OpenVPN logfile

Arno · August 4, 2018, 11:59am

Hi,

Installed and I wanted to configure a logfile for OpenVPN.

First approach:
Copy config openvpn sample_client in config file.
Add (log) options to config
Add VPN service config file
Use new config when starting OpenVPN.

Can't get that working. OpenVPN does not expect this type of config.
Options error: Unrecognized option or missing parameter(s)
Tips welcome.

Second approach: Use VPN service config file
Add (log) options to /etc/init.d/openvpn
Removed --syslog
Added --log-append

Does not use the new log file.
Is it possible to use a logfile instead of syslog?

Kind regards,
Arno
Netgear WNDR3800
OpenWRT 18.06

jow · August 4, 2018, 12:18pm

Note that --syslog also prevents daemonization so that procd can supervise the openvpn process. Did you also remove (--)daemon from your configuration after dropping --syslog from the init script?

Arno · August 4, 2018, 1:23pm

There was and is no (--)daemon in the downloaded config file of the VPN provider.

I use OpenVPN to connect to a VPN provider.
There are issues connecting and I want to seperate OpenVPN log entries in syslog in a OpenVPN log file.

JW0914 · August 5, 2018, 3:52am

Please elaborate, as log and log_append config options work.

ZOzo · August 5, 2018, 4:52am

My approach to this issue:

disable openvpn log options, all logs will go to system logs
create a file somewhere you call syslog.txt
create a crontab to logread > path to syslog.txt
crontab time to be define as per your usual log volume

then another crontab daily or as per your log volume again
perl -i -ne 'print if ! $x{$_}++' path to syslog.txt
to remove duplicate lines in your syslog.txt

from there you cat pipe sed perl to get your vpn logs clean

openwrt log file size can be increased if 64 is an issue after a week troubleshooting

use https://crontab.guru for help

Implementation of openvpn in recent routers firmwares are much better than in openwrt when auditing and troubleshooting is required

Arno · August 5, 2018, 12:25pm

Tried again and indeed those options work. I don't remember what I did the first time. I should say I did the same but I don't know....????

On my first aproach to use the config file instead of /etc/init.d/openvpn for (log) options I will reply later. My first explanation was not clear so I want to check some things first.

ZOzo:
Solved it by using --log and copy the log file to a seperate file with timestamp in file name after each connection attempt.

JW0914 · August 9, 2018, 5:53pm

That would be highly inefficient, as you will end up with hundreds, if not thousands, of lines of non-openvpn related log entries.

OpenVPN supports logging to a specific log file, and by default, logs to /tmp/openvpn.log
- I always recommend a server verbosity of 5 [verb 5] and a client verbosity of 7 [verb 7]
  - Default verbosity is 3

@Arno's idea of copying the OpenVPN log file to a separate location and appending a timestamp would be the most efficient way I can think of.

You may have added log-append, which is the standard on every Linux distro, except OpenWrt. OpenWrt uses underscores in place of dashes

ZOzo · August 5, 2018, 1:52pm

Inneficient but im sure I have the logs

special scripts comes afterwards for specific logs lines cleaning for sharp and clean logs as per required. This is where bash perl cat pipe sed awk comes in

If you know of a way to get the open vpn logs and that will work on all openwrt compatible routers without issues i would really like to know your solution.

openvpn site states log and log apend and file in /tmp.openvpn.log but this file is nowhere to be find on router with or without option log or log apend, tested on 3 brand of routers so far, tp-link, netgear and d-link

Behaviour of openwrt/lede is not equal on all compatible routers, some issues require restart on some routers and not on others, requires unplugging of lan or wan on some routers but not on others… the list goes on

JW0914 · August 5, 2018, 2:10pm

You're making far more work for yourself than is required.

Either you're missing the log option in your config, or your config is malformed... please post your config (within code boxes please)

I'm not sure exactly what you're referencing, but OpenVPN configs will work on all OSes, regardless of distro.

To make an OpenWrt config compatible with any other distro, remove:
- option
- list in front of push options
- Change all underscores to dashes.
To make another distro's config compatible with OpenWrt, perform the reverse.

ZOzo · August 5, 2018, 3:13pm

will these logs stays theres after a reboot/powercut?

ZOzo · August 5, 2018, 3:27pm

Logs does not survived reboots
How to audit connections later after issue

You were to convince me that everything are fine today, but after a test right now I CONFIRM that on my WDR4300 TP-Link router logs are gone after reboot.

For both System log and /var alias /tmp /log/openvpn.log

JW0914 · August 5, 2018, 3:38pm

No, as /tmp is volatile since it's a ramfs (/var is symbolicly linked to /tmp)

To have the log survive power loss/reboot, you'll need to specify a path either on a network share or an attached drive.
- log_append /mnt/sda1/logs/openvpn/openvpn.log
  - I'd recommend doing what @Arno is doing to timestamp logs if you go this route.
- You could also save them to ROM's overlay, however this may not be practical depending on how much ROM your device has in relation to how much free space your device has.
  - log_append /root/logs/openvpn/openvpn.log
You could configure a syslog server on a separate device, however the above would be the easiest way to get up and running.

Arno · August 5, 2018, 4:03pm

That's why I backup logs once a day to another server on disk.
But when I read your question I realized I also have to create an 'reboot' alias that does a backup and then reboots. Not tested yet.
With powercuts logs of that day are lost.
Choose to log to RAM because of more free space. When logging to /etc/config/something (stays there after reboot) free space goes to 0 fast and other strange things start to happen.

