
I'm designing a developer tool that would analyse and debug arbitrary network connections, but I want to provide it as a service rather than software to be installed locally.

Ideally I would like to save all inbound and outbound packets on a per-user basis to a database.

For example:

  1. The developer connects the machine running his software to the VPN.
  2. The developer then runs his software, which may connect to arbitrary hosts.
  3. Traffic is routed through the VPN, where it is logged.
  4. The developer can then access the logs for that session.

I'm having difficulty figuring out how to address the third step.

I've read the manual, searched the web, and searched Server Fault, but I suspect I'm missing a piece of the puzzle somewhere. Do I need an additional tool to sniff the virtual interface or can OpenVPN handle this somehow?

Jim
  • Please add more detail to your question. How are you planning on capturing network traffic on an arbitrary host without having any software installed on it? –  Apr 09 '13 at 16:59
  • The traffic is routed through the VPN. I've updated the question to give more details. – Jim Apr 09 '13 at 17:45

3 Answers


OpenVPN by itself doesn't sniff anything, but you can use standard sniffing tools.

If you configure OpenVPN to operate in tunnel mode, then the connection between the application host and your server will appear on a virtual interface (with a name like tun0 on unix-like hosts) with its own IP address on each side. From the point of view of the application, your server will appear as if it were physically on the same network as the application host, acting as a router, so any sniffing tool that works on a regular network interface to obtain the data that you need will do.

I would do more or less something as follows

  • Have the user connect to the VPN (of course OpenVPN has to be configured to route all the traffic through the VPN server).
  • Server-side, configure a hook that registers the time of the connection, the user and the IP address it is using.
  • (optionally) server-side, configure another hook on disconnection that registers the event.

Meanwhile, have a sniffing program running on the VPN virtual device that continuously grabs a packet from the interface, looks at the remote address, matches it with the current list of users, and saves it in the database. It will probably be a combination of a standard sniffing tool for extracting the packet from the network interface and a custom tool that parses the packet, extracts the information you need and saves it somewhere.

Marco Righele

You will need to sniff the traffic as it leaves the OpenVPN TUN or TAP interface on your computer that is acting as the VPN endpoint. There's no magic here (or at least none that I can think of). An interface is an interface is an interface.

OpenVPN does not provide native functionality for packet sniffing but there are plenty of purpose-built tools to perform that duty such as tcpdump or tshark/wireshark.
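The two answers above describe the same pipeline: OpenVPN's connect/disconnect hooks record which user holds which tunnel address, tcpdump captures on tun0, and a custom tool matches each packet to a user and stores it. The following is an added example of that custom tool, written for this page rather than taken from the answers or from OpenVPN. It assumes the server config enables `script-security 2`, points `client-connect` and `client-disconnect` at a hook script that reads OpenVPN's `common_name` and `ifconfig_pool_remote_ip` environment variables and feeds `SessionTable`, and pushes `redirect-gateway def1` so all client traffic crosses the tunnel. It also assumes the pool is 10.8.0.0/24 and that `tcpdump -i tun0 -w session.pcap` writes a raw-IP (link type RAW) capture, as it does for a Linux tun device. The capture in `demo()` is constructed inline, including the reuse of one pool address by two users, which is why matching by address alone is not enough.

```python
"""Attribute packets captured on an OpenVPN server's tun interface to the
user who held that tunnel address when the packet was seen.

Example code for this page, not OpenVPN's or the answerers' own.  Assumed:
OpenVPN hook scripts feed SessionTable with common_name and
ifconfig_pool_remote_ip plus the current time; the capture is the raw-IP
pcap that `tcpdump -i tun0 -w` writes.  demo() builds its capture inline.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

VPN_NET = ipaddress.ip_network("10.8.0.0/24")   # assumed OpenVPN address pool
LINKTYPE_RAW = (12, 101)                         # DLT_RAW / LINKTYPE_RAW: frame starts at the IP header

@dataclass
class Session:
    user: str                    # OpenVPN common_name
    vpn_ip: str                  # OpenVPN ifconfig_pool_remote_ip
    t_connect: int               # unix time taken by the connect hook
    t_disconnect: Optional[int] = None

class SessionTable:
    """What the connect/disconnect hooks maintain: who held which address, when."""
    def __init__(self) -> None:
        self.sessions: List[Session] = []

    def on_connect(self, env: dict, now: int) -> None:
        self.sessions.append(Session(env["common_name"], env["ifconfig_pool_remote_ip"], now))

    def on_disconnect(self, env: dict, now: int) -> None:
        for s in reversed(self.sessions):         # close this user's newest open session on that address
            if (s.user, s.vpn_ip, s.t_disconnect) == (env["common_name"], env["ifconfig_pool_remote_ip"], None):
                s.t_disconnect = now
                return
        raise KeyError(f"no open session for {env['common_name']}")

    def user_at(self, vpn_ip: str, ts: int) -> Optional[str]:
        """Pool addresses are reused, so the timestamp decides, not the address alone."""
        for s in reversed(self.sessions):
            if s.vpn_ip == vpn_ip and s.t_connect <= ts and (s.t_disconnect is None or ts < s.t_disconnect):
                return s.user
        return None

def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ts_sec, ipv4_packet) from a classic libpcap file of either byte order."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, = struct.unpack(e + "I", data[20:24])
    if linktype not in LINKTYPE_RAW: raise ValueError(f"expected a raw-IP (tun) capture, got link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        yield ts_sec, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4: raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    # TCP (6) and UDP (17) both begin with source and destination port
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) and len(pkt) >= ihl + 4 else (None, None)
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "sport": sport, "dport": dport, "length": total_len}

def attribute(capture: bytes, table: SessionTable) -> List[dict]:
    """Tag each packet with direction and user; user is None if nobody held the address then."""
    records = []
    for ts, raw in read_pcap(capture):
        p = parse_ipv4(raw)
        if ipaddress.ip_address(p["src"]) in VPN_NET:
            p["direction"], vpn_ip = "out", p["src"]
        elif ipaddress.ip_address(p["dst"]) in VPN_NET:
            p["direction"], vpn_ip = "in", p["dst"]
        else:
            continue                                   # not client traffic (e.g. the server's own)
        p["ts"], p["user"] = ts, table.user_at(vpn_ip, ts)
        records.append(p)
    return records

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the test capture (header checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def pcap(packets: List[Tuple[int, bytes]], linktype: int = 101) -> bytes:
    """Constructed little-endian pcap file with the given (ts_sec, packet) records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return out + b"".join(struct.pack("<IIII", ts, 0, len(p), len(p)) + p for ts, p in packets)

def demo() -> List[dict]:
    table = SessionTable()
    # alice holds 10.8.0.6 from 1000 to 2000; the pool hands the same address to bob at 2100
    table.on_connect({"common_name": "alice", "ifconfig_pool_remote_ip": "10.8.0.6"}, 1000)
    table.on_disconnect({"common_name": "alice", "ifconfig_pool_remote_ip": "10.8.0.6"}, 2000)
    table.on_connect({"common_name": "bob", "ifconfig_pool_remote_ip": "10.8.0.6"}, 2100)
    syn, ack = struct.pack("!HH", 51234, 443) + bytes(16), struct.pack("!HH", 443, 51234) + bytes(16)
    capture = pcap([(1500, ipv4("10.8.0.6", "93.184.216.34", 6, syn)),   # alice -> web server
                    (1600, ipv4("93.184.216.34", "10.8.0.6", 6, ack)),   # reply to alice
                    (2050, ipv4("10.8.0.6", "93.184.216.34", 6, syn)),   # address unassigned: user None
                    (2200, ipv4("10.8.0.6", "93.184.216.34", 6, syn))])  # same address, now bob
    return attribute(capture, table)
```

Each record is a flat dict, so the last step of the answer (save it in the database) is one `executemany` with named parameters against whatever schema you choose. Two things the example makes explicit that a one-liner "match packet to user by IP" would miss: the user is decided by the address and the timestamp together, because OpenVPN hands pool addresses back out after a disconnect, and a packet seen while nobody holds the address is recorded with `user` set to `None` rather than silently credited to the previous or next user.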


How does OpenVPN fit in the picture, really?

I have a vague feeling you read somewhere that Linux supports "virtual" network interfaces, whose types are called "TUN" and "TAP" (for IP-tunnel-style and Ethernet-style interfaces, respectively), so you googled and the search turned up OpenVPN, which happens to name the types of its interfaces the same way (because I believe it uses the same kernel machinery on Linux).

I reckon that in fact you're looking after the direct manipulation of those virtual interfaces which allows you to create your own network interfaces, which effectively pass all the traffic coming over them through your user-space application.

kostix
  • You're doing an awful lot of incorrect guesswork there. As I state in my question, the application being debugged will not be running on the same host as the debugging tool, in fact it won't be running on the same physical network even. In order for the debugging tool to operate, it will need access to the traffic flowing between arbitrary hosts, one of which will be operated by the developer. – Jim Apr 05 '13 at 20:18