Logging#
There are three places where you can have VPN server logging:
- OpenVPN logging
- VPN client connection logging
- Web server logging
OpenVPN Log#
The OpenVPN logging can be enabled in the
Profile Configuration with the
oEnableLog
option.
This is mostly useful for debugging connection problems, e.g. figure out why a
client connection was rejected. You can use journalctl
to “follow” the log:
$ sudo journalctl -f -t openvpn
Authentication Log#
NOTE: this information is current as of vpn-user-portal >= 3.6.4
When using a “local” authentication mechanism, i.e. LDAP, RADIUS or the local user database, a syslog entry is generated of both successful and failing user authentication.
By default the “User ID” is logged for which the authentication was performed, or attempted, e.g.:
$ journalctl -f -t vpn-user-portal
Mai 17 09:56:39 X vpn-user-portal[8538]: AUTH OK [USER_ID=foo]
Mai 17 09:56:50 X vpn-user-portal[8538]: AUTH FAIL [USER_ID=bar]
We made it possible to configure this log format using the authLogOkTemplate
and authLogFailTemplate
templates. The below shows the default:
'Log' => [
'authLogOkTemplate' => 'AUTH OK [USER_ID={{USER_ID}}]',
'authLogFailTemplate' => 'AUTH FAIL [USER_ID={{USER_ID}}]',
],
You can additionally use the following template variables that will be replaced by their actual values:
Variable | In Template | Description |
---|---|---|
USER_ID |
OK, FAIL | The User ID in the “Username” input field (sanitized) |
RAW_USER_ID |
FAIL | The User ID in the “Username” input field (exact string) |
REMOTE_ADDR |
OK, FAIL | The IPv4 or IPv6 address the authentication originated from |
FAIL_REASON |
FAIL | The reason the authentication failed, if available |
NOTE: in vpn-user-portal >= 3.7.0 we sanitize the USER_ID
value and
replace all characters that are not a-z
, A-Z
, 0-9
, .
and -
with an
underscore (_
). If you want the actual value provided by the user in the
“Username” input field, use RAW_USER_ID
.
NOTE: the RAW_USER_ID
and FAIL_REASON
field MAY contain any character,
including "
and ]
, so when “parsing” the syslog message, make sure you
take that in consideration!
'Log' => [
'authLogOkTemplate' => 'AUTH OK [USER_ID={{USER_ID}},REMOTE_ADDR={{REMOTE_ADDR}}]',
'authLogFailTemplate' => 'AUTH FAIL [USER_ID={{USER_ID}},REMOTE_ADDR={{REMOTE_ADDR}}]: {{FAIL_REASON}}',
],
VPN Connection Log#
Portal#
Finding out which user had a particular IP address at a specified moment can be done through the portal as an admin.
Syslog#
Connect and disconnect events can be written in syslog as well.
Modify /etc/vpn-user-portal/config.php
to enable it:
'Log' => [
// Write CONNECT/DISCONNECT events to syslog
// OPTIONAL, DEFAULT = false
'syslogConnectionEvents' => true,
// Log the "originating IP", i.e. the IP the VPN client is connecting
// from. Currently only available for OpenVPN connections.
// OPTIONAL, DEFAULT = false
//'originatingIp' => false,
// Log the `authData` column from the `users` table to syslog as well
// (Unpadded Base64 URL-safe encoded)
// OPTIONAL, DEFAULT = false
'authData' => false,
// Specify your own connect/disconnect template
// OPTIONAL, DEFAULT = see below
//'connectLogTemplate' => 'C {{USER_ID}} {{PROFILE_ID}}',
//'disconnectLogTemplate' => 'D {{USER_ID}} {{PROFILE_ID}}'
// GeoIP database to use to determine CC (and "Geo URI") of originating
// IP
//'geoIpDb' => '/usr/local/share/DB-IP/dbip-city-lite.mmdb',
],
NOTE: the authData
option is available in vpn-user-portal >= 3.4.1. The
authData
column is currently only used with
Guest Access.
NOTE: the connectLogTemplate
and disconnectLogTemplate
options are only
available in vpn-user-portal >= 3.5.0 and makes the authData
option obsolete
as you can configure your template to include it (or not).
