track VPN requests

qwertyjjj · 05-30-2010, 11:03 AM

I have a proxy server with all relevant logs compiled by SARG.
I also have a VPN but am not sure how to go about creating logs of http access requests or any other requests from openVPN - any ideas?
Also, would the overhead created be too much?

huwnet · 06-01-2010, 04:31 AM

It would be fairly intensive to monitor http requests on a VPN as you'd have to examine each packet coming through. Have you considered installing Squid (an http proxy) and then setting it up as a transparent proxy so that all http requests pass through it? You could then use the various logs for squid to do what you want

linuxgurusa · 06-01-2010, 04:40 AM

Quote:

Originally Posted by huwnet

It would be fairly intensive to monitor http requests on a VPN as you'd have to examine each packet coming through. Have you considered installing Squid (an http proxy) and then setting it up as a transparent proxy so that all http requests pass through it? You could then use the various logs for squid to do what you want

+1 yes, by doing this you will see all web browsing.
You just need to make sure that the IP's on the VPN traffic stay the same so you can track back the users?

huwnet · 06-01-2010, 06:07 AM

Quote:

You just need to make sure that the IP's on the VPN traffic stay the same so you can track back the users?

I hadn't thought of this, but you'd certainly need to do this. Alternatively if your VPN is using RADIUS authentication/accounting you may be able to use RADIUS with squid too

qwertyjjj · 06-01-2010, 07:52 AM

Quote:

Originally Posted by linuxgurusa

+1 yes, by doing this you will see all web browsing.
You just need to make sure that the IP's on the VPN traffic stay the same so you can track back the users?

Each VPN client has a different IP although they are of the same 17.x.x.x variety.
At the moment my squid uses NCSA auth so not sure how I could apply a logon for the VPN?

linuxgurusa · 06-01-2010, 07:57 AM

Quote:

Originally Posted by qwertyjjj

Each VPN client has a different IP although they are of the same 17.x.x.x variety.
At the moment my squid uses NCSA auth so not sure how I could apply a logon for the VPN?

Howdy Bud
If your users are authenticating, then you should see the usernames when you run a browsing report, whether they are in or outside the VPN, so problem solved there then !

qwertyjjj · 06-01-2010, 08:17 AM

Quote:

Originally Posted by linuxgurusa

Howdy Bud
If your users are authenticating, then you should see the usernames when you run a browsing report, whether they are in or outside the VPN, so problem solved there then !

Well, they authenticate through using a cert.
But they are not given a proxy auth, I suppose I could ask them to but the proxy is not set up for transparency and can't be because of the separate proxy users using ncsa.

Also, I guess opening up the VPN to all traffic means it COULD be used for something that I cannot log

qwertyjjj · 06-10-2010, 06:01 PM

Any ideas?