
We have an OpenVPN server set up in our organization. We have provided PAM access to our staff. Using verb 3 we manage to store who logs in using which IP address.

We want to store which host the user is browsing. We know we can't see anything behind HTTPS, which is why we just want to store the host, for example facebook.com:443.

Below is our current server.conf file:

port 1194
proto tcp
link-mtu 1500
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
cipher AES-128-CBC
auth SHA1
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option SEARCH rancher.internal"
push "route 10.42.0.0 255.255.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
username-as-common-name
verb 3
status /etc/openvpn/log/openvpn-status.log
log-append /etc/openvpn/log/openvpn.log
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
khizar ansari

3 Answers


You are using a routed OpenVPN connection (dev tun and pushing routes). To log host connections it would be required to set up logging on the TCP packet level using e.g. iptables or netfilter.

During OpenVPN setup it is likely that a command similar to the following was executed to set up packet forwarding from remote hosts to the private network: iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 10.42.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

To log connections from remote hosts to private hosts on the TCP packet level a command similar to the following is required: iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 10.42.0.0/24 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j LOG This rule needs to be inserted before the corresponding ACCEPT rule.

This provides logging on the TCP level, but does not provide details on the HTTP host or DNS names. The log results will only contain IP addresses.

Other options to achieve your goal, including DNS names, are by far more complicated and will require more effort to set up. The following tools might be a starting point for such a solution.

Intrusion Detection Systems:

Transparent Proxies:

hargut

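The LOG rule above records only tunnel IP addresses, and hargut's later comment points out that the OpenVPN logs give the user <-> IP correlation. The following Python script is an added example, not code from the answer: it reads the ROUTING TABLE of the status file named in the question's server.conf and attributes each kernel LOG line to the PAM user who held that tunnel address. The "VPN-CONN: " log prefix and all log lines are constructed for the example.

```python
import re
# Constructed sample of /etc/openvpn/log/openvpn-status.log (status-version 1).
# With username-as-common-name the Common Name column is the PAM user name.
STATUS_LOG = """OpenVPN CLIENT LIST
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,12345,67890,Thu May 21 06:55:00 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Thu May 21 06:59:00 2020
10.8.0.10,bob,198.51.100.7:40001,Thu May 21 06:59:30 2020
GLOBAL STATS
END
"""
# Constructed kernel messages as written by the iptables LOG target; the
# "VPN-CONN: " prefix is a hypothetical --log-prefix chosen for this example.
KERNEL_LOG = """May 21 07:01:02 vpn kernel: VPN-CONN: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=10.42.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 21 07:01:05 vpn kernel: VPN-CONN: IN=tun0 OUT=eth0 SRC=10.8.0.10 DST=10.42.1.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
May 21 07:01:09 vpn kernel: VPN-CONN: IN=tun0 OUT=eth0 SRC=10.8.0.99 DST=10.42.1.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 21 07:01:12 vpn sshd[100]: Accepted publickey for ops from 203.0.113.5 port 2222
"""
LOG_RE = re.compile(r"VPN-CONN: .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")

def parse_status(text):
    """Map virtual tunnel IP -> common name using the ROUTING TABLE section."""
    mapping, in_routing = {}, False
    for line in text.splitlines():
        if line.startswith("ROUTING TABLE"):
            in_routing = True
        elif line.startswith("GLOBAL STATS"):
            break
        elif in_routing and not line.startswith("Virtual Address"):
            parts = line.split(",")
            if len(parts) > 1:
                mapping[parts[0]] = parts[1]
    return mapping

def correlate(kernel_text, vip_to_user):
    """Return (user, tunnel_ip, 'dst:port', proto) per logged new connection;
    a tunnel IP absent from the status file is reported as 'unknown'."""
    events = []
    for line in kernel_text.splitlines():
        m = LOG_RE.search(line)  # non-matching syslog lines are skipped
        if m:
            src, dst, proto, dport = m.groups()
            events.append((vip_to_user.get(src, "unknown"), src, f"{dst}:{dport}", proto))
    return events

if __name__ == "__main__":
    for ev in correlate(KERNEL_LOG, parse_status(STATUS_LOG)):
        print("%s (%s) -> %s/%s" % ev)
```

Because tunnel addresses are reused between sessions, the status file must be read close to the time of the LOG event (or the user/IP pairs kept from the openvpn.log connect and disconnect lines) for the attribution to be reliable.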

Hargut is right. I add one rule: you have to give clients certificates and assign them a virtual IP one by one. Only in that way can you identify who browsed what site.

George Y
  • How can I assign a virtual IP? I'm keen to know your setup. – khizar ansari May 21 '20 at 07:29
  • It is a hard topic, I suggest you read the book `Beginning OpenVPN 2.0.9` by Markus Feilner & Norbert Graf, Chapter 13. – George Y May 21 '20 at 07:56
  • I don't see why certificates and virtual IPs would be required, as clients do also get an IP and are authenticated through PAM. By analyzing the OpenVPN logs it would be possible to get the user <-> IP correlation. Even though correlation would be much easier if users always get the same addresses. – hargut May 21 '20 at 08:03
  • What if he wants to automatically ban a client caught browsing a forbidden IP? – George Y May 21 '20 at 08:06
  • Depends on the goals of the logging. For a use case with forbidding access to destinations, a proxy solution which can blacklist destinations would likely be a good choice. Locking the user in the PAM user source and dropping packets from his current IP would also be possible to implement such a ban. – hargut May 21 '20 at 11:16


You can monitor host connections using interactive log monitoring tools.

iptraf --> Iptraf is an interactive and colorful IP LAN monitor. It shows individual connections and the amount of data flowing between the hosts.

Installing iptraf:

# Centos (base repo)
$ yum install iptraf

# fedora or centos (with epel)
$ yum install iptraf-ng -y

# ubuntu or debian
$ sudo apt-get install iptraf iptraf-ng

Nload --> Nload is a command-line tool that allows users to monitor the incoming and outgoing traffic separately. It also draws a graph to indicate the same, the scale of which can be adjusted.

Installing Nload:

# fedora or centos
$ yum install nload -y

# ubuntu/debian
$ sudo apt-get install nload

Also you can use third-party tools like Loggly or Wireshark.

Here are some helpful links:

https://www.loggly.com/ultimate-guide/managing-linux-logs/

How to get a linux network log?

Shazakz