I've recently set up an OpenVPN server on my home network to allow me to connect remotely. I've always been quite hesitant to open up any ports on my home firewall, as I know it can lead to trouble if done incorrectly.
I have set up OpenVPN Access Server and checked all the configuration to ensure that it is set up securely: all users have strong passwords and MFA is required to gain access. I still wanted an additional precaution in place. In the very rare chance that my .ovpn certificate and password are leaked and the MFA is somehow bypassed, allowing an attacker to log in, I want to be notified that it has happened. That is what I am going to describe in this post.
My first thought was how I want to be notified. I figure that if an attacker has connected, I want to be made aware very quickly. I did initially think of setting up an email alert, but I sometimes don't check my emails for many hours at a time. Ultimately I decided to use a service called ntfy.sh.
This service allows you to send messages via HTTP PUT/POST to a "Topic" you create on your account. This topic can then be monitored either through the web browser or through the Android/iPhone app (the Android app is the method I will be using in this case). When an HTTP PUT/POST message is sent to the topic, a notification is created on the phone.
So, the first step is to create an account and create a topic you want to use for the OpenVPN notifications. The topics are not password protected, which means the topic name is essentially the password. Make sure you create a hard-to-guess topic name to prevent other users from viewing it. I would also strongly recommend that any data you send to it is non-sensitive. You will also want to download the ntfy app on your phone to receive the immediate alert when someone connects to the VPN server.
Once you have created a topic, you need a way of making OpenVPN send data to it when someone connects. To achieve this, I used a post-auth script. You can read more about them HERE if interested; they are essentially scripts that are run once a user has proceeded past the authentication stage of connecting to the VPN server. They can be used to add additional user connection requirements or custom checks to the authentication process, although we are just going to use one to generate the notification.
The post-auth scripts can be written in Python. The code below is a very simple script I am using for this example. It essentially captures the username and IP address of the client that has logged in to the VPN server. These two values are then sent via a POST request to ntfy.sh.
```python
import os
import requests

def post_auth(authcred, attributes, authret, info):
    # Pull the username and client IP from the credentials OpenVPN passes in;
    # fall back to "unknown" so a missing key cannot raise inside the hook.
    username = authcred.get('username') or 'unknown'
    clientIP = authcred.get('client_ip_addr') or 'unknown'
    requests.post("https://ntfy.sh/[TOPIC NAME]",
                  data="The following client has connected to the VPN:\r\n\r\n Username: " + username + "\r\n IP Address: " + clientIP,
                  headers={
                      "Title": "Client Connected to VPN",
                  },
                  timeout=5)  # don't let a slow ntfy.sh hang the login
    # Return the authentication result unchanged so the hook never alters access
    return authret
```
This Python script is then loaded into OpenVPN using the following two commands:
```shell
sacli --key "auth.module.post_auth_script" --value_file="[PYTHON FILE LOCATION]" ConfigPut
sacli start
```
You should now find that, when you connect to the OpenVPN server, a notification is generated on your phone, immediately alerting you that a successful connection has been made.
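A fuller version of the same post-auth hook, written as an added example rather than the post's own script. It keeps the post_auth signature shown above but (1) reads the topic name from an environment variable instead of hard-coding it, (2) builds the message in a separate function that tolerates a missing username or IP, (3) never lets a failed or slow notification block the VPN login, and (4) optionally sends an ntfy access token as a Bearer header, which matters because anyone who knows a public topic name can both read it and publish to it. NTFY_TOPIC and NTFY_TOKEN are assumed variable names; the Priority and Tags headers are real ntfy headers, and the `post` parameter is injected only so the send path can be exercised offline.

```python
import os

# Added example (not the original post's code). Topic and optional token are
# read from the environment; the variable names NTFY_TOPIC / NTFY_TOKEN are
# assumptions for this example.
NTFY_URL = "https://ntfy.sh/" + os.environ.get("NTFY_TOPIC", "REPLACE-WITH-TOPIC")
NTFY_TOKEN = os.environ.get("NTFY_TOKEN")  # optional ntfy access token
TIMEOUT_SECONDS = 5


def build_message(authcred):
    """Build the notification body from the authcred dict OpenVPN passes in.

    Missing keys are reported as 'unknown' rather than raising, so an
    incomplete client record can never break the post-auth hook.
    """
    username = authcred.get("username") or "unknown"
    client_ip = authcred.get("client_ip_addr") or "unknown"
    return (
        "The following client has connected to the VPN:\n\n"
        f" Username: {username}\n IP Address: {client_ip}"
    )


def build_headers():
    """ntfy headers: title, priority and an emoji tag; Bearer auth if a token is set."""
    headers = {
        "Title": "Client Connected to VPN",
        "Priority": "high",   # louder phone alert for a security event
        "Tags": "lock",       # shown as a padlock emoji in the notification
    }
    if NTFY_TOKEN:
        headers["Authorization"] = "Bearer " + NTFY_TOKEN
    return headers


def send_notification(body, headers, post=None):
    """POST the alert; return True on 2xx, False on any failure.

    `post` defaults to requests.post (imported lazily so the builders above
    work without the library) and is injectable for offline exercise. A failed
    alert is logged, not raised: an unreachable notification service must not
    turn into a VPN outage.
    """
    if post is None:
        import requests
        post = requests.post
    try:
        resp = post(NTFY_URL, data=body.encode("utf-8"), headers=headers,
                    timeout=TIMEOUT_SECONDS)
        return 200 <= resp.status_code < 300
    except Exception as exc:  # connection errors, timeouts, bad responses
        print(f"ntfy notification failed: {exc}")
        return False


def post_auth(authcred, attributes, authret, info):
    """OpenVPN Access Server post-auth entry point (signature as in the post)."""
    send_notification(build_message(authcred), build_headers())
    # Pass the authentication result through unchanged: this hook only alerts.
    return authret


if __name__ == "__main__":
    # Constructed sample authcred for a dry run; no network call is made.
    sample = {"username": "alice", "client_ip_addr": "203.0.113.7"}
    print(build_message(sample))
    print(build_headers())
```

Install it exactly as the post describes (sacli ConfigPut with the file path, then sacli start), and set NTFY_TOPIC in the environment the Access Server's Python runs under, or replace the os.environ lookup with the literal topic name if you prefer the original's approach.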