Arno · August 5, 2018, 4:26pm

Is it possible to put options in a configuration file instead of /etc/init.d/openvpn? That is easier to maintain when updating/upgrading.

I tried to use /etc/config/openvpn (the file with sample configurations).
Added a new configuration with log options.
And included the configuration file of the vpn provider
But I never got it to work.

Is /etc/config/openvpn the correct file or is this only for use with LuCI?
In the web interface I only see Services->OpenVPN. Is that openvpn server? I'm not setting up an openvpn server. The router connects as client.

If it is of any help I can post the config I added to the config file.

ZOzo · August 5, 2018, 8:21pm

Document all you setup in a text file per device, it will definitely help in upgrade and update purpose

prepare script where you can and save on your computer later scp to upgraded router and resetup, will take less than 10 minutes for however complexe the config might be.

Document document document
automate automate automate as much as you can

example for vpn log cleaning if vpn logs are going in a textfile containing other logs somewhere on the system that will not be deleted after reboot would be
cat "file location of existing log file" | grep openvpn > "file location for vpnlogs.txt"

then scp to get it on your computer.
create scripts to help you out

JW0914 · August 5, 2018, 11:27pm

I addressed this before... this is not the correct way to perform OpenVPN logging. Have you ever even looked at an OpenVPN log?

If you had, you'd realize 99% of OpenVPN log output does not contain "OpenVPN" in the output
Log output example:

root@OpenWrt ~ # cat /tmp/openvpn.log
Thu Oct 20 13:35:30 2016 us=653309 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication: using '/etc/ssl/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Oct 20 13:35:30 2016 us=706722 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Thu Oct 20 13:35:30 2016 us=706760 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 72 bytes
Thu Oct 20 13:35:30 2016 us=706804 TLS-Auth MTU parms [ L:48104 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Oct 20 13:35:30 2016 us=706857 Socket Buffers: R=[87380->327680] S=[16384->327680]
Thu Oct 20 13:35:30 2016 us=707392 TUN/TAP device tun0 opened
Thu Oct 20 13:35:30 2016 us=707465 TUN/TAP TX queue length set to 100
Thu Oct 20 13:35:30 2016 us=707517 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 20 13:35:30 2016 us=707587 /sbin/ip link set dev tun0 up mtu 48000
Thu Oct 20 13:35:30 2016 us=709190 /sbin/ip addr add dev tun0 10.1.0.1/28 broadcast 10.1.0.15
Thu Oct 20 13:35:30 2016 us=714514 Data Channel MTU parms [ L:48104 D:48104 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Oct 20 13:35:30 2016 us=714630 GID set to nogroup
Thu Oct 20 13:35:30 2016 us=714680 UID set to nobody
Thu Oct 20 13:35:30 2016 us=714859 Listening for incoming TCP connection on [undef]
Thu Oct 20 13:35:30 2016 us=714908 TCPv4_SERVER link local (bound): [undef]
Thu Oct 20 13:35:30 2016 us=714945 TCPv4_SERVER link remote: [undef]
Thu Oct 20 13:35:30 2016 us=714986 MULTI: multi_init called, r=256 v=256
Thu Oct 20 13:35:30 2016 us=715050 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Thu Oct 20 13:35:30 2016 us=715095 ifconfig_pool_read(), in='vpn-client1-foobar1-device1,10.1.0.5', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715138 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715176 ifconfig_pool_read(), in='John Doe (OpenWrt VPNserver Client),10.1.0.6', TODO: IPv6
Thu Oct 20 13:35:30 2016 us=715213 succeeded -> ifconfig_pool_set()
Thu Oct 20 13:35:30 2016 us=715249 IFCONFIG POOL LIST
Thu Oct 20 13:35:30 2016 us=715287 vpn-client1,10.1.0.5
Thu Oct 20 13:35:30 2016 us=715331 John Doe (OpenWrt VPNserver Client),10.1.0.6
Thu Oct 20 13:35:30 2016 us=715428 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Oct 20 13:35:30 2016 us=715971 Initialization Sequence Completed

If you want to attempt to log OpenVPN log output to the system log, best of luck to you when you attempt to troubleshoot something, let alone finding someone to help. There's a log option in OpenVPN for a reason...

ZOzo · August 6, 2018, 5:52am

Yep,

thx JW, I know

If everything were to always worked perfectly this is the proper way to go
OpenVPN on a computer and openvpn on embeded routers sometimes behave differently.
Thus troubleshooted differently by different users and as per resource and knowledge available.

also while troubleshooting issues, the watch tic tok does not stop for you to find the perfect solution.

May be I will get myself an apple watch so no tic tok and i will always have all my time

Arno · August 6, 2018, 11:20am

Does anyone know an answer?
If there is a seperate config file that would be great. If not that's OK.
Then configuration has to be done in /etc/init.d/openvpn.

JW0914 · August 6, 2018, 12:56pm

@Arno What specific options, besides log, are you looking for?

You clearly have zero understanding of what you're attempting to speak to... I'd encourage you to read the OpenVPN Man Page and HowTo

Arno · August 6, 2018, 1:28pm

@JW0914
No specific option.
I prefer a separate configuration file over editing /etc/init.d/openvpn for options.