Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file

2024-02-06 Thread David Sommerseth via Openvpn-users

On 05/02/2024 13:38, Mathias Jeschke wrote:

Bo Berglund wrote:

I mean the logs being produced from these server.conf lines:

status /etc/openvpn/log/openvpn-status.log
log /etc/openvpn/log/openvpn.log
verb 4


Why do you insist on using legacy file based logs? Systemd's journal has 
much better options to filter/display log messages.


And the best - it's enabled by default on systemd based systems.


On top of that, using the --log option writing to file may impact 
OpenVPN's tunnel performance if there are issues writing log events to 
disk - because OpenVPN 2.x is single-threaded, so that happens in 
between parsing all the tunnel traffic, authentication and everything 
else it does.


When OpenVPN calls the syslog() call, the kernel ensures the log event 
is sent to the proper logging service (systemd-journald, rsyslog, 
syslog, etc) without delaying too much.


You can omit some of these performance issues by enabling DCO (kernel 
based OpenVPN Data Channel Offload) but then you need OpenVPN 2.6+.


And just a few examples using journalctl ...


- Get the logs for the OpenVPN server config tun0.conf, just the last 4
  hours of log data

  # journalctl -u openvpn-server@tun0 --since -4h


- Similar to above, but "grep" for a specific IP address

  # journalctl -u openvpn-server@tun0 --since -4h -g 192.168.0.1


- Retrieve log events between 8 and 4 hours back in time

  # journalctl -u openvpn-server@tun0 --since -8h --until -4h


- Retrieve the first 100 log events happening yesterday

  # journalctl -u openvpn-server@tun0 --since yesterday -n 100


- Retrieve the log events for a specific PID

  # journalctl _PID=12345


- Retrieve log events sent from any "openvpn" process since the last
  boot

  # journalctl -b-1 SYSLOG_IDENTIFIER=openvpn


- Similar to the above, but only list log events from a specific PID
  in addition

  # journalctl -b-1 SYSLOG_IDENTIFIER=openvpn _PID=12345


All of these examples can be combined.  And even more possibilities exist.

And if you add -o json-pretty ... you get to see all the additional meta 
data information you can match on.


If it's important for you to preserve log events for a longer time, 
ensure /etc/systemd/journald.conf has enabled Storage=persistent ... 
that will store all log events to disk, in the binary journal format. 
Otherwise it's memory-only logging.


And the systemd-journald has built-in log rotation, where you can define 
how much disk space the logs can consume.  Once it reaches that limit, 
it starts removing the oldest log data.  You may also want to consider 
ensuring log compression is enabled too.



That's why the --log option in OpenVPN should be avoided.  It has poorer 
performance, you need to do log rotation manually (requiring openvpn 
to get reloaded, which interrupts the tunnel) and it comes without a 
quite powerful log query tool.



--
kind regards,

David Sommerseth
OpenVPN Inc




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
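
A way to check a host against the advice in the message above, as an added example that is not part of the original post or of OpenVPN's tooling: it flags `log`/`log-append` directives left in a server config and reads the effective `Storage=` value from a journald.conf. The function names, file names and sample file contents are constructed for illustration; `Storage=auto` is reported because it is only persistent when /var/log/journal exists.

```shell
#!/bin/sh
# Added example; every file below is a constructed sample, not a real config.

# Print log / log-append directives in an OpenVPN config (comments never match).
file_log_directives() {
    awk '$1 == "log" || $1 == "log-append" { print $1, $2 }' "$1"
}

# Print the effective value of key $2 in the [Journal] section of journald.conf
# file $1 (last assignment wins); print default $3 when it is unset.
journald_setting() {
    awk -F= -v key="$2" -v def="$3" '
        /^\[/ { in_journal = ($0 == "[Journal]"); next }
        in_journal && $1 == key { val = $2 }
        END { print (val != "" ? val : def) }' "$1"
}

# Return 0 only when OpenVPN logs via syslog/journal and the journal is on disk.
audit_logging() {
    rc=0
    found=$(file_log_directives "$1")
    storage=$(journald_setting "$2" Storage auto)
    [ -z "$found" ] || { echo "file logging enabled: $found"; rc=1; }
    [ "$storage" = persistent ] || { echo "journald Storage=$storage"; rc=1; }
    return "$rc"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before.conf" <<'EOF'
port 1194
status /etc/openvpn/log/openvpn-status.log
log /etc/openvpn/log/openvpn.log
verb 4
EOF
cat > "$tmp/after.conf" <<'EOF'
port 1194
;log /etc/openvpn/log/openvpn.log
verb 4
EOF
cat > "$tmp/journald.conf" <<'EOF'
[Journal]
#Storage=auto
Storage=persistent
SystemMaxUse=500M
Compress=yes
EOF
audit_logging "$tmp/before.conf" "$tmp/journald.conf" || echo "before: FAIL"
audit_logging "$tmp/after.conf" "$tmp/journald.conf" && echo "after: OK"
```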


Re: [Openvpn-users] Can a configuration item be cleared in the server.conf file

2024-02-06 Thread David Sommerseth via Openvpn-users

On 05/02/2024 15:12, Bo Berglund wrote:

On Mon, 5 Feb 2024 14:04:38 +0100, Gert Doering wrote:


Hi,

On Mon, Feb 05, 2024 at 12:25:51PM +0100, Bo Berglund wrote:

How old is your OpenVPN?


This is on the Ubuntu 20.04 LTS server:

Aug 21 2023:

$ openvpn --version
OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11]


Ah, yes.  So that's a bit of an antique :-)


$ apt policy openvpn
openvpn:
   Installed: 2.4.12-0ubuntu0.20.04.1
   Candidate: 2.4.12-0ubuntu0.20.04.1

Cannot get anything newer...


You can get newer ones via the OpenVPN community based repositories:





--
kind regards,

David Sommerseth
OpenVPN Inc



