Making Nagios check OpenVPN

I've been slowly expanding the amount of automation that runs on the servers I personally maintain. With Puppet as my configuration management system I'm able to deploy changes to however many of my servers quickly and easily. Similarly, if any server dies a fiery death a new one can be spun up immediately with no data loss.

To ensure that I'm keeping tabs on the health of the boxes, I run Nagios on my master server and monitor an ever increasing list of services across my collection. Since I've recently added a puppet controlled VPN to my repertoire, it was only natural that I should want to ensure the OpenVPN process was both online and responsive to connections.

Since I run OpenVPN on UDP port 1194, all the resources I managed to find online made reference to piping something towards the port via netcat or nc. Unfortunately, because OpenVPN is not sensible, binary information needs to be sent rather than a few ASCII characters I can read and understand. Similarly, the response is equally indecipherable.

Through testing however, I was able to identify that unless I gave OpenVPN a very specific string of binary, it would timeout on me. With this in mind, I was able to use the check_udp command that comes with Nagios, and a timeout to verify that OpenVPN was up and responding to VPN requests.

I could define the check_openvpn command for Nagios like this:

# We're not looking for a specific response, here. More that we actually get
# one and not a timeout or no data.
nagios_command { 'check_openvpn':
  ensure       => present,
  command_line => '$USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ -E -s "$38$01$00$00$00$00$00$00$00" -e "^@^@^@^@^@" -t 10 -M ok'
}

I could then call that check from within my custom VPN puppet configuration like this:

# We're using 1194 for this service and that's the only argument accepted # by the openvpn check.
nagios::service { "check_openvpn_${fqdn}":
  check_command       => "check_openvpn!1194",
  service_description => 'openvpn',
}