Home / server / Questions / 262474
In Process
Ivan
Asked: 2011-04-23 01:01:13 +0800 CST

How to check that an OpenVPN server is listening on a remote port without using OpenVPN client?

  • 772

I need to check that an OpenVPN (UDP) server is up and accessible on a given host:port.

I only have a plain Windows XP computer with no OpenVPN client (and no chance to install it) and no keys needed to connect to the server - just common WinXP command line tools, a browser and PuTTY are in my disposition.

If I was testing something like an SMTP or POP3 servert I'd use telnet and see if it responds, but how to do this with OpenVPN (UDP)?

openvpn security testing telnet

6 Answers

  1. Here is a shell one-liner:

    echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | 
   timeout 10 nc -u openvpnserver.com 1194 | cat -v

    if there is an openvpn on the other end the output will be

    @$M-^HM--LdM-t|M-^X^@^@^@^@^@@$M-^HM--LdM-t|M-^X^@^@^@^@^@@$M-^HM--LdM-t|M-^X...

    otherwise it will just be mute and timeout after 10 seconds or display something different.

    NOTE: this works only if tls-auth config option is not active, otherwise the server rejects messages with incorrect HMAC.

    • 59

  2. Sorry if I'm a bit late with my answer ;)
    Send an udp packet with the following content:
    $38$01$00$00$00$00$00$00$00
    The server must respond something.
    You can forge udp packets with python like this: 

    import socket
senddata= "\x38\x01\x00\x00\x00\x00\x00\x00\x00"

def checkserver(ip,port):
   print('Checking %s:%s' %(ip,port)) 
   sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
   sock.settimeout(5) # in seconds
   sock.connect((ip, port))
   print("Sending request...")
   sock.send(senddata)
   try:
      dta=sock.recv(100)
      print("Server reply: %s" %(dta))
   except:
      print("Server not responding")
   sock.close()
   print("###########################################################")

def main():
   checkserver("addr.of.server1",1194)
   checkserver("addr.of.server2",1195)

if __name__ == "__main__":
   main()
    • 7

  3. For anyone running across this who's trying to monitor a server that has tls-auth enabled, you can use the python script here: https://github.com/liquidat/nagios-icinga-openvpn

    The output is formatted for use in Nagios or Icinga, but it can be run by anything/anyone, provided you have python and the tls keyfile available.

    For example, if you are using SHA256 as your digest, you'd use something like:

    python check-openvpn.py -p 1194 --tls-auth ta.key --digest SHA256 vpn-server.example.com

    Note: you might need to add --tls-auth-inverse depending on the server's key-direction value.

    • 6

  4. You can try to run the following at the CLI

    #netstat -ltnup

    This should list all processes that are listening on your server/system. Grep for the port number you want

    #netstat -ltnup | grep 1194
    • 4

  5. If you can get an pcap of valid OpenVPN Client to OpenVPN server interaction, you could model the initial set of packets with something like netcat, as suggested by TiZon.

    Basically, you want enough of a valid first packet to get the server to respond with at least an error message, so it doesn't have to be perfect, just good enough.

    I tried going to http://pcapr.net, but I didn't see an OpenVPN example there. Perhaps, if someone else is claiming the service is up, you could get that other person to grab a pcap of the transaction.

    • 0

  6. if you have setup openvpn on a tcp listen then its as simple as

    telnet vpnserver 1194

    assuming 1194 is the port you have it listening on

    this should give you a response of some sort to show that the openvpn server is listening

    • -3