This article shows the options available for monitoring the state of a VPN and the logs of the OpenVPN daemon. Its aim is to provide tools for analysing and troubleshooting possible problems with the VPN.
VPN status
The OpenVPN server keeps two files in /var/log/openvpn/ to record the state of the VPN and the IP addresses assigned to each client. Note that openvpn-status.log only lists clients that are currently connected, while ipp.txt persists the address assigned to every client the server has seen, so it also contains names that are not connected at the moment:
root@vpn:~# cat /var/log/openvpn/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Wed Jan 27 10:01:12 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,***.***.***.***:61831,22237,22363,Wed Jan 27 08:55:47 2021
user2,***.***.***.***:49645,79268,81572,Wed Jan 27 09:20:22 2021
juan,***.***.***.***:36434,203312,487600,Wed Jan 27 08:00:40 2021
pedrou,***.***.***.***:37482,364694,10813648,Wed Jan 27 09:10:09 2021
admin,***.***.***.***:39118,38694,22455,Wed Jan 27 09:08:31 2021
user7,***.***.***.***:53269,231433,331450,Wed Jan 27 09:00:07 2021
diegol,***.***.***.***:51574,217252,282732,Wed Jan 27 08:17:37 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.58,user1,***.***.***.***:61831,Wed Jan 27 08:55:48 2021
10.8.0.54,admin,***.***.***.***:39118,Wed Jan 27 10:00:12 2021
10.8.0.10,user7,***.***.***.***:53269,Wed Jan 27 10:01:11 2021
10.8.0.50,diegol,***.***.***.***:51574,Wed Jan 27 10:01:03 2021
10.8.0.26,user2,***.***.***.***:49645,Wed Jan 27 10:00:20 2021
10.8.0.30,pedrou,***.***.***.***:37482,Wed Jan 27 10:00:57 2021
10.8.0.6,juan,***.***.***.***:36434,Wed Jan 27 10:00:25 2021
GLOBAL STATS
Max bcast/mcast queue length,9
END
root@vpn:~# cat /var/log/openvpn/ipp.txt
juan,10.8.0.4
user7,10.8.0.8
juanita,10.8.0.12
circe,10.8.0.16
cristina,10.8.0.20
user2,10.8.0.24
pedrou,10.8.0.28
juan2,10.8.0.32
user10,10.8.0.36
webmaster,10.8.0.40
user4,10.8.0.44
diegol,10.8.0.48
admin,10.8.0.52
user1,10.8.0.56
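The status file above is plain CSV under section markers, which makes it easy to process automatically. The following is an added example, not code from the original article: it parses a constructed status file in that same layout, joins each CLIENT LIST row with its ROUTING TABLE entry so every session shows its virtual address, and flags common names with more than one concurrent session. The client names and addresses in the sample are made up.

```python
# Added example (not from the original article): parse an OpenVPN status file in the
# version-1 layout shown above and join CLIENT LIST rows with the ROUTING TABLE.
from collections import Counter
# Constructed sample; names and addresses are hypothetical, not from a live server.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Jan 27 10:01:12 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.10:61831,22237,22363,Wed Jan 27 08:55:47 2021
bob,203.0.113.7:49645,79268,81572,Wed Jan 27 09:20:22 2021
bob,203.0.113.99:40001,1024,2048,Wed Jan 27 09:50:00 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.58,alice,198.51.100.10:61831,Wed Jan 27 08:55:48 2021
10.8.0.26,bob,203.0.113.7:49645,Wed Jan 27 10:00:20 2021
10.8.0.62,bob,203.0.113.99:40001,Wed Jan 27 10:01:00 2021
GLOBAL STATS
Max bcast/mcast queue length,9
END
"""
SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")

def parse_status(text):
    """Return one dict per session, keyed by the CSV headers plus 'Virtual Address'."""
    section, headers, clients, routes = None, [], [], {}
    for line in text.splitlines():
        if line in SECTIONS:               # section marker: reset the per-section header
            section, headers = line, []
            continue
        fields = line.split(",")
        if section not in SECTIONS[:2] or fields[0] == "Updated":
            continue                       # GLOBAL STATS and the Updated timestamp are not rows
        if not headers:                    # first CSV line of each section is its header
            headers = fields
        elif section == "OpenVPN CLIENT LIST":
            clients.append(dict(zip(headers, fields)))
        else:                              # real address:port is unique per session; a client
            row = dict(zip(headers, fields))  # with pushed iroutes has extra rows, keep the first
            routes.setdefault(row["Real Address"], row["Virtual Address"])
    for c in clients:
        c["Virtual Address"] = routes.get(c["Real Address"])
        for k in ("Bytes Received", "Bytes Sent"):
            c[k] = int(c[k])
    return clients

def duplicate_sessions(clients):
    """Common names with several live sessions at once (often a shared client certificate)."""
    counts = Counter(c["Common Name"] for c in clients)
    return sorted(cn for cn, n in counts.items() if n > 1)
```

Point parse_status at the contents of /var/log/openvpn/openvpn-status.log to run it against a real server; duplicate_sessions is only meaningful when the server is not configured with duplicate-cn.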
OpenVPN logs
The OpenVPN daemon logs its activity to syslog. It is convenient to define an alias openvpn-logs-follow to watch the OpenVPN log in real time (with tail -f):
root@vpn:~# alias | grep vpn
alias openvpn-logs='grep -e "openvpn\|ovpn-server" /var/log/syslog | less'
alias openvpn-logs-follow='tail -f /var/log/syslog | grep -e "openvpn\|ovpn-server"'
Example:
root@vpn:~# openvpn-logs-follow
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_LZO=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_COMP_STUB=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_COMP_STUBv2=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_TCPNL=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
This alias is handy for monitoring the VPN server's activity and debugging any problems with the service.
Finally, the script vpnusers.sh forces the OpenVPN daemon to dump its client list immediately (the daemon writes the list to syslog when it receives SIGUSR2):
#!/bin/bash
# Find the PID(s) of the running openvpn daemon. The "[o]penvpn" pattern keeps
# the grep process itself out of the match.
PID=$(ps -ax -o pid,command | grep "[o]penvpn" | sed 's/^ *//' | cut -d' ' -f1)
# SIGUSR2 makes OpenVPN write its client list and routing table to syslog.
# $PID is left unquoted on purpose: it holds one PID per line if several instances run.
kill -USR2 $PID
# Give the daemon a moment to write the dump before reading it back.
sleep 2
# Read syslog backwards, stop at the most recent "OpenVPN CLIENT LIST" header
# (keeping up to 1000 lines that follow it in the file), then restore the order.
tac /var/log/syslog | grep -m1 -B 1000 'OpenVPN CLIENT LIST' | tac
Example:
root@vpn:~# vpnusers.sh
Jan 27 13:18:27 vpn ovpn-server[16243]: OpenVPN CLIENT LIST
Jan 27 13:18:27 vpn ovpn-server[16243]: Updated,Wed Jan 27 10:18:27 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Jan 27 13:18:27 vpn ovpn-server[16243]: user1,***.***.***.***:61831,26357,26523,Wed Jan 27 08:55:47 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: user2,***.***.***.***:49645,91288,100540,Wed Jan 27 09:20:22 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: juan,***.***.***.***:36434,211160,494156,Wed Jan 27 08:00:40 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: pedrou,***.***.***.***:37482,388056,10821403,Wed Jan 27 09:10:09 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: admin,***.***.***.***:39118,96226,142219,Wed Jan 27 09:08:31 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: user7,***.***.***.***:53269,282622,404821,Wed Jan 27 09:00:07 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: diegol,***.***.***.***:51574,236296,310525,Wed Jan 27 08:17:37 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: ROUTING TABLE
Jan 27 13:18:27 vpn ovpn-server[16243]: Virtual Address,Common Name,Real Address,Last Ref
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.58,user1,***.***.***.***:61831,Wed Jan 27 08:55:48 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.54,admin,***.***.***.***:39118,Wed Jan 27 10:18:12 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.10,user7,***.***.***.***:53269,Wed Jan 27 10:18:17 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.50,diegol,***.***.***.***:51574,Wed Jan 27 10:18:13 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.26,user2,***.***.***.***:49645,Wed Jan 27 10:14:58 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.30,pedrou,***.***.***.***:37482,Wed Jan 27 10:18:16 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.6,juan,***.***.***.***:36434,Wed Jan 27 10:17:49 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: GLOBAL STATS
Jan 27 13:18:27 vpn ovpn-server[16243]: Max bcast/mcast queue length,9
Jan 27 13:18:27 vpn ovpn-server[16243]: END
As an additional benefit, unrelated to the VPN itself, these logs make it quick to find the public IP address currently in use by a VPN user (masked with asterisks in the captures above). This can be useful when you need to allow that address through a firewall or an AWS Security Group.