OPNSense – Monitor number of connected OpenVPN users with Zabbix

Hello everyone!

Recently I’ve been toying around with my new, fully featured lab. I couldn’t decide what kind of firewall I’d like to use (obviously considering the fact that I was trying to avoid getting anything commercial). I really enjoyed using pfSense in the past but felt like the UI was a bit dated. Fortunately, OPNSense exists!

After configuring everything and setting up remote access I decided to set up a Zabbix server in my new environment to keep an eye on various things. The one thing I couldn’t monitor, however, was the amount of remote users connected to my OpenVPN server hosted on my OPNSense firewall.

I read a couple of articles, as well as few stackoverflow questions and thought to myself – alright, that won’t be pretty. And it’s not. But hey, it works!

Let’s get to it.


Make sure your Zabbix server is able to authenticate using SSH keys. Please refer to https://www.zabbix.com/documentation/current/manual/config/items/itemtypes/ssh_checks if you haven’t done this yet.


Please bear in mind this might not work if you’re not using a pfSense/OPNSense firewalls.

Let’s open up a template of our choice and create a new application called “OpenVPN”:

Now let’s switch to “Items” and create a new item:

  • Name: Active OpenVPN Users
  • Type: SSH agent
  • Key: ssh.run[ovpnusers] (You can change ovpnusers to whatever you like. It’s just a description of the check we do. If you are using SSH on custom port, your key will look like this: ssh.run[ovpnusers,,2222] where 2222 is your custom port)
  • User name: *blank*
  • Password: *blank*
  • Authentication method: Public key
  • User name: root (obviously this can be different in your case)
  • Public key file: yourkey.pub (will lead to /home/zabbix/.ssh/yourkey.pub)
  • Private key file: yourkey (will lead to /home/zabbix/.ssh/yourkey)
  • Key passphrase: your_passphrase (if your key has a passphrase, specify it here)
  • Executed script: echo “status” | nc -w 0 -U /var/etc/openvpn/server1.sock | grep -E “^\w*\,((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).*” | wc -l
  • Type of information: Numeric (float)
  • Update interval: 30s
  • Applications: Select “OpenVPN”

And press “Update”. That’s it!

You should now be able to see the result in Latest Data:

Please let me know if you have any problems getting this to work. As I said, I couldn’t find a good way of getting this done on OPNSense as the articles I came across usually used OpenVPN management port to communicate with the server. In OPNSense’s case, this port isn’t exposed and we have to connect straight to the socket

Leave a Reply

Your email address will not be published. Required fields are marked *