OpenVPN no authenticated log generated
-
out of the blue
why dont you use the method described here
Forum:email-notification-openvpn-client-connect-common-nameworks like a charm.
-
@noplan It's great but I only need log
I dont know how to make your script work. Can I change the client-connect/disconnect sh file without any problem?
Sorry I'm newbie here
Thanks -
@tienpro113396 said in OpenVPN no authenticated log generated:
Can I change the client-connect/disconnect sh file without any problem?
Well, you decided to edit pfSense core files without thinking that that wouldn't be a problem.
So, yes, or no ... dono, . no problem.The files client-connect/disconnect sh mentioned in the other thread are mailing out but they could even make you a coffee, or log to some file, you decide. It's a shell script - only your brains are the the limiting factor here.
Looking at what you did to your "/usr/local/sbin/openvpn.attributes.sh", I guess you will manage.
And without changes core files ;) -
@Gertjan Yes with that script I only get disconnected log. My log file have authenticated log by default without any echo command I added. So the question here is why they dont run the condition???
if [ "$script_type" = "client-connect" ]; then if [ -f /tmp/$common_name ]; then /bin/cat /tmp/$common_name > $1 /bin/rm /tmp/$common_name fi
-
For what it's worth, here's what I did some time ago to get some more useful stuff out of openVPN syslogs. I have the Verbosity level set to "none" in the OpenVPN config.
The openvpn.attributes.sh file will be overwritten by updates.
#!/bin/sh # # openvpn.attributes.sh # # part of pfSense (https://www.pfsense.org) # Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate) # All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. if [ "$script_type" = "client-connect" ]; then logger -t openvpn "User '${common_name}' at ${trusted_ip} connected on tunnel IP ${ifconfig_pool_remote_ip}." if [ -f /tmp/$common_name ]; then /bin/cat /tmp/$common_name > $1 /bin/rm /tmp/$common_name fi elif [ "$script_type" = "client-disconnect" ]; then logger -t openvpn "User '${common_name}' at ${trusted_ip} disconnected on tunnel IP ${ifconfig_pool_remote_ip}. Server sent ${bytes_sent} bytes, rcvd ${bytes_received} bytes" command="/sbin/pfctl -a 'openvpn/$common_name' -F rules" eval $command /sbin/pfctl -k $ifconfig_pool_remote_ip /sbin/pfctl -K $ifconfig_pool_remote_ip fi exit 0
-
@biggsy But I don't run any update and the openvpn.attributes.sh not changed! In case this file overwritten to default, it should have authenticate log, right?
-
I don't know how this file is used, in what context, etc.
@tienpro113396 said in OpenVPN no authenticated log generated:
openvpn.attributes.sh
-
@tienpro113396
Sorry, I don't know why it would have stopped logging but I think using logger is possibly a better way to do this.Forgot to mention that there are functions available to format the numbers but that wasn't so important to me.
-
@Gertjan Yes I need to logging users disconnect time, I do a research and know that I can edit that file to get the disconnected log in openvpn.log file. In 5 days I have both authenticated and disconnected log and boom only disconnected log appear there. No more authenticated log
-
Put on the second line in your script file openvpn.attributes.sh these commands :
/usr/bin/logger "test"
/usr/bin/logger $script_typealso, type
logger "test"
at the command line (console or SSH access - no GUI) and have a look at the main System log ^^
Now, test.
When this file gets used, it will log. -
@Gertjan great tips. And I dont have "test" on StatusSystem\Logs\OpenVPN :((
Change to that, right?if [ "$script_type" = "client-connect" ]; then if [ -f /tmp/$common_name ]; then /usr/bin/logger "test" /usr/bin/logger $script_type /bin/cat /tmp/$common_name > $1 /bin/rm /tmp/$common_name /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /var/log/openvpn.log /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /home/tien.tran/testlog.log fi elif [ "$script_type" = "client-disconnect" ]; then command="/sbin/pfctl -a 'openvpn/$common_name' -F rules" eval $command /sbin/pfctl -k $ifconfig_pool_remote_ip /sbin/pfctl -K $ifconfig_pool_remote_ip /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' disconnected" >> /var/log/openvpn.log fi exit 0
-
There was also "explicit-exit-notify" and automatic timeouts.
You can see some discussion in Redmine: issue 9085
-
@tienpro113396 said in OpenVPN no authenticated log generated:
And I dont have "test" on StatusSystem\Logs\OpenVPN :((
That's right.
the "logger" command will log in the System log (as said above). -
... and Redmine 9108
-
That redmine ticket was closed because .... the (your) issue isn't an issue ;)
-
@biggsy I added "explicit-exit-notify 3" before and got some error so I delete it :v
-
@Gertjan Thanks! I see that log.I will check more about that
-
True - but there was some discussion that others might find interesting or useful.
-
hey all
does it really make sense to do scripting in core pfS files ?
i dont think so.
if you want to receive emails when vpn-clients log in or out
use the method described in this posthttps://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/26
as far as some others are concerned if you read the post from top to bottom
you can use a nice working tooltruely mentioned
as @Gertjan mentioned you or someone can aff logger to the script to get more information into the logthe main question still remains
does it really make sense to do scripting in core pfS files ? -
@noplan said:
does it really make sense to do scripting in core pfS files ?
No, it's not ideal to modify the core files. However, did you see the note in 9085 about conflicting scripts?
Putting client-connect and client-disconnect entries in Custom options caused /usr/local/sbin/openvpn.attributes.sh to be overridden. (I wonder if users of the solution in the other topic are seeing that.)
As openvpn.attributes.sh appears to be cleaning up pf table entries on client-disconnect, it didn't seem wise to override it. Adding the two logger lines to it seemed to be the safer, if not the cleanest, way.