Openvpn Emails and Audit Logs


(Ryan) #1

Hello all, I am new to the community but started using NethServer for our small business a week or two back. What brought me to NethServer was mostly the OpenVPN module, since it provides a good interface and an easy way to grant users access to the VPN.

One of the things I wanted with OpenVPN that I could not find within the NethServer module was a way to have an easily readable audit log showing connections to and disconnects from the system. This started with me first trying to create a couple of bash scripts (it probably could have been done more easily with a different method, but this seems to work) that would send emails on connect or disconnect from OpenVPN.

However, when I had this mostly figured out, I saw that if I dropped a new log file with just the information I wanted into the /var/log/openvpn directory, I could quickly open and view my new audit log.

Since I had mostly created the email portion, I went ahead and left sending email in the script, which I will probably comment out after the first week. I also wanted a file that the system could email me weekly in .csv format, since I am hoping I do not need to pay much attention to the NethServer system once it is rolling along. I will just use a cron job to send me the .csv file weekly.

Anyhow, here is how I did this (I am placing this all here for when I forget and need to come find it, and with some hope that this might help someone with this issue).

Also, note that to use the floating-point math in the bash scripts you need to install bc (`yum install bc`) on the system. These scripts were cobbled together from different sources on the internet.

I created the following two scripts in the directory /root/scripts:
### VPNUP.SH

```sh
#!/bin/bash
# client-connect hook: OpenVPN exports time_ascii, common_name, untrusted_ip and
# ifconfig_pool_remote_ip into the environment before running this script.

# Recipient's email address
TO="someone@example.org"

# Message body built from the OpenVPN variables: connected time, addresses and connection name
message="<b>Connected Since:</b> $time_ascii<br><b>Name:</b> $common_name<br> \
<b>Real Address:</b> $untrusted_ip<b> Virtual Address:</b> $ifconfig_pool_remote_ip"

# Format the email body in a private temp file; the Date line shows local time
BODY=$(mktemp)
echo "Date: $(date)" >>"$BODY"
echo "<br>" >>"$BODY"
echo "<br>Client has connected to a very lonely OpenVPN Server:" >>"$BODY"
echo "<br><br>" >>"$BODY"
echo "$message" >>"$BODY"
echo "<br>" >>"$BODY"
echo "---" >>"$BODY"
echo "<br>YOUR LONELY VPN SERVER." >>"$BODY"

# Send the connection email: -r sets the sender, -s the subject (the newline appended by
# echo -e adds a Content-Type header so the body renders as HTML); uses the NethServer mail settings
mail -r "VPN Server <fromemail@example.org>" -s "$(echo -e "VPN Connect\nContent-Type: text/html")" "$TO" <"$BODY"

# Keep a copy of the last body in root's home for debugging, then remove the temp file
cp "$BODY" /root/mailup.txt
rm -f "$BODY"

# Add a record to the CSV audit file
TIMESTMP=$(date)
AUDITCSVUP="Timestamp:,$TIMESTMP, Connected:,$time_ascii,,, Name:,$common_name,,,,, Real Address:,$untrusted_ip, Virtual Address:,$ifconfig_pool_remote_ip"
echo "$AUDITCSVUP" >>/root/connect.csv

# Add a record to the audit log in the log directory
AUDITLOGUP="CONNECTION- Timestamp: $TIMESTMP  Connected: $time_ascii  Name: $common_name  Real Address: $untrusted_ip  Virtual Address: $ifconfig_pool_remote_ip"
echo "$AUDITLOGUP" >>/var/log/openvpn/openvpn_audit.log
```

### VPNDWN.SH

```sh
#!/bin/bash
# client-disconnect hook: besides the connect variables, OpenVPN exports
# bytes_received, bytes_sent and time_duration (seconds) for the finished session.

# Recipient's email address
TO="recipient@example.org"

# Megabytes received, from the OpenVPN variable bytes_received; bc does the floating-point
# division and awk formats the result with two decimals and a leading zero
MBREC=$(echo "scale=2;$bytes_received/1048576" | bc | awk '{printf "%.2f\n",$0}')

# Megabytes sent, from the OpenVPN variable bytes_sent
MBSENT=$(echo "scale=2;$bytes_sent/1048576" | bc | awk '{printf "%.2f\n",$0}')

# Time connected in minutes, from the OpenVPN variable time_duration
TIMEMIN=$(echo "scale=2;$time_duration/60" | bc | awk '{printf "%.2f\n",$0}')

# Message body using the calculated values and time_ascii for the connection time
message="<b>Connected Since:</b> $time_ascii<br> <b>Connection Duration (MIN):</b> $TIMEMIN<br><b>Name:</b> $common_name<br> \
<b>Data Received (MB):</b> $MBREC <b>Data Sent (MB):</b> $MBSENT<br><b>Real Address:</b> $untrusted_ip<b> Virtual Address:</b> $ifconfig_pool_remote_ip"

# Format the email body in a private temp file; the Date line shows local time
BODY=$(mktemp)
echo "Date: $(date)" >>"$BODY"
echo "<br>" >>"$BODY"
echo "<br>Client has disconnected from a very very lonely OpenVPN Server:<br>" >>"$BODY"
echo "<br>" >>"$BODY"
echo "$message" >>"$BODY"
echo "<br>" >>"$BODY"
echo "---" >>"$BODY"
echo "<br>Your Super Lonely VPN SERVER." >>"$BODY"

# Send the disconnect email: -r sets the sender, -s the subject plus an HTML Content-Type header;
# uses the NethServer mail settings
mail -r "VPN Server <fromsomeone@example.org>" -s "$(echo -e "VPN Disconnect\nContent-Type: text/html")" "$TO" <"$BODY"

# Keep a copy of the last body in root's home for debugging, then remove the temp file
cp "$BODY" /root/maildwn.txt
rm -f "$BODY"

# Add a record to the CSV audit file
TIMESTMP=$(date)
AUDITCSVDWN="Timestamp:,$TIMESTMP, Connected Since,$time_ascii, Connection duration (min),$TIMEMIN, Name:,$common_name, Data sent (mb),$MBSENT, \
Data received (mb),$MBREC, Real Address:,$untrusted_ip, Virtual Address:,$ifconfig_pool_remote_ip"
echo "$AUDITCSVDWN" >>/root/connect.csv

# Add a record to the audit log in the log directory
AUDITLOGDWN="DISCONNECT- Timestamp: $TIMESTMP  Connected Since: $time_ascii  Connection duration (min): $TIMEMIN  Name: $common_name  Data sent (mb): $MBSENT  \
Data received (mb): $MBREC  Real Address: $untrusted_ip  Virtual Address: $ifconfig_pool_remote_ip"
echo "$AUDITLOGDWN" >>/var/log/openvpn/openvpn_audit.log
```

Once these scripts were created, I created a file called 91connect in the custom templates directory for OpenVPN (I had to create this directory; do the same if you do not find it on your system). The path to the directory is:

/etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf

### 91connect

```
# FROM "/etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf"
client-connect /root/scripts/vpnup.sh
client-disconnect /root/scripts/vpndwn.sh
```

Once the 91connect file is created, you need to re-expand the OpenVPN host-to-net.conf template. I could not figure out that command quickly, so I just changed my routed network from 10.10.1.0 to 10.10.2.0, and this recreated the host-to-net.conf file in /etc/openvpn/host-to-net.conf with the contents of 91connect at the end of the file.

Now, once this is done, try to connect a VPN client to the server. If it does not connect but was working before, there is something wrong with the scripts; the error it throws always came up as bad username/password for me, but it was something in the scripts.

So if OpenVPN was working before you tried this but is not after, it is something in the scripts, so you will want to debug them.

I ended up receiving emails that look like the following:

[image: VPNconnect]

[image: VPNdisconnect]

The .csv file looks like this:

[image: connect.csv]

You can also go to the log viewer module on your NethServer web page, scroll down to /var/log/openvpn/openvpn_audit.log and click it, and you will see the following:

[image: openvpn_audit.log in the log viewer]

Hopefully, this will help someone. There are probably better ways to do this, but I am not a programmer and do not even play one on TV; this is just a way I came up with to accomplish this task. If you have questions or comments I am glad to hear them.

Thanks.
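A consolidated version of the two hooks, added here as an example and not part of Ryan's scripts: one script serves both the client-connect and client-disconnect directives by checking OpenVPN's `script_type` variable, quotes every CSV field so a common name or address containing a comma cannot shift columns, and does the unit conversions in awk so bc is not needed. It assumes `script-security 2` is present in the server config (OpenVPN refuses to run connect hooks otherwise); the CSV path, column layout and hypothetical script name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): a single hook for both events,
# selected by OpenVPN's $script_type. Server config (needs script-security 2):
#   client-connect /root/scripts/vpn_audit.sh
#   client-disconnect /root/scripts/vpn_audit.sh
# The CSV path below is a placeholder; override it through the environment.
AUDIT_CSV="${AUDIT_CSV:-/var/log/openvpn/openvpn_audit.csv}"

# Quote one CSV field (RFC 4180): wrap in double quotes and double any embedded
# quote, so a value containing a comma cannot split the row or add a column.
csv_field() { printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"; }

# Unit conversions done in awk, so bc does not have to be installed.
to_mib() { awk -v b="${1:-0}" 'BEGIN { printf "%.2f", b / 1048576 }'; }
to_min() { awk -v s="${1:-0}" 'BEGIN { printf "%.2f", s / 60 }'; }

# Print one CSV record built from OpenVPN's environment. $1 is the record
# timestamp (defaults to now; passed explicitly in tests). Columns:
# event,timestamp,connected_since,common_name,real_address,virtual_address,
# duration_min,mib_received,mib_sent  (the last three are empty on connect)
audit_record() {
    ts="${1:-$(date '+%Y-%m-%dT%H:%M:%S%z')}"
    dur=""; rx=""; tx=""
    case "${script_type:-}" in
        client-connect) event=CONNECT ;;
        client-disconnect)
            event=DISCONNECT
            dur=$(to_min "${time_duration:-0}")
            rx=$(to_mib "${bytes_received:-0}")
            tx=$(to_mib "${bytes_sent:-0}") ;;
        *) echo "unexpected script_type: ${script_type:-}" >&2; return 1 ;;
    esac
    printf '%s,%s,%s,%s,%s,%s,%s,%s,%s\n' \
        "$(csv_field "$event")" "$(csv_field "$ts")" \
        "$(csv_field "${time_ascii:-}")" "$(csv_field "${common_name:-}")" \
        "$(csv_field "${untrusted_ip:-}")" "$(csv_field "${ifconfig_pool_remote_ip:-}")" \
        "$(csv_field "$dur")" "$(csv_field "$rx")" "$(csv_field "$tx")"
}

# Entry point when OpenVPN runs the hook (it always sets $script_type). The file
# is created root-only; a non-zero exit from client-connect rejects the client.
if [ -n "${script_type:-}" ]; then
    umask 077
    rec=$(audit_record) || exit 1
    printf '%s\n' "$rec" >> "$AUDIT_CSV"
fi
```

Because the file is already CSV, the weekly cron job can mail it as-is, and it still shows up in the NethServer log viewer under /var/log/openvpn.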


(Alessio Fattorini) #2

Hi Ryan! First of all sorry for the late response and welcome to the NethServer Community.
Thanks for sharing your work I really appreciate it. It’s not usual to land on a new community and start to share things :heart_eyes_cat:

Good to know. I guess that someone else is happy to see your words :slight_smile: @giacomo @davide_marini

Looks like a good starting point in order to manage and control OpenVPN connections.
What do you think @davide_marini ?

p.s. would you mind sharing something about you here?