Connect#
Default format:
CONNECT {{USER_ID}} ({{PROFILE_ID}}:{{CONNECTION_ID}}) [{{ORIGINATING_IP}} => {{IP_FOUR}},{{IP_SIX}}]
Example:
CONNECT fkooman (prefer-openvpn:FvrfxD1m0rvaxfWKZFY+kXAb3hn2yQjY7O37po1XDGM=) [* => 10.222.172.6,fde6:76bd:ad97:ac5e::6]
NOTE: the {{CONNECTION_ID}}
field is replaced with the X.509 certificate
Common Name (CN) of the OpenVPN client certificate, or in case of WireGuard
with the WireGuard Public Key.
If the originatingIp
configuration option is set to true
, the IP address of
the client establishing the connection is also logged and written instead of
the *
. This is currently only available when clients connect using OpenVPN
and this IP address is not logged anywhere else.
The default format with authData
enabled, looks like this:
CONNECT {{USER_ID}} ({{PROFILE_ID}}:{{CONNECTION_ID}}) [{{ORIGINATING_IP}} => {{IP_FOUR}},{{IP_SIX}}] [AUTH_DATA={{AUTH_DATA}}]
Example:
CONNECT fkooman (prefer-openvpn:FvrfxD1m0rvaxfWKZFY+kXAb3hn2yQjY7O37po1XDGM=) [* => 10.222.172.6,fde6:76bd:ad97:ac5e::6] [AUTH_DATA=eyJ1c2VySWQiOiJmb28ifQo]
NOTE: if no authData
is available, this results in the “empty string”,
i.e. [AUTH_DATA=]
. The authData
is always Base64 URL-safe encoded without
padding.
Disconnect#
Default format:
DISCONNECT {{USER_ID}} ({{PROFILE_ID}}:{{CONNECTION_ID}})
Example:
DISCONNECT fkooman (prefer-openvpn:FvrfxD1m0rvaxfWKZFY+kXAb3hn2yQjY7O37po1XDGM=)
Templates#
NOTE: only available in vpn-user-portal >= 3.5.0
NOTE: the GEO_IP_*
variables are available in vpn-user-portal >= 3.6.1.
See Geo IP for more information.
NOTE: the NODE_*
variables are available in vpn-user-portal >= 3.7.2.
If you do not like the default templates, or would like additional (or less)
information logged, you can use your own templates using the
connectLogTemplate
and disconnectLogTemplate
options.
The table below lists the available variables you can use in your template and when they are available:
Field | On Connect | On Disconnect | Notes |
---|---|---|---|
USER_ID |
Yes | Yes | |
PROFILE_ID |
Yes | Yes | |
VPN_PROTO |
Yes | Yes | wireguard or openvpn |
CONNECTION_ID |
Yes | Yes | |
IP_FOUR |
Yes | Yes | |
IP_SIX |
Yes | Yes | |
ORIGINATING_IP |
Yes | No | Only for OpenVPN |
AUTH_DATA |
Yes | Yes | |
BYTES_IN |
No | Yes | Bytes received from client |
BYTES_OUT |
No | Yes | Bytes sent to client |
GEO_IP_CC |
Yes | No | CC of VPN client IP |
GEO_IP_URI |
Yes | No | “Geo URI” of VPN client IP |
NODE_NUMBER |
Yes | Yes | |
NODE_URL |
Yes | Yes | |
NODE_HOST_NAME |
Yes | Yes |
If you want to log only the user ID and the profile the user connect(ed) to, you can use this:
'connectLogTemplate' => 'C {{USER_ID}} {{PROFILE_ID}}',
'disconnectLogTemplate' => 'D {{USER_ID}} {{PROFILE_ID}}'
Web Server Log#
The Web server request logging you can enable as well by modifying the virtual
host configuration, on CentOS in /etc/httpd/conf.d/vpn.example.org.conf
where
vpn.example.org
is the hostname of your VPN server. In the
<VirtualHost *:443>
section you can uncomment this line:
TransferLog logs/vpn.example.org_ssl_access_log
After that, restart Apache:
$ sudo systemctl restart httpd
The web server log file will be written to
/var/log/httpd/vpn.example.org_ssl_access_log
.