OPNSense – Monitor number of connected OpenVPN users with Zabbix

Hello everyone!

Recently I’ve been toying around with my new, fully featured lab. I couldn’t decide what kind of firewall I’d like to use (obviously considering the fact that I was trying to avoid getting anything commercial). I really enjoyed using pfSense in the past but felt like the UI was a bit dated. Fortunately, OPNSense exists!

After configuring everything and setting up remote access I decided to set up a Zabbix server in my new environment to keep an eye on various things. The one thing I couldn’t monitor, however, was the amount of remote users connected to my OpenVPN server hosted on my OPNSense firewall.

I read a couple of articles, as well as a few Stack Overflow questions, and thought to myself – alright, that won’t be pretty. And it’s not. But hey, it works!

Let’s get to it.

Prerequisites:

Make sure your Zabbix server is able to authenticate using SSH keys. Please refer to https://www.zabbix.com/documentation/current/manual/config/items/itemtypes/ssh_checks if you haven’t done this yet.

Zabbix:

Please bear in mind this might not work if you’re not using a pfSense/OPNSense firewall.

Let’s open up a template of our choice and create a new application called “OpenVPN”:

Now let’s switch to “Items” and create a new item:

  • Name: Active OpenVPN Users
  • Type: SSH agent
  • Key: ssh.run[ovpnusers] (You can change ovpnusers to whatever you like. It’s just a description of the check we do. If you are using SSH on custom port, your key will look like this: ssh.run[ovpnusers,,2222] where 2222 is your custom port)
  • User name: *blank*
  • Password: *blank*
  • Authentication method: Public key
  • User name: root (obviously this can be different in your case)
  • Public key file: yourkey.pub (will lead to /home/zabbix/.ssh/yourkey.pub)
  • Private key file: yourkey (will lead to /home/zabbix/.ssh/yourkey)
  • Key passphrase: your_passphrase (if your key has a passphrase, specify it here)
  • Executed script: echo "status" | nc -w 0 -U /var/etc/openvpn/server1.sock | grep -E "^\w*\,((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).*" | wc -l
  • Type of information: Numeric (float)
  • Update interval: 30s
  • Applications: Select “OpenVPN”

And press “Update”. That’s it!

You should now be able to see the result in Latest Data:

Please let me know if you have any problems getting this to work. As I said, I couldn’t find a good way of getting this done on OPNSense, as the articles I came across usually used the OpenVPN management port to communicate with the server. In OPNSense’s case this port isn’t exposed, so we have to connect straight to the Unix socket.
