OpenVPN Management Interface Python API
Summary
A Python API for interacting with the OpenVPN management interface.
Currently a work in progress so support for client management interfaces and events is lacking.
Very useful for extracting metrics and status from OpenVPN server management interfaces.
This project was inspired by the work of Marcus Furlong in creating openvpn-monitor.
It also uses openvpn-status by Jiangge Zhang for parsing the output of the OpenVPN status
command as there's no point reinventing the wheel when an excellent solution already exists.
Release notes can be found here on GitHub.
Requirements
This project requires Python >= 3.6.
Other packages:
Installation
Via PyPI
pip install openvpn-api
Via Source
git clone https://github.com/Jamie-/openvpn-api.git
cd openvpn-api
python setup.py install
Usage
Introduction
Create a VPN
object for your management interface connection.
import openvpn_api.VPN
v = openvpn_api.VPN('localhost', 7505)
Then you can either manage connection and disconnection yourself
v.connect()
print(v.release)
v.disconnect()
If the connection is successful, v.connect()
will return True
.
However, if the connection fails v.connect()
will raise an openvpn_api.errors.ConnectError
exception with the reason for the connection failure.
Or use the connection context manager
with v.connection():
print(v.release)
After initialising a VPN object, we can query specifics about it.
We can get the address we're communicating to the management interface on
>>> v.mgmt_address
'localhost:7505'
And also see if this is via TCP/IP or a Unix socket
>>> v.type
'ip'
or
>>> v.type
'socket'
These are represented by the VPNType
class as VPNType.IP
or VPNType.UNIX_SOCKET
>>> v.type
'ip'
>>> v.type == openvpn_api.VPNType.IP
True
Daemon Interaction
All the properties that get information about the OpenVPN service you're connected to are stateful.
The first time you call one of these methods it caches the information it needs so future calls are super fast.
The information cached is unlikely to change often, unlike the status and metrics we can also fetch which are likely to change very frequently.
We can fetch the release string for the version of OpenVPN we're using
>>> v.release
'OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018'
Or just the version number
>>> v.version
'2.4.4'
We can get more information about the service by looking at it's state which is returned as a State object
>>> s = v.state
>>> s
<models.state.State object at 0x7f5eb549a630>
The state cached by all 3 of these properties can be also be cleared and will be repopulated on the next call
v.clear_cache()
Daemon State
The State object contains the following things:
The daemon's current mode, client
or server
>>> s.mode
'server'
Date and time the daemon was started
>>> s.up_since
datetime.datetime(2019, 6, 5, 23, 3, 21)
The daemon's current state
>>> s.state_name
'CONNECTED'
Which can be any of:
CONNECTING
- OpenVPN's initial state.WAIT
- (Client only) Waiting for initial response from server.AUTH
- (Client only) Authenticating with server.GET_CONFIG
- (Client only) Downloading configuration options from server.ASSIGN_IP
- Assigning IP address to virtual network interface.ADD_ROUTES
- Adding routes to system.CONNECTED
- Initialization Sequence Completed.RECONNECTING
- A restart has occurred.EXITING
- A graceful exit is in progress.RESOLVE
- (Client only) DNS lookupTCP_CONNECT
- (Client only) Connecting to TCP server
The descriptive string - unclear from the OpenVPN documentation quite what this is, usually SUCCESS
or the reason for disconnection if the state is RECONNECTING
or EXITING
>>> s.desc_string
'SUCCESS'
The daemon's local virtual (VPN internal) address, returned as a netaddr.IPAddress
for ease of sorting, it can be easily converted to a string with str()
>>> s.local_virtual_v4_addr
IPAddress('10.0.0.1')
>>> str(s.local_virtual_v4_addr)
'10.0.0.1'
If the daemon is in client mode, then remote_addr
and remote_port
will be populated with the address and port of the remote server
>>> s.remote_addr
'1.2.3.4'
>>> s.remote_port
1194
If the daemon is in server mode, then local_addr
and local_port
will be populated with the address and port of the exposed server
>>> s.local_addr
'5.6.7.8'
>>> s.local_port
1194
If the daemon is using IPv6 instead of, or in addition to, IPv4 then the there is also a field for the local virtual (VPN internal) v6 address
>>> s.local_virtual_v6_addr
'2001:db8:85a3::8a2e:370:7334'
Daemon Status
The daemon status is parsed from the management interface by openvpn_status
an existing Python library for parsing the output from OpenVPN's status response.
The code for which can be found in it's GitHub repo: https://github.com/tonyseek/openvpn-status
Therefore when we fetch the status from the OpenVPN daemon, it'll be returned using their models.
For more information see their docs: https://openvpn-status.readthedocs.io/en/latest/api.html
Unlike the VPN state, the status is not stateful as it's output is highly likely to change between calls.
Every time the status is requested, the management interface is queried for the latest data.
A brief example:
>>> status = v.get_status()
>>> status
<openvpn_status.models.Status object at 0x7f5eb54a2d68>
>>> status.client_list
OrderedDict([('1.2.3.4:56789', <openvpn_status.models.Client object at 0x7f5eb54a2128>)])