4.7.6. Operation
This document explains the most relevant aspects of operation.
4.7.6.1. Check the status of VPN connections
This section shows how to use the system’s Business Profiles to view active connections and how to get more information about a device. Business Profiles are groups of connections based on their associated policies. They are customizable, and we can create as many as we want by giving each one a name and selecting the policy or policies to include. Go to ON NAC -> Business Profiles in the Default View.

Let’s focus on the VPN Business Profile (green box) from our example. At the bottom you can see the total number of devices you have registered with the VPN TAG. At the top, another counter indicates the total number of devices that are connected. For each connection (each horizontal line), the Status column shows a flag that identifies the current connection status of the selected device.
Green flag indicates that the device is connected (login)
Red flag indicates a problem: the device could not connect
Black flag indicates that the device is not connected (logout)
If we click on the icon that appears in the Policy column, we are able to obtain more information about the selected connection.

Another way to view more information about the connection is to use the + icon at the right end, which displays all the information from the different sources related to the device.

In the green box, you can see that there are two sources of information and two connections. The first refers to the data of the device through the public IP, information received through the internet and sent by the agent. The second source is from the VPN connection itself since its IP is a private address that matches the pool of IPs configured in the RoadWarrior VPN tunnel.
In this same view, we can see more information about the VPN connection. We can highlight the information inside the orange boxes, which provide useful information about the status of the connection. For example, the current status of the connection is indicated, the source from which it comes (in this case VPN and IP are assigned), the policy accessed by the device, and a message regarding the status.

The image shows a case where the connection was rejected. Its status is Reject, the message gives the cause of the error (No logon servers), the source becomes VPN and reject, and the policy is maintained.
4.7.6.2. Check connected client in VPN gateway
Connected clients can be checked for both WireGuard and OpenVPN.
4.7.6.2.1. WireGuard
There are two ways to check which clients are connected to a WireGuard VPN: through the system’s frontend web portal, and by accessing the gateway via SSH.
4.7.6.2.1.1. Via web portal
Access the CMI via the web interface and access the Manage -> Appliances menu, then select the VPN gateway and press the Manage button.

At this point, the VPN gateway web interface should open.
Access the Manage -> VPN RoadWarrior menu to see the VPN you want to manage.

To access user management, select the VPN and press the Manage Users button. From here, VPN users can be managed.

In the table, you can see the information of each connected user. This includes username, dynamic zone, IP, TTL, status icons (connected, standalone, dynamic/static), and the date the connection was established. If you click the + button, more detailed information will be displayed.
The Search box will allow you to search for any user data. For example, you can filter by the username user_test and as a result, a single row will appear with the user user_test.
Note
A standalone user is one that can connect from an openNAC agent or from a native WireGuard agent. A non-standalone user can only connect from an openNAC agent.
4.7.6.2.1.2. Via SSH
From the command line of the VPN gateway we can also observe information about the users.
SSH into the CMI.
Note: Remember that no rule allows SSH access to the VPN gateway from any source; it can only be accessed from the CMI.
SSH into the VPN gateway.
In the VPN gateway run the following command:
wg show <VPN_name>
This command will show us the connected users and the standalone users (whether they are connected or not).
Example of the user with IP 172.16.250.5 connected to the VPN. The information under interface pertains to the VPN configuration while the information under “peer” will give us user information:

In the VPN gateway, run the following command:
cat /etc/wireguard/<VPN_name>_clientData
This command will show us the static users and the standalone users.
Example of the static user with IP 172.16.250.4:

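The `wg show` listing above mixes connected peers with standalone peers that are not connected. The following added example (not part of the original documentation or the product) tells them apart from the tab-separated output of `wg show <VPN_name> dump`, using the latest-handshake field. The 180-second threshold, the function names and the sample dump are assumptions made for illustration.

```shell
# Added example: classify peers from `wg show <VPN_name> dump` output.
# Dump format: line 1 is the interface; every later line is one peer with
# tab-separated fields: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive.

# Assumption: a handshake newer than 180 s means the peer is connected.
# "idle" only means no recent handshake; a silent peer without keepalive
# looks the same, so treat it as "not recently seen", not as proof of logout.
MAX_AGE=180

# classify_peers NOW : reads dump text on stdin, prints one line per peer:
#   state allowed-ips endpoint handshake-age-in-seconds
classify_peers() {
    awk -F '\t' -v now="$1" -v max="$MAX_AGE" '
        NR == 1 { next }            # interface line, not a peer
        NF < 8  { next }            # skip truncated or malformed lines
        {
            hs = $5 + 0
            if (hs == 0)              { state = "never";     age = "-" }
            else if (now - hs <= max) { state = "connected"; age = now - hs }
            else                      { state = "idle";      age = now - hs }
            print state, $4, $3, age
        }'
}

# Constructed sample dump; keys are placeholders, not real key material.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tPUBKEY_SERVER\t51820\toff\n'
    printf 'PUBKEY_PEER_A\t(none)\t203.0.113.10:40112\t172.16.250.5/32\t1700000000\t52340\t91872\toff\n'
    printf 'PUBKEY_PEER_B\t(none)\t(none)\t172.16.250.4/32\t0\t0\t0\toff\n'
    printf 'PUBKEY_PEER_C\t(none)\t198.51.100.7:51000\t172.16.250.6/32\t1699990000\t100\t200\t25\n'
}

# Live use on the gateway:
#   wg show <VPN_name> dump | classify_peers "$(date +%s)"
sample_dump | classify_peers 1700000060
```

The dump output includes the interface private key on its first line, so pipe it straight into the filter rather than saving it to a file or pasting it into a ticket.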
4.7.6.2.2. OpenVPN
There are two ways to check which clients are connected to an OpenVPN VPN: through the system’s frontend web portal, and by accessing the gateway via SSH.
4.7.6.2.2.1. Via web portal
Access the CMI via the web interface and access the Manage -> Appliances menu, then select the VPN gateway and press the Manage button.

At this point the VPN gateway web interface should open.
Access the Manage -> VPN RoadWarrior menu to see the VPN you want to manage.

To access user management, select the VPN and press the Manage Users button.

In the table you can see the information of each connected user. This includes the username, Virtual IP, real IP, day and time the connection was established, and the data sent and received.
The Search box will allow you to search for any user data. For example, you can filter by the username user8 and as a result a single row will appear with the user user8.
The actions available on this screen are:
Disconnect: Disconnect the user.
Refresh: Reloads the information of the users in the table.
Export All data: A file in CSV format containing the user data will be downloaded.
4.7.6.2.2.2. Via SSH
From the VPN gateway command line we can also see information about connected users.
1) SSH into the CMI.
Note: Remember that no rule allows SSH access to the VPN gateway from any source; it can only be accessed from the CMI.
2) SSH into the VPN gateway.
3) In the VPN gateway run the following command:
echo "status" | nc 127.0.0.1 6000
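The raw reply to `status` lists clients and their virtual addresses in two separate sections. The following added example (not part of the original documentation or the product) joins them into one row per user with the same columns as the web portal table. It assumes port 6000 is the OpenVPN management interface answering in the default status format (version 1); the function names and the sample reply are constructed for illustration.

```shell
# Added example: turn the management-interface "status" reply into
# one CSV row per client: user,virtual_ip,real_ip,connected_since,rx,tx
parse_ovpn_status() {
    awk -F ',' '
        { sub(/\r$/, "") }                     # reply lines end in CRLF
        /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
        /^ROUTING TABLE/       { sect = "routes";  next }
        /^GLOBAL STATS/        { sect = "";        next }
        /^(Updated|Common Name|Virtual Address),/ { next }   # header rows
        sect == "clients" && NF == 5 {
            key = $1 SUBSEP $2                 # common name + real address
            order[++n] = key
            user[key] = $1; real[key] = $2
            rx[key] = $3;   tx[key] = $4;  since[key] = $5
        }
        sect == "routes" && NF == 4 { vip[$2 SUBSEP $3] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                v = (k in vip) ? vip[k] : "-"  # no route learned yet
                print user[k] "," v "," real[k] "," since[k] "," rx[k] "," tx[k]
            }
        }'
}

# Constructed sample reply (addresses are documentation ranges).
sample_status() {
    printf '%s\r\n' \
      ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info" \
      "OpenVPN CLIENT LIST" \
      "Updated,2024-01-15 10:30:00" \
      "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since" \
      "user8,203.0.113.25:51234,48213,120944,2024-01-15 09:12:41" \
      "user_test,198.51.100.14:40022,1200,3400,2024-01-15 10:05:03" \
      "ROUTING TABLE" \
      "Virtual Address,Common Name,Real Address,Last Ref" \
      "10.8.0.6,user8,203.0.113.25:51234,2024-01-15 10:29:58" \
      "GLOBAL STATS" \
      "Max bcast/mcast queue length,0" \
      "END"
}

# Live use on the gateway:
#   echo "status" | nc 127.0.0.1 6000 | parse_ovpn_status
sample_status | parse_ovpn_status
```

A client that appears in the client list without a routing-table entry is printed with `-` as its virtual IP instead of being dropped.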

4.7.6.3. VPN gateway status
At the top right of the VPN gateway is the VPN RW section.
This is a direct access to the VPN gateway management without having to open the VPN RoadWarrior tab.
The dropdown will show a summary of the VPN information that is considered most important, as well as a set of actions:

Next to the text VPN RW in the dropdown there is a number:

This number indicates how many changes have been made to the VPN and have not been applied. The changes will be applied when you restart the VPN.
By clicking on the text [Commit X changes] we can see which changes have been made to the VPN.
In this example you can see that the VPN has been modified 1 time. The data that appears is the most recent:
