check_openvpn: Update to 20151106

This commit is contained in:
Jan Wagner 2016-06-12 15:52:00 +02:00
parent 3155447fb2
commit 7eb6cc05d9
2 changed files with 126 additions and 43 deletions

View file

@ -2,9 +2,9 @@
# Check if an OpenVPN server runs on a given UDP port.
#
# Copyright 2013 Roland Wolters, credativ GmbH
# Copyright 2013 Roland Wolters
#
# Version 20130904
# Version 20151106
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
@ -25,62 +25,145 @@
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
import sys
import os
import time
import hmac
import hashlib
import struct
import socket
import argparse
import binascii
HMAC_CLIENT_KEY_START = 192
BUFFER_SIZE = 1024
def ok(msg):
print "OK: %s" % msg
sys.exit(0)
print 'OK: %s' % msg
return 0
def critical(msg):
print "CRIT: %s" % msg
sys.exit(2)
print 'CRIT: %s' % msg
return 2
def checkserver(host,port,proto):
byte_stream = "\x38\x01\x00\x00\x00\x00\x00\x00\x00"
def buildpacket(tcp, key, digestmod):
packet = 1
ts = int(time.time())
session = os.urandom(8)
if proto:
ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
else:
ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
if key:
# hmac
h = hmac.new(key, digestmod=digestmod)
h.update(struct.pack('>I', packet)) # packet id
h.update(struct.pack('>I', ts)) # net time
h.update('\x38') # type
h.update(session) # session id
h.update(struct.pack('>B', 0)) # message packet id array length
h.update(struct.pack('>I', 0)) # message packet id
ovpn_sock.settimeout(5)
# packet
result = ''
result += '\x38' # type
result += session # session id
if key: result += h.digest() # hmac
result += struct.pack('>I', packet) # packet id
result += struct.pack('>I', ts) # net time
result += struct.pack('>B', 0) # message packet id array length
result += struct.pack('>I', 0) # message packet id
if tcp: result = struct.pack('>H', len(result)) + result
return result
def checkserver(host, port, tcp, timeout, key, digest):
packet = buildpacket(tcp, key, digest)
if tcp: checkserver_tcp(host, port, timeout, packet)
else: checkserver_udp(host, port, timeout, packet)
def checkserver_udp(host, port, timeout, packet):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(timeout)
try:
ovpn_sock.connect((host, port))
ovpn_sock.sendto(byte_stream, (host, port))
data, addr = ovpn_sock.recvfrom(1024) # buffer size is 1024 bytes
s.sendto(packet, (host, port))
data, _ = s.recvfrom(BUFFER_SIZE)
reply = binascii.hexlify(data)
if proto:
ok("OpenVPN tcp port reachable.")
else:
ok("OpenVPN server response (hex): %s" % reply)
except socket.timeout:
critical("Request timed out")
ovpn_sock.close()
except (socket.error, Exception):
critical("OpenVPN server not responding")
ovpn_sock.close()
return ok('OpenVPN UDP server response (hex): %s' % reply)
except:
return critical('OpenVPN UDP server not responding')
finally:
s.close()
ovpn_sock.close()
return data
def checkserver_tcp(host, port, timeout, packet):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
def optionsparser():
try:
s.connect((host, port))
s.send(packet)
data = s.recv(BUFFER_SIZE)
if len(data) <= 0: raise RuntimeError
reply = binascii.hexlify(data)
return ok('OpenVPN TCP server response (hex): %s' % reply)
except:
return critical('OpenVPN TCP server not responding')
finally:
s.close()
def readkey(path):
key = None
try:
with open(path, 'r') as myfile: key = myfile.read()
except:
return None
index_start = key.find('-\n');
index_end = key.find('\n-', index_start);
if index_start < 0 or index_end < 0 or index_end <= index_start:
return None
index_start += 2
key = key[index_start:index_end].replace('\n', '').replace('\r', '')
return key
def optionsparser(args=None):
parser = argparse.ArgumentParser()
parser.add_argument("-p","--port", help="set port number",
type=int, dest="port", default="1194")
parser.add_argument("-t","--tcp", help="use tcp instead of udp",
action="store_true")
parser.add_argument("host", type=str, help="the OpenVPN host name or ip")
return parser.parse_args()
parser.add_argument('-p', '--port', help='set port number (default is %%default)', type=int, dest='port', default='1194')
parser.add_argument('-t', '--tcp', help='use tcp instead of udp', action='store_true')
parser.add_argument('--timeout', help='set timeout (default is %%default)', type=int, default='5')
parser.add_argument('--digest', help='set HMAC digest (default is %%default)', type=str, default='sha1')
parser.add_argument('--digest-size', help='set HMAC digest size', type=int)
parser.add_argument('--digest-key', help='set HMAC key', type=str, default=None)
parser.add_argument('--tls-auth', help='set tls-auth file', type=str, default=None)
parser.add_argument('host', type=str, help='the OpenVPN host name or ip')
return parser.parse_args(args)
def main():
arguments = optionsparser()
args = optionsparser()
data = checkserver(arguments.host,arguments.port,arguments.tcp)
if args.digest_size and args.digest_size < 0:
critical('digest size must be positive')
if args.tls_auth and args.digest_key:
critical('--tls-auth cannot go with --digest-key')
if __name__ == "__main__":
key = args.digest_key
digest = args.digest
digest_size = args.digest_size
digest = digest.lower()
if digest not in hashlib.algorithms:
return critical('digest not available')
try:
digest = getattr(hashlib, digest)
if not digest_size: digest_size = digest().digest_size
except:
return critical('digest creation failed')
if args.tls_auth:
key = readkey(args.tls_auth)
if key == None: return critical('cannot read tls auth file')
index_start = HMAC_CLIENT_KEY_START * 2
index_end = (HMAC_CLIENT_KEY_START + digest_size) * 2
key = key[index_start:index_end]
if key: key = binascii.unhexlify(key)
return checkserver(args.host, args.port, args.tcp, args.timeout, key, digest)
if __name__ == '__main__':
main()

View file

@ -1,6 +1,6 @@
Homepage: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn
Watch: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn Version\ ([0-9.]+)
Recommends: libpython-stdlib
Version: 20130904
Version: 20151106
Uploaders: Jan Wagner <waja@cyconet.org>
Description: plugin to check if an OpenVPN server runs on a given port