How to view connected users to open vpn server?

Question

I'm developing a website for managing OpenVPN users with Django framework. But I need to know is there any way to extract active users from OpenVPN? My server is running Ubuntu 12.04.

Answer 1

There should be a status log you can look at to show you, mine is, for examle:

cat /etc/openvpn/openvpn-status.log

EDIT:

As an alternative, adding the flag --management IP port [pw-file] or adding that same directive to your server.conf, for example:

management localhost 7505

This would allow you to telnet to that port and offer you a list of commands to run:

telnet localhost 7505

help

Answer 2

To complete @sekrett answer :

killall -USR2 openvpn ; tail -f /var/log/syslog

It will keep running, it's not a "regular" kill, just a request to print some stats.

Displayed statistics are very readable. Sample output :

Oct 14 07:34:14 vpn2 openvpn[20959]: Updated,Fri Oct 14 07:34:14 2016
Oct 14 07:34:14 vpn2 openvpn[20959]: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Oct 14 07:26:26 vpn2 openvpn[20959]:
10.8.0.132,hostname1,213.219.XXX.XXX:63765,Fri Oct 14 07:25:01 2016
Oct 14 07:26:26 vpn2 openvpn[20959]:
10.8.0.242,hostname2,213.219.XXX.XXX:62416,Sun Sep 25 03:49:19 2016

Answer 3

I got the same need myself and the easiest solution I found out was to use as mentioned telnet to connect to the management interface(you'll have to add :management localhost 6666, in the server config file) .

To get the exact number of client you can do :

• telnet localhost 6666
• status

Then you'll get lot of logs :

10.9.10.11,test-docker,52.58.48.98:56859,Wed May  4 09:37:34 2016
10.9.7.45,test-docker,52.58.156.80:38774,Wed May  4 09:36:59 2016
10.9.1.103,test-docker,52.58.161.230:52201,Wed May  4 09:35:47 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
>CLIENT:ESTABLISHED,19845
>CLIENT:ENV,n_clients=19361
>CLIENT:ENV,time_unix=1462357164

• look for => >CLIENT:ENV,n_clients=19361

In my case since I have a very large number of client, using the log file is definitely not very practical.

Answer 4

I manage our companys OpenVPN servers and the way I see active connections is like this,

add to /etc/openvpn/server.conf

management 127.0.0.1 5555

restart openvpn server

systemctl restart openvpn@server.service

add an OpenVPN Monitor Python package - this will run via a Gunicorn web server and show active connections,

mkdir /opt/openvpn-monitor

create a virtual env (not required but good practice with py packages)

cd /opt/openvpn-monitor
virtualenv venv
source venv/bin/activate

install required packages

pip install openvpn-monitor gunicorn

add a Monitor config file

vi /opt/openvpn-monitor/openvpn-monitor.conf

[openvpn-monitor]
site=your-openvpn-site
#logo=logo.jpg
#latitude=40.72
#longitude=-74
maps=True
geoip_data=/var/lib/GeoIP/GeoLite2-City.mmdb
datetime_format=%d/%m/%Y %H:%M:%S

[VPN1]
host=localhost
port=
name=Your VPN Server Name
show_disconnect=False

start the web server that will show active connections,

gunicorn openvpn-monitor -b 0.0.0.0:80 --name openvpn-monitor --daemon

To stop monitor

pkill gunicorn 

to see active connections, go to the public IP of your VPN server

http://<ip of openvpn server>

make sure to configure proper firewall for port 80, whitelist only trusted inbound IPs

Answer 5

You can also send usr2 signal to openvpn process to make it write statistic information to syslog. This is safe, you don't need to reboot in case you did not enable management interface before.

Answer 6

Just use sacli with the following command. This will list the connected VPN clients.

/usr/local/openvpn_as/scripts/sacli VPNSummary
{
"n_clients": 15
}

To see all the IPs use this option. ./sacli VPNStatus

Answer 7

I made a litte script that can either do a one time check or be set to keep monitoring with specified intervalls.

I hink this is better than monitoring the /etc/openvpn/openvpn-status.log since this is really slow to update. Maybe there's a way to adjust the intervalls in some settings BUT, I only need to monitor the vpn connections sometimes. Not 24/7. Also its quite a messy log.

This script is on the OpenVPN server. Only tested on Ubuntu 20.04

One time run just do:

./ovpn-activity.sh

To keep monitoring with a 20 second intervall:

./ovpn-activity.sh view 20

Save this to .sh file (example oven-activity.sh):

Make sure to change the VPN subnet to match yours.

#!/bin/bash

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

# MODIFY this to match your network
vpn_network="0.0.0.0/24"

####### FUNCTIONS ########

act_check () {
sudo echo "looking for active clients"
#Look for Virtual IPs that are online and save them.
activeIPs=$(fping -ag "$vpn_network")
i=0
for ip in $activeIPs; do
        if [[ $i -eq 0 ]]
        then
                i=$i+1
                continue
        fi

        echo " -- Active --"
        echo "| "$(sudo grep '/.*Learn: '$ip /var/log/openvpn.log | head -1 | sed 's/\/.*$//')
        echo "| ip: $ip"
        echo " ------------"
        echo " "
done
}

##########################


if [ "$1" = "view" ] ; then
    echo "view is set"
    if [ -z "$2" ] ; then
        watch "$SCRIPT_DIR""/ovpn-activity"
    else
    watch -n $2  "$SCRIPT_DIR""/ovpn-activity"
    fi
else
    act_check
fi


exit 0

There is no doubt room for improvements but im not a script genius. I needed it to see when colleagues where using the VPN so that I could see if it was safe to reboot the server. And if so, I could see who was online and call them to ask if it was ok to restart without interrupting their work.

Answer 8

Hey @perfecto25 I followed your steps for hosting the OpenVPN monitor, it is working, but now I am curious about adding one more security layer on top of it.

Is there a way to add user authentication to hosted OpenVPN monitor tool on gunicorn, as it contains vulnerable user information?