    reading openvpn server socket with zabbix user

    • M
      mikee last edited by mikee

      Hi all.

      I am trying to monitor active openvpn connections in a pfSense system from zabbix. To do that I have to read the openvpn server socket with netcat, as explained in another thread in this forum.

      I created a bash script with the commands to get that list. I am able to execute that script from a local shell session successfully. I also can get the connections list using zabbix_get from that same local shell thus confirming that the zabbix local agent is correctly configured.

      But when I try to get that same data from the remote zabbix server (issuing the same zabbix_get command in the remote system) I get no data at all. An empty string. The command I am trying to execute is

      echo 'status 1' | nc -Uw 1 /var/etc/openvpn/server1.sock

      Fiddling with the script to check what is going wrong and whether what I have is a comms problem or not, when I only put the echo part I got the echo reply. Then if I put 'nc -h' I get the help reply from the nc command, so everything seems to be working except the reading of the socket.

      The full command works fine when executed from the shell (as admin user, root privileges) as told before but does not work if executed as zabbix user that is the one the agent runs under.

      How can I make this work, if possible? Thanks in advance.

      • stephenw10
        stephenw10 Netgate Administrator last edited by

        Sounds like a permissions problem then if the Zabbix user can't execute it. Can you use the sudo package to grant it that permission?

        • M
          mikee last edited by

          Thanks for your reply.

          Yes I tried. I made a test.sh file with this inside:

          su -m root -c echo 'status 1' | nc -Uw 1 /var/etc/openvpn/server1.sock

          Reply

          [root@zabbix ~]# zabbix_get -s xxx.xxx.xxx.xxx -k ovpnserver.test
          su: Sorry

          • stephenw10
            stephenw10 Netgate Administrator last edited by

            You can't run su like that, but you shouldn't have to if you've given the user permissions to run nc and echo as root.

            Seems like it's either not got permission to access that socket, but no permission errors are shown, or it's just not seeing the result. That seems more likely.

            Hmm

            • M
              mikee last edited by

              Hi Stephen. Thanks for your reply and interest.

              How can I give the zabbix user rights to run nc? Anyway, it looks like it already has permissions for that, as I am able to get the nc help screen from the zabbix server. What I am not able to do is read the openvpn server socket. It also has permission to echo data, as I am able to get the echo output from there too.

              Is there any way to give the zabbix user limited permissions to the openvpn server socket? Making zabbix root equivalent is not a good idea for a firewall, so we should avoid this approach.

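Added example, not part of any post in this thread: a shell check that reports why the user running it cannot open the socket, instead of returning an empty string. The function names `check_sock` and `ovpn_status` are hypothetical; it assumes that connecting to a UNIX socket needs write permission on the socket file and search permission on every directory in its path.

```shell
#!/bin/sh
# Added example (not from the thread). Default path is the socket named in the thread.
SOCK_DEFAULT=/var/etc/openvpn/server1.sock

# check_sock PATH: print one diagnostic line on stdout.
# Returns 0 usable, 1 missing, 2 not a socket,
#         3 a directory blocks access, 4 socket not writable.
check_sock() {
    sock=$1
    blocked=""
    d=$(dirname -- "$sock")
    # Walk up the path; the topmost directory that fails -x is the real blocker.
    while :; do
        [ -x "$d" ] || blocked=$d
        case $d in /|.) break ;; esac
        d=$(dirname -- "$d")
    done
    if [ -n "$blocked" ]; then
        if [ -d "$blocked" ]; then
            echo "DENIED: $(id -un) cannot search directory: $(ls -ld "$blocked")"
            return 3
        fi
        echo "MISSING: directory $blocked does not exist"
        return 1
    fi
    if [ ! -e "$sock" ]; then echo "MISSING: $sock does not exist"; return 1; fi
    if [ ! -S "$sock" ]; then echo "NOTSOCK: $sock is not a UNIX socket"; return 2; fi
    if [ ! -w "$sock" ]; then
        echo "DENIED: $(id -un) has no write permission: $(ls -l "$sock")"
        return 4
    fi
    echo "OK: $(id -un) can open $sock"
}

# ovpn_status PATH: run the thread's query only if the check passes.
# stderr is merged into stdout so any nc error message is part of the output.
ovpn_status() {
    msg=$(check_sock "${1:-$SOCK_DEFAULT}") || { rc=$?; echo "$msg"; return "$rc"; }
    echo 'status 1' | nc -Uw 1 "${1:-$SOCK_DEFAULT}" 2>&1
}

# Stand-alone use: sh thisfile.sh --query [socket path]
if [ "${1:-}" = "--query" ]; then ovpn_status "${2:-}"; fi
```

Run as the account the agent uses, the DENIED line shows the owner, group and mode that would have to change for that account to read the socket without root.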