OpenVPN Monitoring
Real TLS handshake checks for OpenVPN servers — not just port probes. Supports UDP and TCP, AES-256-GCM and ChaCha20 cipher suites, TLS-Auth and TLS-Crypt. Sub-second alerts, REST API, free for 5 monitors.
Why OpenVPN needs protocol-aware monitoring
OpenVPN's flexibility is also what makes it hard to monitor. A single server can be configured with dozens of cipher, auth, and compression combinations. A TCP port check against OpenVPN/443 returns a TLS handshake attempt to anything — including a stopped openvpn process where systemd hasn't noticed yet.
Common silent failures that port-only monitors miss:
- Expired TLS certificate on the server side (cert chain still present but past notAfter)
- TLS-Auth key mismatch after a rotation
- Wrong cipher negotiation (server was reconfigured, client config wasn't updated)
- Stale OpenVPN process where the control channel responds but the data channel is broken
- MTU mismatches causing fragmentation-triggered handshake timeouts
TunnelHQ parses your .ovpn config and performs an actual OpenVPN control channel exchange, all the way through HMAC verification.
How TunnelHQ monitors OpenVPN
1. Upload your .ovpn config
Paste the config or upload the file. TunnelHQ parses:
- remote <host> <port> — endpoint
- proto udp | tcp — transport
- cipher / auth — negotiated via TLS
- <ca>, <cert>, <key>, <tls-auth>, <tls-crypt> — embedded keys and certs
- Direction flags, compression settings
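As an added illustration (not TunnelHQ's own parser), the sketch below pulls the fields listed above out of a client config and reports what is still missing for a full handshake. The names parse_ovpn and handshake_gaps and the sample config are assumptions made for this example; the defaults of UDP and port 1194 are OpenVPN's own.

```python
import re

# Inline blocks a client config can embed, e.g. <ca> ... </ca>
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt", "tls-crypt-v2")
BLOCK_RE = re.compile(
    r"^<(%s)>[ \t]*\n(.*?)^</\1>[ \t]*$" % "|".join(INLINE_TAGS), re.M | re.S)

def parse_ovpn(text):
    """Extract endpoint, transport, crypto and inline-key fields from .ovpn text."""
    cfg = {"remotes": [], "proto": "udp", "cipher": None, "auth": None,
           "key_direction": None, "compression": None, "inline": {}}

    def stash(match):  # keep the block body, drop it from the directive stream
        cfg["inline"][match.group(1)] = match.group(2).strip()
        return ""

    for raw in BLOCK_RE.sub(stash, text).splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # strip comments
        if not words:
            continue
        name, args = words[0], words[1:]
        if name == "remote" and args:
            port = int(args[1]) if len(args) > 1 else 1194  # OpenVPN default port
            cfg["remotes"].append((args[0], port))
        elif name in ("proto", "cipher", "auth") and args:
            cfg[name] = args[0]
        elif name == "key-direction" and args:
            cfg["key_direction"] = int(args[0])
        elif name in ("comp-lzo", "compress"):
            cfg["compression"] = " ".join(words)
    return cfg

def handshake_gaps(cfg):
    """List what is missing for a full client handshake (empty list = ready)."""
    gaps = [tag for tag in ("ca", "cert", "key") if tag not in cfg["inline"]]
    return gaps + ([] if cfg["remotes"] else ["remote"])

# Constructed sample config; key material is placeholder text, not real PEM.
SAMPLE = """\
proto tcp
remote vpn.example.com 443   # constructed hostname
cipher AES-256-GCM
auth SHA256
key-direction 1
<ca>
PLACEHOLDER-CA-PEM
</ca>
<tls-auth>
PLACEHOLDER-STATIC-KEY
</tls-auth>
"""
```

Running handshake_gaps(parse_ovpn(SAMPLE)) flags the missing client cert and key, which is the case the FAQ entry on client credentials addresses.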
2. Real OpenVPN handshake
TunnelHQ negotiates the TLS control channel, verifies the server cert against the CA, exchanges the HMAC tls-auth/tls-crypt challenge, and validates the key material. Only a successful full exchange counts as "up".
3. UDP and TCP supported
OpenVPN's most common deployment is UDP/1194 for performance, TCP/443 for censorship resistance. TunnelHQ monitors both, and will distinguish between "UDP path blocked" and "server actually down".
4. Regional check nodes
Checks run from US, EU, APAC, SA regions. If OpenVPN fails from one region but succeeds from others, you know it's regional — often BGP routing, ISP-level blocking, or geographic rate-limiting — not a server issue.
Alerts and integrations
Sub-second alerts on state change via:
- Email — included in every plan
- Slack — threaded with incident IDs
- Telegram, Discord — bot integrations
- Webhook — raw JSON POST for custom pipelines
Pricing for OpenVPN monitoring
| Plan | OVPN Monitors | Interval | Price |
|---|---|---|---|
| Free | 5 | 10 min | $0 |
| Starter | 20 | 5 min | $12/mo or $84/yr |
| Pro | 100 | 2 min | $39/mo or $276/yr |
| Business | 500 | 1 min | $99/mo or $756/yr |
FAQ
Does TunnelHQ support both UDP and TCP OpenVPN?
Yes. Auto-detected from the proto line in your .ovpn config. Both are first-class.
What about tls-crypt-v2?
Supported. TunnelHQ handles tls-auth, tls-crypt, and tls-crypt-v2 keys. If your config uses embedded key material, paste the full config and TunnelHQ will use it directly.
Does TunnelHQ need my client certificate and private key?
Yes — without the client cert/key, we can't do a real handshake. Everything is stored with AES-256-GCM encryption and never shared. For best hygiene, generate a dedicated monitoring client cert separate from your real users' credentials, and revoke it if you ever stop using TunnelHQ.
Can TunnelHQ monitor self-hosted OpenVPN Access Server?
Yes — the same user-exported .ovpn config format works. TunnelHQ doesn't need the admin interface; it just needs a standard client config.