I want to log server side client connect/disconnect events on my Ubuntu server.
And I have tried to read the documentation here:
https://openvpn.net/community-resources ... envpn-2-5/
I can find a lot of entries for the client-connect client-disconnect details, including how it can be configured with call arguments.
But what I don't find is any working example of such a script...
I have also googled for it but that too fails because no-one I have found seems to want to show an actually working setup including:
- What needs to be entered in the server.conf file, like permissions
- Where the script could reside to be usable
- What the script file properties should be
- How the script can get the information to write to the log
- How it can actually reach a log location and write a file there
A working example, which logs client connect and disconnect events with a readable timestamp and some user data into a log file located in say the /etc/openvpn/log directory would be very useful in my opinion.
I definitely do NOT want to send any email or such, just log to the file.
But the file must never be overwritten such that info disappears.
Is there such an example somewhere?
Script examples for client-connect/disconnect??
Re: Script examples for client-connect/disconnect??
UPDATE WITH WORKING SOLUTION:

/etc/openvpn/server/serverlocal.conf:

```conf
#Add logging of client connect/disconnect events:
script-security 2
client-connect /etc/openvpn/scripts/serverlocal-events.sh
client-disconnect /etc/openvpn/scripts/serverlocal-events.sh
```

/etc/openvpn/scripts/serverlocal-events.sh:

```bash
#!/bin/bash
# Executed on the server side for client connect and disconnect events.
# Log file path
LOG_FILE="/etc/openvpn/log/serverlocal-events.log"
# Log timestamp
LOG_TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
# Log client connect or disconnect event with IP address
# ($script_type, $common_name and $trusted_ip are set by OpenVPN)
if [ "$script_type" == "client-connect" ]; then
    echo "$LOG_TIMESTAMP - $common_name connected with IP $trusted_ip" >> "$LOG_FILE"
elif [ "$script_type" == "client-disconnect" ]; then
    echo "$LOG_TIMESTAMP - $common_name disconnected with IP $trusted_ip" >> "$LOG_FILE"
fi
```

And when I test this with a connect - disconnect cycle this is what I get:

```
2024-02-16 11:34:26 - BosseUbu connected with IP 217.213.74.168
2024-02-16 11:34:32 - BosseUbu disconnected with IP 217.213.74.168
```

Case closed.
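As an added example (not the poster's script), one handler for both events that also records the per-session counters OpenVPN exports to a client-disconnect script (time_duration, bytes_received, bytes_sent), and that always exits 0 because a non-zero exit from a client-connect script makes OpenVPN refuse the client. It assumes the same log path as the post; since OpenVPN runs these scripts as the account named by the user/group directives, that directory must be writable by it.

```shell
#!/bin/bash
# Added example, not the poster's script: one handler for both events that
# also records the per-session counters OpenVPN exports to a
# client-disconnect script (time_duration, bytes_received, bytes_sent).
# LOG_FILE is overridable so the functions can be exercised outside OpenVPN.
LOG_FILE="${LOG_FILE:-/etc/openvpn/log/serverlocal-events.log}"

# Print one log line built from OpenVPN's script environment
# (script_type, common_name, trusted_ip, trusted_port, ifconfig_pool_remote_ip).
format_event() {
    local ts
    ts=$(date -u "+%Y-%m-%dT%H:%M:%SZ")
    case "${script_type:-}" in
        client-connect)
            printf '%s CONNECT cn=%s src=%s:%s vpn_ip=%s\n' \
                "$ts" "${common_name:-?}" "${trusted_ip:-?}" \
                "${trusted_port:-?}" "${ifconfig_pool_remote_ip:-n/a}"
            ;;
        client-disconnect)
            printf '%s DISCONNECT cn=%s src=%s:%s duration=%ss rx=%s tx=%s\n' \
                "$ts" "${common_name:-?}" "${trusted_ip:-?}" "${trusted_port:-?}" \
                "${time_duration:-0}" "${bytes_received:-0}" "${bytes_sent:-0}"
            ;;
        *)
            printf '%s UNKNOWN script_type=%s\n' "$ts" "${script_type:-}"
            ;;
    esac
}

# Append (never truncate) and always return 0: a non-zero exit from a
# client-connect script makes OpenVPN refuse the client, and a logging
# failure should not lock users out.  The failure is sent to syslog instead.
log_event() {
    format_event >> "$LOG_FILE" 2>/dev/null ||
        logger -t openvpn-events "cannot append to $LOG_FILE"
    return 0
}

# Entry point when OpenVPN runs this file; no-op when sourced or tested.
if [ -n "${script_type:-}" ]; then
    log_event
fi
```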
Re: Script examples for client-connect/disconnect??
You can also use the script to add further security to your server.

We use easy-rsa to generate a unique certificate for each client machine - baked into the .ovpn file. It has the hostname of the client as the "cn" in the certificate. Users need to sign in with AD user/password and Google Authenticator TOTP, and must be members of an AD vpn_users group.

Additionally, on the server we have a text file that lists which users are allowed to connect using each certificate. A simple text file list of

```
<user1>[,<user2>,...<userN>]<TAB><hostname>
```

In the script we have

```bash
#!/bin/bash
# assumed: the post does not show where $logfile is defined
logfile="${logfile:-/etc/openvpn/log/serverlocal-auth.log}"
# first, search for the common_name (cn) in the user_certs.txt file, and set the cert_user environment variable to the listed user(s)
# note: multiple users are permitted for a cert to allow for shared laptops, and emergency admin user logins.
# separate multiple users with commas (no spaces)
# ordinary users should not be allowed to use each other's certs
declare $(/usr/bin/awk -v cn="$common_name" -v tmp="CERT_NOT_FOUND" '$0 ~ cn{tmp=$1} END {print "cert_user=" tmp}' /etc/openvpn/server/user-certs.txt )
export cert_user
# ${cert_user,,} converts $cert_user to lowercase, ${username,,} converts $username to lowercase
# [[ ]] statement looks for *username* to not match cert_user - effectively - if username is not a substring of cert_user
if [[ "${cert_user,,}" != *"${username,,}"* ]]; then
    echo "$(date '+%Y-%m-%d %H:%M:%S') DENIED username=$username cert_user=$cert_user cert=$common_name" >> "$logfile"
    exit 1
fi
echo "$(date '+%Y-%m-%d %H:%M:%S') GRANTED username=$username cert_user=$cert_user cert=$common_name" >> "$logfile"
exit 0
```
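As an added example (not the poster's script), the same lookup with exact comparisons: the glob `*"${username,,}"*` above is a substring test, so the stricter form compares each comma-separated user to the authenticated username (case-insensitively) and the hostname field to the certificate CN exactly. The mapping file format and the GRANTED/DENIED records follow the post; the log path and function names are assumptions.

```shell
#!/bin/bash
# Added example, not the poster's script: an exact-match version of the
# "<user1>[,<user2>,...]<TAB><hostname>" lookup described in the post.
# Every listed user must equal the authenticated username (case-insensitively)
# and the hostname field must equal the certificate CN, so "bob" inside "bobby"
# or "LAPTOP-AL" inside "LAPTOP-ALICE" is not a match.
# Paths are overridable so the functions can be exercised outside OpenVPN.
USER_CERTS="${USER_CERTS:-/etc/openvpn/server/user-certs.txt}"
AUTH_LOG="${AUTH_LOG:-/etc/openvpn/log/serverlocal-auth.log}"   # assumed path

# cert_allows_user <common_name> <username>
# Exit 0 if <username> is listed on the line whose hostname is exactly
# <common_name>; 1 otherwise (an unknown certificate is also denied).
cert_allows_user() {
    awk -v FS='\t' -v cn="$1" -v user="$2" '
        BEGIN { user = tolower(user); denied = 1 }
        /^[[:space:]]*(#|$)/ { next }          # blank lines and comments
        $2 == cn {
            n = split($1, users, ",")
            for (i = 1; i <= n; i++)
                if (tolower(users[i]) == user) denied = 0
            exit                               # first matching CN decides
        }
        END { exit denied }' "$USER_CERTS"
}

# Decide for the current client-connect environment ($common_name and
# $username as OpenVPN exports them) and append a GRANTED/DENIED record.
# The exit status is the decision, which OpenVPN uses to admit or refuse.
authorize_client() {
    verdict=DENIED
    if cert_allows_user "${common_name:-}" "${username:-}"; then verdict=GRANTED; fi
    printf '%s %s username=%s cert=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$verdict" "${username:-}" "${common_name:-}" >> "$AUTH_LOG"
    [ "$verdict" = GRANTED ]
}

# Entry point when OpenVPN runs this file as client-connect; no-op otherwise.
if [ "${script_type:-}" = client-connect ]; then
    authorize_client
fi
```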