Hi,

On 04/06/21 12:20, Aleksandar Ivanisevic wrote:

On 3. Jun 2021, at 14:36, Jan Just Keijser <janj...@nikhef.nl> wrote:

From reading the 2.5.1 sources I cannot find any environment variables being set that reflect the "incoming" IP address or interface; I would think that during 'client-connect' time you can determine from which IP the client is connecting, e.g. by looking at the connection details at the OS level. This may not be foolproof, however.

How would you suggest to do that? Nothing comes to mind except inspecting the conntrack table or logging at the firewall level, which boils down to grepping different logs. Not to mention that not everyone is running the vpn server on the firewall, no one shouldn’t actually ;)

You could use the conntrack tool to check the *local* UDP connections (e.g. on the server on which OpenVPN is running). The downside is that you will most likely need root privileges.
It may be best to actually grep the logs, especially as you can easily grep for "Peer Connection Initiated".

Not so easily for tunnels running longer than the logs are kept though.

That's a non-argument as the same applies when doing this via a client-connect script; I guess you can run a "grep the server log" at 'client-connect' time with a small delay and write out the result to a file/database. That way you can look for the "Peer Connection Initiated" text, say, 15 seconds after the client logs in. Or you could set up a periodic monitor of the server log file to look for "Peer Connection Initiated" and distill the connection from that.



PS now waiting for Gert to prove me wrong ;)

Please be wrong ;) Or can we have a feature request for server IP and interface to be passed in connect script env or in one of the status reports in management interface or in --status file or at all three places ;)

Unless I missed something in the (v2.5.1) sources I think a change request might be in place for this - seems non-intrusive.

cheers,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
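
The periodic log monitor suggested in the message above, as an added example that is not part of the original post or of OpenVPN itself. It assumes the default timestamped log layout and that a multihomed server appends a "(via [AF_INET]addr%iface)" suffix to the line; the sample lines are constructed, and the table and function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample lines; the layout and the "(via ...)" suffix are assumptions.
SAMPLE_LOG = """\
Fri Jun  4 12:20:01 2021 198.51.100.7:40312 TLS: Initial packet from [AF_INET]198.51.100.7:40312, sid=0a1b2c3d 4e5f6071
Fri Jun  4 12:20:02 2021 198.51.100.7:40312 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40312 (via [AF_INET]192.0.2.10%eth0)
Fri Jun  4 12:25:40 2021 203.0.113.9:1194 [bob] Peer Connection Initiated with [AF_INET]203.0.113.9:1194
Fri Jun  4 13:02:11 2021 198.51.100.7:40999 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40999 (via [AF_INET]192.0.2.20%eth1)
"""

PCI = re.compile(
    r"^(?P<ts>.*?) \S+ \[(?P<cn>[^\]]*)\] Peer Connection Initiated with "
    r"\[AF_INET6?\](?P<peer>\S+?):(?P<port>\d+)"
    r"(?: \(via (?:\[AF_INET6?\])?(?P<local_ip>[^%)\s]+)(?:%(?P<iface>[^)\s]+))?\))?\s*$"
)

def peer_connections(log_text):
    """Return one dict per 'Peer Connection Initiated' line, in log order."""
    records = []
    for line in log_text.splitlines():
        m = PCI.match(line)
        if m:
            rec = m.groupdict()  # local_ip/iface stay None without a "(via ...)" part
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def store(db, records):
    """Persist records so they outlive log rotation; rescanning adds no duplicates."""
    db.execute("CREATE TABLE IF NOT EXISTS peer_conn "
               "(ts TEXT, cn TEXT, peer TEXT, port INTEGER, local_ip TEXT, iface TEXT, "
               "UNIQUE (ts, cn, peer, port))")
    # Bound parameters only: the common name comes from the client side, so it is untrusted.
    db.executemany("INSERT OR IGNORE INTO peer_conn VALUES "
                   "(:ts, :cn, :peer, :port, :local_ip, :iface)", records)
    db.commit()

def last_seen(db, cn):
    """Most recently stored (peer, port, local_ip, iface) for a common name, or None."""
    return db.execute("SELECT peer, port, local_ip, iface FROM peer_conn "
                      "WHERE cn = ? ORDER BY rowid DESC LIMIT 1", (cn,)).fetchone()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    store(db, peer_connections(SAMPLE_LOG))
    print(last_seen(db, "alice"))
```

Run against the real server log from cron or a timer, this keeps the server-side address of each session available after the log that recorded it has been rotated away.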
