Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hi,

On Mon, Feb 05, 2024 at 03:12:01PM +0100, Bo Berglund wrote:
> >> $ openvpn --version
> >> OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> >> [PKCS11]
> >Ah, yes. So that's a bit of an antique :-)
>
> $ apt policy openvpn
> openvpn:
>   Installed: 2.4.12-0ubuntu0.20.04.1
>   Candidate: 2.4.12-0ubuntu0.20.04.1
>
> Cannot get anything newer...

Yeah, that's Ubuntu/Debian policy. Never upgrade to a newer train of
software than "what was there when shipping" - we missed 20.04 deadline
by a wide margin (2.5.0 was released in October 2020), so they took 2.4.x
and at least upgraded that to "the latest version".

22.04 has 2.6.x

[..]
> >Date: Sat Jun 20 19:23:03 2020 +0200
> >
> >Change timestamps in file-based logging to ISO 8601 time format.
> >
>
> Thanks for the clarification!
> That is exactly what I need...
>
> Can I upgrade the apt installed openvpn to 2.5 even though it is not offered
> by the apt system?

I know that some of my co-maintainers do build OpenVPN packages for
debian/ubuntu distros, but this is not my speciality, so I can't give
specific advice. It can, but no idea on the "how".

> NOTE
>
> On the *other* Ubuntu server running openvpn, which is Ubuntu Server 22.04.3 LTS
> (was upgraded back in October) the version is:
>
> $ apt policy openvpn
> openvpn:
>   Installed: 2.5.9-0ubuntu0.22.04.2
>   Candidate: 2.5.9-0ubuntu0.22.04.2
>
> it shows this using the command suggested earlier:
>
> $ openvpn --show-gateway
> 2024-02-05 07:41:09 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=eth0
> HWADDR=00:50:56:9e:c6:86

So, ISO timestamp :-)

> But the logs do not show any timestamp at all...
> A typical line:
> HasanA_AGI/83.**.**.105:59902 [Hasan] Inactivity timeout (--ping-restart),
> restarting
>
> So here the server logs are totally without timestamps and there is nothing in
> the /lib/systemd/system/openvpn-server@.service file about logging either.
>
> EXITING
> I think I will drop this altogether, the servers are doing their thing
> anyway...

Not sure why this is so. I bet it's still systemd.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, 5 Feb 2024 14:04:38 +0100, Gert Doering wrote:

>Hi,
>
>On Mon, Feb 05, 2024 at 12:25:51PM +0100, Bo Berglund wrote:
>> >How old is your OpenVPN?
>>
>> This is on the Ubuntu 20.04 LTS server:
>>
>> Aug 21 2023:
>>
>> $ openvpn --version
>> OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
>> [PKCS11]
>
>Ah, yes. So that's a bit of an antique :-)

$ apt policy openvpn
openvpn:
  Installed: 2.4.12-0ubuntu0.20.04.1
  Candidate: 2.4.12-0ubuntu0.20.04.1

Cannot get anything newer...

>> It looks like a kind of locale thing, thinking that it is a US location, but
>> it uses the CET time zone notwithstanding:
>
>No, it's just old OpenVPN. The ticket I linked to shows that I changed
>the logging timestamp to ISO format "for 2.5.0". Your 2.4.12 has a
>release date younger than 2.5.0 (due to overlapping release trains), but
>feature-wise, it's older.
>
>We maintain multiple releases in parallel (like, 2.4.x and 2.5.x, or now
>2.5.x and 2.6.x). Features get added to "master" and show up in the next
>.0 release (2.5.0, 2.6.0). After that, only bugfixes (and sometimes minor
>features) get added to .1, .2, .3 releases - "changing time stamps and
>making logs look very different" was seen as breaking change, so even
>if the code change is small, not suitable for integration in 2.4.9->2.4.10.
>
>See also:
> https://community.openvpn.net/openvpn/wiki/SupportedVersions
>
>
>IOW, yes, the old code was using the C function "ctime()", which will
>print "something locale based". The new code changes that to an ISO 8601
>based format, locale independent

>Date: Sat Jun 20 19:23:03 2020 +0200
>
>Change timestamps in file-based logging to ISO 8601 time format.
>

Thanks for the clarification!
That is exactly what I need...

Can I upgrade the apt installed openvpn to 2.5 even though it is not offered by
the apt system?

NOTE

On the *other* Ubuntu server running openvpn, which is Ubuntu Server 22.04.3 LTS
(was upgraded back in October) the version is:

$ apt policy openvpn
openvpn:
  Installed: 2.5.9-0ubuntu0.22.04.2
  Candidate: 2.5.9-0ubuntu0.22.04.2

it shows this using the command suggested earlier:

$ openvpn --show-gateway
2024-02-05 07:41:09 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=eth0
HWADDR=00:50:56:9e:c6:86

But the logs do not show any timestamp at all...
A typical line:
HasanA_AGI/83.**.**.105:59902 [Hasan] Inactivity timeout (--ping-restart),
restarting

So here the server logs are totally without timestamps and there is nothing in
the /lib/systemd/system/openvpn-server@.service file about logging either.

EXITING
I think I will drop this altogether, the servers are doing their thing anyway...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hi,

On Mon, Feb 05, 2024 at 12:25:51PM +0100, Bo Berglund wrote:
> > https://community.openvpn.net/openvpn/ticket/719
> >
> >which says that from 2.5.0 on, there should be POSIX timestamps.
> >
> >How old is your OpenVPN?
>
> This is on the Ubuntu 20.04 LTS server:
>
> Aug 21 2023:
>
> $ openvpn --version
> OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> [PKCS11]

Ah, yes. So that's a bit of an antique :-)

> Well not quite so:
>
> $ openvpn --show-gateway
> Mon Feb 5 12:15:15 2024 ROUTE_GATEWAY 192.168.119.1/255.255.255.0 IFACE=eth0
> HWADDR=a4:ae:12:7f:4d:c3
>
> It looks like a kind of locale thing, thinking that it is a US location, but
> it uses the CET time zone notwithstanding:

No, it's just old OpenVPN. The ticket I linked to shows that I changed
the logging timestamp to ISO format "for 2.5.0". Your 2.4.12 has a
release date younger than 2.5.0 (due to overlapping release trains), but
feature-wise, it's older.

We maintain multiple releases in parallel (like, 2.4.x and 2.5.x, or now
2.5.x and 2.6.x). Features get added to "master" and show up in the next
.0 release (2.5.0, 2.6.0). After that, only bugfixes (and sometimes minor
features) get added to .1, .2, .3 releases - "changing time stamps and
making logs look very different" was seen as breaking change, so even
if the code change is small, not suitable for integration in 2.4.9->2.4.10.

See also:
 https://community.openvpn.net/openvpn/wiki/SupportedVersions

IOW, yes, the old code was using the C function "ctime()", which will
print "something locale based". The new code changes that to an ISO 8601
based format, locale independent

commit ff063b6f19e035da56fbf49c891e6376543b391d
Author: Gert Doering
Date: Sat Jun 20 19:23:03 2020 +0200

Change timestamps in file-based logging to ISO 8601 time format.
...
--- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c ...
-buf_printf(&out, "%s", ctime(&t)); -buf_rmtail(&out, '\n'); +struct tm *tm = localtime(&t); + +buf_printf(&out, "%04d-%02d-%02d %02d:%02d:%02d", +tm->tm_year+1900, tm->tm_mon+1, tm->tm_mday, +tm->tm_hour, tm->tm_min, tm->tm_sec); gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
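Review bot: the pointer returned by localtime(&t) is dereferenced in the new buf_printf() call (tm->tm_year and the other fields) without a NULL check, and localtime() returns NULL when the value cannot be converted; guard the result and fall back to a fixed string or the raw seconds before formatting. localtime() also hands back a pointer to shared static storage, so localtime_r() with a struct tm owned by the caller would be the safer call here. Separately, the new "%04d-%02d-%02d %02d:%02d:%02d" stamp is local time with no UTC offset, so lines written around a DST change, or collected from servers in different zones, cannot be ordered unambiguously; either append the offset or document next to the format string that the stamp is local time.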
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Bo Berglund wrote:
> I mean the logs being produced from these server.conf lines:
>
> status /etc/openvpn/log/openvpn-status.log
> log /etc/openvpn/log/openvpn.log
> verb 4

Why do you insist on using legacy file based logs? Systemd's journal has
much better options to filter/display log messages. And the best - it's
enabled by default on systemd based systems.

As written before, you can change the date format of journal *on*demand*
with "-o" even if the event you want to troubleshoot happened in the past.

Cheers,
Mathias
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, 5 Feb 2024 12:15:53 +0100, Marc SCHAEFER wrote:

>On Mon, Feb 05, 2024 at 09:55:58AM +0100, Bo Berglund wrote:
>> I tried the service restart and it worked inasfar as the logs now look like
>> this example:
>>
>> Mon Feb 5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set()
>
>Do you mean rsyslog logs?

I mean the logs being produced from these server.conf lines:

status /etc/openvpn/log/openvpn-status.log
log /etc/openvpn/log/openvpn.log
verb 4

I don't care about rsyslog (don't know what it is)...

The reason for posting here is that in a previous thread tincantec showed
excerpts from openvpn log entries and these had the exact format I want for the
timestamps!

So I expected someone "in the know" to say something like this:

Add ** to the conf file and restart the service.

There is this to set the output to be machine readable:

machine-readable-output

But that produces output like this:

1705839017.435830 3204 Current Parameter Settings:

So maybe something like:

iso-output

or similar to set the -mm-dd HH:mm:ss ISO 8601 format?

But that has not happened unfortunately.

>
>AFAIK you can change rsyslog log format in /etc/rsyslog.conf, however this
>might break all of your default/existing logcheck rules.

I would not like to break anything as a side effect...

--
Bo Berglund
Developer in Sweden
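Added example, not part of any message in this thread and not OpenVPN project code: a Python function that normalizes the three timestamp styles quoted above (the ctime()-style stamp of 2.4.x, the "YYYY-MM-DD HH:MM:SS" stamp of 2.5.0 and later, and the epoch stamp of machine-readable-output) to UTC ISO 8601, so that logs from mixed-version servers can be correlated. The name `normalize`, the fixed +01:00 offset and the sample lines are assumptions made for the example; lines without a timestamp are returned unchanged with `None`.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# 2.4.x file log: ctime()-style, optional " us=<microseconds>" at higher verb
CTIME = re.compile(r"^[A-Z][a-z]{2} ([A-Z][a-z]{2}) +(\d{1,2}) "
                   r"(\d\d):(\d\d):(\d\d) (\d{4})(?: us=(\d{1,6}))? ?(.*)$")
# 2.5.0+ file log: "YYYY-MM-DD HH:MM:SS", local time, no UTC offset
ISO = re.compile(r"^(\d{4})-(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d)"
                 r"(?: us=(\d{1,6}))? ?(.*)$")
# machine-readable-output: "<epoch seconds>.<microseconds> <rest>"
EPOCH = re.compile(r"^(\d{9,10})\.(\d{6}) (.*)$")


def normalize(line, local_tz):
    """Return (UTC ISO 8601 timestamp or None, remaining message)."""
    line = line.rstrip("\n")
    m = EPOCH.match(line)
    if m:  # epoch is already UTC; parse the two halves to avoid float rounding
        ts = datetime.fromtimestamp(int(m[1]), tz=timezone.utc)
        return ts.replace(microsecond=int(m[2])).isoformat(), m[3]
    m = CTIME.match(line)
    if m and m[1] in MONTHS:
        mon, day, hh, mi, ss, year, us, msg = m.groups()
        parts = (int(year), MONTHS[mon], int(day), int(hh), int(mi), int(ss))
    else:
        m = ISO.match(line)
        if not m:
            return None, line  # e.g. journald-captured lines with no stamp
        *nums, us, msg = m.groups()
        parts = tuple(int(n) for n in nums)
    try:
        ts = datetime(*parts, int(us or 0), tzinfo=local_tz)
    except ValueError:  # impossible date such as Feb 31
        return None, line
    return ts.astimezone(timezone.utc).isoformat(), msg


# Assumption: the servers log in a fixed UTC+01:00 zone (CET); DST is not modelled.
CET = timezone(timedelta(hours=1))

# Constructed sample lines in the styles quoted in the thread.
SAMPLE = [
    "Mon Feb  5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set()",
    "2024-02-05 07:41:09 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 IFACE=eth0",
    "1705839017.435830 3204 Current Parameter Settings:",
    "client1/192.0.2.10:59902 [client1] Inactivity timeout (--ping-restart), restarting",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        stamp, msg = normalize(raw, CET)
        print(stamp or "NO-TIMESTAMP", msg)
```

Because the ctime()-style and 2.5.0+ stamps carry no offset, the result is only as good as the `local_tz` supplied for each server.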
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, 5 Feb 2024 10:52:22 +0100, Gert Doering wrote:

>Hi,
>
>On Mon, Feb 05, 2024 at 09:55:58AM +0100, Bo Berglund wrote:
>> I really wonder why it uses this terrible illogical display with the day name
>> first?
>>
>> So how can I change it to use the ISO 8601 format?
>
>Well. There's --machine-readable-output, I think,

This outputs a terrible string looking like the seconds since very long
ago with a very long decimal part too.
So in order to get an actual readable date I removed the setting
--machine-readable-output too.

> and also
>
> https://community.openvpn.net/openvpn/ticket/719
>
>which says that from 2.5.0 on, there should be POSIX timestamps.
>
>How old is your OpenVPN?

This is on the Ubuntu 20.04 LTS server:

Aug 21 2023:

$ openvpn --version
OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11]
[MH/PKTINFO] [AEAD] built on Aug 21 2023
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

>
>Maybe it's a bit more convoluted ("depending on logging mode, format might
>be different"), but a good test would be to run
>
>$ openvpn --show-gateway
>
>which should print something like
>
>2024-02-05 10:51:14 ROUTE_GATEWAY 193.149.48.190/255.255.255.192 IFACE=igb0
>HWADDR=3c:ec:ef:9e:4a:a4
>2024-02-05 10:51:14 ROUTE6_GATEWAY 2001:608:4::1 IFACE=igb0
>
>... with a nice and shiny ISO timestamp.

Well not quite so:

$ openvpn --show-gateway
Mon Feb 5 12:15:15 2024 ROUTE_GATEWAY 192.168.119.1/255.255.255.0 IFACE=eth0
HWADDR=a4:ae:12:7f:4d:c3

It looks like a kind of locale thing, thinking that it is a US location, but it
uses the CET time zone notwithstanding:

$ date
Mon 05 Feb 2024 12:23:43 PM CET

It is the correct Swedish time when I hit enter, so it uses the US time format
but knows that it is in central Europe time-wise...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, Feb 05, 2024 at 09:55:58AM +0100, Bo Berglund wrote:
> I tried the service restart and it worked inasfar as the logs now look like
> this example:
>
> Mon Feb 5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set()

Do you mean rsyslog logs?

Again, systemd changes everything: you can exploit a system without
rsyslog, and systemd-journald. This writes the log to a binary format,
that you can see with journalctl. Maybe in that case you can format the
datetime field as you wish?

Currently, I still run rsyslog (and Debian, at least with the bookworm
release, merges the rsyslog /var/log AND journalctl logs for use by
logcheck, with the side effect that log entries are doubled).

AFAIK you can change rsyslog log format in /etc/rsyslog.conf, however this
might break all of your default/existing logcheck rules.

> I really wonder why it uses this terrible illogical display with the day name
> first?

historic?
Re: [Openvpn-users] A few questions about revoking keys
On 04.02.24 16:32, Bo Berglund wrote:
> It took a week after revoking him until I could no longer access the site
> myself (I live about 6000 km away from the site and rely on OpenVPN for
> access).

We once apparently had someone think that it'd be "neat and tidy" to have
a root CA cert's validity end 01-Jan 00:00 ... 'nuff said.

However: That's a central server that supposedly can be adminned only by
your IT, and is being monitored in some way, likely allowing to keep tabs
on whether the installed CRL is current/recent (or someone snuck in some
pre-revocation version), too. What's the rationale to limit a CRL
installed *there* to a lifetime of one week, if that's a burden to ops?

Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On 05.02.24 09:55, Bo Berglund wrote:
> I really wonder why it uses this terrible illogical display with the day name
> first?

Because the need for global, *cross-OS* standards for a timestamp format
first arose with BBSes, USENET, E-Mails and the like, and the developers
of those wanted to have the "Date:" headers primarily *human*-readable
(as long as the human can read English):

$ date --rfc-email
Mon, 05 Feb 2024 11:23:57 +0100
$ LANG=C date
Mon Feb 5 11:24:03 CET 2024
$ LANG=C date +%c
Mon Feb 5 11:24:06 2024

So the human-readable variants are *older* and more widely implemented
than machine-readable or purpose-optimized ones.

Be grateful that the code for *logging* is unlikely to support
*localization* (to one of what, 400+?, regional human conventions) ... ;-3

$ echo $LANG
de_DE.UTF-8
$ date
Mo 5. Feb 11:24:22 CET 2024
$ date +%c
Mo 05 Feb 2024 11:24:25 CET
$ LANG=fr_FR.UTF-8 date
lun. 05 févr. 2024 11:24:43 CET
$ LANG=fr_FR.UTF-8 date +%c
lun. 05 févr. 2024 11:24:50
$ LANG=en_US.UTF-8 date +%c --date="4 hours"
Mon 05 Feb 2024 03:41:11 PM CET
$ LANG=en_GB.UTF-8 date +%c --date="4 hours"
Mon 05 Feb 2024 15:41:16 CET
$ locale -a | wc -l
873

Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hi,

On Mon, Feb 05, 2024 at 09:55:58AM +0100, Bo Berglund wrote:
> I really wonder why it uses this terrible illogical display with the day name
> first?
>
> So how can I change it to use the ISO 8601 format?

Well. There's --machine-readable-output, I think, and also

 https://community.openvpn.net/openvpn/ticket/719

which says that from 2.5.0 on, there should be POSIX timestamps.

How old is your OpenVPN?

Maybe it's a bit more convoluted ("depending on logging mode, format might
be different"), but a good test would be to run

$ openvpn --show-gateway

which should print something like

2024-02-05 10:51:14 ROUTE_GATEWAY 193.149.48.190/255.255.255.192 IFACE=igb0
HWADDR=3c:ec:ef:9e:4a:a4
2024-02-05 10:51:14 ROUTE6_GATEWAY 2001:608:4::1 IFACE=igb0

... with a nice and shiny ISO timestamp.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Bo Berglund wrote:
> I tried the service restart and it worked inasfar as the logs now look like
> this example:
>
> Mon Feb 5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set()
>
> Now I just need to get it to display as -mm-dd hh:mm:ss so it would be
> useful for me.
>
> I really wonder why it uses this terrible illogical display with the day name
> first?
>
> So how can I change it to use the ISO 8601 format?

journalctl has the "-o" option to adjust the timestamp output (see
"man journalctl"):

journalctl -o short-iso -u

Cheers,
Mathias
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
On Mon, 5 Feb 2024 09:04:06 +0100, Marc SCHAEFER wrote:

>Hello,
>
>On Mon, Feb 05, 2024 at 12:06:13AM +0100, Bo Berglund wrote:
>> restart the specific services or do I have to restart the server computer
>> itself?
>
>I am no systemd specialist, however, most of the times you change a systemd
>config file you should do:
>
> systemctl daemon-reload

I tried the service restart and it worked inasfar as the logs now look like this
example:

Mon Feb 5 09:42:42 2024 us=734354 succeeded -> ifconfig_pool_set()

Now I just need to get it to display as -mm-dd hh:mm:ss so it would be
useful for me.

I really wonder why it uses this terrible illogical display with the day name
first?

So how can I change it to use the ISO 8601 format?

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file
Hello,

On Mon, Feb 05, 2024 at 12:06:13AM +0100, Bo Berglund wrote:
> restart the specific services or do I have to restart the server computer
> itself?

I am no systemd specialist, however, most of the times you change a systemd
config file you should do:

systemctl daemon-reload