-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(I don't top-post, reply at bottom)

On 02/09/14 21:50, debbie...@gmail.com wrote:
> If you are using UDP see --explicit-exit-notify in the Manual. 
> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
> 
> ----- Original Message -----
> From: "Simon Vargas" <simo...@gmx.com>
> To: <openvpn-users@lists.sourceforge.net>
> Sent: Tuesday, September 02, 2014 11:59 AM
> Subject: [Openvpn-users] Openvpn logout time?
> 
> 
>> Hello
>> 
>> I am working on a simple script which gathers all the users
>> login/logout time and ip from openvpn log files and possibly the
>> failed login attempts with bad certificates/passwords as well.
>> 
>> I can find the client's IPs and login times by searching for
>> "VERIFY OK: depth=1" keyword but it seems that logouts are not
>> logged by openvpn. Is there a way to log it or all I can do is
>> look for timeouts like: "Inactivity timeout (--ping-restart),
>> restarting" in the log files which most likely occurred
>> because the client timed out and had to reconnect, not because he
>> stopped openvpn or shut down his laptop. Isn't there a way of
>> telling which client disconnected and when exactly?
>> 
>> If anybody knows a good log analyzer for openvpn out there that I
>> could use, that would also be great!
>> 
>> Thanks

Just to explain --explicit-exit-notify slightly more.  This is a
client-side option, which will notify the server when the client
disconnects.  Otherwise the server will keep the connection state open
until the connection times out (defined by --ping-restart).  This is
particularly handy when using UDP, as UDP does not have a connection
handshake like TCP does.  When a TCP connection disconnects, the
OpenVPN server knows it instantly, due to the TCP connection state.
UDP is stateless, and therefore needs an explicit notification.
Otherwise it could just mean the client had connection issues for a
little while.

But instead of parsing the log file, I would rather recommend looking
at the --client-connect, --client-disconnect and/or --learn-address
script hooks for more advanced ways of connection tracking.  Another
alternative is to look at --status, where OpenVPN can track connection
statuses.

If you want more advanced client tracking, using client certificates
and username/password authentication, you can also have a look at
http://www.eurephia.net/ ... This plug-in does a lot of this tracking
as well, in addition to blocking connection attempts after too many
failures (to limit brute-force password attacks).


- --
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQGPzEACgkQDC186MBRfrrISwCfbWcFt1cZcBUEksq27p8Ke8no
PxgAoJZOvLVn7kMrupSsrBlxEX6le2xm
=FdHj
-----END PGP SIGNATURE-----
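
The --client-connect / --client-disconnect approach recommended in the reply above, as an added example that is not part of the original message or of OpenVPN itself. The environment variable names are the ones OpenVPN documents for these hooks; the script path, log path and log line layout are assumptions.

```python
#!/usr/bin/env python3
# Added example. One script serves both hooks; server config (paths assumed):
#   script-security 2
#   client-connect    /etc/openvpn/session_log.py
#   client-disconnect /etc/openvpn/session_log.py
import os
import re
import sys
from datetime import datetime, timezone

LOG_PATH = "/var/log/openvpn-sessions.log"  # assumed location
EVENTS = {"client-connect": "LOGIN", "client-disconnect": "LOGOUT"}
# common_name comes from the client's certificate or username: treat it as
# untrusted so it cannot inject spaces, '=' or newlines into the log.
UNSAFE = re.compile(r"[^A-Za-z0-9._@:-]")

def clean(value):
    return UNSAFE.sub("_", value or "-")[:64]

def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0

def session_record(env):
    """Build one log line from the environment OpenVPN passes to the hook."""
    event = EVENTS.get(env.get("script_type", ""))
    if event is None:
        return None
    # time_unix is the connect time; on disconnect OpenVPN also sets
    # time_duration (seconds), so logout time = time_unix + time_duration.
    duration = to_int(env.get("time_duration")) if event == "LOGOUT" else 0
    when = datetime.fromtimestamp(to_int(env.get("time_unix")) + duration, tz=timezone.utc)
    parts = [when.strftime("%Y-%m-%dT%H:%M:%SZ"), event,
             "cn=" + clean(env.get("common_name")),
             "src=%s:%s" % (clean(env.get("trusted_ip")), clean(env.get("trusted_port"))),
             "vpn_ip=" + clean(env.get("ifconfig_pool_remote_ip"))]
    if event == "LOGOUT":
        parts += ["duration=%ds" % duration,
                  "rx=%d" % to_int(env.get("bytes_received")),
                  "tx=%d" % to_int(env.get("bytes_sent"))]
    return " ".join(parts)

if __name__ == "__main__":
    line = session_record(os.environ)
    if line:
        with open(LOG_PATH, "a") as fh:
            fh.write(line + "\n")
    sys.exit(0)  # a non-zero exit from client-connect would reject the client
```

With UDP clients that do not use --explicit-exit-notify, the disconnect hook only runs once the server times the session out, so the recorded logout time and duration include that timeout.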

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users