Why Monitor OpenVPN?
OpenVPN is one of the most popular VPN solutions, but monitoring VPN connections can be challenging. Without proper monitoring, you might not notice when clients are having connection issues, when traffic patterns change, or when your VPN server is under stress.
In this guide, we'll set up comprehensive monitoring for OpenVPN using Prometheus and Grafana, including:
- Real-time client connection tracking
- Traffic statistics and bandwidth monitoring
- Security alerts and access control
- Beautiful dashboards for visualization
The Challenge: OpenVPN Status Files
OpenVPN provides status information through text files, but these aren't designed for modern monitoring systems. The status files contain client information, traffic statistics, and connection details, but you need a way to:
- Parse these files regularly
- Convert the data to metrics format
- Expose metrics to Prometheus
- Visualize the data in Grafana
Solution: OpenVPN Prometheus Exporter
We'll use an open-source OpenVPN Prometheus Exporter that solves these challenges by:
- Reading OpenVPN status files automatically
- Converting data to Prometheus metrics format
- Providing security features like IP-based access control
- Including a ready-to-use Grafana dashboard
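What the parse-and-convert step involves, as an added example rather than the exporter's own code: it reads OpenVPN's default status file layout and emits the metric names used later in this guide. The sample file, the `common_name` label, and reporting `openvpn_up 0` for a truncated file are assumptions.

```python
# Constructed sample in OpenVPN's default status file layout (status-version 1).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,2024-05-01 12:00:30
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51820,104857,2097152,2024-05-01 11:02:13
bob,198.51.100.7:40112,5120,10240,2024-05-01 11:58:01
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,alice,203.0.113.10:51820,2024-05-01 12:00:29
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return client rows, or None if the file is truncated or not this format."""
    lines = text.splitlines()
    if not lines or lines[0] != "OpenVPN CLIENT LIST" or lines[-1] != "END":
        return None  # caught mid-write or wrong format: do not trust the counts
    clients, in_clients = [], False
    for line in lines[1:]:
        if line == "ROUTING TABLE":
            break
        if line.startswith("Common Name,"):
            in_clients = True
        elif in_clients:
            f = line.split(",")
            # Malformed rows are skipped rather than failing the whole scrape.
            if len(f) == 5 and f[2].isdecimal() and f[3].isdecimal():
                clients.append({"common_name": f[0], "received": int(f[2]), "sent": int(f[3])})
    return clients

def escape_label(value):
    """Escape a label value for the Prometheus text exposition format."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def render_metrics(text):
    clients = parse_status(text)
    if clients is None:
        return "openvpn_up 0\n"  # assumption: an unreadable status file counts as down
    out = ["openvpn_up 1", f"openvpn_server_client_count {len(clients)}"]
    for c in clients:
        label = f'common_name="{escape_label(c["common_name"])}"'  # label name is an assumption
        out.append(f"openvpn_server_client_received_bytes_total{{{label}}} {c['received']}")
        out.append(f"openvpn_server_client_sent_bytes_total{{{label}}} {c['sent']}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_metrics(SAMPLE_STATUS), end="")
```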
Step 1: Setting Up OpenVPN Server
First, ensure your OpenVPN server is configured to write status files. If you don't have OpenVPN set up yet, I recommend using the excellent openvpn-install script:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
Add this to your OpenVPN server configuration to enable status logging:
# Add to /etc/openvpn/server.conf
status /var/log/openvpn/status.log 30
The status file will be updated every 30 seconds with client information.
Step 2: Deploying the Exporter
The easiest way to deploy the exporter is using Docker:
# Download docker-compose.yml
curl -O https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/docker-compose.yml
# Start the exporter
docker compose up -d
Or use the one-command setup script:
curl -sSL https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/quick-start.sh | bash
The exporter will be available at http://localhost:9176/metrics.
Step 3: Security Configuration
For production environments, restrict metrics access to specific IPs:
# docker-compose.yml
environment:
  - ALLOWED_IPS=192.168.1.100,10.0.0.50,monitoring-server.local
This ensures only your monitoring infrastructure can access the metrics.
Step 4: Prometheus Configuration
Add the exporter to your Prometheus configuration:
# prometheus.yml
scrape_configs:
  - job_name: 'openvpn-exporter'
    static_configs:
      - targets: ['your-server:9176']
    scrape_interval: 30s
    metrics_path: /metrics
Step 5: Grafana Dashboard
Import the included dashboard for immediate visualization:
# Download the dashboard
curl -O https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/dashboard.json
In Grafana:
- Go to Dashboards → Import
- Upload dashboard.json
- Select your Prometheus datasource
The dashboard includes:
- Client Statistics: Connected clients, traffic, connection times
- Server Health: Server status and availability
- Traffic Analysis: Bytes sent/received, top users
- Security Monitoring: Access control alerts
Key Metrics to Monitor
Here are the most important metrics to track:
Client Connections
# Total connected clients
sum(openvpn_server_client_count)
# Clients by server
openvpn_server_client_count{instance="your-server"}
Traffic Analysis
# Top 5 clients by traffic
topk(5, openvpn_server_client_received_bytes_total + openvpn_server_client_sent_bytes_total)
# Traffic rate per client
rate(openvpn_server_client_received_bytes_total[5m])
Connection Duration
# How long clients have been connected
time() - openvpn_server_client_connection_time
Setting Up Alerts
Create alerts for critical events:
# alert.rules.yml
groups:
  - name: openvpn_alerts
    rules:
      - alert: OpenVPNServerDown
        expr: openvpn_up == 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "OpenVPN server is down"
      - alert: TooManyClients
        expr: openvpn_server_client_count > 100
        for: 2m
        labels:
          severity: warning
        annotations:
          summary: "Too many OpenVPN clients connected"
Advanced Configuration
Multiple OpenVPN Servers
Monitor multiple servers by updating the status paths:
export STATUS_PATHS="/var/log/openvpn/server1.status,/var/log/openvpn/server2.status"
docker compose up -d
Service Discovery
Use Prometheus file-based service discovery for dynamic monitoring:
# prometheus.yml
scrape_configs:
  - job_name: 'openvpn-exporter'
    file_sd_configs:
      - files:
          - 'openvpn-targets.json'

# openvpn-targets.json
[
  {
    "targets": ["openvpn-server-1:9176"],
    "labels": {
      "instance": "server-1",
      "environment": "production"
    }
  }
]
Complete Monitoring Stack
For a full monitoring setup, use the complete Docker Compose stack:
# Download complete stack
curl -O https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/examples/config/docker-compose.full.yml
# Start monitoring stack
docker compose -f docker-compose.full.yml up -d
This includes:
- OpenVPN Exporter
- Prometheus
- Grafana
- Pre-configured dashboards and alerts
Access your monitoring:
- Prometheus: http://localhost:9090
- Grafana: http://localhost:3000 (admin/admin)
Troubleshooting Common Issues
Status File Not Found
# Find your OpenVPN status files
find /var/log -name "*openvpn*" -type f
# Common locations:
# /var/log/openvpn/status.log
# /var/log/openvpn/server.status
No Metrics Available
# Check exporter logs
docker logs openvpn-exporter
# Test metrics endpoint
curl -s http://localhost:9176/metrics | grep openvpn
Access Denied Errors
# Check ALLOWED_IPS configuration
docker logs openvpn-exporter | grep "Access denied"
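# Test from allowed IP
# X-Forwarded-For is supplied by the client. It only identifies the caller when a
# proxy you control sets it, so keep port 9176 reachable only through that proxy.
curl -H "X-Forwarded-For: 192.168.1.100" http://localhost:9176/metrics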
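The ALLOWED_IPS restriction from Step 3 and the X-Forwarded-For test above both depend on which address the check authorizes. One way to implement it, as an added example rather than the exporter's own code: the TCP peer address decides unless the peer is a known proxy. The function names, the `trusted_proxies` list, and the injected `resolve` callback for hostname entries are assumptions.

```python
import ipaddress

def parse_allowlist(spec, resolve):
    """Parse an ALLOWED_IPS-style string; hostname entries go through resolve()."""
    nets = []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an IP or CIDR: treat as a hostname
            nets.extend(ipaddress.ip_network(ip) for ip in resolve(entry))
    return nets

def in_any(ip, nets):
    return any(ip in n for n in nets)

def client_ip(peer, xff, trusted_proxies):
    """Return the address to authorize, or None if the header is malformed."""
    peer_ip = ipaddress.ip_address(peer)
    if not xff or not in_any(peer_ip, trusted_proxies):
        return peer_ip  # header ignored: any client can send X-Forwarded-For
    # Walk right to left: the rightmost entries were appended by our own proxies,
    # anything further left is whatever the client chose to send.
    for hop in reversed(xff.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None
        if not in_any(ip, trusted_proxies):
            return ip
    return peer_ip

def is_allowed(peer, xff, allowlist, trusted_proxies):
    ip = client_ip(peer, xff, trusted_proxies)
    return ip is not None and in_any(ip, allowlist)

if __name__ == "__main__":
    # Constructed values: 10.0.0.2 is the reverse proxy; the hostname resolves statically.
    allow = parse_allowlist("192.168.1.100,10.0.0.50,monitoring-server.local",
                            lambda host: ["192.168.1.20"])
    proxies = [ipaddress.ip_network("10.0.0.2")]
    print(is_allowed("203.0.113.9", "192.168.1.100", allow, proxies))  # False
    print(is_allowed("10.0.0.2", "192.168.1.100", allow, proxies))     # True
```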
Best Practices
- Security First: Always use IP restrictions in production
- Regular Monitoring: Set up alerts for server downtime and unusual traffic
- Capacity Planning: Monitor client counts and traffic trends
- Backup Configuration: Keep your monitoring configuration in version control
- Documentation: Document your monitoring setup and alert procedures
Conclusion
Monitoring OpenVPN with Prometheus and Grafana provides valuable insights into your VPN infrastructure. You'll be able to:
- Track client connections and usage patterns
- Monitor server health and performance
- Detect security issues and unusual activity
- Plan capacity based on traffic trends
- Troubleshoot connection problems quickly
The OpenVPN Prometheus Exporter makes this setup straightforward with its security features, comprehensive dashboard, and easy deployment options.
Resources
- OpenVPN Prometheus Exporter - The exporter we used
- Prometheus Documentation - Learn more about Prometheus
- Grafana Documentation - Grafana setup and configuration
- OpenVPN Documentation - OpenVPN configuration
Start monitoring your OpenVPN infrastructure today and gain the visibility you need to ensure reliable VPN services for your users!