
I just want to check if my remote OpenVPN server is running. That's it. How can I do that? It'll be safer to use "top" or "ps aux", but perhaps I can ping it somehow instead, that is, without having to connect/authenticate via SSH first?

Jodari

2 Answers

If you want to know that the host is alive you can just ping its IP or hostname. Make sure the firewall is open for incoming ICMP echo packets from wherever you try to ping it.

However if you want to know that openvpn is running you'll have to connect to the host. OpenVPN uses UDP on port 1194 by default so you have to send it a UDP packet to that port.

If openvpn is running it will accept that packet and discard it (because it's not a valid OpenVPN handshake). You can test it with netcat, for instance, and also check the return code ($? - 0=success, 1=error):

~ $ echo "abcd" | netcat -u -v -w2 192.168.130.1 1194
Connection to 192.168.130.1 1194 port [udp/openvpn] succeeded!
~ $ echo $?
0
~ $

On the other hand, if the openvpn service isn't running, the host should send back an ICMP "udp port 1194 unreachable" packet, which will make netcat exit immediately:

~ $ echo "abcd" | netcat -u -v 192.168.130.54 1194
~ $ echo $?
1
~ $ 

Be aware that netcat will report success even if the host is down, because with UDP it can't distinguish between the host being down and openvpn receiving and discarding the packet. In neither case will it receive any response. Only if the host is up and openvpn is down will it receive the ICMP port unreachable response and exit with 1. That means you have to run ping -n -c2 ... first to verify that the host is actually up.

Hope that helps :)

MLu

This is a relatively old question, but I wanted to add that instead of netcat you can use hping3 or nping (this tool usually comes with nmap) to check a UDP port in a similar fashion. These tools have much more verbose output and provide more data.

For example, checking a closed UDP port using hping3:

$ sudo hping3 --udp -p 26010 router.local
HPING router.local (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.1 name=router.local
ICMP Port Unreachable from ip=192.168.1.1 name=router.local
^C
--- router.local hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

or via nping:

$ sudo  nping -c 2 --udp -p 26010 router.local

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2020-09-19 20:57 EEST
SENT (0.0173s) UDP 192.168.1.40:53 > 192.168.1.1:26010 ttl=64 id=16061 iplen=28 
RCVD (0.0177s) ICMP [192.168.1.1 > 192.168.1.40 Port unreachable (type=3/code=3) ] IP [ttl=64 id=4711 iplen=56 ]
SENT (1.0181s) UDP 192.168.1.40:53 > 192.168.1.1:26010 ttl=64 id=16061 iplen=28 
RCVD (1.0185s) ICMP [192.168.1.1 > 192.168.1.40 Port unreachable (type=3/code=3) ] IP [ttl=64 id=4794 iplen=56 ]
 
Max rtt: 0.418ms | Min rtt: 0.343ms | Avg rtt: 0.380ms
Raw packets sent: 2 (56B) | Rcvd: 2 (112B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 1.03 seconds

Sending data to a closed UDP port (if it isn't filtered by a firewall) generates an ICMP message with icmp_type 3 (destination unreachable), which should be visible in the examples above. The OS of the client processes this message and returns an error to the application that tried to send data to that port. At the same time, the OS could report an error in other cases too, for example because a filtering firewall rejects traffic to some locations and generates "Host administratively prohibited" or other ICMP messages. So checking via hping3 or nping should be more reliable.

At the same time, if the port is open (or filtered by a firewall), there will be no responses:

$ sudo  nping -c 2 --udp -p 1194 router.local

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2020-09-19 20:58 EEST
SENT (0.0265s) UDP 192.168.1.40:53 > 192.168.1.1:1194 ttl=64 id=54477 iplen=28 
SENT (1.0268s) UDP 192.168.1.40:53 > 192.168.1.1:1194 ttl=64 id=54477 iplen=28 
 
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 2 (56B) | Rcvd: 0 (0B) | Lost: 2 (100.00%)
Nping done: 1 IP address pinged in 2.04 seconds

$ sudo hping3 --udp -p 1194 router.local  # or via hping3
HPING router.local (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
^C
--- router.local hping statistic ---
2 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Also, since both hping3 and nping directly process the ICMP message about the unreachable destination, they require root privileges. However, nping can ping UDP without root permissions, but in that case the output will be less verbose (because it will only report the error that was returned by the OS).

In addition, you can use tcpdump if you suspect there is some kind of issue during connection, for example using sudo tcpdump -i any -n "host 192.168.1.1 && (udp port 1194 || icmp)".