Logging#

There are three places where you can have VPN server logging:

OpenVPN logging
VPN client connection logging
Web server logging

OpenVPN Log#

The OpenVPN logging can be enabled in the Profile Configuration with the oEnableLog option.

This is mostly useful for debugging connection problems, e.g. figure out why a client connection was rejected. You can use journalctl to “follow” the log:

$ sudo journalctl -f -t openvpn

VPN Connection Log#

Portal#

Finding out which user had a particular IP address at a specified moment can be done through the portal as an admin.

Syslog#

Connect and disconnect events can be written in syslog as well.

Modify /etc/vpn-user-portal/config.php to enable it:

    'Log' => [
        // Write CONNECT/DISCONNECT events to syslog
        // OPTIONAL, DEFAULT = false
        'syslogConnectionEvents' => true,

        // Log the "originating IP", i.e. the IP the VPN client is connecting
        // from. Currently only available for OpenVPN connections.
        // OPTIONAL, DEFAULT = false
        //'originatingIp' => false,

        // Log the `authData` column from the `users` table to syslog as well
        // (Unpadded Base64 URL-safe encoded)
        // OPTIONAL, DEFAULT = false
        'authData' => false,

        // Specify your own connect/disconnect template
        // OPTIONAL, DEFAULT = see below
        //'connectLogTemplate' => 'C {{USER_ID}} {{PROFILE_ID}}',
        //'disconnectLogTemplate' => 'D {{USER_ID}} {{PROFILE_ID}}'

        // GeoIP database to use to determine CC (and "Geo URI") of originating 
        // IP
        //'geoIpDb' => '/usr/local/share/DB-IP/dbip-city-lite.mmdb',
    ],

NOTE: the authData option is available in vpn-user-portal >= 3.4.1. The authData column is currently only used with Guest Access.

NOTE: the connectLogTemplate and disconnectLogTemplate options are only available in vpn-user-portal >= 3.5.0 and makes the authData option obsolete as you can configure your template to include it (or not).

Connect#

Default format:

CONNECT {{USER_ID}} ({{PROFILE_ID}}:{{CONNECTION_ID}}) [{{ORIGINATING_IP}} => {{IP_FOUR}},{{IP_SIX}}]

Example:

CONNECT fkooman (prefer-openvpn:FvrfxD1m0rvaxfWKZFY+kXAb3hn2yQjY7O37po1XDGM=) [* => 10.222.172.6,fde6:76bd:ad97:ac5e::6]

NOTE: the {{CONNECTION_ID}} field is replaced with the X.509 certificate Common Name (CN) of the OpenVPN client certificate, or in case of WireGuard with the WireGuard Public Key.

If the originatingIp configuration option is set to true, the IP address of the client establishing the connection is also logged and written instead of the *. This is currently only available when clients connect using OpenVPN and this IP address is not logged anywhere else.

The default format with authData enabled, looks like this:

CONNECT {{USER_ID}} ({{PROFILE_ID}}:{{CONNECTION_ID}}) [{{ORIGINATING_IP}} => {{IP_FOUR}},{{IP_SIX}}] [AUTH_DATA={{AUTH_DATA}}]

Example:

CONNECT fkooman (prefer-openvpn:FvrfxD1m0rvaxfWKZFY+kXAb3hn2yQjY7O37po1XDGM=) [* => 10.222.172.6,fde6:76bd:ad97:ac5e::6] [AUTH_DATA=eyJ1c2VySWQiOiJmb28ifQo]

NOTE: if no authData is available, this results in the “empty string”, i.e. [AUTH_DATA=]. The authData is always Base64 URL-safe encoded without padding.

Disconnect#

Default format:

DISCONNECT {{USER_ID}} ({{PROFILE_ID}}:{{CONNECTION_ID}})

Example:

DISCONNECT fkooman (prefer-openvpn:FvrfxD1m0rvaxfWKZFY+kXAb3hn2yQjY7O37po1XDGM=)

Templates#

NOTE: only available in vpn-user-portal >= 3.5.0

NOTE: the GEO_IP_* variables are available in vpn-user-portal >= 3.6.1. See Geo IP for more information.

If you do not like the default templates, or would like additional (or less) information logged, you can use your own templates using the connectLogTemplate and disconnectLogTemplate options.

The table below lists the available variables you can use in your template and when they are available:

Field	On Connect	On Disconnect	Notes
`USER_ID`	Yes	Yes
`PROFILE_ID`	Yes	Yes
`VPN_PROTO`	Yes	Yes	`wireguard` or `openvpn`
`CONNECTION_ID`	Yes	Yes
`IP_FOUR`	Yes	Yes
`IP_SIX`	Yes	Yes
`ORIGINATING_IP`	Yes	No	Only for OpenVPN
`AUTH_DATA`	Yes	Yes
`BYTES_IN`	No	Yes	Bytes received from client
`BYTES_OUT`	No	Yes	Bytes sent to client
`GEO_IP_CC`	Yes	No	CC of VPN client IP
`GEO_IP_URI`	Yes	No	“Geo URI” of VPN client IP

If you want to log only the user ID and the profile the user connect(ed) to, you can use this:

'connectLogTemplate' => 'C {{USER_ID}} {{PROFILE_ID}}',
'disconnectLogTemplate' => 'D {{USER_ID}} {{PROFILE_ID}}'

Web Server Log#

The Web server request logging you can enable as well by modifying the virtual host configuration, on CentOS in /etc/httpd/conf.d/vpn.example.org.conf where vpn.example.org is the hostname of your VPN server. In the <VirtualHost *:443> section you can uncomment this line:

TransferLog logs/vpn.example.org_ssl_access_log

After that, restart Apache:

$ sudo systemctl restart httpd

The web server log file will be written to /var/log/httpd/vpn.example.org_ssl_access_log.