OpenVPN no authenticated log generated
-
Hi All,
I edited the /usr/local/sbin/openvpn.attributes.sh file to get a user-disconnected log, but for the last 2 days no authenticated log has been generated anymore.
My first config with "log-verbose:default" did not work anymore and I changed it to 4; then I HAVE TO configure "log-append /var/log/openvpn.log", but still there is no user authenticated log, although the log must be generated by default for the authenticate event.
My file:

```sh
#!/bin/sh
#
# openvpn.attributes.sh
#
# part of pfSense (https://www.pfsense.org)
# Copyright (c) 2004-2020 Rubicon Communications, LLC (Netgate)
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

if [ "$script_type" = "client-connect" ]; then
    if [ -f /tmp/$common_name ]; then
        /bin/cat /tmp/$common_name > $1
        /bin/rm /tmp/$common_name
        /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /var/log/openvpn.log #for test
        /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /home/tien.tran/testlog.log #for test
    fi
elif [ "$script_type" = "client-disconnect" ]; then
    command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
    eval $command
    /sbin/pfctl -k $ifconfig_pool_remote_ip
    /sbin/pfctl -K $ifconfig_pool_remote_ip
    /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' disconnected" >> /var/log/openvpn.log
fi

exit 0
```

But no authenticated log is created???
Please, if you have any solutions.
Thanks & Regards
-
out of the blue
why don't you use the method described here:
Forum: email-notification-openvpn-client-connect-common-name
works like a charm.
-
@noplan It's great, but I only need the log.
I don't know how to make your script work. Can I change the client-connect/disconnect sh file without any problem?
Sorry, I'm a newbie here.
Thanks
-
@tienpro113396 said in OpenVPN no authenticated log generated:
Can I change the client-connect/disconnect sh file without any problem?
Well, you decided to edit pfSense core files without thinking that that wouldn't be a problem.
So, yes, or no ... dunno. No problem. The files client-connect/disconnect sh mentioned in the other thread are mailing out, but they could even make you a coffee, or log to some file, you decide. It's a shell script - only your brains are the limiting factor here.
Looking at what you did to your "/usr/local/sbin/openvpn.attributes.sh", I guess you will manage.
And without changing core files ;)
-
@Gertjan Yes, with that script I only get the disconnected log. My log file has the authenticated log by default, without any echo command I added. So the question here is why they don't run the condition???

```sh
if [ "$script_type" = "client-connect" ]; then
    if [ -f /tmp/$common_name ]; then
        /bin/cat /tmp/$common_name > $1
        /bin/rm /tmp/$common_name
    fi
```
-
For what it's worth, here's what I did some time ago to get some more useful stuff out of openVPN syslogs. I have the Verbosity level set to "none" in the OpenVPN config.
The openvpn.attributes.sh file will be overwritten by updates.
```sh
#!/bin/sh
#
# openvpn.attributes.sh
#
# part of pfSense (https://www.pfsense.org)
# Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
# All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

if [ "$script_type" = "client-connect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_pool_remote_ip}."
    if [ -f /tmp/$common_name ]; then
        /bin/cat /tmp/$common_name > $1
        /bin/rm /tmp/$common_name
    fi
elif [ "$script_type" = "client-disconnect" ]; then
    logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_pool_remote_ip}. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes"
    command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
    eval $command
    /sbin/pfctl -k $ifconfig_pool_remote_ip
    /sbin/pfctl -K $ifconfig_pool_remote_ip
fi

exit 0
```
-
@biggsy But I didn't run any update, and the openvpn.attributes.sh was not changed! In case this file is overwritten to default, it should have the authenticate log, right?
-
I don't know how this file is used, in what context, etc.
@tienpro113396 said in OpenVPN no authenticated log generated:
openvpn.attributes.sh
-
@tienpro113396
Sorry, I don't know why it would have stopped logging, but I think using logger is possibly a better way to do this. Forgot to mention that there are functions available to format the numbers, but that wasn't so important to me.
-
@Gertjan Yes, I need to log users' disconnect time. I did some research and know that I can edit that file to get the disconnected log in the openvpn.log file. For 5 days I had both authenticated and disconnected logs, and boom, only the disconnected log appears there. No more authenticated log.
-
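Since the goal stated above is to get disconnect times per user, here is an added example (not code from the thread or from pfSense) that pairs the "authenticated" and "disconnected" lines the poster's echo commands write to /var/log/openvpn.log into sessions with a duration, reports disconnects that have no matching authentication (the exact symptom of this thread) and lists sessions still open. The sample_log and sessions names and the log lines are constructed for this example; it assumes the "Mon DD HH:MM:SS host openvpn: user 'NAME' event" line format shown in the script above and uses only POSIX awk, so it runs on pfSense's FreeBSD shell as well as on Linux.

```sh
#!/bin/sh
# Added example: session accounting over the openvpn.log line format used in this thread.

# Constructed sample, standing in for /var/log/openvpn.log.
sample_log() {
cat <<'EOF'
Mar 02 08:00:10 pfSense2 openvpn: user 'alice' authenticated
Mar 02 08:05:42 pfSense2 openvpn: user 'bob' authenticated
Mar 02 09:30:10 pfSense2 openvpn: user 'alice' disconnected
Mar 02 10:00:00 pfSense2 openvpn: user 'carol' disconnected
Mar 02 11:15:00 pfSense2 openvpn: user 'alice' authenticated
EOF
}

# Read log lines on stdin; print SESSION / WARN / OPEN records on stdout.
# Fields: 1=Mon 2=DD 3=HH:MM:SS 4=host 5=openvpn: 6=user 7='NAME' 8=event
sessions() {
awk '
BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) mon[m[i]] = i
    # days before each month, non-leap year: durations that cross Feb 29 are off by one day,
    # and syslog-style stamps carry no year, so this is only for sessions within one year
    split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
}
# seconds since Jan 1 00:00:00 for "Mon DD HH:MM:SS"
function stamp(mo, d, t,   h) {
    split(t, h, ":")
    return ((cum[mon[mo]] + d - 1) * 86400) + h[1] * 3600 + h[2] * 60 + h[3]
}
{
    user = substr($7, 2, length($7) - 2)   # strip the quotes around the common name
    ts = stamp($1, $2 + 0, $3)
    if ($8 == "authenticated") {
        if (user in start)
            printf "WARN %s re-authenticated without disconnect at %s %s %s\n", user, $1, $2, $3
        start[user] = ts
        when[user] = $1 " " $2 " " $3
    } else if ($8 == "disconnected") {
        if (user in start) {
            printf "SESSION %s %s duration=%ds\n", user, when[user], ts - start[user]
            delete start[user]
        } else {
            # a disconnect with no preceding authentication: the "missing log" case of this thread
            printf "WARN %s disconnected with no matching authentication at %s %s %s\n", user, $1, $2, $3
        }
    }
}
END { for (u in start) printf "OPEN %s since %s\n", u, when[u] }
'
}

# Usage on a real box: sessions < /var/log/openvpn.log
# Demo on the constructed sample: sample_log | sessions
```

On the sample this prints one SESSION line for alice (5400 s), a WARN for carol's orphaned disconnect, and OPEN records for bob and for alice's second login. Running it against the real log once a day is a cheap way to notice when the authenticated side of the pair stops appearing, which is exactly what happened here.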
Put these commands on the second line of your script file openvpn.attributes.sh:
/usr/bin/logger "test"
/usr/bin/logger $script_type
Also, type
logger "test"
at the command line (console or SSH access - no GUI) and have a look at the main System log ^^
Now, test.
When this file gets used, it will log.
-
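The test above depends on OpenVPN actually invoking the script with the right environment. As an added example (not code from the thread or from pfSense), here is a hook with the same shape as openvpn.attributes.sh, with variables quoted, plus a small harness that exports the variables OpenVPN sets for these hooks (script_type, common_name, trusted_ip, ifconfig_pool_remote_ip, bytes_sent, bytes_received) and passes the client-config output file as $1, so the logging path can be exercised from a plain shell with no VPN session. The vpn_log, vpn_hook, simulate and count_events names and the VPN_LOG/ATTR_DIR variables are this example's own; logger and pfctl are replaced by appending to a file so it runs anywhere. Note that the event is logged before the attribute-file check, so a missing /tmp/$common_name file can never hide a connect.

```sh
#!/bin/sh
# Added example: a client-connect/client-disconnect hook plus an offline harness.

VPN_LOG="${VPN_LOG:-$(mktemp)}"         # stands in for /var/log/openvpn.log or logger(1)
ATTR_DIR="${ATTR_DIR:-$(mktemp -d)}"    # stands in for /tmp, where pfSense drops per-user attribute files

# Append one timestamped line; on pfSense this is where `logger -t openvpn` would go.
vpn_log() {
    printf '%s openvpn: %s\n' "$(date +'%b %d %H:%M:%S')" "$1" >> "$VPN_LOG"
}

# Hook body. OpenVPN exports script_type and the connection variables, and for
# client-connect passes the file to write client-config directives into as $1.
vpn_hook() {
    case "$script_type" in
        client-connect)
            # log first, so the event is recorded whether or not an attribute file exists
            vpn_log "user '${common_name}' at ${trusted_ip} authenticated on ${ifconfig_pool_remote_ip}"
            if [ -f "$ATTR_DIR/$common_name" ]; then
                cat "$ATTR_DIR/$common_name" > "$1"
                rm -f "$ATTR_DIR/$common_name"
            fi
            ;;
        client-disconnect)
            vpn_log "user '${common_name}' at ${trusted_ip} disconnected from ${ifconfig_pool_remote_ip}, sent ${bytes_sent:-0} rcvd ${bytes_received:-0}"
            # pfSense's real script also flushes the per-user pf rules and states with pfctl here
            ;;
        *)
            vpn_log "unexpected script_type '${script_type}'"
            return 1
            ;;
    esac
    return 0
}

# Harness: fake one OpenVPN callback.
# Usage: simulate <script_type> <common_name> <trusted_ip> <tunnel_ip> [bytes_sent] [bytes_received]
simulate() {
    export script_type="$1"
    export common_name="$2"
    export trusted_ip="$3"
    export ifconfig_pool_remote_ip="$4"
    export bytes_sent="${5:-0}"
    export bytes_received="${6:-0}"
    vpn_hook "$ATTR_DIR/ccd-out.$common_name"
}

# Number of log lines for <user> <event>; prints 0 when there are none.
count_events() {
    grep -c "user '$1' .* $2" "$VPN_LOG" 2>/dev/null || true
}

# Example run:
#   simulate client-connect alice 203.0.113.5 10.8.0.2
#   simulate client-disconnect alice 203.0.113.5 10.8.0.2 1024 2048
#   cat "$VPN_LOG"
```

To use it against the real file, save the hook part as a script, point VPN_LOG at /var/log/openvpn.log, and run the two simulate calls as root; if the lines appear there but not when a client connects, the script is not being invoked by OpenVPN at all (check the client-connect/client-disconnect directives in the server config), which is the same distinction the logger "test" trick above is meant to make.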
@Gertjan great tips. And I don't have "test" in Status\System Logs\OpenVPN :((
Change to that, right?

```sh
if [ "$script_type" = "client-connect" ]; then
    if [ -f /tmp/$common_name ]; then
        /usr/bin/logger "test"
        /usr/bin/logger $script_type
        /bin/cat /tmp/$common_name > $1
        /bin/rm /tmp/$common_name
        /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /var/log/openvpn.log
        /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /home/tien.tran/testlog.log
    fi
elif [ "$script_type" = "client-disconnect" ]; then
    command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
    eval $command
    /sbin/pfctl -k $ifconfig_pool_remote_ip
    /sbin/pfctl -K $ifconfig_pool_remote_ip
    /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' disconnected" >> /var/log/openvpn.log
fi

exit 0
```
-
There was also "explicit-exit-notify" and automatic timeouts.
You can see some discussion in Redmine: issue 9085
-
@tienpro113396 said in OpenVPN no authenticated log generated:
And I don't have "test" in Status\System Logs\OpenVPN :((
That's right.
The "logger" command will log in the System log (as said above).
-
... and Redmine 9108
-
That redmine ticket was closed because .... the (your) issue isn't an issue ;)
-
@biggsy I added "explicit-exit-notify 3" before and got some error, so I deleted it :v
-
@Gertjan Thanks! I see that log. I will check more about that.
-
True - but there was some discussion that others might find interesting or useful.
-
hey all
does it really make sense to do scripting in core pfS files?
I don't think so.
if you want to receive emails when vpn-clients log in or out
use the method described in this post: https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/26
as far as some others are concerned, if you read the post from top to bottom
you can use a nice working tool truly mentioned
as @Gertjan mentioned, you or someone can add logger to the script to get more information into the log. The main question still remains:
does it really make sense to do scripting in core pfS files?