bb-service entry for OpenVPN
I need to monitor OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server)
OpenVPN is SSL-based, so, I made up a service entry as below. The test is failing, got 'unexpected service response'm w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
[openvpn] expect "CONNECTED(00000003)" option ssl port 12345
Here is a few manual sessions using openssl. I'd be happy to label the service as 'up' if I get the CONNECTED(00000003) string. any ideas?
/etc/hobbit# openssl s_client -ssl3 -connect vip1.vip.com:12345 CONNECTED(00000003) 30739:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286: /etc/hobbit# openssl s_client -ssl2 -connect vip1.vip.com:12345 CONNECTED(00000003) 30742:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:
anyone ?
On 8/25/06, Jerry Yu <jjj863 at gmail.com> wrote:
I need to monitor OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server)
OpenVPN is SSL-based, so, I made up a service entry as below. The test is failing, got 'unexpected service response'm w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
[openvpn] expect "CONNECTED(00000003)" option ssl port 12345
Here is a few manual sessions using openssl. I'd be happy to label the service as 'up' if I get the CONNECTED(00000003) string. any ideas?
/etc/hobbit# openssl s_client -ssl3 -connect vip1.vip.com:12345 CONNECTED(00000003) 30739:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286: /etc/hobbit# openssl s_client -ssl2 -connect vip1.vip.com:12345 CONNECTED(00000003) 30742:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:
On Fri, Aug 25, 2006 at 10:09:50AM -0400, Jerry Yu wrote:
I need to monitor OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server)
OpenVPN is SSL-based, so, I made up a service entry as below. The test is failing, got 'unexpected service response'm w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
In the default configuration, OpenVPN is only UDP traffic - Hobbit has no support for communicating with this type of service.
Assuming you did configure OpenVPN for TCP, then it is likely that the SSL protocol is either wrapped inside an OpenVPN header, or some OpenVPN traffic needs to precede the actual SSL handshake.
[openvpn] expect "CONNECTED(00000003)" option ssl port 12345
That "expect" string will never match; the "CONNECTED" string is a debugging output from the OpenSSL "s_client" utility.
Your best bet is probably to enable the OpenVPN management service, and check that with a normal "http" status check.
Regards, Henrik
Will the new ports test work here, to at least show that it is listening?
Henrik Stoerner wrote:
On Fri, Aug 25, 2006 at 10:09:50AM -0400, Jerry Yu wrote:
I need to monitor OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server)
OpenVPN is SSL-based, so, I made up a service entry as below. The test is failing, got 'unexpected service response'm w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
In the default configuration, OpenVPN is only UDP traffic - Hobbit has no support for communicating with this type of service.
Assuming you did configure OpenVPN for TCP, then it is likely that the SSL protocol is either wrapped inside an OpenVPN header, or some OpenVPN traffic needs to precede the actual SSL handshake.
[openvpn] expect "CONNECTED(00000003)" option ssl port 12345
That "expect" string will never match; the "CONNECTED" string is a debugging output from the OpenSSL "s_client" utility.
Your best bet is probably to enable the OpenVPN management service, and check that with a normal "http" status check.
Regards, Henrik
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
-- Rich Smrcina VM Assist, Inc. Phone: 414-491-6001 Ans Service: 360-715-2467 rich.smrcina at vmassist.com
Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
the PORT & PROC work, locally. I merely want to be sure it is accessible from remote, since the Internet access from the monitor server to the VPN server is somewhat flaky.
On 8/28/06, Rich Smrcina <rsmrcina at wi.rr.com> wrote:
Will the new ports test work here, to at least show that it is listening?
Henrik Stoerner wrote:
On Fri, Aug 25, 2006 at 10:09:50AM -0400, Jerry Yu wrote:
I need to monitor OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server)
OpenVPN is SSL-based, so, I made up a service entry as below. The test is failing, got 'unexpected service response'm w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
In the default configuration, OpenVPN is only UDP traffic - Hobbit has no support for communicating with this type of service.
Assuming you did configure OpenVPN for TCP, then it is likely that the SSL protocol is either wrapped inside an OpenVPN header, or some OpenVPN traffic needs to precede the actual SSL handshake.
[openvpn] expect "CONNECTED(00000003)" option ssl port 12345
That "expect" string will never match; the "CONNECTED" string is a debugging output from the OpenSSL "s_client" utility.
Your best bet is probably to enable the OpenVPN management service, and check that with a normal "http" status check.
Regards, Henrik
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
-- Rich Smrcina VM Assist, Inc. Phone: 414-491-6001 Ans Service: 360-715-2467 rich.smrcina at vmassist.com
Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
The server is configured to use TCP. Argh, it didn't occur to me that the 'CONNECTED' is actually client speaking instead of from the VPN server. That would explain why it fails all the time! Well, what about just to see if I can open tcp connection to that port (Again, the HMAC secret probably will get in the way of establishing a true SSL connection)?
On 8/28/06, Henrik Stoerner <henrik at hswn.dk> wrote:
On Fri, Aug 25, 2006 at 10:09:50AM -0400, Jerry Yu wrote:
I need to monitor OpenVPN service on a remote server (OpenVPN is already monitored as a PROC locally on that server)
OpenVPN is SSL-based, so, I made up a service entry as below. The test is failing, got 'unexpected service response'm w/o any data. Because a shared HMAC secret is used for this OpenVPN server, a connection attempt w/o the HMAC secret will not be able to get the certificate (maybe this is why it fails?).
In the default configuration, OpenVPN is only UDP traffic - Hobbit has no support for communicating with this type of service.
Assuming you did configure OpenVPN for TCP, then it is likely that the SSL protocol is either wrapped inside an OpenVPN header, or some OpenVPN traffic needs to precede the actual SSL handshake.
[openvpn] expect "CONNECTED(00000003)" option ssl port 12345
That "expect" string will never match; the "CONNECTED" string is a debugging output from the OpenSSL "s_client" utility.
Your best bet is probably to enable the OpenVPN management service, and check that with a normal "http" status check.
Regards, Henrik
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
On Mon, Aug 28, 2006 at 01:55:23PM -0400, Jerry Yu wrote:
The server is configured to use TCP. Argh, it didn't occur to me that the 'CONNECTED' is actually client speaking instead of from the VPN server. That would explain why it fails all the time! Well, what about just to see if I can open tcp connection to that port
[openvpn] port 12345
should do that.
(Again, the HMAC secret probably will get in the way of establishing a true SSL connection)?
Probably.
Regards, Henrik
I did the simple port way, now it is green. yeah !
On 8/28/06, Henrik Stoerner <henrik at hswn.dk> wrote:
On Mon, Aug 28, 2006 at 01:55:23PM -0400, Jerry Yu wrote:
The server is configured to use TCP. Argh, it didn't occur to me that the 'CONNECTED' is actually client speaking instead of from the VPN server. That would explain why it fails all the time! Well, what about just to see if I can open tcp connection to that port
[openvpn] port 12345
should do that.
(Again, the HMAC secret probably will get in the way of establishing a true SSL connection)?
Probably.
Regards, Henrik
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
participants (3)
-
henrik@hswn.dk
-
jjj863@gmail.com
-
rsmrcina@wi.rr.com