Netgate Discussion Forum

OpenVPN no authenticated log generated

  • B
    biggsy @tienpro113396
    last edited by biggsy Mar 31, 2020, 7:43 AM Mar 31, 2020, 7:40 AM

    @tienpro113396
    Sorry, I don't know why it would have stopped logging but I think using logger is possibly a better way to do this.

    Forgot to mention that there are functions available to format the numbers but that wasn't so important to me.

    • T
      tienpro113396 @Gertjan
      last edited by Mar 31, 2020, 7:48 AM

      @Gertjan Yes, I need to log users' disconnect time. I did some research and know that I can edit that file to get the disconnected log in the openvpn.log file. For 5 days I had both authenticated and disconnected logs and boom, only the disconnected log appears there. No more authenticated log.

      • G
        Gertjan
        last edited by Gertjan Mar 31, 2020, 7:54 AM Mar 31, 2020, 7:53 AM

        Put these commands on the second line of your script file openvpn.attributes.sh:

        /usr/bin/logger "test"
        /usr/bin/logger "$script_type"

        Also, type

        logger "test"

        at the command line (console or SSH access - no GUI) and have a look at the main System log ^^


        Now, test.
        When this file gets used, it will log.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • T
          tienpro113396 @Gertjan
          last edited by tienpro113396 Mar 31, 2020, 7:59 AM Mar 31, 2020, 7:58 AM

          @Gertjan Great tips. And I don't have "test" on StatusSystem\Logs\OpenVPN :((
          Change to that, right?

          if [ "$script_type" = "client-connect" ]; then
                  if [ -f "/tmp/$common_name" ]; then
                          # Test entries; logger writes to the main System log
                          /usr/bin/logger "test"
                          /usr/bin/logger "$script_type"
                          # Hand the per-user settings to OpenVPN, then remove the temp file
                          /bin/cat "/tmp/$common_name" > "$1"
                          /bin/rm "/tmp/$common_name"
                          /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /var/log/openvpn.log
                          /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' authenticated" >> /home/tien.tran/testlog.log
                  fi
          elif [ "$script_type" = "client-disconnect" ]; then
                  # Flush the per-user anchor rules; called directly rather than through
                  # eval so the client-supplied name is never re-parsed by the shell
                  /sbin/pfctl -a "openvpn/$common_name" -F rules
                  # Kill the states to and from the client's tunnel address
                  /sbin/pfctl -k "$ifconfig_pool_remote_ip"
                  /sbin/pfctl -K "$ifconfig_pool_remote_ip"
                  /bin/echo "$(date +'%b %d %H:%M:%S') pfSense2 openvpn: user '${common_name}' disconnected" >> /var/log/openvpn.log
          fi

          exit 0
          
          • B
            biggsy @Gertjan
            last edited by Mar 31, 2020, 8:01 AM

            There was also "explicit-exit-notify" and automatic timeouts.

            You can see some discussion in Redmine: issue 9085

            • G
              Gertjan @tienpro113396
              last edited by Mar 31, 2020, 8:03 AM

              @tienpro113396 said in OpenVPN no authenticated log generated:

              And I don't have "test" on StatusSystem\Logs\OpenVPN :((

              That's right.
              The "logger" command will log in the System log (as said above).

              • B
                biggsy
                last edited by Mar 31, 2020, 8:11 AM

                ... and Redmine 9108

                • G
                  Gertjan
                  last edited by Mar 31, 2020, 8:35 AM

                  That redmine ticket was closed because .... the (your) issue isn't an issue ;)

                  • T
                    tienpro113396 @biggsy
                    last edited by Mar 31, 2020, 8:41 AM

                    @biggsy I added "explicit-exit-notify 3" before and got some error so I deleted it :v

                    • T
                      tienpro113396 @Gertjan
                      last edited by Mar 31, 2020, 8:44 AM

                      @Gertjan Thanks! I see that log. I will check more about that.

                      • B
                        biggsy @Gertjan
                        last edited by Mar 31, 2020, 9:28 AM

                        @Gertjan

                        True - but there was some discussion that others might find interesting or useful.

                        • N
                          noplan
                          last edited by Mar 31, 2020, 9:48 AM

                          hey all

                          does it really make sense to do scripting in core pfS files ?

                          i don't think so.

                          if you want to receive emails when vpn-clients log in or out
                          use the method described in this post

                          https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/26

                          as far as some others are concerned if you read the post from top to bottom
                          you can use a nice working tool

                          truly mentioned
                          as @Gertjan mentioned you or someone can add logger to the script to get more information into the log

                          the main question still remains
                          does it really make sense to do scripting in core pfS files ?

                          • B
                            biggsy @noplan
                            last edited by Apr 1, 2020, 1:06 AM

                            @noplan said:

                            does it really make sense to do scripting in core pfS files ?

                            No, it's not ideal to modify the core files. However, did you see the note in 9085 about conflicting scripts?

                            Putting client-connect and client-disconnect entries in Custom options caused /usr/local/sbin/openvpn.attributes.sh to be overridden. (I wonder if users of the solution in the other topic are seeing that.)

                            As openvpn.attributes.sh appears to be cleaning up pf table entries on client-disconnect, it didn't seem wise to override it. Adding the two logger lines to it seemed to be the safer, if not the cleanest, way.

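Added example (not part of the thread and not pfSense code): one way to write the logger lines discussed above so that connect and disconnect events reach the System log with client-supplied fields sanitized first. The variable names are the ones OpenVPN exports to client-connect and client-disconnect scripts; the function names and the `openvpn-hook` tag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not pfSense code): log OpenVPN connect/disconnect events to syslog.
# OpenVPN exports script_type, common_name, trusted_ip and, on disconnect,
# bytes_received, bytes_sent and time_duration as environment variables.

# Keep only characters that cannot break or forge a syslog line
# (drops newlines, spaces, quotes and control characters).
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._@:-'
}

# Accept a value only if it is a plain decimal number, else print 0.
numeric() {
    case "$1" in
        ''|*[!0-9]*) printf '0' ;;
        *) printf '%s' "$1" ;;
    esac
}

# Build the message text for the current event from the environment.
vpn_event_line() {
    user=$(sanitize "${common_name:-unknown}")
    src=$(sanitize "${trusted_ip:-unknown}")
    case "${script_type:-}" in
        client-connect)
            printf "user '%s' authenticated from %s" "$user" "$src" ;;
        client-disconnect)
            printf "user '%s' disconnected from %s after %ss, rx=%s tx=%s bytes" \
                "$user" "$src" "$(numeric "${time_duration:-}")" \
                "$(numeric "${bytes_received:-}")" "$(numeric "${bytes_sent:-}")" ;;
        *)
            return 1 ;;   # not an event this hook logs
    esac
}

# Send the line to syslog; the tag "openvpn-hook" is a constructed name.
log_vpn_event() {
    line=$(vpn_event_line) || return 0
    /usr/bin/logger -t openvpn-hook -p daemon.info "$line"
}

# Only log when OpenVPN invoked us (script_type is set by OpenVPN).
if [ -n "${script_type:-}" ]; then
    log_vpn_event
fi
```

As noted earlier in the thread, entries written with logger appear in the main System log rather than in the OpenVPN log tab.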
                            • N
                              noplan @Gertjan
                              last edited by Apr 1, 2020, 5:48 AM

                              @Gertjan
                              how can they (.sh scripts) make me coffee .... /me pretty interested ;)
                              but for real dyin from coffee overdose not the best way to leave this world ...

                              • N
                                noplan @biggsy
                                last edited by Apr 1, 2020, 5:52 AM

                                @biggsy

                                help me out, still early mornin here,
                                i get the concern at client-connect (point taken)
                                i dont get it at client-disconnect

                                so addin the logger lines to the scripts (connect and disconnect) will be a task for today.

                                i'll keep u posted on this one.

                                • G
                                  Gertjan @noplan
                                  last edited by Apr 1, 2020, 6:08 AM

                                  @noplan said in OpenVPN no authenticated log generated:

                                  how can they (.sh scripts) make me coffee .... /me pretty interested ;)

                                  Scripts build cars, fly planes and launch nukes.
                                  And coffee should be a problem ?

                                  • B
                                    biggsy @noplan
                                    last edited by biggsy Apr 1, 2020, 6:30 AM Apr 1, 2020, 6:25 AM

                                    @noplan said in OpenVPN no authenticated log generated:

                                    @biggsy

                                    help me out, still early mornin here,
                                    i get the concern at client-connect (point taken)
                                    i dont get it at client-disconnect

                                    I'm just saying that the solution offered in the other topic (using user-written client-connect and client-disconnect scripts in Custom options) will conflict with and prevent the openvpn.attributes.sh script from running.

                                    Because openvpn.attributes.sh uses pfctl to kill state entries when a client disconnects, I think it's better to just add in the logger calls and let the rest of the script do its thing.

                                    By modifying openvpn.attributes.sh, though, you are changing one of the core pfSense files.

                                    • G
                                      Gertjan
                                      last edited by Gertjan Apr 1, 2020, 7:12 AM Apr 1, 2020, 7:11 AM

                                      These lines :

                                      ...
                                      client-connect /usr/local/sbin/openvpn.attributes.sh
                                      client-disconnect /usr/local/sbin/openvpn.attributes.sh
                                      ...
                                      are placed into the openvpn server config file when one of these LAST two options are chosen (User Auth ...) :

                                      Each pfSense OpenVPN server instance has a config file here : /var/etc/openvpn/.....


                                      So, when User names and passwords are used, "/usr/local/sbin/openvpn.attributes.sh" is used with the client-connect and client-disconnect commands.

                                      In that case, adding client-connect and client-disconnect commands in the "Custom options" box has consequences and/or side effects. Which ones? Dunno, up to you to find out.

                                      So, when you want to use client-connect and client-disconnect commands (with your own scripts) in the Custom options box, you should not choose to use User/password auth, just SSL/TLS.

                                      Btw : had to look up in the manual, the one that explains it all ;)

                                      • B
                                        biggsy
                                        last edited by biggsy Apr 1, 2020, 7:47 AM Apr 1, 2020, 7:32 AM

                                        Thanks for that @Gertjan. By "the manual" I assume you mean the code.

                                        I've only ever used the last two options and didn't realize that openvpn.attributes.sh wasn't used in the top three.

                                        Hmmm...
                                        I think I can see why it wouldn't apply to Peer to Peer but I'm now wondering why it wouldn't apply to Remote Access (SSL/TLS)

                                        Got it!

                                        • N
                                          noplan @Gertjan
                                          last edited by Apr 1, 2020, 12:48 PM

                                          @Gertjan
                                          alright gotYa ! no my coffeeMachine is not gettin a network connection NO WAY !
                                          plenty of IoT Crap here ;)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.