HOWTO - use Monit to monitor VPN Users login

Started by pankaj, January 03, 2022, 11:09:12 PM

January 03, 2022, 11:09:12 PM Last Edit: January 03, 2022, 11:17:21 PM by pankaj
Hi,

I use this setup to get an alert whenever a VPN user (family members) logs into my home LAN. The HOWTO is meant for smaller networks where use of VPN is minimal.

Step-1: Under OpenVPN, go to "server" settings and under "Advanced" add these lines
status /var/log/openvpn-status.log
status-version 1


Step-2: Head over to Monit and create the following "Service Test Setting"
Name: VPN_EVE
content = "192\.168\.9"
Action: Alert

Note: The content can be any keyword, and in this example I am using the subnet for the VPN clients, but any unique keyword can be used (see below for more on the openvpn-status log file).

Step-3: Under "Service Settings"

Name: VPN_Alert
Type: File
Path: /var/log/openvpn-status.log
Tests: VPN_EVE

Step-4: Under Alert Settings, create a new one or, for an existing one, make sure the following is selected:
ContentFailed

In addition, you can change the message format like:
Subject:  VPN User Alert
Message:
$EVENT
$SERVICE
$ACTION
$DESCRIPTION

Step-5: If everything went well then under status you should see something like:

File 'VPN_Alert'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  permission                   600
  uid                          0
  gid                          0
  size                         227 B
  access timestamp             Mon, 03 Jan 2022 13:41:26
  change timestamp             Mon, 03 Jan 2022 14:00:39
  modify timestamp             Mon, 03 Jan 2022 14:00:39
  content match                no
  data collected               Mon, 03 Jan 2022 14:01:27


Notes:
1. Based on the "polling interval" under the general settings of Monit, the above configuration will poll for changes to the openvpn-status.log file once per cycle.
2. The openvpn-status.log file is updated every 60 seconds by default.
3. Here is how the file /var/log/openvpn-status.log looks before and after a VPN user logs into the system:

root@OPNsense:~ # cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,2022-01-03 10:43:54
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END


root@OPNsense:~ # cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,2022-01-03 10:47:59
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn,200.190.04.40:1828,9183,10901,2022-01-03 10:47:14
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.9.6,vpn,200.190.04.40:1828,2022-01-03 10:47:58
GLOBAL STATS
Max bcast/mcast queue length,0
END


4. So we could have used any unique sub-string from the file for Step-2 which would establish conclusively that the file has changed and thereby that a VPN user has logged into the system.

Lastly, Monit is a very feature-rich tool and it is possible to improve just about every step outlined above. Here are a few resources.

- Options for tweaking OpenVPN - https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage?__cf_chl_jschl_tk__=WZ3kUQ81f2Ri6EzWRaRVczyEQVkIq5ZJRQfe4GjVqtQ-1641247846-0-gaNycGzNCL0#lbAS
- Manual for Monit - https://mmonit.com/monit/documentation/monit.html#Message-format
- Examples specific to OPNSense - https://docs.opnsense.org/manual/monit.html?highlight=monit#example-2


Hope this helps!
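
An added example (not part of the original post): a small sh/awk parser for the "status-version 1" file shown above. It reads the CLIENT LIST section and reports who is connected, from where and since when, instead of only matching a substring. The function names, the STATUS_FILE variable and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list connected clients from an OpenVPN "status-version 1" file.

# vpn_clients [FILE] -> one "name real_address connected_since" line per client.
# Reads standard input when no file is given.
vpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { section = "clients"; next }
        /^ROUTING TABLE/       { section = "routes";  next }
        /^GLOBAL STATS/        { section = "stats";   next }
        # Client rows have exactly 5 fields; skip the column header row.
        section == "clients" && NF == 5 && $1 != "Common Name" {
            printf "%s %s %s\n", $1, $2, $5
        }
    ' "$@"
}

# vpn_client_count [FILE] -> number of clients currently connected.
vpn_client_count() {
    vpn_clients "$@" | wc -l | tr -d ' '
}

# Constructed sample: one connected client (addresses are made up).
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,2022-01-03 10:47:59
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn,203.0.113.7:1828,9183,10901,2022-01-03 10:47:14
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.9.6,vpn,203.0.113.7:1828,2022-01-03 10:47:58
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Use the live status file when it is readable, otherwise the sample above.
STATUS_FILE=${STATUS_FILE:-/var/log/openvpn-status.log}
if [ -r "$STATUS_FILE" ]; then
    vpn_clients "$STATUS_FILE"
else
    sample_status | vpn_clients
fi
```

Because only rows inside the CLIENT LIST section are counted, the result does not depend on which subnet or keyword happens to appear elsewhere in the file.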

Thanks, instructions working great.  One note I'd like to add (since I'm new to all this and may be helpful for someone else too) ... don't log your udp/tcp/openvpn instances to the same file!  I had set my tcp and udp instances to the same log file and wasn't seeing any 'changes' to it after it created it.

Curious if you know how to set this up if using WireGuard with OPNsense?  I can't find any write-ups but I would like to know if / when someone connects.