Following a post a couple of days ago, I bumped into a piece of software called openvpn-monitor. It allows you to see all active incoming OpenVPN connections to ClearOS in a web browser. This Howto shows how to install it.
yum install mod_python python-GeoIP python-ipaddr python-argparse python-humanize python-semantic_version git --enablerepo=clearos-core,clearos-epel
cd /var/www/html
git clone https://github.com/furlongm/openvpn-monitor.git
chown apache:apache /var/www/html/openvpn-monitor -R
Note mod_python and python-argparse are not needed in ClearOS 7.x and may not be needed in 6.x.
Create a file /etc/httpd/conf.d/openvpn-monitor.conf:
# AddHandler cgi-script .cgi
<Directory /var/www/html/openvpn-monitor>
Options +ExecCGI
AddHandler cgi-script .py
DirectoryIndex openvpn-monitor.py
Order deny,allow
Deny from all
Allow from 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
</Directory>
Edit the file /var/www/html/openvpn-monitor/openvpn-monitor.conf changing site, latitude, longitude and name. I used this site to find my latitude and longitude from my postcode. You may need another site depending on where you are. I also turned the map off.
Set up the GeoIP:
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat
Restart apache:
service httpd restart
In /etc/openvpn/clients.conf add a line:
management 127.0.0.1 5555
Then restart OpenVPN e.g.
service openvpn restart
Then navigate to http://your_server_IP/openvpn-monitor and there you are.
Then you look at /var/log/messages and see it gets spammed with openvpn MANAGEMENT rubbish. To get rid of that, create a file in /etc/rsyslog.d. I have a general one I use for filtering bits of rubbish called messages-filter.conf but call it what you like. Add the lines:
# Suppress Openvpn MANAGEMENT messages
if $programname == 'openvpn' and $msg contains 'MANAGEMENT' then ~
Then restart rsyslog:
service rsyslog restart
I have only used this with the UDP configuration of OpenVPN. I have a feeling that if you want to monitor another instance of OpenVPN, such as the TCP configuration, you'll need to use a different management port and have a separate instance of OpenVPN Monitor running in the web server (change the port in /var/www/html/openvpn-monitor/openvpn-monitor.cfg and the line you add to clients.conf and use a different subdirectory of /var/www/html/ to install the second instance of OpenVPN Monitor).
[edit]
Edited 11/03/2016 following this post
Credit to Dennis Pantazis
[/edit]
[edit2 02/10/2016]
/var/www/html/openvpn-monitor/openvpn-monitor.cfg is now /var/www/html/openvpn-monitor/openvpn-monitor.conf
lat is now latitude
long is now longitude
[/edit2]
[edit3 04/10/2019]
Added python-semantic_version to the yum command
[/edit3]
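An added example (not part of the original post or of openvpn-monitor): a Python 3 check of the management lines across OpenVPN instance configs, covering the loopback bind used above and the separate-port-per-instance point. The file name clients-tcp.conf, the sample contents and the finding labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the post's UDP instance plus a hypothetical TCP
# instance (file name and contents are assumptions for illustration).
SAMPLE_CONFIGS = {
    "clients.conf": "proto udp\nmanagement 127.0.0.1 5555\n",
    "clients-tcp.conf": "proto tcp-server\n"
                        "# management 127.0.0.1 5556\n"
                        "management 0.0.0.0 5555\n",
}


def management_directives(text):
    """Yield (address, port, password_file) for each active management line."""
    for line in text.splitlines():
        parts = line.strip().split()  # commented lines start with '#' or ';'
        if len(parts) >= 3 and parts[0] == "management":
            yield parts[1], parts[2], parts[3] if len(parts) > 3 else None


def is_loopback(address):
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # some other hostname: treat as exposed


def audit(configs):
    """Return (file, finding) pairs for a {file name: config text} mapping."""
    findings, seen_ports = [], {}
    for name, text in configs.items():
        for address, port, pw_file in management_directives(text):
            if port == "unix":
                continue  # unix-socket form, guarded by file permissions
            if not is_loopback(address):
                findings.append((name, "NON_LOOPBACK"))
                if pw_file is None:  # optional third argument is a password file
                    findings.append((name, "NO_PASSWORD"))
            if port in seen_ports:  # each instance needs its own port
                findings.append((name, "PORT_REUSED:" + seen_ports[port]))
            seen_ports.setdefault(port, name)
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIGS):
        print(name, finding)
```

The post's own line, management 127.0.0.1 5555, produces no findings; the constructed TCP file is flagged on all three counts.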
Responses (3)
Accepted Answer
Here's a necro-bump.
Since this first post was written I've been installing GeoLite by yum but for the last year the GeoLite database has gone into maintenance mode. openvpn-monitor was updated today on github to work with the GeoIP2 database which is maintained. The free version is less accurate than the paid version but it is maintained. I have found sources for this at the fan-city repo and you can run your own auto-updater with:
rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-1.rhel7.noarch.rpm
yum update Geo* --enablerepo=city-fan.org
Note this installs a third-party repo, but it is in a disabled state so should not interfere with regular updates. If installing from fresh, also install "geoipupdate-cron" from the same repo. You may need to update your /etc/GeoIP.conf to these settings (all comments have been removed):
LicenseKey 000000000000
UserId 0
ProductIds GeoLite2-City
More info is available at Maxmind's site. (You do not need to set up the cron job - yum took care of that)
You also need python2-geoip2:
yum install python2-geoip2
Then in your /var/www/html/openvpn-monitor/openvpn-monitor.conf (your location may vary depending on where you installed your website), change:
geoip_data=/usr/share/GeoIP/GeoIPCity.dat
to:
geoip_data=/usr/share/GeoIP/GeoLite2-City.mmdb
Alternatively it looks like you can get the GeoLite2-City database directly from EPEL. As this is enabled by default you'll automatically get updates with a small delay as the package maintainer needs to push an update via epel-testing. If you want to use the EPEL GeoLite2-City then it is much easier.
You can remove all the old GeoIP packages (but don't use yum or it will remove too many dependencies):
rpm -e --nodeps GeoIP-update GeoIP-data
Then just install the following:
yum install python2-geoip2 geolite2-city
Then in your /var/www/html/openvpn-monitor/openvpn-monitor.conf (your location may vary depending on where you installed your website), change:
geoip_data=/usr/share/GeoIP/GeoIPCity.dat
to:
geoip_data=/usr/share/GeoIP/GeoLite2-City.mmdb