OpenVPN

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
OpenVPN logs | ✅ | openvpn_logs | Text | S3


Overview

OpenVPN is an open-source VPN (Virtual Private Network) solution that provides secure point-to-point or site-to-site connections. It uses TLS for its control channel (peer authentication and key exchange) and encrypts tunnelled traffic with the negotiated data-channel cipher, and supports various authentication methods, such as certificates, username/password, and multi-factor authentication (MFA). OpenVPN is highly customizable, making it suitable for organizations of all sizes to securely connect remote users or branch offices to a central network. It works across a wide range of platforms and can be deployed in both cloud and on-premises environments, offering a flexible and scalable solution for protecting data in transit.

Supported data types

OpenVPN logs

Table name: openvpn_logs

OpenVPN logs contain detailed records of the VPN server's activities, user connections, and security events. These logs help administrators monitor the health of the VPN service, troubleshoot issues, and enhance security. OpenVPN logs typically include client connections, authentication attempts and their outcome, the negotiated TLS version and cipher, IP address assignments, and errors. They can also capture warnings related to failed login attempts, certificate issues, or network problems. By reviewing OpenVPN logs, administrators can track usage, identify unusual behavior (for example logins from unexpected sources, unexpected authentication methods, or privileged accounts connecting), and ensure that the VPN is functioning properly and securely.

Send data to Hunters

Hunters supports the ingestion of OpenVPN logs via an intermediary AWS S3 bucket.

To connect OpenVPN logs:

  1. Export your logs from OpenVPN to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Text format: one event per line, as written by OpenVPN Access Server to its server log (an ISO-8601 timestamp, a [stdout#info] channel tag, then either a relayed daemon line wrapped in [OVPN N] OUT: "…" or a server-side record such as AUTH SUCCESS).

2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: "2021-09-20 12:55:29 99.65.122.296:60360 TLS: Username/Password authentication deferred for username 'sample@test.com' "
2021-09-20T12:55:29+0000 [stdout#info] AUTH SUCCESS {'status': 0, 'user': 'sample@test.com', 'reason': 'SESSION_ID HMAC session continuation succeeded', 'session_id': '[redacted]', 'create_new_session': True, 'proplist': {'prop_autogenerate': 'true', 'prop_superuser': 'false', 'prop_autologin': 'false', 'prop_deny': 'false', 'user_auth_type': 'radius', 'type': 'user_connect', 'conn_group': 'bi', 'prop_google_auth': 'false'}, 'common_name': 'sample@test.com', 'serial': '219', 'serial_list': []} cli='mac'/'2.4.3'/'Viscosity_1.9.3_1600'
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: "2021-09-20 12:55:29 MANAGEMENT: CMD 'client-auth 26699 0'"
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: '2021-09-20 12:55:29 99.65.122.296:60360 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256'
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: '2021-09-20 12:55:29 99.65.122.296:60360 [sample@test.com] Peer Connection Initiated with [AF_INET]99.65.122.296:60360 (via [AF_INET]1.2.3.4%eth0)'
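The following parser, added here as an example and not taken from Hunters or from OpenVPN, shows how the lines above decompose: the outer envelope (timestamp and channel), the [OVPN N] OUT: wrapper with its quoted daemon line, the client ip:port prefix, the negotiated TLS version and cipher, and the AUTH SUCCESS record, which is a Python dict literal followed by a cli='platform'/'version'/'gui' suffix and is read safely with ast.literal_eval. SAMPLE_LOG repeats the page's five lines and adds two constructed ones (a TLSv1 handshake from 203.0.113.7 and a local-auth login by a superuser account) so that the checks in find_suspicious have something to flag. Those checks (allowed authentication backends, minimum TLS version, superuser logins) are illustrative assumptions about what a team might want to review, not Hunters detection content.

```python
"""Parser and sanity checks for the OpenVPN Access Server log format shown above.

Added example; not Hunters' or OpenVPN's own code. SAMPLE_LOG repeats the page's
five sample lines and adds two constructed ones (a TLSv1 handshake and a local-auth
superuser login). The checks in find_suspicious are illustrative assumptions.
"""
import ast
import re
from typing import Optional

# Outer envelope: ISO timestamp, [stdout#info] channel, then the body.
ENVELOPE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<channel>[^\]]+)\] (?P<body>.*)$")
# Body relayed from an OpenVPN worker process: [OVPN N] OUT: "<quoted daemon line>"
OUT_RE = re.compile(r"^\[OVPN (?P<proc>\d+)\] OUT: (?P<q>['\"])(?P<inner>.*)(?P=q)\s*$")
# Daemon line: local timestamp, optional client ip:port, then the message.
INNER_RE = re.compile(
    r"^(?P<lts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) )?(?P<msg>.*)$"
)
# "Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, ..."
TLS_RE = re.compile(r"Control Channel: (?P<tls>TLSv[\d.]+), cipher \S+ (?P<cipher>[^\s,]+)")
# Client suffix on AUTH SUCCESS: cli='mac'/'2.4.3'/'Viscosity_1.9.3_1600'
CLI_RE = re.compile(r"cli='(?P<platform>[^']*)'/'(?P<version>[^']*)'/'(?P<gui>[^']*)'")

# Lines 1-5 are the page's samples; lines 6-7 are constructed for this example.
SAMPLE_LOG = """\
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: "2021-09-20 12:55:29 99.65.122.296:60360 TLS: Username/Password authentication deferred for username 'sample@test.com' "
2021-09-20T12:55:29+0000 [stdout#info] AUTH SUCCESS {'status': 0, 'user': 'sample@test.com', 'reason': 'SESSION_ID HMAC session continuation succeeded', 'session_id': '[redacted]', 'create_new_session': True, 'proplist': {'prop_autogenerate': 'true', 'prop_superuser': 'false', 'prop_autologin': 'false', 'prop_deny': 'false', 'user_auth_type': 'radius', 'type': 'user_connect', 'conn_group': 'bi', 'prop_google_auth': 'false'}, 'common_name': 'sample@test.com', 'serial': '219', 'serial_list': []} cli='mac'/'2.4.3'/'Viscosity_1.9.3_1600'
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: "2021-09-20 12:55:29 MANAGEMENT: CMD 'client-auth 26699 0'"
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: '2021-09-20 12:55:29 99.65.122.296:60360 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256'
2021-09-20T12:55:29+0000 [stdout#info] [OVPN 3] OUT: '2021-09-20 12:55:29 99.65.122.296:60360 [sample@test.com] Peer Connection Initiated with [AF_INET]99.65.122.296:60360 (via [AF_INET]1.2.3.4%eth0)'
2021-09-20T13:02:10+0000 [stdout#info] [OVPN 2] OUT: '2021-09-20 13:02:10 203.0.113.7:41022 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256'
2021-09-20T13:02:11+0000 [stdout#info] AUTH SUCCESS {'status': 0, 'user': 'openvpn', 'reason': 'local auth succeeded', 'session_id': '[redacted]', 'create_new_session': True, 'proplist': {'prop_superuser': 'true', 'prop_autologin': 'false', 'user_auth_type': 'local', 'type': 'user_connect'}, 'common_name': 'openvpn', 'serial': '7', 'serial_list': []} cli='win'/'2.4.3'/'OpenVPN_Connect_3.3'
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a flat event dict for one log line, or None if the envelope is missing."""
    m = ENVELOPE_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    ev = {"ts": m["ts"], "channel": m["channel"], "kind": "other", "raw": body}

    if body.startswith("AUTH SUCCESS ") and "{" in body:
        # The record is a Python dict literal; literal_eval parses it without executing code.
        ev["kind"] = "auth_success"
        start, end = body.index("{"), body.rindex("}") + 1
        rec = ast.literal_eval(body[start:end])
        props = rec.get("proplist", {})
        ev.update(
            user=rec.get("user"),
            reason=rec.get("reason"),
            auth_type=props.get("user_auth_type"),
            superuser=props.get("prop_superuser") == "true",
            autologin=props.get("prop_autologin") == "true",
        )
        c = CLI_RE.search(body[end:])
        if c:
            ev.update(client_platform=c["platform"], client_version=c["version"], client_gui=c["gui"])
        return ev

    o = OUT_RE.match(body)
    if not o:
        return ev
    ev["ovpn_proc"] = int(o["proc"])
    i = INNER_RE.match(o["inner"])
    if not i:
        return ev
    msg = i["msg"]
    ev.update(client_ip=i["ip"], client_port=int(i["port"]) if i["port"] else None, msg=msg)
    t = TLS_RE.search(msg)
    if t:
        ev.update(kind="tls_handshake", tls_version=t["tls"], cipher=t["cipher"])
    elif "Peer Connection Initiated" in msg:
        ev["kind"] = "peer_connected"
        u = re.match(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated", msg)
        if u:
            ev["user"] = u["cn"]
    elif "authentication deferred" in msg:
        ev["kind"] = "auth_deferred"
        u = re.search(r"for username '(?P<user>[^']*)'", msg)
        if u:
            ev["user"] = u["user"]
    elif msg.startswith("MANAGEMENT: CMD"):
        ev["kind"] = "management_cmd"
    return ev


def parse_lines(text: str) -> list:
    """Parse every line of a log excerpt, dropping lines without the envelope."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def tls_rank(version: str) -> tuple:
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1,), so TLSv1 sorts below TLSv1.2."""
    return tuple(int(x) for x in version[len("TLSv"):].split("."))


def find_suspicious(events, allowed_auth_types=("radius",), min_tls="TLSv1.2") -> list:
    """Illustrative checks (assumptions for this example): superuser logins,
    logins via an authentication backend outside the expected set, and control
    channels negotiated below the minimum TLS version."""
    findings = []
    for ev in events:
        if ev["kind"] == "auth_success":
            if ev.get("superuser"):
                findings.append(("superuser_login", ev["user"], ev["ts"]))
            if ev.get("auth_type") not in allowed_auth_types:
                findings.append(("unexpected_auth_type", ev["user"], ev.get("auth_type")))
        elif ev["kind"] == "tls_handshake" and tls_rank(ev["tls_version"]) < tls_rank(min_tls):
            findings.append(("weak_tls", ev["client_ip"], ev["tls_version"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_lines(SAMPLE_LOG)):
        print(finding)
```

Two design points worth noting: the AUTH SUCCESS payload is a Python repr, not JSON (single quotes, True), so json.loads will reject it and eval would execute whatever an attacker managed to get into a username field; ast.literal_eval accepts only literals. Second, the daemon lines inside OUT: are quoted with either " or ', so the wrapper regex has to match whichever quote opened the line rather than assuming one of them.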