Monitoring/correlating traffic to VPN sessions

jfc
OpenVpn Newbie
Posts: 7
Joined: Wed Mar 06, 2019 7:56 pm

Monitoring/correlating traffic to VPN sessions

Post by jfc » Wed Mar 06, 2019 9:58 pm

Hi all,

I have a problem with two (interrelated) components of our network, and one of those is OpenVPN. I'm not sure if the problem can be solved by fixing one part, or both.

- We have a number of users who work remotely and connect to our internal LAN using OpenVPN. Pretty standard.
- We also have an IDS appliance inside the network perimeter, that watches for unusual network activity. Also pretty standard.

The problem I'm running into is that, within the perimeter of the LAN, any traffic generated by VPN users appears to be coming from the OpenVPN server itself. That itself isn't an issue since I'm still getting alerted to suspicious activity, and I know the VPN server isn't the true source of the traffic - the problem is that the OVPN logs don't contain any information I can use to trace the activity back to a specific remote user.

I was trying to figure out if increasing the logfile verbosity might help, but the documentation doesn't clarify what the different logging levels actually do.

Any suggestions?

novaflash
I should be on the dev team.
Posts: 1017
Joined: Fri Apr 13, 2012 8:43 pm

Re: Monitoring/correlating traffic to VPN sessions

Post by novaflash » Thu Mar 07, 2019 8:11 am

Yes, switch to routing mode, so the IP address of the VPN client itself is retained while its traffic goes onto your network.

If you also give VPN clients static IP addresses, you can always establish a relation between the IP and the user.

This does require that your network cooperates by routing VPN client traffic responses from your network back to the Access Server. It serves as gateway to the VPN client subnet.
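
An added example, not part of the original thread and not OpenVPN code: once routing mode keeps the client's VPN address visible to the IDS, an alert can be attributed by matching its source IP and timestamp against VPN session records. The session and alert tuples, the addresses and the function names are constructed assumptions. The sketch goes slightly beyond the static-IP case by also handling an address that is reassigned to a different user later in the day.

```python
from datetime import datetime
from ipaddress import ip_address

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data, not taken from the thread.
# VPN sessions: (user, VPN client IP, connect time, disconnect time or None if still up).
SESSIONS = [
    ("alice", "10.8.0.10", "2019-03-06 08:00:00", "2019-03-06 12:30:00"),
    ("bob",   "10.8.0.11", "2019-03-06 09:15:00", None),
    ("carol", "10.8.0.10", "2019-03-06 13:05:00", "2019-03-06 17:45:00"),
]
# IDS alerts: (timestamp, source IP, signature label). 192.168.1.5 stands in for
# the VPN server's own LAN address, which is all the IDS sees in NAT mode.
ALERTS = [
    ("2019-03-06 10:42:10", "10.8.0.10", "sig-A"),
    ("2019-03-06 14:20:00", "10.8.0.10", "sig-B"),
    ("2019-03-06 12:45:00", "10.8.0.10", "sig-C"),
    ("2019-03-06 23:00:00", "10.8.0.11", "sig-D"),
    ("2019-03-06 15:00:00", "192.168.1.5", "sig-E"),
]

def parse_sessions(rows):
    """Convert string rows into comparable (user, ip, start, end) tuples."""
    return [(user, ip_address(ip), datetime.strptime(start, FMT),
             datetime.strptime(end, FMT) if end else None)
            for user, ip, start, end in rows]

def attribute(alert_time, alert_src, sessions):
    """Return the users whose session held alert_src at alert_time."""
    ts, src = datetime.strptime(alert_time, FMT), ip_address(alert_src)
    return sorted(user for user, ip, start, end in sessions
                  if ip == src and start <= ts and (end is None or ts <= end))

def correlate(alerts, sessions):
    """Label each alert with one user, 'unattributed', or 'ambiguous:...'."""
    out = []
    for when, src, sig in alerts:
        users = attribute(when, src, sessions)
        if len(users) == 1:
            verdict = users[0]
        else:
            verdict = "ambiguous:" + ",".join(users) if users else "unattributed"
        out.append((sig, src, verdict))
    return out

if __name__ == "__main__":
    for row in correlate(ALERTS, parse_sessions(SESSIONS)):
        print(*row)
```

Both sources are assumed to use the same clock and timezone; an "unattributed" result is what every alert looks like while the server still NATs client traffic to its own address.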

Re: Monitoring/correlating traffic to VPN sessions

Post by jfc » Thu Mar 07, 2019 6:57 pm

Excellent, thank you!

Also, as a note for anyone who might stumble on this thread in the future: I realized last night (I know, it should have been obvious) that if OpenVPN AS is configured for NAT, that translation is done by the operating system and not by OVPN itself. If you want connection logs, you need to configure iptables for that separately.

Re: Monitoring/correlating traffic to VPN sessions

Post by jfc » Wed Apr 24, 2019 5:28 pm

(Time passes...)

So we did as suggested here, and switched the AS from NAT mode to routing mode. (It took a while, long story.)

That solved half the problem. Then we realized that the configuration item we'd changed reads: "Should VPN clients have access to private subnets (non-public networks on the server side)?"

So now traffic from VPN clients, destined for the configured private subnets inside our network, is no longer NAT'ed - but traffic exiting the network is still NAT'ed... which is an improvement, but still not ideal. As far as I can tell, there's no way to change this?

Re: Monitoring/correlating traffic to VPN sessions

Post by novaflash » Tue Apr 30, 2019 3:41 pm

You want traffic going from the Access Server to the Internet to not be NATted at any point? Is that it?

Re: Monitoring/correlating traffic to VPN sessions

Post by jfc » Mon May 13, 2019 7:26 pm

Yes, exactly.

I'm pretty sure I can do it by manually manipulating iptables, but that seems hacky.

Re: Monitoring/correlating traffic to VPN sessions

Post by novaflash » Mon May 13, 2019 7:31 pm

You can disable outgoing NAT on the Access Server.
https://openvpn.net/vpn-server-resource ... or-setting

But if you don't do NAT between the boundary of your private network and the Internet, you're gonna have a bad time. You cannot ROUTE private networks over the Internet. You MUST translate it somewhere to your public IP or the traffic gets filtered away.

So the idea of just disabling NAT entirely won't fly. You have to do it somewhere, but it doesn't have to be in the Access Server.

Good luck.

Re: Monitoring/correlating traffic to VPN sessions

Post by jfc » Mon May 13, 2019 7:40 pm

Oh, absolutely. It's not going away completely, I just want it to be done at the border router (just like for non-VPN clients) rather than by the OpenVPN server.

Thanks for the link!
