API log for OPEN VPN



  • Hi guys.

    Is there a way to use an API to get OpenVPN logs?
    I want to see in real time who is connected to my VPN, but I want this information outside the pfSense WebGUI.


  • LAYER 8 Moderator

    You can simply do the following: create a monitoring/whatever-like user that can only log in via SSH to your firewall, then let it log in and use a command like

    echo status <1-3> | socat - UNIX-CONNECT:/var/etc/openvpn/<your_server_socket>.sock
    
    e.g.:
    
    echo status 2 | socat - UNIX-CONNECT:/var/etc/openvpn/server1.sock
    

    The output should be something like

    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    TITLE,OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
    TIME,Tue Jun 30 11:44:24 2020,1593510264
    HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
    CLIENT_LIST,<username>,<real_user_ip>:10911,<vpn_ip>,,1544896,6129124,Tue Jun 30 11:29:13 2020,1593509353,<username>,121,4
    HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
    ROUTING_TABLE,<vpn_ip>,<username>,<real_user_ip>:10911,Tue Jun 30 11:44:24 2020,1593510264
    GLOBAL_STATS,Max bcast/mcast queue length,0
    END
    

    where <username> is obviously the OpenVPN user connected, <vpn_ip> is the internal VPN IP handed out via OpenVPN and <real_user_ip> is its external IP where the client is connecting from. The "Connected Since" columns give you an idea about the login time / how long it's connected.

    There are other values for "status", e.g. status 1 is more compact and CSV-like, and status 3 is more verbose with some spaces/tabs for formatting. Status 2 is a CSV-like export that should be good to use in other scripts or monitoring systems and is the same value pfSense itself uses when querying the management port via the OpenVPN/Status page.
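
Added example, not part of the original post: a Python parser for the `status 2` output shown above that maps each CLIENT_LIST row through its HEADER line instead of fixed positions and reports who is connected and for how long. The sample users and addresses are constructed, and the function names are this example's own.

```python
import csv
import json
import sys

# Constructed, abridged sample in the "status 2" layout; users and addresses are made up.
SAMPLE = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TIME,Tue Jun 30 11:44:24 2020,1593510264
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,alice,198.51.100.7:10911,10.8.0.2,,1544896,6129124,Tue Jun 30 11:29:13 2020,1593509353,alice,121,4
CLIENT_LIST,bob,203.0.113.9:40022,10.8.0.3,,2048,4096,Tue Jun 30 11:40:00 2020,1593510000,bob,122,5
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

def parse_status2(text):
    """Return (server_time_t, [client dicts keyed by HEADER column name])."""
    headers, clients, now = {}, [], None
    for row in csv.reader(text.splitlines()):
        if not row or row[0].startswith(">"):
            continue  # blank line or management-interface notice such as >INFO
        if row[0] == "END":
            break  # end of this status reply
        if row[0] == "TIME":
            now = int(row[2])  # server clock as time_t
        elif row[0] == "HEADER":
            headers[row[1]] = row[2:]  # column names for that row type
        elif row[0] == "CLIENT_LIST":
            cols = headers.get("CLIENT_LIST")
            if cols is None or len(cols) != len(row) - 1:
                raise ValueError("CLIENT_LIST row does not match its HEADER")
            clients.append(dict(zip(cols, row[1:])))
    if now is None:
        raise ValueError("no TIME line in status output")
    return now, clients

def connected_users(text):
    now, clients = parse_status2(text)
    return [{
        "user": c["Username"],
        "real_address": c["Real Address"],
        "vpn_ip": c["Virtual Address"],
        "connected_seconds": now - int(c["Connected Since (time_t)"]),
    } for c in clients]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(connected_users(text), indent=2))
```

To use live data, pipe the output of the `socat` command above (run over the restricted SSH account) into the script on stdin.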



  • Didn't we have something comparable, where OpenVPN server usage info was constantly mailed away?
    A couple of months ago, when everybody needed to know what OpenVPN was...?


  • LAYER 8 Moderator

    Can't remember but if you mean that thingy, where one would like a notification mail after a client has disconnected, I did some work on that little script, too. But that only gets triggered if a client disconnects. OK you could also include it for client connects, but as it sets up on the system notifications via mail, it could be "spammy" to use and only works with mails.

    Above variant can be triggered by pretty much any monitoring that can work with external scripts. Small simple shell script with the SSH connect and the status call to the socket, bit of awk/python/whatever magic to get the infos you want and report it back to the calling system :)



  • @JeGr said in API log for OPEN VPN:

    it could be "spammy" to use and only works with mails.

    Could be?
    I had to stop it after receiving thousands of emails per day.
    But oh boy, what was I informed ....


  • LAYER 8 Moderator

    Still running it on my homelab without a problem but yeah in a busy setting that can hurt ;)

