~fkooman/vpn-documentation

ref: 13ed958d65981a2744683ffbffae1c0d2c51e36d vpn-documentation/LOGGING.md -rw-r--r-- 2.4 KiB
13ed958d François Kooman: make clear that "the only difference" now refers only to OAuth (4 months ago)

title: VPN Server Logging
description: How to use/view VPN Server logging
category: documentation

#Logging

There are three places where you can have VPN server logging:

  • OpenVPN logging
  • VPN client connection logging
  • Web server logging

#OpenVPN Log

OpenVPN logging can be enabled in the profile configuration with the enableLog option. This is mostly useful for debugging connection problems, e.g. to figure out why a client connection is rejected. You can use journalctl to "follow" the log:

$ sudo journalctl -f -t openvpn

#VPN Connection Log

#Portal

Finding out which user had a particular IP address at a specified moment can be done through the portal as an admin.

#Syslog

NOTE: this is only available in vpn-server-api >= 2.2.11.

In addition to writing connection information to the database, this information is also written to syslog.

An example of these log entries:

Jul 12 16:48:43 vpn.tuxed.net vpn-server-api[8643]: CONNECT fkooman (default) [10.202.56.2,fd5e:eccc:d4b:783f::1000]
Jul 12 16:48:46 vpn.tuxed.net vpn-server-api[8642]: DISCONNECT fkooman (default) [10.202.56.2,fd5e:eccc:d4b:783f::1000]

The format is {CONNECT,DISCONNECT} ${USER_ID} (${PROFILE_ID}) [${IPv4},${IPv6}].

NOTE: in vpn-server-api >= 2.2.12 the format changes slightly and also includes the "originating" client IP, e.g.:

Jul 20 17:04:04 vpn.tuxed.net vpn-server-api[1811]: CONNECT fkooman (default) [46.X.Y.Z => 10.202.56.2,fd5e:eccc:d4b:783f::1000]
Jul 20 17:04:19 vpn.tuxed.net vpn-server-api[1813]: DISCONNECT fkooman (default) [46.X.Y.Z => 10.202.56.2,fd5e:eccc:d4b:783f::1000]

The format is {CONNECT,DISCONNECT} ${USER_ID} (${PROFILE_ID}) [${ORIGINATING_IP} => ${IPv4},${IPv6}] where the ${ORIGINATING_IP} can be an IPv4 or IPv6 address, depending on which protocol the client used to connect to the VPN server.
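The two formats above can be parsed with one pattern to answer the same question the portal answers: which user held a given VPN address at a given moment. The following is an added example, not code from vpn-server-api; the function names are hypothetical, the sample lines are constructed (documentation addresses, made-up users), and the year is passed in by the caller because syslog timestamps omit it. It goes one step beyond the format description by pairing CONNECT and DISCONNECT events into sessions.

```python
import ipaddress
import re
from datetime import datetime

# Matches both layouts: without (2.2.11) and with (>= 2.2.12) the originating IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vpn-server-api\[\d+\]: "
    r"(?P<event>CONNECT|DISCONNECT) (?P<user>.+) \((?P<profile>[^()]*)\) "
    r"\[(?:(?P<origin>\S+) => )?(?P<ip4>[^,\]]+),(?P<ip6>[^\]]+)\]$"
)

def parse_line(line, year):
    """Return a dict for a connection log line (year supplied by caller), else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def sessions(lines, year):
    """Pair CONNECT/DISCONNECT events into sessions; open ones keep end=None."""
    open_, done = {}, []
    for rec in filter(None, (parse_line(l, year) for l in lines)):
        key = (rec["user"], rec["profile"], rec["ip4"], rec["ip6"])
        if rec["event"] == "CONNECT":
            open_[key] = dict(rec, start=rec["ts"], end=None)
            done.append(open_[key])
        elif key in open_:
            open_.pop(key)["end"] = rec["ts"]
    return done

def who_had(sess, ip, when):
    """User IDs that held VPN address `ip` (IPv4 or IPv6) at time `when`."""
    want = ipaddress.ip_address(ip)
    return sorted({
        s["user"] for s in sess
        if want in (ipaddress.ip_address(s["ip4"]), ipaddress.ip_address(s["ip6"]))
        and s["start"] <= when and (s["end"] is None or when <= s["end"])
    })

# Constructed sample input covering both formats and one still-open session.
SAMPLE = """\
Jul 12 16:48:43 vpn.example.org vpn-server-api[8643]: CONNECT alice (default) [10.202.56.2,fd5e:eccc:d4b:783f::1000]
Jul 12 16:48:46 vpn.example.org vpn-server-api[8642]: DISCONNECT alice (default) [10.202.56.2,fd5e:eccc:d4b:783f::1000]
Jul 20 17:04:04 vpn.example.org vpn-server-api[1811]: CONNECT bob (default) [192.0.2.10 => 10.202.56.2,fd5e:eccc:d4b:783f::1000]
Jul 20 17:04:19 vpn.example.org vpn-server-api[1813]: DISCONNECT bob (default) [192.0.2.10 => 10.202.56.2,fd5e:eccc:d4b:783f::1000]
Jul 20 17:10:00 vpn.example.org vpn-server-api[1820]: CONNECT carol (default) [2001:db8::7 => 10.202.56.3,fd5e:eccc:d4b:783f::1001]
"""
```

Because VPN addresses are reused across users, the lookup only makes sense with a timestamp; a session with no DISCONNECT line is treated as still open.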

#Web Server Log

Web server request logging can also be enabled by modifying the virtual host configuration. On CentOS this is /etc/httpd/conf.d/vpn.example.org.conf, where vpn.example.org is the hostname of your VPN server. In the <VirtualHost *:443> section, uncomment this line:

TransferLog logs/vpn.example.org_ssl_access_log

After that, restart Apache:

$ sudo systemctl restart httpd

The web server log file will be written to /var/log/httpd/vpn.example.org_ssl_access_log.