Hello all, I am new to the community but started using NethServer for our small business a week or two back. What brought me to NethServer was mostly the OpenVPN module, since it provides a good interface and an easy way to grant users access to the VPN.
One thing I wanted with OpenVPN that I could not find within the NethServer module was a way to have an easily readable audit log showing connections to and disconnects from the system. This started with me first trying to create a couple of bash scripts (this probably could have been done more easily another way, but it seems to work) that would send emails on connect or disconnect from OpenVPN.
However, when I had this mostly figured out, I saw that if I dropped a new log file with just the information I wanted into the /var/log/openvpn directory, I could quickly open and view my new audit log.
Since I had mostly created the email portion, I went ahead and left sending email in the script, which I will probably comment out after the first week. I also wanted a file that the system could email me weekly in .csv format, since I am hoping I do not need to pay much attention to the NethServer system once it is rolling along. I will just use a cron job to send me the .csv file weekly.
Anyhow, here is how I did this (I am placing this all here for when I forget and need to come find it, and with some hope that this might help someone with this issue).
Also, note that to use the floating point math in the bash scripts you need to install bc (yum install bc) on the system. These scripts were cobbled together from different sources on the internet.
I created the following two scripts in the directory /root/scripts:
###VPNUP.SH
#!/bin/sh
#client-connect hook: OpenVPN runs this with the connection details in the environment
#(time_ascii, common_name, untrusted_ip, ifconfig_pool_remote_ip). OpenVPN rejects the
#client if this script exits non-zero, so it ends with an explicit exit 0.
#Recipient's email address
TO="someone@example.org"
#Sets message variable for display message, with OpenVPN variables to show connected time, ip address, and name of connection
message="<b>Connected Since:</b> $time_ascii<br><b>Name:</b> $common_name<br> \
<b>Real Address:</b> $untrusted_ip<b> Virtual Address:</b> $ifconfig_pool_remote_ip"
#Builds the email body in a private temporary file (a fixed name such as /tmp/mailup.txt is
#predictable, and this script runs as root); date shows localtime
MAILFILE=$(mktemp /tmp/mailup.XXXXXX)
{
  echo "Date: $(date)"
  echo "<br>"
  echo "<br>Client has connected to a very lonely OpenVPN Server:"
  echo "<br><br>"
  echo "$message"
  echo "<br>"
  echo "---"
  echo "<br>YOUR LONELY VPN SERVER."
} >"$MAILFILE"
#Email VPN connection email, -r setting sender info, -s setting subject and html body, this uses the NethServer email settings
mail -r "VPN Server <fromemail@example.org>" -s "$(printf 'VPN Connect\nContent-Type: text/html')" "$TO" <"$MAILFILE"
#Copy last file created into root directory for debugging
cp "$MAILFILE" /root/mailup.txt
rm -f "$MAILFILE"
###########Add Data to CSV Audit FILE
TIMESTMP=$(date)
AUDITCSVUP="Timestamp:,$TIMESTMP, Connected:,$time_ascii,,, Name:,$common_name,,,,, Real Address:,$untrusted_ip, Virtual Address:,$ifconfig_pool_remote_ip"
echo "$AUDITCSVUP" >>/root/connect.csv
###########ADD Data to Audit File in Log Directory
AUDITLOGUP="CONNECTION- Timestamp: $TIMESTMP Connected: $time_ascii Name: $common_name Real Address: $untrusted_ip Virtual Address: $ifconfig_pool_remote_ip"
echo "$AUDITLOGUP" >>/var/log/openvpn/openvpn_audit.log
exit 0
####VPNDWN.SH
#!/bin/sh
#client-disconnect hook: besides the connect-time variables, OpenVPN exports
#bytes_received, bytes_sent and time_duration for the session that just ended.
#Recipient's email address
TO="recipient@example.org"
#Calculates megabytes received with openvpn variable bytes_received, uses bc to do floating point math and awk to format with leading zero
#(the ${var:-0} default keeps bc from failing if OpenVPN did not export the variable)
MBREC=$(echo "scale=2;${bytes_received:-0}/1048576" | bc | awk '{printf "%.2f\n",$0}')
#Calculates megabytes sent with openvpn variable bytes_sent, same method
MBSENT=$(echo "scale=2;${bytes_sent:-0}/1048576" | bc | awk '{printf "%.2f\n",$0}')
#Calculates time connected in minutes with openvpn variable time_duration, same method
TIMEMIN=$(echo "scale=2;${time_duration:-0}/60" | bc | awk '{printf "%.2f\n",$0}')
#sets up message using the calculated variables and openvpn variable time_ascii for connection time
message="<b>Connected Since:</b> $time_ascii<br> <b>Connection Duration (MIN):</b> $TIMEMIN<br><b>Name:</b> $common_name<br> \
<b>Data Received (MB):</b> $MBREC <b>Data Sent (MB):</b> $MBSENT<br><b>Real Address:</b> $untrusted_ip<b> Virtual Address:</b> $ifconfig_pool_remote_ip"
#Builds the email body in a private temporary file (a fixed /tmp name is predictable, and this runs as root); date shows localtime
MAILFILE=$(mktemp /tmp/maildwn.XXXXXX)
{
  echo "Date: $(date)"
  echo "<br>"
  echo "<br>Client has disconnected from a very very lonely OpenVPN Server:<br>"
  echo "<br>"
  echo "$message"
  echo "<br>"
  echo "---"
  echo "<br>Your Super Lonely VPN SERVER."
} >"$MAILFILE"
#Email VPN disconnect email, -r setting sender info, -s setting subject and html body, this uses the NethServer email settings
mail -r "VPN Server <fromsomeone@example.org>" -s "$(printf 'VPN Disconnect\nContent-Type: text/html')" "$TO" <"$MAILFILE"
#Copy last file created into root directory for debugging
cp "$MAILFILE" /root/maildwn.txt
rm -f "$MAILFILE"
##############ADD Data to CSV Audit File
#set timestamp for record
TIMESTMP=$(date)
AUDITCSVDWN="Timestamp:,$TIMESTMP, Connected Since,$time_ascii, Connection duration (min),$TIMEMIN, Name:,$common_name, Data sent (mb),$MBSENT, \
Data received (mb),$MBREC, Real Address:,$untrusted_ip, Virtual Address:,$ifconfig_pool_remote_ip"
echo "$AUDITCSVDWN" >>/root/connect.csv
#############ADD Data to Audit Log File in Log Directory
AUDITLOGDWN="DISCONNECT- Timestamp: $TIMESTMP Connected Since: $time_ascii Connection duration (min): $TIMEMIN Name: $common_name Data sent (mb): $MBSENT \
Data received (mb): $MBREC Real Address: $untrusted_ip Virtual Address: $ifconfig_pool_remote_ip"
echo "$AUDITLOGDWN" >>/var/log/openvpn/openvpn_audit.log
exit 0
Once these scripts were created, I created a file called 91connect in the custom templates directory for openvpn (I had to create this directory, so create it if you do not find it on your system). The path to the directory is:
/etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf
####Start 91connect
############FROM "/etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf"#####
# OpenVPN only executes external hooks when script-security is 2 or higher; if the
# generated host-to-net.conf does not already set it, add "script-security 2" here.
# Both scripts must be executable (chmod 700 /root/scripts/vpnup.sh /root/scripts/vpndwn.sh).
client-connect /root/scripts/vpnup.sh
client-disconnect /root/scripts/vpndwn.sh
# After saving this fragment, the e-smith command "expand-template /etc/openvpn/host-to-net.conf"
# regenerates the config; restart the OpenVPN service afterwards.
Once the 91connect file is created, you need to re-expand the openvpn host-to-net.conf template. I could not figure out that command quickly, so I just changed my routed network from 10.10.1.0 to 10.10.2.0, and this recreated the host-to-net.conf file in /etc/openvpn/host-to-net.conf with the contents of 91connect at the end of the file.
Now once this is done, try to connect a VPN client to the server. If it does not connect but was working before, there is something wrong with the scripts; the error it throws always came up as bad username/password for me, but it was something in the scripts.
So if OpenVPN was working before you tried this but is not after, it is something in the scripts, so you will want to debug.
I ended up receiving emails that look like the following:
The .csv file looks like:
You can also go to the Log viewer module on your NethServer web page, scroll down to /var/log/openvpn/openvpn_audit.log and click it, and you will see the following:
Hopefully this will help someone. There are probably better ways to do this, but I am not a programmer and do not even play one on TV; this is just a way I came up with to accomplish this task. If you have questions or comments, I am glad to hear them.
Thanks.
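A weekly per-user summary of the connect.csv file that the two hook scripts above append to, as an added example that is not part of the original post. It assumes the column layout those scripts write (field 3 distinguishes connect rows from disconnect rows, field 8 is the common name, fields 6, 10 and 12 carry minutes, MB sent and MB received on disconnect rows, field 14 the client's real address) and that the timestamps contain no commas, which holds for the default `date` output. The function name `summarize_audit` and the sample rows are mine; the rows are constructed to match what vpnup.sh and vpndwn.sh would write for two users.

```shell
#!/bin/sh
# Added example (not from the original post): weekly per-user summary of the
# /root/connect.csv audit file written by vpnup.sh and vpndwn.sh.
# Assumed column layout (comma-separated; the labels carry a leading space):
#   connect row:    $3 " Connected:"       $8 common name   $14 real address
#   disconnect row: $3 " Connected Since"  $6 minutes  $8 common name
#                   $10 MB sent  $12 MB received  $14 real address
# Timestamps must not contain commas (true for the default `date` output).

# summarize_audit FILE
# Prints one line per user, sorted by name:
#   name sessions minutes mb_sent mb_received distinct_real_addresses
# "sessions" counts connect rows; the totals come from disconnect rows, so a
# session that is still open contributes to sessions but not to the totals.
summarize_audit() {
    awk -F',' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        {
            name = trim($8)
            if (name == "") next
            if ($3 == " Connected:") {
                sessions[name]++
                ip = trim($14)
                # count each (user, source address) pair once
                if (!((name, ip) in seen)) { seen[name, ip] = 1; ips[name]++ }
            } else if ($3 == " Connected Since") {
                minutes[name] += $6
                sent[name]    += $10
                recv[name]    += $12
            }
        }
        END {
            for (n in sessions)
                printf "%s %d %.2f %.2f %.2f %d\n", n, sessions[n], minutes[n], sent[n], recv[n], ips[n]
        }
    ' "$1" | sort
}

# Constructed sample rows in the exact format the hook scripts append:
# alice has two completed sessions from two different addresses, bob one
# session that has not disconnected yet.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat >"$SAMPLE_CSV" <<'EOF'
Timestamp:,Mon Jan  1 09:00:05 UTC 2024, Connected:,Mon Jan  1 09:00:05 2024,,, Name:,alice,,,,, Real Address:,203.0.113.5, Virtual Address:,10.10.2.6
Timestamp:,Mon Jan  1 09:30:07 UTC 2024, Connected Since,Mon Jan  1 09:00:05 2024, Connection duration (min),30.03, Name:,alice, Data sent (mb),12.50, Data received (mb),3.25, Real Address:,203.0.113.5, Virtual Address:,10.10.2.6
Timestamp:,Tue Jan  2 08:00:00 UTC 2024, Connected:,Tue Jan  2 08:00:00 2024,,, Name:,alice,,,,, Real Address:,198.51.100.9, Virtual Address:,10.10.2.6
Timestamp:,Tue Jan  2 08:10:00 UTC 2024, Connected Since,Tue Jan  2 08:00:00 2024, Connection duration (min),10.00, Name:,alice, Data sent (mb),1.00, Data received (mb),0.50, Real Address:,198.51.100.9, Virtual Address:,10.10.2.6
Timestamp:,Tue Jan  2 11:00:00 UTC 2024, Connected:,Tue Jan  2 11:00:00 2024,,, Name:,bob,,,,, Real Address:,192.0.2.77, Virtual Address:,10.10.2.7
EOF

summarize_audit "$SAMPLE_CSV"
```

On the server you would point it at /root/connect.csv instead of the sample and run it from cron, for example (an assumed crontab entry, with the script saved as /root/scripts/vpnreport.sh) `0 7 * * 1 /root/scripts/vpnreport.sh | mail -s "Weekly VPN summary" someone@example.org`. The last column is the quick check worth reading each week: a user whose number of distinct real addresses keeps growing is connecting from places they did not connect from before.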