(00000003)
30742:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:
Jerry Yu
anyone?
Henrik Størner
On Fri, Aug 25, 2006 at 10:09:50AM -0400, Jerry Yu wrote:
I need to monitor the OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server). OpenVPN is SSL-based, so I made up a service entry as below. The test is failing, got 'unexpected service response' w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
In the default configuration, OpenVPN is only UDP traffic - Hobbit has no support for communicating with this type of service. Assuming you did configure OpenVPN for TCP, then it is likely that the SSL protocol is either wrapped inside an OpenVPN header, or some OpenVPN traffic needs to precede the actual SSL handshake.
[openvpn]
expect "CONNECTED(00000003)"
option ssl
port 12345
That "expect" string will never match; the "CONNECTED" string is a debugging output from the OpenSSL "s_client" utility. Your best bet is probably to enable the OpenVPN management service, and check that with a normal "http" status check. Regards, Henrik
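Henrik's pointer to the OpenVPN management service, as an added example that is not part of the thread, of OpenVPN or of Hobbit/Xymon: the script below talks to that interface directly. It is a line-oriented text protocol; the server greets with a '>INFO:' banner (after an 'ENTER PASSWORD:' prompt when a management password is configured), the 'state' command answers with '<unix_time>,<state>,<description>,...' records followed by 'END', and refused commands come back as 'ERROR: ...'. The management host and port (127.0.0.1:7505) and the sample reply are assumptions. One caveat a practitioner would add: the management interface can signal the daemon and disconnect clients, so bind it to loopback, keep a password on it, and run this check on the VPN host itself, forwarding the colour to Hobbit, rather than exposing the port to a monitoring server across the Internet. For the separate question of reachability from outside, a plain TCP port check is the most an unauthenticated probe can establish against a tls-auth server, because packets without a valid HMAC are dropped before any TLS handshake.

```python
"""Check an OpenVPN daemon through its management interface and build a
Hobbit status line.

Added example for this thread; not code from the thread, from OpenVPN or
from Hobbit/Xymon. Assumes the server runs with 'management 127.0.0.1 7505'
(host and port are hypothetical) and optionally a management password.
"""
import socket

MGMT_HOST = "127.0.0.1"   # assumption: bound to loopback, never a public IP
MGMT_PORT = 7505          # assumption
TIMEOUT = 5.0


def parse_state_line(line):
    """Parse one 'state' record: '<unix_time>,<state>,<description>,...'.

    Raises ValueError for anything that is not a state record (e.g. 'END').
    """
    fields = line.split(",")
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError("not a state record: %r" % line)
    return {
        "time": int(fields[0]),
        "state": fields[1],
        "description": fields[2] if len(fields) > 2 else "",
    }


def evaluate(reply_lines):
    """Map the reply to a 'state' command onto (color, detail).

    green  : the daemon reports CONNECTED (initialization completed)
    yellow : the daemon answers but is in some other state
    red    : the command was refused or no state record came back
    """
    for line in reply_lines:
        if line.startswith("ERROR:"):
            return "red", line
        try:
            rec = parse_state_line(line)
        except ValueError:
            continue
        color = "green" if rec["state"] == "CONNECTED" else "yellow"
        return color, "%s %s" % (rec["state"], rec["description"])
    return "red", "no state record in management reply"


def query_state(host=MGMT_HOST, port=MGMT_PORT, password=None, timeout=TIMEOUT):
    """Connect, authenticate if asked, send 'state' and return the reply lines.

    The 'ENTER PASSWORD:' prompt carries no newline, so it is matched as a raw
    marker before switching to line-at-a-time reading.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""

        def read_until(marker):
            nonlocal buf
            while marker not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("management socket closed")
                buf += chunk
            head, _, buf = buf.partition(marker)
            return head.decode("utf-8", "replace").rstrip("\r")

        if password is not None:
            read_until(b"ENTER PASSWORD:")
            sock.sendall(password.encode("utf-8") + b"\n")
        while True:  # wait for the banner; an ERROR before it means bad password
            line = read_until(b"\n")
            if line.startswith(">INFO:"):
                break
            if line.startswith("ERROR:"):
                raise PermissionError(line)
        sock.sendall(b"state\n")
        lines = []
        while True:
            line = read_until(b"\n")
            if line.startswith(">"):  # asynchronous notification, not our reply
                continue
            lines.append(line)
            if line == "END" or line.startswith("ERROR:"):
                break
        sock.sendall(b"quit\n")
        return lines


def status_message(hostname, testname, color, detail):
    """Build the Hobbit status line; dots in the hostname become commas."""
    return "status %s.%s %s %s" % (hostname.replace(".", ","), testname, color, detail)


# Constructed sample reply, as a server that finished initialization answers.
SAMPLE_REPLY = ["1156779590,CONNECTED,SUCCESS,10.8.0.1,,,,", "END"]

if __name__ == "__main__":
    try:
        color, detail = evaluate(query_state())
    except (OSError, PermissionError) as exc:
        color, detail = "red", "management interface unreachable: %s" % exc
    # Hand this to the Hobbit client, e.g.  bb $BBDISP "<message>"
    print(status_message(socket.getfqdn(), "openvpn", color, detail))
```

The check reads only; it never sends a signal or kill command, but the socket it uses would accept them, which is why the host/port defaults above stay on loopback.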
Rich Smrcina
Will the new ports test work here, to at least show that it is listening?
--
Rich Smrcina VM Assist, Inc. Phone: XXX-XXX-XXXX Ans Service: XXX-XXX-XXXX user-61add9955ef9@xymon.invalid Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
Jerry Yu
the PORT & PROC work, locally. I merely want to be sure it is accessible from remote, since the Internet access from the monitor server to the VPN server is somewhat flaky.
Jerry Yu
The server is configured to use TCP. Argh, it didn't occur to me that the 'CONNECTED' is actually the client speaking instead of coming from the VPN server. That would explain why it fails all the time! Well, what about just seeing if I can open a TCP connection to that port (again, the HMAC secret probably will get in the way of establishing a true SSL connection)?
Henrik Størner
On Mon, Aug 28, 2006 at 12:19:54PM -0500, Rich Smrcina wrote:
Will the new ports test work here, to at least show that it is listening?
If it's listening on a TCP port: Yes. If UDP only: No. Regards, Henrik
Henrik Størner
On Mon, Aug 28, 2006 at 01:55:23PM -0400, Jerry Yu wrote:
The server is configured to use TCP. Argh, it didn't occur to me that the 'CONNECTED' is actually client speaking instead of from the VPN server. That would explain why it fails all the time! Well, what about just to see if I can open tcp connection to that port
[openvpn]
port 12345

should do that.
(Again, the HMAC secret probably will get in the way of establishing a true SSL connection)?
Probably. Regards, Henrik
Jerry Yu
I did it the simple port way, now it is green. Yeah!