OpenVPN check for Datadog
TL;DR: a check to send bandwidth usage and the count of active connections to Datadog.
I once ran an OpenVPN service on my VPS. Its sole purpose was to securely tunnel traffic anytime I needed to connect to unencrypted WiFi (something I found deployed to nearly every single hotel I visited last year). Because I used it only infrequently, I hadthe expectation that there would almost never be any connected users, and when there were, there would never be more than one.
Luckily, OpenVPN provides a handy management interface that can be interrogated for such information. If we can get Datadog to drink from the management interface, we could instrument and alert on these things. This is the output from running
load-stats on the management interface which we will need to parse:
Once parsed, we can send the results to Datadog to build graphs and alert anytime a connection is made. The steps below will help you start ingesting these metrics, and assume you already have OpenVPN and Datadog installed and running.
Step 1: Enabling the OpenVPN Management Interface
/etc/openvpn/openvpn.conf and add the following line:
management localhost 7505
Save and restart OpenVPN. OpenVPN should now be listening on port 7505 on localhost. The port choice is arbitrary according to the author, but localhost is a bit more intentional. You could bind the management interface to 0.0.0.0 instead and let anyone connect to it, but this is a bad idea unless you know what you're doing and why you're doing it.
You can use telnet or netcat to verify that the management interface is up:
$ telnet localhost 7505 >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help to bring up the command list and
quit to exit when you're done.
Step 2: Installing the Datadog OpenVPN check
openvpn.yamland configure to your liking (the default options are sufficient, apart from the tags)
Restart the Datadog agent
There are plenty more metrics available through the OpenVPN Management Interface than are exposed by
load-stats, but because I was mostly interested in the number of connected clients, that's what this check focuses on. If you'd like to see other metrics collected, feel free to open a pull request.
Regarding other operating systems: I've only tested the check and above steps on Linux. PRs are welcome if you have steps for configuring this and installing it on other OSes (and especially if it's completely broken on other OSes and you have a fix!)
Pull requests are welcome!
Software is provided as-is. You accept all responsibility in the event that your infracture becomes sentient and christens itself SkyNet (and other less specific misfortunes arising from downloading and running this software).