check_openvpn: Update to 20151106
This commit is contained in:
parent
3155447fb2
commit
7eb6cc05d9
|
|
@ -2,9 +2,9 @@
|
||||||
|
|
||||||
# Check if an OpenVPN server runs on a given UDP port.
|
# Check if an OpenVPN server runs on a given UDP port.
|
||||||
#
|
#
|
||||||
# Copyright 2013 Roland Wolters, credativ GmbH
|
# Copyright 2013 Roland Wolters
|
||||||
#
|
#
|
||||||
# Version 20130904
|
# Version 20151106
|
||||||
#
|
#
|
||||||
# Permission is hereby granted, free of charge, to any person obtaining
|
# Permission is hereby granted, free of charge, to any person obtaining
|
||||||
# a copy of this software and associated documentation files (the
|
# a copy of this software and associated documentation files (the
|
||||||
|
|
@ -25,62 +25,145 @@
|
||||||
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||||
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
|
||||||
import sys
|
import os
|
||||||
|
import time
|
||||||
|
import hmac
|
||||||
|
import hashlib
|
||||||
|
import struct
|
||||||
import socket
|
import socket
|
||||||
import argparse
|
import argparse
|
||||||
import binascii
|
import binascii
|
||||||
|
|
||||||
|
HMAC_CLIENT_KEY_START = 192
|
||||||
|
BUFFER_SIZE = 1024
|
||||||
|
|
||||||
def ok(msg):
|
def ok(msg):
|
||||||
print "OK: %s" % msg
|
print 'OK: %s' % msg
|
||||||
sys.exit(0)
|
return 0
|
||||||
|
|
||||||
def critical(msg):
|
def critical(msg):
|
||||||
print "CRIT: %s" % msg
|
print 'CRIT: %s' % msg
|
||||||
sys.exit(2)
|
return 2
|
||||||
|
|
||||||
def checkserver(host,port,proto):
|
def buildpacket(tcp, key, digestmod):
|
||||||
byte_stream = "\x38\x01\x00\x00\x00\x00\x00\x00\x00"
|
packet = 1
|
||||||
|
ts = int(time.time())
|
||||||
|
session = os.urandom(8)
|
||||||
|
|
||||||
|
if key:
|
||||||
|
# hmac
|
||||||
|
h = hmac.new(key, digestmod=digestmod)
|
||||||
|
h.update(struct.pack('>I', packet)) # packet id
|
||||||
|
h.update(struct.pack('>I', ts)) # net time
|
||||||
|
h.update('\x38') # type
|
||||||
|
h.update(session) # session id
|
||||||
|
h.update(struct.pack('>B', 0)) # message packet id array length
|
||||||
|
h.update(struct.pack('>I', 0)) # message packet id
|
||||||
|
|
||||||
|
# packet
|
||||||
|
result = ''
|
||||||
|
result += '\x38' # type
|
||||||
|
result += session # session id
|
||||||
|
if key: result += h.digest() # hmac
|
||||||
|
result += struct.pack('>I', packet) # packet id
|
||||||
|
result += struct.pack('>I', ts) # net time
|
||||||
|
result += struct.pack('>B', 0) # message packet id array length
|
||||||
|
result += struct.pack('>I', 0) # message packet id
|
||||||
|
if tcp: result = struct.pack('>H', len(result)) + result
|
||||||
|
return result
|
||||||
|
|
||||||
if proto:
|
def checkserver(host, port, tcp, timeout, key, digest):
|
||||||
ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
packet = buildpacket(tcp, key, digest)
|
||||||
else:
|
if tcp: checkserver_tcp(host, port, timeout, packet)
|
||||||
ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
else: checkserver_udp(host, port, timeout, packet)
|
||||||
|
|
||||||
ovpn_sock.settimeout(5)
|
|
||||||
|
|
||||||
|
def checkserver_udp(host, port, timeout, packet):
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||||
|
s.settimeout(timeout)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
ovpn_sock.connect((host, port))
|
s.sendto(packet, (host, port))
|
||||||
ovpn_sock.sendto(byte_stream, (host, port))
|
data, _ = s.recvfrom(BUFFER_SIZE)
|
||||||
data, addr = ovpn_sock.recvfrom(1024) # buffer size is 1024 bytes
|
|
||||||
reply = binascii.hexlify(data)
|
reply = binascii.hexlify(data)
|
||||||
if proto:
|
return ok('OpenVPN UDP server response (hex): %s' % reply)
|
||||||
ok("OpenVPN tcp port reachable.")
