This script checks the log messages for incorrect settings in the configuration of the OpenVPN connection, in order to facilitate debugging.
The monitoring script therefore consists of two parts: a client script, which calls the OVP check script on the IPFire via SSH, and the check script itself.
This script may be used, expanded and supplemented. Thanks again to ummeegge for his work!
SSH and OVP-Check Script
As an example, the script was saved in the /mnt/mo_scripts/ directory. The script needs to be made executable.
SSH Client Script
This script must be stored on the client side.
filename = ovpstat.sh
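#!/bin/bash -
####
# Fun script, part 2 8-)
# Open an SSH session and call the IPFire OVP script
# ummeegge 23.12.2012
####
# Runs the OVP check script on the IPFire over SSH and shows its output here.
# "IP-IPfire" is a placeholder for the firewall's address; replace it or set
# IPFIRE_HOST in the environment. Port 222 is the SSH port the original used;
# set IPFIRE_SSH_PORT if the firewall listens elsewhere.
# The check runs as root on the firewall, so prefer key-based authentication
# for this login.
IPFIRE_HOST="${IPFIRE_HOST:-IP-IPfire}"
IPFIRE_SSH_PORT="${IPFIRE_SSH_PORT:-222}"
# -t: allocate a tty so the coloured output of ovp_info.sh is shown as intended.
ssh -p "$IPFIRE_SSH_PORT" -t "root@${IPFIRE_HOST}" /mnt/mo_scripts/ovp_info.sh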
After saving or creating the script, it must still be made executable:
chmod +x ovpstat.sh
OVP-Check Script
Put this script on the IPFire.
filename = ovp_info.sh
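#!/bin/bash -
###########################################
# OVPN Check for known errors script
# 5p9 13.03.2013
# supplemented some checks ummeegge 18.03.13
##########################################
# Scans the syslog for OpenVPN messages that point at known
# configuration mistakes and prints a hint per finding together
# with the matching log lines. Read-only: nothing in the log or
# in the OpenVPN configuration is changed.
#
# Usage: ovp_info.sh [LOGFILE]   (default: /var/log/messages)
LOG="/var/log/messages"
SEP="------------------------------------------------------------------------------------------------------------"

#######################################
# Print a message highlighted (bold white on black); same escape
# sequence the original 'echo -e' lines used.
# Arguments: $1 - text
# Outputs:   highlighted text plus newline on stdout
#######################################
hl() {
  printf '\033[1;37;40m%s\033[0m\n' "$1"
}

#######################################
# Print the result of one check.
# Arguments: $1 - hint shown when the check matched
#            $2 - matching log lines ("" when nothing matched)
#            $3 - text shown when nothing matched
# Outputs:   the hint framed by separators plus the matching lines,
#            or the "nothing found" text, on stdout
#######################################
report() {
  local hint=$1 matches=$2 none_msg=$3
  echo
  if [[ -n "$matches" ]]; then
    echo "$SEP"
    hl "$hint"
    echo
    # The lines were already read from the log once; print the captured
    # text instead of grepping the file a second time with a different
    # pattern. Log lines partly contain peer-supplied text and are shown
    # on a terminal, so strip ESC bytes rather than let the tty
    # interpret them.
    printf '%s\n' "$matches" | LC_ALL=C tr -d '\033'
    echo "$SEP"
  else
    hl "$none_msg"
  fi
}

#######################################
# Run all checks against one log file.
# Globals:   LOG (read, default log path), SEP (read)
# Arguments: $1 - log file (optional, defaults to $LOG)
# Outputs:   the report on stdout; a diagnostic on stderr when the
#            log cannot be read
# Returns:   0 when the checks ran, 1 when the log is not readable
#            (instead of printing a misleading "no problem" for every check)
#######################################
main() {
  local log=${1:-$LOG}
  local who port frag sub fail outfw mtu lzo tls tls1 tls2 note warning error

  if [[ ! -r "$log" ]]; then
    printf 'ovp_info: cannot read %s\n' "$log" >&2
    return 1
  fi

  #################
  # OVP Configcheck
  #################
  # -F: the messages contain '[', '(' and quotes; match them literally.
  who=$(grep -F -- 'primary virtual IP for' "$log")
  port=$(grep -F -- 'TCP/UDP: Socket bind failed on local address' "$log")
  frag=$(grep -F -- 'FRAG_TEST not implemented' "$log")
  sub=$(grep -F -- 'WARNING: potential route subnet conflict between local LAN' "$log")
  # Either message indicates a refused connection; -E for the alternation,
  # brackets escaped so they are not read as a character class.
  fail=$(grep -E -- 'read UDPv4 \[ECONNREFUSED\]|Connection refused' "$log")
  outfw=$(grep -F -- 'Operation not permitted (code=1)' "$log")
  # Both MTU messages point at the same mismatch, so they share one check.
  mtu=$(grep -E -- "WARNING: 'mtu-dynamic' is present in local config but missing in remote config|link-mtu is used inconsistently" "$log")
  lzo=$(grep -F -- 'Bad LZO' "$log")
  tls=$(grep -F -- 'TLS Error: TLS handshake failed' "$log")
  tls1=$(grep -F -- 'TLS keys are out of sync' "$log")
  tls2=$(grep -F -- 'TLS Error: Unroutable control packet' "$log")
  # NOTE(review): the generic checks are limited to OpenVPN lines (tagged
  # '"n2n"' or 'openvpnserver'), which is what the hints below talk about;
  # confirm this filter matches the log format in use.
  note=$(grep -E -- '"n2n"|openvpnserver' "$log" | grep -F 'NOTE:')
  warning=$(grep -E -- '"n2n"|openvpnserver' "$log" | grep -F 'WARNING')
  error=$(grep -E -- '"n2n"|openvpnserver' "$log" | grep -F 'ERROR:')

  # Who is logged on
  report "Currently, the following systems are connected:" "$who" \
    "There is no one connected."
  # Port already in use
  report "The port is already in use, please use a different port." "$port" \
    "No port problem were detected."
  # Fragment is not activated
  report "Check fragment directive on both side for equal values." "$frag" \
    "No fragment problem were detected."
  # Same subnet
  report "Same subnet in use, the subnet should be different on both sides." "$sub" \
    "No equal subnets were detected."
  # Dest-Firewall or Dest-OVP Problem (connection refused by the remote side)
  report "Check the firewall and / or OVPN settings on remote side." "$fail" \
    "No firewall or setting problem were detected."
  # Operation not permitted: local outgoing firewall settings
  report "The outgoing firewall should include the OpenVPN port." "$outfw" \
    "No outgoing firewall problem were detected."
  # MTU Sizecheck
  report "The MTU should be equal on both sides." "$mtu" \
    "No MTU problem were detected."
  # LZO check
  report "The LZO settings should be the same on both sides ." "$lzo" \
    "No LZO problem were detected."
  # TLS error check 1
  report "There is a TLS handshake problem, please check the certificates." "$tls" \
    "No TLS handshake problem were detected."
  # TLS error check 2
  report "The TLS keys are out of syncron, restarting both sides (ping and ping restart check)." "$tls1" \
    "No TLS sync error were detected."
  # TLS error check 3
  report "The TLS initialisation packet is unroutable, check the time, or maybe the certificates do not match well." "$tls2" \
    "No TLS initiation problem were detected."
  # general information
  report "There were hints in the OpenVPN log, please look through it." "$note" \
    "No 'NOTE' indications were detected."
  # General Warning
  report "There was a warning in the OpenVPN log, please look through it." "$warning" \
    "No general warnings were detected."
  # general errors
  report "There was an error in the OpenVPN log, please look through it." "$error" \
    "No errors were detected."

  echo
  echo "That was it with the checks ... "
  echo
  echo
}

main "$@"
# End script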
After saving or creating the script, it must still be made executable:
chmod +x ovp_info.sh
Done!