Hi,
I use this setup to get an alert whenever a VPN user (family member) logs into my home LAN. The HOWTO is meant for smaller networks where use of VPN is minimal.
Step-1: Under OpenVPN, go to "server" settings and under "Advanced" add these lines:
status /var/log/openvpn-status.log
status-version 1
Step-2: Head over to Monit and create the following "Service Test Setting":
Name: VPN_EVE
content = "192\.168\.9"
Action: Alert
Note: The content can be any keyword; in this example I am using the subnet for the VPN clients, but any unique keyword can be used (see below for more on the openvpn-status log file).
Step-3: Under "Service Settings":
Name: VPN_Alert
Type: File
Path: /var/log/openvpn-status.log
Tests: VPN_EVE
Step-4: Under Alert Settings, create a new alert or edit an existing one, and make sure the following is selected:
ContentFailed
In addition, you can change message format like:
Subject: VPN User Alert
Message:
$EVENT
$SERVICE
$ACTION
$DESCRIPTION
Step-5: If everything went well then under status you should see something like:
File 'VPN_Alert'
status OK
monitoring status Monitored
monitoring mode active
on reboot start
permission 600
uid 0
gid 0
size 227 B
access timestamp Mon, 03 Jan 2022 13:41:26
change timestamp Mon, 03 Jan 2022 14:00:39
modify timestamp Mon, 03 Jan 2022 14:00:39
content match no
data collected Mon, 03 Jan 2022 14:01:27
Notes:
1. Based on the "polling interval" under the general settings of Monit, the above configuration will poll for changes to the openvpn-status.log file once per cycle.
2. The openvpn-status.log file is updated every 60 seconds by default.
3. Here is how the file /var/log/openvpn-status.log looks before and after a VPN user logs into the system:
root@OPNsense:~ # cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,2022-01-03 10:43:54
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
root@OPNsense:~ # cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,2022-01-03 10:47:59
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn,200.190.04.40:1828,9183,10901,2022-01-03 10:47:14
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.9.6,vpn,200.190.04.40:1828,2022-01-03 10:47:58
GLOBAL STATS
Max bcast/mcast queue length,0
END
4. So we could have used any unique sub-string from the file for Step-2, which would establish conclusively that the file has changed and thereby that a VPN user has logged into the system.
Lastly, Monit is a very feature-rich tool and it is possible to improve just about every step outlined above. Here are a few resources:
- Options for tweaking OpenVPN - https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage?__cf_chl_jschl_tk__=WZ3kUQ81f2Ri6EzWRaRVczyEQVkIq5ZJRQfe4GjVqtQ-1641247846-0-gaNycGzNCL0#lbAS
- Manual for Monit - https://mmonit.com/monit/documentation/monit.html#Message-format
- Examples specific to OPNsense - https://docs.opnsense.org/manual/monit.html?highlight=monit#example-2
Hope this helps!
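Added example (not part of the original post): a small parser for the `status-version 1` file shown in note 3, which reads the CLIENT LIST and ROUTING TABLE sections and reports sessions that appear between two snapshots, so an alert can name the user and source address instead of only signalling a content match. The function names `parse_status` and `new_sessions` are illustrative, and the two snapshots are the listings from the post.

```python
import csv

# Snapshots copied from note 3 of the post (before and after a client connects).
BEFORE = """OpenVPN CLIENT LIST
Updated,2022-01-03 10:43:54
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
AFTER = """OpenVPN CLIENT LIST
Updated,2022-01-03 10:47:59
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn,200.190.04.40:1828,9183,10901,2022-01-03 10:47:14
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.9.6,vpn,200.190.04.40:1828,2022-01-03 10:47:58
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return {(common_name, real_address): merged_fields} for connected clients."""
    sessions, section, header = {}, None, None
    for row in csv.reader(text.splitlines()):
        if not row or row[0] == "Updated":      # blank line or timestamp row
            continue
        if len(row) == 1:                       # section marker, e.g. "ROUTING TABLE"
            section, header = row[0], None
        elif section in ("OpenVPN CLIENT LIST", "ROUTING TABLE"):
            if header is None:                  # first row of a section names its columns
                header = row
                continue
            rec = dict(zip(header, row))
            key = (rec["Common Name"], rec["Real Address"])
            sessions.setdefault(key, {}).update(rec)   # merge client and route rows
    return sessions

def new_sessions(old_text, new_text):
    """Sessions present in the new snapshot but absent from the old one."""
    old, new = parse_status(old_text), parse_status(new_text)
    return [new[k] for k in sorted(new.keys() - old.keys())]

if __name__ == "__main__":
    for s in new_sessions(BEFORE, AFTER):
        print(s["Common Name"], s["Real Address"], s.get("Virtual Address"), s.get("Connected Since"))
```

Keying on common name plus real address means a second login by the same user from a different address is reported as a new session, which a subnet substring match cannot distinguish.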
Thanks, instructions working great. One note I'd like to add (since I'm new to all this and it may be helpful for someone else too) ... don't log your udp/tcp/openvpn instances to the same file! I had set my tcp and udp instances to the same log file and wasn't seeing any 'changes' to it after it created it.
Curious if you know how to set this up if using WireGuard with OPNsense? I can't find any write-ups but I would like to know if / when someone connects.