API log for OPEN VPN

querichelli55

Hi guys.

There is a way to use an API to get OPEN VPN logs ?
I want to see in realtime who are connected in my VPN, but I want this information outside PfSense WEBGUI.

JeGr

You can simply do the following: create a monitoring/whatever like user that can only login via SSH into your firewall, then let it login and use a command like

echo status <1-3> | socat - UNIX-CONNECT:/var/etc/openvpn/<your_server_socket>.sock

e.g.:

echo status 2 | socat - UNIX-CONNECT:/var/etc/openvpn/server1.sock

The output should be something like

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TITLE,OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
TIME,Tue Jun 30 11:44:24 2020,1593510264
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,<username>,<real_user_ip>:10911,<vpn_ip>,,1544896,6129124,Tue Jun 30 11:29:13 2020,1593509353,<username>,121,4
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,<vpn_ip>,<username>,<real_user_ip>:10911,Tue Jun 30 11:44:24 2020,1593510264
GLOBAL_STATS,Max bcast/mcast queue length,0
END

whereas <username> is obviously the OpenVPN User connected, <vpn_ip> is the internal VPN IP handed out via OpenVPN and <real_user_ip> is its external IP where the client is connecting from. The "Connected Since" columns give you an idea about the login time / how long it's connected.

Other values for "status" e.g. status 1 is more compact CSV-like or status 3 is more verbose with some spaces/tabs for formatting. Status 2 is a CSV-like export that should be good to use in other scripts or monitoring systems and is the same value pfSense itself uses when querying the management port via OpenVPN/Status page.

Gertjan

Didn't we have something comparable, where constantly OpenVPN server usage info was mailed away ?
A couple of month ago, when everybody needed to know what OPENVPN was ... ?

JeGr

Can't remember but if you mean that thingy, where one would like a notification mail after a client has disconnected, I did some work on that little script, too. But that only gets triggered if a client disconnects. OK you could also include it for client connects, but as it sets up on the system notifications via mail, it could be "spammy" to use and only works with mails.

Above variant can be triggered by pretty much any monitoring that can work with external scripts. Small simple shell script with the SSH connect and the status call to the socket, bit of awk/python/whatever magic to get the infos you want and report it back to the calling system :)

Gertjan

@JeGr said in API log for OPEN VPN:

it could be "spammy" to use and only works with mails.

Could be ?
I had to stop it after receiving thousands of emails per day.
But oh boy, what was I informed ....

JeGr

Still running it on my homelab without a problem but yeah in a busy setting that can hurt ;)