用 Prometheus 來監控 OpenVPN server

需求

如果你已經有了一個自己管理的 OpenVPN access server, 他本身是有一個簡單的管理介面, 但在這個時代, 用 Grafana + Prometheus 應該是比較好的選擇.

OpenVPN 的 Prometheus 方案

Google 一下有幾個, 不過因為我們用的是自建的 OpenVPN Access Server, 只能用這個.

• https://github.com/lfdominguez/openvpn-access-exporter

這個是不能用的, 不過很可惜, 這個的功能看來比較多.

• https://github.com/kumina/openvpn_exporter

安裝使用

1. 下載適合你環境的程式 (https://github.com/lfdominguez/openvpn-access-exporter/releases)

2. 執行下列指令啟動 exporter

   1$ openvpn-access-exporter --file /usr/local/openvpn_as/etc/db/log.db
   2[2022-07-05T23:10:41Z INFO  openvpn_access_exporter] Using file: /usr/local/openvpn_as/etc/db/log.db
   

3. 連線到 http://localhost:9185, 就會看到類似下面的 metrics

    1# HELP access_counter Requests counter
    2# TYPE access_counter counter
    3access_counter 61
    4# HELP openvpn_user_bytes_in Bytes in
    5# TYPE openvpn_user_bytes_in gauge
    6openvpn_user_bytes_in{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="hYTtny0ozcppC3tS",username="user1",vpn_ip="172.27.224.2"} 3623 1656473784000
    7openvpn_user_bytes_in{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="lXgWcyk33yOe92Zg",username="user1",vpn_ip="172.27.224.3"} 3320 1655708617000
    8openvpn_user_bytes_in{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="9RCKoPcSj0CB8Cyo",username="user1",vpn_ip="172.27.224.8"} 3554022 1657085339000
    9# HELP openvpn_user_bytes_out Bytes out
   10# TYPE openvpn_user_bytes_out gauge
   11openvpn_user_bytes_out{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="hYTtny0ozcppC3tS",username="user1",vpn_ip="172.27.224.2"} 3145 1656473784000
   12openvpn_user_bytes_out{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="lXgWcyk33yOe92Zg",username="user1",vpn_ip="172.27.224.3"} 3592 1655708617000
   13openvpn_user_bytes_out{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="9RCKoPcSj0CB8Cyo",username="user1",vpn_ip="172.27.224.8"} 11765019 1657085339000
   14# HELP openvpn_user_duration Connection duration
   15# TYPE openvpn_user_duration gauge
   16openvpn_user_duration{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="hYTtny0ozcppC3tS",username="user1",vpn_ip="172.27.224.2"} 0 1656473784000
   17openvpn_user_duration{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="lXgWcyk33yOe92Zg",username="user1",vpn_ip="172.27.224.3"} 0 1655708617000
   18openvpn_user_duration{common_name="user1",node="vm1655366325290-2779681-iaas",real_ip="x.x.x.x",session_id="9RCKoPcSj0CB8Cyo",username="user1",vpn_ip="172.27.224.8"} 901 1657085339000
   

4. 不過很可惜的, 沒有找到現成的 Grafana Dashboard, 只能自力救濟了.

故障排除

1. 如果程式跑起來了, 但一打 http://localhost:9185 就遇到這個訊息的話, 我這邊是遇到權限問題, 因為是用 root 執行 openvpn, 然後用一般 user 執行 exporter, 他沒權限的訊息並沒有很清楚.

   1thread 'tokio-runtime-worker-0' panicked at 'called `Result::unwrap()` on an `Err` value: Error { code: Some(14), message: None }', src/main.rs:70:48
   2note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
   3Aborted (core dumped)
   

相關文章

1. 如果你要自己在 Linux(Ubuntu) 上安裝 OpenVPN server, 可參考 OpenVPN server 簡易安裝使用 (Ubuntu)
2. 如果你使用的是 Asuswrt-Merlin, 他有內建 OpenVPN server, 可參考 在 Asuswrt-Merlin 使用 OpenVPN server
3. 這是一篇 Open Source VPN 方案的簡單比較和測速: Open Source VPN 之不嚴謹比較