This article shows the options available for monitoring the state of a VPN and the logs of the OpenVPN daemon. Its goal is to provide tools for analysing and diagnosing possible problems with the VPN.

VPN status

The OpenVPN server keeps two files in the /var/log/openvpn/ directory that record the state of the VPN (openvpn-status.log: client list, routing table and global stats) and the IP addresses assigned to each client (ipp.txt):

root@vpn:~# cat /var/log/openvpn/openvpn-status.log 
OpenVPN CLIENT LIST
Updated,Wed Jan 27 10:01:12 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,***.***.***.***:61831,22237,22363,Wed Jan 27 08:55:47 2021
user2,***.***.***.***:49645,79268,81572,Wed Jan 27 09:20:22 2021
juan,***.***.***.***:36434,203312,487600,Wed Jan 27 08:00:40 2021
pedrou,***.***.***.***:37482,364694,10813648,Wed Jan 27 09:10:09 2021
admin,***.***.***.***:39118,38694,22455,Wed Jan 27 09:08:31 2021
user7,***.***.***.***:53269,231433,331450,Wed Jan 27 09:00:07 2021
diegol,***.***.***.***:51574,217252,282732,Wed Jan 27 08:17:37 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.58,user1,***.***.***.***:61831,Wed Jan 27 08:55:48 2021
10.8.0.54,admin,***.***.***.***:39118,Wed Jan 27 10:00:12 2021
10.8.0.10,user7,***.***.***.***:53269,Wed Jan 27 10:01:11 2021
10.8.0.50,diegol,***.***.***.***:51574,Wed Jan 27 10:01:03 2021
10.8.0.26,user2,***.***.***.***:49645,Wed Jan 27 10:00:20 2021
10.8.0.30,pedrou,***.***.***.***:37482,Wed Jan 27 10:00:57 2021
10.8.0.6,juan,***.***.***.***:36434,Wed Jan 27 10:00:25 2021
GLOBAL STATS
Max bcast/mcast queue length,9
END
root@vpn:~# cat /var/log/openvpn/ipp.txt 
juan,10.8.0.4
user7,10.8.0.8
juanita,10.8.0.12
circe,10.8.0.16
cristina,10.8.0.20
user2,10.8.0.24
pedrou,10.8.0.28
juan2,10.8.0.32
user10,10.8.0.36
webmaster,10.8.0.40
user4,10.8.0.44
diegol,10.8.0.48
admin,10.8.0.52
user1,10.8.0.56
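
As an added example (not part of the original article), the following Python parses the openvpn-status.log format shown above into structured records and runs two checks an operator would want after reading the dump: clients that are connected but have no routing-table entry yet, and routes whose Last Ref is older than a threshold (an idle tunnel). The sample file, the function names and the 600-second threshold are assumptions made here; RFC 5737 documentation addresses stand in for the masked public IPs.

```python
import csv, io
from datetime import datetime

# Constructed sample in the layout of openvpn-status.log (RFC 5737 addresses replace the masked IPs)
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Jan 27 10:01:12 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,203.0.113.10:61831,22237,22363,Wed Jan 27 08:55:47 2021
pedrou,198.51.100.7:37482,364694,10813648,Wed Jan 27 09:10:09 2021
user7,192.0.2.5:53269,231433,331450,Wed Jan 27 09:00:07 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.58,user1,203.0.113.10:61831,Wed Jan 27 08:55:48 2021
10.8.0.30,pedrou,198.51.100.7:37482,Wed Jan 27 10:00:57 2021
GLOBAL STATS
Max bcast/mcast queue length,9
END
"""
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Wed Jan 27 10:01:12 2021"
HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")

def parse_status(text):
    """Return (updated, clients, routes) parsed from a version-1 status file."""
    updated, clients, routes, section = None, [], [], None
    for row in filter(None, csv.reader(io.StringIO(text))):  # filter skips blank lines
        if row[0] in HEADERS:  # section markers carry no data
            section = row[0]
        elif row[0] == "Updated":
            updated = datetime.strptime(row[1], TIME_FMT)
        elif section == HEADERS[0] and row[0] != "Common Name":
            clients.append({"cn": row[0], "real": row[1], "rx": int(row[2]),
                            "tx": int(row[3]), "since": datetime.strptime(row[4], TIME_FMT)})
        elif section == HEADERS[1] and row[0] != "Virtual Address":
            routes.append({"vaddr": row[0], "cn": row[1], "real": row[2],
                           "last_ref": datetime.strptime(row[3], TIME_FMT)})
    return updated, clients, routes

def top_talkers(clients, n=3):
    """Common names ordered by bytes the server sent to them (Bytes Sent column)."""
    return [(c["cn"], c["tx"]) for c in sorted(clients, key=lambda c: -c["tx"])[:n]]

def find_anomalies(clients, routes, updated, stale_after_s=600):
    """Clients with no route yet, and routes idle (Last Ref) longer than stale_after_s."""
    routed = {r["cn"] for r in routes}
    no_route = sorted(c["cn"] for c in clients if c["cn"] not in routed)
    stale = sorted(r["cn"] for r in routes
                   if (updated - r["last_ref"]).total_seconds() > stale_after_s)
    return no_route, stale
```

The same functions work on the output of the vpnusers.sh dump described later once the syslog prefix is stripped from each line.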

OpenVPN logs

The OpenVPN daemon logs its activity to syslog. Two aliases can be defined: openvpn-logs, to page through past entries, and openvpn-logs-follow, to view the OpenVPN log in real time (with tail -f):

root@vpn:~# alias | grep vpn
alias openvpn-logs='grep -e "openvpn\|ovpn-server" /var/log/syslog | less'
alias openvpn-logs-follow='tail -f /var/log/syslog | grep -e "openvpn\|ovpn-server"'

Example:

root@vpn:~# openvpn-logs-follow 
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_LZO=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_COMP_STUB=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_COMP_STUBv2=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 peer info: IV_TCPNL=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/***.***.***.***:37482 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

This alias is useful for monitoring the VPN server's activity and for debugging any problems with the service.

Finally, the vpnusers.sh script forces the OpenVPN daemon to dump its client list immediately (by sending it SIGUSR2) and prints the dump from syslog:

#!/bin/bash
# Find the PID(s) of the openvpn daemon; "[o]penvpn" keeps grep from matching itself
PID=$(ps -ax -o pid,command | grep "[o]penvpn" | sed 's/^ *//' | cut -d' ' -f1)
[ -n "$PID" ] || { echo "openvpn is not running" >&2; exit 1; }
# SIGUSR2 makes OpenVPN write its client list and routing table to the log
kill -USR2 $PID
sleep 2
# Print from the most recent "OpenVPN CLIENT LIST" header onward (reverse, cut, reverse back)
tac /var/log/syslog | grep -m1 -B 1000 'OpenVPN CLIENT LIST' | tac

Example:

root@vpn:~# vpnusers.sh 
Jan 27 13:18:27 vpn ovpn-server[16243]: OpenVPN CLIENT LIST
Jan 27 13:18:27 vpn ovpn-server[16243]: Updated,Wed Jan 27 10:18:27 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Jan 27 13:18:27 vpn ovpn-server[16243]: user1,***.***.***.***:61831,26357,26523,Wed Jan 27 08:55:47 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: user2,***.***.***.***:49645,91288,100540,Wed Jan 27 09:20:22 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: juan,***.***.***.***:36434,211160,494156,Wed Jan 27 08:00:40 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: pedrou,***.***.***.***:37482,388056,10821403,Wed Jan 27 09:10:09 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: admin,***.***.***.***:39118,96226,142219,Wed Jan 27 09:08:31 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: user7,***.***.***.***:53269,282622,404821,Wed Jan 27 09:00:07 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: diegol,***.***.***.***:51574,236296,310525,Wed Jan 27 08:17:37 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: ROUTING TABLE
Jan 27 13:18:27 vpn ovpn-server[16243]: Virtual Address,Common Name,Real Address,Last Ref
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.58,user1,***.***.***.***:61831,Wed Jan 27 08:55:48 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.54,admin,***.***.***.***:39118,Wed Jan 27 10:18:12 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.10,user7,***.***.***.***:53269,Wed Jan 27 10:18:17 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.50,diegol,***.***.***.***:51574,Wed Jan 27 10:18:13 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.26,user2,***.***.***.***:49645,Wed Jan 27 10:14:58 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.30,pedrou,***.***.***.***:37482,Wed Jan 27 10:18:16 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: 10.8.0.6,juan,***.***.***.***:36434,Wed Jan 27 10:17:49 2021
Jan 27 13:18:27 vpn ovpn-server[16243]: GLOBAL STATS
Jan 27 13:18:27 vpn ovpn-server[16243]: Max bcast/mcast queue length,9
Jan 27 13:18:27 vpn ovpn-server[16243]: END

As an additional benefit, unrelated to the VPN itself, these logs make it quick to determine the public IP address currently in use by a VPN user (masked with asterisks in the captures above). This can be useful when access needs to be granted in a firewall or an AWS Security Group.
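As an added example (not part of the original article), the following Python reads ovpn-server syslog lines in the layout shown in the openvpn-logs-follow output above and builds, per common name, the public IP address the paragraph above refers to, together with the negotiated data-channel cipher and control-channel TLS version, so that sessions negotiating a non-AEAD cipher or an old TLS version can be flagged. The sample lines, the regular expressions, the function names and the AEAD allow-list are assumptions made here; RFC 5737 documentation addresses replace the masked IPs, and the BF-CBC line is constructed to exercise the check.

```python
import re

# Constructed syslog lines in the layout of the openvpn-logs-follow output (RFC 5737 addresses)
SAMPLE_SYSLOG = """\
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/198.51.100.7:37482 peer info: IV_LZO=1
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/198.51.100.7:37482 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 27 13:10:10 vpn ovpn-server[16243]: pedrou/198.51.100.7:37482 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 27 13:12:41 vpn ovpn-server[16243]: user4/203.0.113.10:61831 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 13:12:41 vpn ovpn-server[16243]: user4/203.0.113.10:61831 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 27 13:15:02 vpn sshd[2201]: Accepted publickey for root from 203.0.113.99 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ovpn-server\[\d+\]: "
    r"(?P<cn>[^/ ]+)/(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) (?P<msg>.*)$")
CIPHER_RE = re.compile(r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)'")
TLS_RE = re.compile(r"Control Channel: TLSv(\d)\.(\d)")
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}  # assumed allow-list

def parse_line(line):
    """Fields of one ovpn-server client line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    """Per common name: last seen public IP, data-channel cipher and TLS version tuple."""
    sessions = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["cn"], {"public_ip": None, "data_cipher": None, "tls": None})
        s["public_ip"] = rec["ip"]  # the address the firewall / Security Group rule needs
        m = CIPHER_RE.search(rec["msg"])
        if m:
            s["data_cipher"] = m.group(2)
        m = TLS_RE.search(rec["msg"])
        if m:
            s["tls"] = (int(m.group(1)), int(m.group(2)))
    return sessions

def weak_sessions(sessions, min_tls=(1, 2)):
    """Common names with a known non-AEAD data cipher or a known TLS version below min_tls."""
    return sorted(cn for cn, s in sessions.items()
                  if (s["data_cipher"] is not None and s["data_cipher"] not in AEAD_CIPHERS)
                  or (s["tls"] is not None and s["tls"] < min_tls))
```

Sessions for which neither the cipher nor the TLS line has been seen yet are not reported as weak; raise min_tls to (1, 3) to require TLS 1.3 on the control channel.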
