OpenVPN log - log userids?
-
So I went looking in /var/log/openvpn.log to see who had logged in using pfSense, and I was unable to do so for two reasons:
1. The entire log is filled with
Jul 9 07:31:41 remote openvpn[24106]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jul 9 07:31:41 remote openvpn[24106]: MANAGEMENT: CMD 'status 2' Jul 9 07:31:42 remote openvpn[24106]: MANAGEMENT: CMD 'quit' Jul 9 07:31:42 remote openvpn[24106]: MANAGEMENT: Client disconnected Jul 9 07:32:44 remote openvpn[24106]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jul 9 07:32:44 remote openvpn[24106]: MANAGEMENT: CMD 'status 2' Jul 9 07:32:44 remote openvpn[24106]: MANAGEMENT: CMD 'quit' Jul 9 07:32:44 remote openvpn[24106]: MANAGEMENT: Client disconnected Jul 9 07:33:46 remote openvpn[24106]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock Jul 9 07:33:46 remote openvpn[24106]: MANAGEMENT: CMD 'status 2' Jul 9 07:33:46 remote openvpn[24106]: MANAGEMENT: CMD 'quit' Jul 9 07:33:46 remote openvpn[24106]: MANAGEMENT: Client disconnected
which means that thanks to clog, I'm only storing ~48hrs of openvpn log, and that it's also really hard to find what I'm looking for among the logspam, and
2. even when I do find an openvpn connection event in the log, it doesn't appear to log the username:
Jul 10 11:19:51 remote openvpn[69623]: OpenVPN 2.3.17 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 26 2017 Jul 10 11:19:51 remote openvpn[69623]: library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10 Jul 10 11:19:51 remote openvpn[69734]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want Jul 10 11:19:51 remote openvpn[69734]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jul 10 11:19:51 remote openvpn[69734]: Initializing OpenSSL support for engine 'cryptodev' Jul 10 11:19:51 remote openvpn[69734]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate Jul 10 11:19:51 remote openvpn[69734]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file Jul 10 11:19:51 remote openvpn[69734]: TUN/TAP device ovpns1 exists previously, keep at program end Jul 10 11:19:51 remote openvpn[69734]: TUN/TAP device /dev/tun1 opened Jul 10 11:19:51 remote openvpn[69734]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1 Jul 10 11:19:51 remote openvpn[69734]: /sbin/ifconfig ovpns1 192.168.99.1 192.168.99.2 mtu 1500 netmask 255.255.255.0 up Jul 10 11:19:51 remote openvpn[69734]: /sbin/ifconfig ovpns1 inet6 fd60:7f9c:65d8:99::1/64 Jul 10 11:19:51 remote openvpn[69734]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1559 192.168.99.1 255.255.255.0 init Jul 10 11:19:51 remote openvpn[69734]: Listening for incoming TCP connection on [AF_INET]205.200.228.156:1194 Jul 10 11:19:51 remote openvpn[69734]: TCPv4_SERVER link local (bound): [AF_INET]205.200.228.156:1194 Jul 10 11:19:51 remote openvpn[69734]: TCPv4_SERVER link remote: [undef] Jul 10 11:19:51 remote openvpn[69734]: Initialization Sequence Completed
…where's the userid???
Am I missing something obvious here? I don't want to know who's connected right now, I know how to find that out, I want to know who connected at (e.g.) 3:48AM last Wednesday. How do I accomplish this?
-
The first log was all GUI status checks. Perhaps you left the dashboard open.
The second log was just the service starting up, no clients connected.
Then they do connect, the username shows in the log.
-
Would it be possible to first read the log, filter out management lines, store it in a file then GUI reads the file instead of OpenVPN`s own log?
-
No.
More likely might be in the future having a separate VPN "login" log like we have for PPPoE and L2TP servers, where we just have the auth script log there instead of (or in addition to) the main OpenVPN log.
-
Here I just disconnected and reconnected so it was at the top of my log. As you can see it logs username, and you could also just enable the openvpn widget on your desktop to show you who is connected.
If you want to filter your logs for just login, you should be able to send to syslog and then just filter you syslog to show you what your interested in.
Your other option if your log is not holding enough info for you would be change the log file size from its default.
edit: Just thought of another way to just see your logins.. Filter your log in the gui - see picture 3
-
OK, so what I got out of this so far is:
1. when someone connects, it does log their username. Somewhere in there, anyway. I don't have any examples right now.
1b. server startup looks an awful lot like a tunnel coming up!2. something on my firewall continuously polls OpenVPN status even though no-one's logged in to the admin GUI [this is kind of concerning…]
3. because of #2, there's effectively no way for me to look back in time to see who connected when. (This actually sucks pretty bad right at the moment, but oh well.)
~~4. the forum software doesn't like johnpoz or me, the attachments/logs/etc he references in his post aren't visible to me. Is this a setting somewhere?
5. I still don't reallly have an answer to my ultimate question, which was: "I want to know who connected at (e.g.) 3:48AM last Wednesday. How do I accomplish this?" At the moment, it looks like the answer is, essentially, "tough luck".~~
Suddenly the pictures show up, and johnpoz' post makes a lot more sense. Thanks for the pointers!
-
That is the pfSense GUI polling OpenVPN`s management interface to show you information.
Nothing to worry about. -
@johnpoz Hi JohnPoz! any chance that you could share "picture 3" again?
The pic was In regards to filtering the pfsense gui log for vpn user logins. (old thread)