[hobbit] bb-service entry for OpenVPN

Jerry Yu jjj863 at gmail.com
Mon Aug 28 19:55:23 CEST 2006


The server is configured to use TCP.
Argh, it didn't occur to me that the 'CONNECTED' is actually the client speaking
instead of coming from the VPN server.  That would explain why it fails all the
time!
Well, what about just seeing if I can open a TCP connection to that port
(again, the HMAC secret will probably get in the way of establishing a true
SSL connection)?




On 8/28/06, Henrik Stoerner <henrik at hswn.dk> wrote:
>
> On Fri, Aug 25, 2006 at 10:09:50AM -0400, Jerry Yu wrote:
> > I need to monitor OpenVPN service on a remote server (OpenVPN is
> > already monitored as a PROC locally on that server)
> >
> > OpenVPN is SSL-based, so, I made up a service entry as below. The test
> > is failing, got 'unexpected service response', w/o any data. Because a
> > shared HMAC secret is used for this OpenVPN server, a connection
> > attempt w/o the HMAC secret will not be able to get the certificate
> > (maybe this is why it fails?).
>
> In the default configuration, OpenVPN is only UDP traffic - Hobbit has
> no support for communicating with this type of service.
>
> Assuming you did configure OpenVPN for TCP, then it is likely that the
> SSL protocol is either wrapped inside an OpenVPN header, or some OpenVPN
> traffic needs to precede the actual SSL handshake.
>
> > [openvpn]
> > expect "CONNECTED(00000003)"
> > option ssl
> > port 12345
>
> That "expect" string will never match; the "CONNECTED" string is a
> debugging output from the OpenSSL "s_client" utility.
>
> Your best bet is probably to enable the OpenVPN management service, and
> check that with a normal "http" status check.
>
>
> Regards,
> Henrik