跳至正文
KYRA MDR KYRA MDR Docs

OpenVPN

Overview

OpenVPN provides SSL/TLS-based VPN tunneling for remote access and site-to-site connectivity. KYRA MDR collects OpenVPN server logs including authentication events, client connect/disconnect activity, certificate validation results, and tunnel status to detect unauthorized access and VPN abuse. Supports OpenVPN Community and Access Server.

Prerequisites

  • KYRA MDR account (MDR tier or above)
  • KYRA Collector installed and reachable from the OpenVPN server (TCP 514)
  • Root or sudo access on the OpenVPN server host
  • OpenVPN 2.4+ (2.5+ recommended for improved logging)

Configuration

Step 1: Configure OpenVPN Server Logging

Edit /etc/openvpn/server.conf (or /etc/openvpn/server/server.conf):

# Log to a dedicated file (log-append keeps history across restarts)
log-append /var/log/openvpn/server.log


# Verbosity level (0=silent, 3=normal, 4=security monitoring, 9=debug)
verb 4


# Mute repeated messages
mute 20


# Status file with active connections, updated every 60 seconds
status /var/log/openvpn/status.log 60
status-version 2


# Enable timestamps
log-timestamp

Step 2: Enable Client Connect/Disconnect Scripts

# In server.conf
script-security 2
client-connect /etc/openvpn/scripts/client-connect.sh
client-disconnect /etc/openvpn/scripts/client-disconnect.sh

Create /etc/openvpn/scripts/client-connect.sh:

#!/bin/bash
logger -t openvpn-audit -p local5.info \
  "CLIENT_CONNECT user=$common_name remote_ip=$trusted_ip:$trusted_port \
  vpn_ip=$ifconfig_pool_remote_ip dev=$dev"

Create /etc/openvpn/scripts/client-disconnect.sh:

#!/bin/bash
logger -t openvpn-audit -p local5.info \
  "CLIENT_DISCONNECT user=$common_name remote_ip=$trusted_ip \
  vpn_ip=$ifconfig_pool_remote_ip duration=${time_duration}s \
  bytes_in=$bytes_received bytes_out=$bytes_sent"
Terminal window
sudo chmod +x /etc/openvpn/scripts/client-connect.sh
sudo chmod +x /etc/openvpn/scripts/client-disconnect.sh

Step 3: Forward Logs via rsyslog

/etc/rsyslog.d/30-openvpn.conf
module(load="imfile" PollingInterval="5")


input(type="imfile"
  File="/var/log/openvpn/server.log"
  Tag="openvpn"
  Facility="local5"
  Severity="info")


# Forward both file logs and script audit messages
local5.*  @@<COLLECTOR_IP>:514
Terminal window
sudo systemctl restart rsyslog

Step 4: OpenVPN Access Server Configuration

For Access Server, configure syslog via the Admin UI:

  1. Navigate to Configuration > Log Settings
  2. Set Syslog Server to <COLLECTOR_IP>
  3. Set Syslog Port to 514, Protocol to TCP
  4. Enable Log User Authentication and Log User VPN Sessions
  5. Click Save Settings and Update Running Server

Step 5: Restart and Verify

Terminal window
sudo systemctl restart openvpn@server
# Check log output
sudo tail -20 /var/log/openvpn/server.log
# Check active connections
cat /var/log/openvpn/status.log

Step 6: Verify on KYRA Collector

Terminal window
kyra-collector status
kyra-collector logs --source openvpn --tail 10

Collected Log Types

Log TypeDescriptionSecurity Use
AuthenticationTLS handshake, certificate validation, username/password authCredential abuse detection
Client ConnectClient IP, assigned VPN IP, certificate CNRemote access monitoring
Client DisconnectSession duration, bytes sent/received, disconnect reasonData exfiltration, session audit
Certificate EventsVerification failures, expiration warnings, CRL checksPKI integrity
Tunnel EventsTunnel up/down, renegotiation, keepalive timeoutsAvailability monitoring
Status FileConnected client list with real IP and VPN IPActive session inventory

Key Log Patterns

PatternMeaning
TLS: Initial packet from [AF_INET]1.2.3.4:portNew TLS handshake
VERIFY OK: depth=0, CN=usernameCertificate verified
VERIFY ERROR: depth=0, error=certificate has expiredExpired certificate
AUTH_FAILEDPassword auth rejected
MULTI: multi_create_instanceNew client instance
Connection reset, restartingAbrupt client disconnect
MULTI: bad source address from clientClient spoofing VPN IP

Environment Variables in Scripts

VariableDescription
$common_nameCertificate Common Name (username)
$trusted_ipClient real IP address
$trusted_portClient source port
$ifconfig_pool_remote_ipAssigned VPN IP address
$time_unixConnection start (Unix timestamp)
$time_durationSession duration in seconds
$bytes_receivedBytes received from client
$bytes_sentBytes sent to client

Troubleshooting

  • No log output: Verify verb is 3+ and log-append path is writable. Run sudo mkdir -p /var/log/openvpn && sudo chown openvpn:openvpn /var/log/openvpn.
  • Scripts not executing: Requires script-security 2 in server.conf. Scripts must be executable and owned by root.
  • Status file empty: Only populated after first client connects. Verify status-version 2 for machine-readable format.
  • rsyslog not forwarding: Check imfile module is loaded and file path matches. Test with logger -t openvpn-test "test".
  • Access Server logs: Logs at /var/log/openvpnas.log. Configure rsyslog to tail this file if not using built-in syslog.

Contact kyra@seekerslab.com for integration support.