50

I need to check that an OpenVPN (UDP) server is up and accessible on a given host:port.

I only have a plain Windows XP computer with no OpenVPN client (and no chance to install it) and no keys needed to connect to the server - just common WinXP command line tools, a browser and PuTTY are at my disposal.

If I were testing something like an SMTP or POP3 server I'd use telnet and see if it responds, but how do I do this with OpenVPN (UDP)?

Ivan
  • if openvpn is running via tcp, you could telnet as well – rvs Apr 22 '11 at 09:21
  • OpenVPN is running via UDP – Ivan Apr 22 '11 at 10:06
  • Can you elaborate on why you would want to solve this from an obsolete Windows system and not from a real monitoring system? – Alex Holst Apr 22 '11 at 13:40
  • If the UDP openvpn server uses the (recommended) `tls-auth` configuration option, then it is IMPOSSIBLE (If you don't have at least the outer wrapper key)! Any packet with incorrect HMAC signature will be discarded without response by the server. – Alex Stragies Aug 27 '15 at 20:09

6 Answers

62

Here is a shell one-liner:

echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | 
   timeout 10 nc -u openvpnserver.com 1194 | cat -v

If there is an OpenVPN server on the other end, the output will be

@$M-^HM--LdM-t|M-^X^@^@^@^@^@@$M-^HM--LdM-t|M-^X^@^@^@^@^@@$M-^HM--LdM-t|M-^X...

Otherwise it will just be mute and time out after 10 seconds, or display something different.

NOTE: this works only if tls-auth config option is not active, otherwise the server rejects messages with incorrect HMAC.

ocirocir
Loic Dachary
  • I get something a bit different, but I do get something. Thanks. – artfulrobot Feb 06 '13 at 16:27
  • Just to state the obvious, this is for Linux/Unix, not for Windows. And it requires netcat (not installed by default in some distros). Also, if your Linux distro does not have the "timeout" command, just use the netcat "-w" parameter, like "nc -w 10 -u openvpnserver.com 1194". – MV. May 05 '13 at 00:48
  • I am wondering, did that work for anybody? I've tried it against a number of OpenVPN servers, but received no response. – ayaz May 29 '13 at 13:57
  • This is fscking awesome. – dmourati Jun 10 '13 at 18:55
  • This will not work in OP scenario, if the server uses the `tls-auth` config option to drop packets with incorrect HMAC sig. – Alex Stragies Aug 27 '15 at 20:11
  • Awesome, thanks! Note that my version of timeout (on Ubuntu 14.04) requires a `-t` before the `10` parameter, e.g. `... | timeout -t 10 nc ...` – Jeff Ward Mar 23 '16 at 15:10
  • openvpn returns an empty result, but the status service says: TLS Error: reading acknowledgement record from packet. – e-info128 Dec 16 '16 at 16:14
  • I find piping to `od -x -N 14` rather than `cat -v` is much more useful because you can a) see the actual binary content rather than ASCII garbage and b) instantly receive each line of output as the server sends each handshake packet and stop it right away after the first. `-N 14` because the handshake packet is 14 bytes long and just repeats. – BaseZen Feb 05 '17 at 18:53
  • Does this still work? I believe it doesn't. – Andrew Lamarra Jun 23 '17 at 00:03
  • In case anyone else is in a similar situation to mine... if `tls-auth` is active and you can't/don't want to alter your configuration, you can at least see if the server is receiving the packets by examining the logs; you should see something like `TLS Error: cannot locate HMAC in incoming packet from [AF_INET]:`, though maybe that's not always much help. – fakedad Nov 21 '17 at 17:54
8

Sorry if I'm a bit late with my answer ;)
Send a UDP packet with the following content:
$38$01$00$00$00$00$00$00$00
The server must respond with something.
You can forge UDP packets with Python like this:

import socket
senddata = b"\x38\x01\x00\x00\x00\x00\x00\x00\x00"  # bytes literal: 0x38 = hard-reset opcode 7, key id 0, then an 8-byte session id

def checkserver(ip, port):
   print('Checking %s:%s' % (ip, port))
   sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
   sock.settimeout(5)  # in seconds
   sock.connect((ip, port))
   print("Sending request...")
   sock.send(senddata)  # already bytes, so no .encode() is needed on Python 3
   try:
      dta = sock.recv(100)
      print("Server reply: %r" % (dta,))
   except socket.timeout:
      print("Server not responding")
   finally:
      sock.close()
   print("###########################################################")

def main():
   checkserver("addr.of.server1", 1194)
   checkserver("addr.of.server2", 1195)

if __name__ == "__main__":
   main()
x4444
babbler
    as loic's answer says, this doesn't work for `tls-auth`. – tedder42 Feb 02 '16 at 18:31
  • 3
    For Python 3 line 10 will cause an issue. Replace "sock.send(senddata)" by "sock.send(senddata.encode())" and it will work. – NDB Feb 15 '17 at 15:31
6

You can try to run the following at the CLI

#netstat -ltnup

This should list all processes that are listening on your server/system. Grep for the port number you want:

#netstat -ltnup | grep 1194
Mister IT Guru
6

For anyone running across this who's trying to monitor a server that has tls-auth enabled, you can use the python script here: https://github.com/liquidat/nagios-icinga-openvpn

The output is formatted for use in Nagios or Icinga, but it can be run by anything/anyone, provided you have python and the tls keyfile available.

For example, if you are using SHA256 as your digest, you'd use something like:

python check-openvpn.py -p 1194 --tls-auth ta.key --digest SHA256 vpn-server.example.com

Note: you might need to add --tls-auth-inverse depending on the server's key-direction value.

seren
0

If you can get a pcap of a valid OpenVPN client to OpenVPN server interaction, you could model the initial set of packets with something like netcat, as suggested by TiZon.

Basically, you want enough of a valid first packet to get the server to respond with at least an error message, so it doesn't have to be perfect, just good enough.

I tried going to http://pcapr.net, but I didn't see an OpenVPN example there. Perhaps, if someone else is claiming the service is up, you could get that other person to grab a pcap of the transaction.

pcapademic
-3

If you have set up OpenVPN on a TCP listener, then it's as simple as

telnet vpnserver 1194

assuming 1194 is the port you have it listening on.

This should give you a response of some sort to show that the OpenVPN server is listening.

anthonysomerset
  • Are you 100% sure? When I do this, I get "Could not open connection to the host, on port 1194: Connect failed" after some waiting. Isn't a client meant to say something first, before an OpenVPN server responds? – Ivan Apr 22 '11 at 10:02
  • Note that by default OpenVPN is UDP-only and telnet is meant to use TCP. – Ivan Apr 22 '11 at 10:05
  • No reason to downvote this. He clearly stated that this solution is for OpenVPNs which listen on TCP. I for instance have such a setup because my load balancer doesn't allow UDP. – InsOp Mar 26 '21 at 10:03