API log for OPEN VPN
querichelli55 last edited by
Is there a way to use an API to get OpenVPN logs?
I want to see in real time who is connected to my VPN, but I want this information outside the pfSense WebGUI.
You can simply do the following: create a monitoring/whatever-like user that can only log in via SSH into your firewall, then let it log in and use a command like
echo status <1-3> | socat - UNIX-CONNECT:/var/etc/openvpn/<your_server_socket>.sock
e.g.:
echo status 2 | socat - UNIX-CONNECT:/var/etc/openvpn/server1.sock
The output should be something like
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TITLE,OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020
TIME,Tue Jun 30 11:44:24 2020,1593510264
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,<username>,<real_user_ip>:10911,<vpn_ip>,,1544896,6129124,Tue Jun 30 11:29:13 2020,1593509353,<username>,121,4
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,<vpn_ip>,<username>,<real_user_ip>:10911,Tue Jun 30 11:44:24 2020,1593510264
GLOBAL_STATS,Max bcast/mcast queue length,0
END
whereas <username> is obviously the OpenVPN User connected, <vpn_ip> is the internal VPN IP handed out via OpenVPN and <real_user_ip> is its external IP where the client is connecting from. The "Connected Since" columns give you an idea about the login time / how long it's connected.
There are other values for "status": e.g. status 1 is more compact and CSV-like, and status 3 is more verbose with some spaces/tabs for formatting. Status 2 is a CSV-like export that should be good to use in other scripts or monitoring systems and is the same value pfSense itself uses when querying the management port via the OpenVPN/Status page.
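A parser for the "status 2" output described in the answer above, as an added example that is not part of the original thread. The function names and the sample data (user name, addresses, the extra UNDEF row) are constructed for illustration; columns are mapped from the HEADER row rather than by fixed position.

```python
import csv

# Constructed sample in the "status 2" layout shown above; names and addresses are made up.
SAMPLE = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TITLE,OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] built on May 4 2020
TIME,Tue Jun 30 11:44:24 2020,1593510264
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,alice,198.51.100.7:10911,10.8.0.2,,1544896,6129124,Tue Jun 30 11:29:13 2020,1593509353,alice,121,4
CLIENT_LIST,UNDEF,203.0.113.9:40000,,,0,0,Tue Jun 30 11:44:20 2020,1593510260,UNDEF,122,5
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,alice,198.51.100.7:10911,Tue Jun 30 11:44:24 2020,1593510264
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

def parse_status2(text):
    """Return (snapshot_time_t, client rows as dicts keyed by the HEADER columns)."""
    columns, clients, snapshot = [], [], None
    for row in csv.reader(text.splitlines()):
        if not row or row[0].startswith(">"):  # management banner / real-time messages
            continue
        if row[0] == "END":
            break
        if row[0] == "TIME":
            snapshot = int(row[2])
        elif row[:2] == ["HEADER", "CLIENT_LIST"]:
            columns = row[2:]
        elif row[0] == "CLIENT_LIST" and columns:
            clients.append(dict(zip(columns, row[1:])))
    return snapshot, clients

def connected_users(text):
    """Summarise authenticated sessions: user, source IP, VPN IP, seconds connected."""
    snapshot, clients = parse_status2(text)
    users = []
    for c in clients:
        if c["Common Name"] == "UNDEF":  # OpenVPN's name for a peer still in the handshake
            continue
        users.append({
            "user": c.get("Username") or c["Common Name"],
            "real_ip": c["Real Address"].rsplit(":", 1)[0],  # drop the source port
            "vpn_ip": c["Virtual Address"],
            "connected_s": snapshot - int(c["Connected Since (time_t)"]),
        })
    return users

if __name__ == "__main__":
    print(connected_users(SAMPLE))
```

On the monitoring host, the text passed to `connected_users` would be the captured output of the SSH and socat call shown above.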
Gertjan last edited by
Didn't we have something comparable, where OpenVPN server usage info was constantly mailed away?
A couple of months ago, when everybody needed to know what OpenVPN was ...?
Can't remember but if you mean that thingy, where one would like a notification mail after a client has disconnected, I did some work on that little script, too. But that only gets triggered if a client disconnects. OK you could also include it for client connects, but as it sets up on the system notifications via mail, it could be "spammy" to use and only works with mails.
The above variant can be triggered by pretty much any monitoring that can work with external scripts. A small simple shell script with the SSH connect and the status call to the socket, a bit of awk/python/whatever magic to get the info you want and report it back to the calling system :)
Gertjan last edited by
it could be "spammy" to use and only works with mails.
Could be ?
I had to stop it after receiving thousands of emails per day.
But oh boy, what was I informed ....
Still running it on my homelab without a problem but yeah in a busy setting that can hurt ;)