
A short reminder to myself on how to check OpenVPN status, because yesterday I spent half a day recalling how I used to do it.
Logging OpenVPN server status
The simplest way is to log the current status to a text file. To do this, add the following parameter to the server configuration file.
status /var/log/openvpn/openvpn-status.log
The file will then contain entries like the following.
# cat /var/log/openvpn/openvpn-status.log
TITLE,OpenVPN 2.5.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 17 2024
TIME,2025-06-01 10:08:32,1748747312
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,client-4,92.246.129.81:58762,,,9605469,13468790,2025-05-20 03:20:01,1747686001,UNDEF,1182,0,AES-256-GCM
CLIENT_LIST,client-1,213.171.26.110:46228,,,7478268,10938438,2025-05-15 04:27:33,1747258053,UNDEF,821,0,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,1e:97:f2:f8:b4:9c@0,client-1,213.171.26.110:46228,2025-06-01 05:03:27,1748729007
ROUTING_TABLE,fa:7b:a7:2b:6f:3c@0,client-4,92.246.129.81:58762,2025-06-01 10:04:52,1748747092
GLOBAL_STATS,Max bcast/mcast queue length,76
END
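As an added example (not from the original post), a small Python parser for the comma-separated status layout shown above, followed by the checks a defender usually wants from such a snapshot: one certificate with several concurrent sessions, sessions open longer than a threshold, and routes with no recent traffic. The sample is constructed in the same layout with documentation-range addresses and an extra client-1 session added for illustration; the thresholds (14 days, 1 hour) are assumptions.

```python
import csv
import io
# Constructed sample in the post's layout (RFC 5737 addresses; a 2nd client-1 session added).
SAMPLE = """\
TITLE,OpenVPN 2.5.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [AEAD] built on Sep 17 2024
TIME,2025-06-01 10:08:32,1748747312
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,client-4,192.0.2.10:58762,,,9605469,13468790,2025-05-20 03:20:01,1747686001,UNDEF,1182,0,AES-256-GCM
CLIENT_LIST,client-1,198.51.100.7:46228,,,7478268,10938438,2025-05-15 04:27:33,1747258053,UNDEF,821,0,AES-256-GCM
CLIENT_LIST,client-1,203.0.113.5:51000,,,1200,3400,2025-06-01 09:50:00,1748746200,UNDEF,1300,0,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,1e:97:f2:f8:b4:9c@0,client-1,198.51.100.7:46228,2025-06-01 05:03:27,1748729007
ROUTING_TABLE,fa:7b:a7:2b:6f:3c@0,client-4,192.0.2.10:58762,2025-06-01 10:04:52,1748747092
GLOBAL_STATS,Max bcast/mcast queue length,76
END
"""

def parse_status(text):
    """Map each HEADER line's column names onto the rows of the section it names."""
    headers, out = {}, {"time": None, "stats": {}}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0] == "END":           # END closes one dump
            break
        if row[0] == "HEADER":
            headers[row[1]] = row[2:]
        elif row[0] == "TIME":
            out["time"] = int(row[2])            # epoch of this snapshot
        elif row[0] == "GLOBAL_STATS":
            out["stats"][row[1]] = int(row[2])
        elif row[0] in headers:                  # CLIENT_LIST, ROUTING_TABLE, ...
            out.setdefault(row[0], []).append(dict(zip(headers[row[0]], row[1:])))
    return out

def audit(status, max_age_days=14, max_idle_s=3600):
    """Findings worth a look: shared certs, long-lived sessions, idle routes."""
    now, findings, by_cn = status["time"], [], {}
    for c in status.get("CLIENT_LIST", []):
        by_cn.setdefault(c["Common Name"], []).append(c)
    for cn, sessions in sorted(by_cn.items()):
        if len(sessions) > 1:                    # one cert, several live sessions
            findings.append(f"{cn}: {len(sessions)} simultaneous sessions")
        for s in sessions:
            age = (now - int(s["Connected Since (time_t)"])) / 86400
            if age > max_age_days:
                findings.append(f"{cn}: session from {s['Real Address']} open {age:.1f} days")
    for r in status.get("ROUTING_TABLE", []):
        idle = now - int(r["Last Ref (time_t)"])  # seconds since the peer last sent traffic
        if idle > max_idle_s:
            findings.append(f"{r['Common Name']}: route {r['Virtual Address']} idle {idle // 3600}h")
    return findings
```

The same parser applies to the output of the management interface's `status 2` command, which uses this comma-separated layout.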
Setting up the management interface
If you want a bit more capability, add a parameter that enables the management interface.
management localhost 7505
Restart the service.
# systemctl restart openvpn-server@server.service
Use telnet to control the OpenVPN server.
# telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
help
Management Interface for OpenVPN 2.5.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 17 2024
Commands:
auth-retry t : Auth failure retry mode (none,interact,nointeract).
bytecount n : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
cr-response response : Send a challenge response answer via CR_RESPONSE to server
exit|quit : Close management session.
forget-passwords : Forget passwords entered so far.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
load-stats : Show global server load stats.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
needok type action : Enter confirmation for NEED-OK request of 'type',
where action = 'ok' or 'cancel'.
needstr type action : Enter confirmation for NEED-STR request of 'type',
where action is reply string.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.
proxy type [host port flags] : Enter dynamic proxy server info.
pid : Show process ID of the current OpenVPN process.
pkcs11-id-count : Get number of available PKCS#11 identities.
pkcs11-id-get index : Get PKCS#11 identity at index.
client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)
client-auth-nt CID KID : Authenticate client-id/key-id CID/KID
client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason
text R and optional client reason text CR
client-pending-auth CID MSG : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg to the client and wait for a final client-auth/client-deny
client-kill CID [M] : Kill client instance CID with message M (def=RESTART)
env-filter [level] : Set env-var filter level
client-pf CID : Define packet filter for client CID (MULTILINE)
rsa-sig : Enter a signature in response to >RSA_SIGN challenge
Enter signature base64 on subsequent lines followed by END
pk-sig : Enter a signature in response to >PK_SIGN challenge
Enter signature base64 on subsequent lines followed by END
certificate : Enter a client certificate in response to >NEED-CERT challenge
Enter certificate base64 on subsequent lines followed by END
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version [n] : Set client's version to n or show current version of daemon.
END
The feature set looks pretty lively. Don't forget to block access to this console from the open internet.
Control via kill USRX
Here, as with dd, the interesting question is where the service will write the output, but in principle the command
# kill -SIGUSR2 <PID>
has not been removed. I'd also add that a web interface, Zabbix, Prometheus and a great many other options can be attached to the management port.