|
except:
|
||||||
else:
|
return critical('OpenVPN UDP server not responding')
|
||||||
ok("OpenVPN server response (hex): %s" % reply)
|
finally:
|
||||||
except socket.timeout:
|
s.close()
|
||||||
critical("Request timed out")
|
|
||||||
ovpn_sock.close()
|
|
||||||
except (socket.error, Exception):
|
|
||||||
critical("OpenVPN server not responding")
|
|
||||||
ovpn_sock.close()
|
|
||||||
|
|
||||||
ovpn_sock.close()
|
def checkserver_tcp(host, port, timeout, packet):
|
||||||
return data
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
s.settimeout(timeout)
|
||||||
|
|
||||||
|
try:
|
||||||
|
s.connect((host, port))
|
||||||
|
s.send(packet)
|
||||||
|
data = s.recv(BUFFER_SIZE)
|
||||||
|
if len(data) <= 0: raise RuntimeError
|
||||||
|
reply = binascii.hexlify(data)
|
||||||
|
return ok('OpenVPN TCP server response (hex): %s' % reply)
|
||||||
|
except:
|
||||||
|
return critical('OpenVPN TCP server not responding')
|
||||||
|
finally:
|
||||||
|
s.close()
|
||||||
|
|
||||||
def optionsparser():
|
def readkey(path):
|
||||||
|
key = None
|
||||||
|
try:
|
||||||
|
with open(path, 'r') as myfile: key = myfile.read()
|
||||||
|
except:
|
||||||
|
return None
|
||||||
|
index_start = key.find('-\n');
|
||||||
|
index_end = key.find('\n-', index_start);
|
||||||
|
if index_start < 0 or index_end < 0 or index_end <= index_start:
|
||||||
|
return None
|
||||||
|
index_start += 2
|
||||||
|
key = key[index_start:index_end].replace('\n', '').replace('\r', '')
|
||||||
|
return key
|
||||||
|
|
||||||
|
def optionsparser(args=None):
|
||||||
parser = argparse.ArgumentParser()
|
parser = argparse.ArgumentParser()
|
||||||
parser.add_argument("-p","--port", help="set port number",
|
parser.add_argument('-p', '--port', help='set port number (default is %%default)', type=int, dest='port', default='1194')
|
||||||
type=int, dest="port", default="1194")
|
parser.add_argument('-t', '--tcp', help='use tcp instead of udp', action='store_true')
|
||||||
parser.add_argument("-t","--tcp", help="use tcp instead of udp",
|
parser.add_argument('--timeout', help='set timeout (default is %%default)', type=int, default='5')
|
||||||
action="store_true")
|
parser.add_argument('--digest', help='set HMAC digest (default is %%default)', type=str, default='sha1')
|
||||||
parser.add_argument("host", type=str, help="the OpenVPN host name or ip")
|
parser.add_argument('--digest-size', help='set HMAC digest size', type=int)
|
||||||
return parser.parse_args()
|
parser.add_argument('--digest-key', help='set HMAC key', type=str, default=None)
|
||||||
|
parser.add_argument('--tls-auth', help='set tls-auth file', type=str, default=None)
|
||||||
|
parser.add_argument('host', type=str, help='the OpenVPN host name or ip')
|
||||||
|
return parser.parse_args(args)
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
arguments = optionsparser()
|
args = optionsparser()
|
||||||
|
|
||||||
|
if args.digest_size and args.digest_size < 0:
|
||||||
|
critical('digest size must be positive')
|
||||||
|
if args.tls_auth and args.digest_key:
|
||||||
|
critical('--tls-auth cannot go with --digest-key')
|
||||||
|
|
||||||
|
key = args.digest_key
|
||||||
|
digest = args.digest
|
||||||
|
digest_size = args.digest_size
|
||||||
|
|
||||||
|
digest = digest.lower()
|
||||||
|
if digest not in hashlib.algorithms:
|
||||||
|
return critical('digest not available')
|
||||||
|
try:
|
||||||
|
digest = getattr(hashlib, digest)
|
||||||
|
if not digest_size: digest_size = digest().digest_size
|
||||||
|
except:
|
||||||
|
return critical('digest creation failed')
|
||||||
|
|
||||||
|
if args.tls_auth:
|
||||||
|
key = readkey(args.tls_auth)
|
||||||
|
if key == None: return critical('cannot read tls auth file')
|
||||||
|
index_start = HMAC_CLIENT_KEY_START * 2
|
||||||
|
index_end = (HMAC_CLIENT_KEY_START + digest_size) * 2
|
||||||
|
key = key[index_start:index_end]
|
||||||
|
|
||||||
|
if key: key = binascii.unhexlify(key)
|
||||||
|
|
||||||
|
return checkserver(args.host, args.port, args.tcp, args.timeout, key, digest)
|
||||||
|
|
||||||
data = checkserver(arguments.host,arguments.port,arguments.tcp)
|
if __name__ == '__main__':
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
main()
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
Homepage: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn
|
Homepage: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn
|
||||||
Watch: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn Version\ ([0-9.]+)
|
Watch: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn Version\ ([0-9.]+)
|
||||||
Recommends: libpython-stdlib
|
Recommends: libpython-stdlib
|
||||||
Version: 20130904
|
Version: 20151106
|
||||||
Uploaders: Jan Wagner <waja@cyconet.org>
|
Uploaders: Jan Wagner <waja@cyconet.org>
|
||||||
Description: plugin to check if an OpenVPN server runs on a given port
|
Description: plugin to check if an OpenVPN server runs on a given port
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue