DEV Community

Mr Vi
Monitoring OpenVPN with Prometheus and Grafana: A Complete Guide

Why Monitor OpenVPN?

OpenVPN is one of the most popular VPN solutions, but monitoring VPN connections can be challenging. Without proper monitoring, you might not notice when clients are having connection issues, when traffic patterns change, or when your VPN server is under stress.

In this guide, we'll set up comprehensive monitoring for OpenVPN using Prometheus and Grafana, including:

  • Real-time client connection tracking
  • Traffic statistics and bandwidth monitoring
  • Security alerts and access control
  • Beautiful dashboards for visualization

The Challenge: OpenVPN Status Files

OpenVPN provides status information through text files, but these aren't designed for modern monitoring systems. The status files contain client information, traffic statistics, and connection details, but you need a way to:

  1. Parse these files regularly
  2. Convert the data to metrics format
  3. Expose metrics to Prometheus
  4. Visualize the data in Grafana
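
Steps 1 to 3 of that list, as an added example that is not the exporter's own code: it parses a constructed status file in OpenVPN's default layout and renders the metric names used later on this page. The `common_name` label, the function names and the sample clients are assumptions made for illustration.

```python
import csv
from io import StringIO

# Constructed sample in OpenVPN's default status layout (status-version 1).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:49502,334948,1973012,Thu Jun 18 04:23:03 2015
bob,198.51.100.7:1194,1024,2048,Thu Jun 18 07:00:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:49502,Thu Jun 18 08:12:09 2015
END
"""

def parse_clients(text):
    """Return one dict per row of the CLIENT LIST section."""
    clients, in_list = [], False
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if row[0] == "Common Name":        # header row opens the client table
            in_list = True
        elif row[0] == "ROUTING TABLE":    # next section closes it
            break
        elif in_list and len(row) == 5 and row[2].isdigit() and row[3].isdigit():
            clients.append({"common_name": row[0],
                            "received": int(row[2]), "sent": int(row[3])})
    return clients

def escape_label(value):
    """Escape an untrusted label value (the certificate CN) for the text format."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def render_metrics(clients):
    """Render the page's metric names; the common_name label is an assumption."""
    lines = ["# TYPE openvpn_server_client_count gauge",
             f"openvpn_server_client_count {len(clients)}"]
    for metric, key in (("openvpn_server_client_received_bytes_total", "received"),
                        ("openvpn_server_client_sent_bytes_total", "sent")):
        lines.append(f"# TYPE {metric} counter")
        for c in clients:
            name = escape_label(c["common_name"])
            lines.append(f'{metric}{{common_name="{name}"}} {c[key]}')
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_metrics(parse_clients(SAMPLE_STATUS)), end="")
```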

Solution: OpenVPN Prometheus Exporter

We'll use an open-source OpenVPN Prometheus Exporter that solves these challenges by:

  • Reading OpenVPN status files automatically
  • Converting data to Prometheus metrics format
  • Providing security features like IP-based access control
  • Including a ready-to-use Grafana dashboard

Step 1: Setting Up OpenVPN Server

First, ensure your OpenVPN server is configured to write status files. If you don't have OpenVPN set up yet, I recommend using the excellent openvpn-install script:

    curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
    chmod +x openvpn-install.sh
    ./openvpn-install.sh

Add this to your OpenVPN server configuration to enable status logging:

    # Add to /etc/openvpn/server.conf
    status /var/log/openvpn/status.log 30

The status file will be updated every 30 seconds with client information.

Step 2: Deploying the Exporter

The easiest way to deploy the exporter is using Docker:

    # Download docker-compose.yml
    curl -O https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/docker-compose.yml

    # Start the exporter
    docker compose up -d

Or use the one-command setup script:

    curl -sSL https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/quick-start.sh | bash

The exporter will be available at http://localhost:9176/metrics.

Step 3: Security Configuration

For production environments, restrict metrics access to specific IPs:

    # docker-compose.yml
    environment:
      - ALLOWED_IPS=192.168.1.100,10.0.0.50,monitoring-server.local

This ensures only your monitoring infrastructure can access the metrics.

Step 4: Prometheus Configuration

Add the exporter to your Prometheus configuration:

    # prometheus.yml
    scrape_configs:
      - job_name: 'openvpn-exporter'
        static_configs:
          - targets: ['your-server:9176']
        scrape_interval: 30s
        metrics_path: /metrics

Step 5: Grafana Dashboard

Import the included dashboard for immediate visualization:

    # Download the dashboard
    curl -O https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/dashboard.json

In Grafana:

  1. Go to Dashboards → Import
  2. Upload dashboard.json
  3. Select your Prometheus datasource

The dashboard includes:

  • Client Statistics: Connected clients, traffic, connection times
  • Server Health: Server status and availability
  • Traffic Analysis: Bytes sent/received, top users
  • Security Monitoring: Access control alerts

Key Metrics to Monitor

Here are the most important metrics to track:

Client Connections

    # Total connected clients
    sum(openvpn_server_client_count)

    # Clients by server
    openvpn_server_client_count{instance="your-server"}

Traffic Analysis

    # Top 5 clients by traffic
    topk(5, openvpn_server_client_received_bytes_total + openvpn_server_client_sent_bytes_total)

    # Traffic rate per client
    rate(openvpn_server_client_received_bytes_total[5m])

Connection Duration

    # How long clients have been connected
    time() - openvpn_server_client_connection_time

Setting Up Alerts

Create alerts for critical events:

    # alert.rules.yml
    groups:
      - name: openvpn_alerts
        rules:
          - alert: OpenVPNServerDown
            expr: openvpn_up == 0
            for: 1m
            labels:
              severity: critical
            annotations:
              summary: "OpenVPN server is down"

          - alert: TooManyClients
            expr: openvpn_server_client_count > 100
            for: 2m
            labels:
              severity: warning
            annotations:
              summary: "Too many OpenVPN clients connected"

Advanced Configuration

Multiple OpenVPN Servers

Monitor multiple servers by updating the status paths:

    export STATUS_PATHS="/var/log/openvpn/server1.status,/var/log/openvpn/server2.status"
    docker compose up -d

Service Discovery

Use Prometheus file-based service discovery for dynamic monitoring:

    # prometheus.yml
    scrape_configs:
      - job_name: 'openvpn-exporter'
        file_sd_configs:
          - files:
              - 'openvpn-targets.json'

Contents of openvpn-targets.json:

    [
      {
        "targets": ["openvpn-server-1:9176"],
        "labels": {
          "instance": "server-1",
          "environment": "production"
        }
      }
    ]

Complete Monitoring Stack

For a full monitoring setup, use the complete Docker Compose stack:

    # Download complete stack
    curl -O https://raw.githubusercontent.com/B4DCATs/openvpn_exporter/main/examples/config/docker-compose.full.yml

    # Start monitoring stack
    docker compose -f docker-compose.full.yml up -d

This includes:

  • OpenVPN Exporter
  • Prometheus
  • Grafana
  • Pre-configured dashboards and alerts

Access your monitoring:

  • Prometheus: http://localhost:9090
  • Grafana: http://localhost:3000 (default login admin/admin; set a new password when Grafana prompts on first login)

Troubleshooting Common Issues

Status File Not Found

    # Find your OpenVPN status files
    find /var/log -name "*openvpn*" -type f

    # Common locations:
    # /var/log/openvpn/status.log
    # /var/log/openvpn/server.status

No Metrics Available

    # Check exporter logs
    docker logs openvpn-exporter

    # Test metrics endpoint
    curl -s http://localhost:9176/metrics | grep openvpn

Access Denied Errors

    # Check ALLOWED_IPS configuration
    docker logs openvpn-exporter | grep "Access denied"

    # Test from allowed IP
    curl -H "X-Forwarded-For: 192.168.1.100" http://localhost:9176/metrics
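
The test above satisfies the allow-list by sending an X-Forwarded-For header. The page does not say how the exporter treats that header, so this added example (not the exporter's code) shows the behaviour worth confirming in your deployment: an allow-list that believes the header from any sender, next to one that honours it only from a trusted proxy. The proxy address, function names and sample requests are constructed, and hostname entries in ALLOWED_IPS are left out.

```python
import ipaddress

# Constructed values: two entries from the page's ALLOWED_IPS example and a
# hypothetical reverse proxy address.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.1.100/32", "10.0.0.50/32")]
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.1/32")]

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)   # raises ValueError on malformed input
    return any(ip in net for net in nets)

def client_ip_naive(peer, headers):
    """Weak: believes X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer

def client_ip_strict(peer, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy."""
    xff = headers.get("X-Forwarded-For")
    if not xff or not in_nets(peer, TRUSTED_PROXIES):
        return peer
    # Right-most entry is the address our own proxy saw and appended.
    return xff.split(",")[-1].strip()

def is_allowed(resolve, peer, headers):
    try:
        return in_nets(resolve(peer, headers), ALLOWED)
    except ValueError:                # unparsable address: deny
        return False

# Constructed requests: (TCP peer address, request headers).
REQUESTS = [
    ("192.168.1.100", {}),
    ("203.0.113.9", {"X-Forwarded-For": "192.168.1.100"}),
    ("172.18.0.1", {"X-Forwarded-For": "192.168.1.100"}),
    ("172.18.0.1", {"X-Forwarded-For": "192.168.1.100, 203.0.113.9"}),
    ("203.0.113.9", {"X-Forwarded-For": "not-an-ip"}),
]

def decisions(resolve):
    return [is_allowed(resolve, peer, hdrs) for peer, hdrs in REQUESTS]

if __name__ == "__main__":
    for (peer, hdrs), n, s in zip(REQUESTS, decisions(client_ip_naive),
                                  decisions(client_ip_strict)):
        print(f"peer={peer:<14} xff={hdrs.get('X-Forwarded-For', '-'):<28} "
              f"naive={n} strict={s}")
```

If the same curl test succeeds from a host that is not in ALLOWED_IPS, the allow-list is resolving the client the way `client_ip_naive` does, and the port should also be restricted at the network layer.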

Best Practices

  1. Security First: Always use IP restrictions in production
  2. Regular Monitoring: Set up alerts for server downtime and unusual traffic
  3. Capacity Planning: Monitor client counts and traffic trends
  4. Backup Configuration: Keep your monitoring configuration in version control
  5. Documentation: Document your monitoring setup and alert procedures

Conclusion

Monitoring OpenVPN with Prometheus and Grafana provides valuable insights into your VPN infrastructure. You'll be able to:

  • Track client connections and usage patterns
  • Monitor server health and performance
  • Detect security issues and unusual activity
  • Plan capacity based on traffic trends
  • Troubleshoot connection problems quickly

The OpenVPN Prometheus Exporter makes this setup straightforward with its security features, comprehensive dashboard, and easy deployment options.

Resources

Start monitoring your OpenVPN infrastructure today and gain the visibility you need to ensure reliable VPN services for your users!
