Feature #11935
closed
Log external IP address of OpenVPN clients on connect and disconnect
100%
Description
Would it be possible to add the IP address of the user when they are authenticated? This would assist with doing Graylog email alerts when users connect in, as this particular syslog entry does not include where the user is connecting from. I attached a mocked-up example.
openvpn PID user 'USERNAME' authenticated from aaa.bb.c.ddd
Updated by Michael Novotny over 3 years ago
- File graylog email alert.png added
Attached is the syslog entry from Graylog.
Updated by Jim Pingle over 3 years ago
- Category changed from Logging to OpenVPN
- Priority changed from Normal to Low
- Target version set to Future
In theory it should be possible, but would need validation to ensure it works as desired.
The data should be available from OpenVPN in the environment via untrusted_ip/untrusted_ip6 but would need to be passed through the various auth scripts, as is done for the user/pass/cn.
Updated by Michael Novotny over 3 years ago
The syslog entries are called on /etc/inc/openvpn.auth-user.php around lines 120 & 163 ("could not authenticate" & "authenticated"); the user's connected-from IP address entry would go there.
I'm not a daily programming guru... but at a quick glance, I'm not seeing OpenVPN env vars being passed, so I leave this with the experts.
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version changed from Future to 2.6.0
- Plus Target Version set to 21.09
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- % Done changed from 0 to 100
Applied in changeset 1e9e12c2180110ef556eee48516cfde0065d4f1a.
Updated by Alhusein Zawi over 3 years ago
IP address is not added to openvpn log yet
Updated by Jim Pingle over 3 years ago
Alhusein Zawi wrote:
IP address is not added to openvpn log yet
Where did you test that? It would only be in 2.6.0 snapshots currently.
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle about 3 years ago
- Subject changed from Add IP address to OpenVPN logging to Log external IP address of OpenVPN clients on connect and disconnect
Updating subject for release notes.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Max Leighton almost 3 years ago
- Status changed from Feedback to Resolved
Tested in:
2.6.0-DEVELOPMENT (amd64)
built on Sat Nov 27 06:23:02 UTC 2021
FreeBSD 12.3-PRERELEASE
In my testing this works:
Nov 27 13:21:42 openvpn 33195 openvpn server 'ovpns1' user 'admin' address '100.65.10.17:42624' - connecting
Nov 27 13:21:42 openvpn 36422 openvpn server 'ovpns1' user 'admin' address '100.65.10.17:42624' - connected
Nov 27 13:22:15 openvpn 43814 openvpn server 'ovpns1' user 'admin' address '100.65.10.17:42624' - disconnected
I tested it in the latest 22.01 and it works there too. Marking the ticket resolved.
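Added example, not part of the ticket or of pfSense's own code: a parser for the log message format shown in the test output above, with the kind of check the original request was after (flag a user connecting from a source address not seen before). The function names, the `known` baseline and the last sample line are assumptions made for illustration; splitting the port at the last colon is assumed from the IPv4 sample.

```python
import re

# Matches only the message part, so a different syslog header (for example
# after forwarding to a log server) does not matter. Fields are matched
# strictly: a line that does not fit the format is ignored, not guessed at.
EVENT_RE = re.compile(
    r"openvpn server '(?P<server>[^']*)' user '(?P<user>[^']*)' "
    r"address '(?P<address>[^']*)' - (?P<event>connecting|connected|disconnected)$"
)

def parse_line(line):
    """Return the fields of one connection event, or None for other lines."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: the source port follows the last colon, as in the sample.
    rec["ip"], _, rec["port"] = rec["address"].rpartition(":")
    return rec

def new_source_alerts(lines, known):
    """Return 'connected' events whose source IP is not in known[user].

    known maps user name -> set of previously seen IPs and is updated in
    place, so each new address is reported once.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "connected":
            continue
        seen = known.setdefault(rec["user"], set())
        if rec["ip"] not in seen:
            seen.add(rec["ip"])
            alerts.append(rec)
    return alerts

SAMPLE = [
    # First three lines are the ones quoted in the test comment.
    "Nov 27 13:21:42 openvpn 33195 openvpn server 'ovpns1' user 'admin' address '100.65.10.17:42624' - connecting",
    "Nov 27 13:21:42 openvpn 36422 openvpn server 'ovpns1' user 'admin' address '100.65.10.17:42624' - connected",
    "Nov 27 13:22:15 openvpn 43814 openvpn server 'ovpns1' user 'admin' address '100.65.10.17:42624' - disconnected",
    # Constructed line: same user from a different (documentation-range) address.
    "Nov 27 14:02:10 openvpn 51200 openvpn server 'ovpns1' user 'admin' address '203.0.113.7:50111' - connected",
]

if __name__ == "__main__":
    for hit in new_source_alerts(SAMPLE, {"admin": {"100.65.10.17"}}):
        print(f"new source for {hit['user']}: {hit['ip']} on {hit['server']}")
```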