Centos – PPTP traffic logging


I am running pptpd on a Centos 5 machine but I didn't set up any logging.

In case of an abuse, I need to determine which of my users did the bad things, meaning I need to log all the traffic. I may have up to 20 users which will use the VPN connection at least 3 hours per day.

Is tcpdump a solution?

Best Answer

I have no experience with pptpd, but I do have pptp running on a CentOS machine which acts as a client connecting outward to a DrayTek router.

So, I would imagine, that for each connected user, there will be a corresponding ppp network interface created on the server to service that user. You could set up some iptables rules which log all packets from these ppp interfaces. The final thing you have to correlate (log) from pptpd is the times when specific users were assigned particular IP addresses. This would then allow you to log the traffic and link it to the corresponding VPN user (even easier if you force VPN users to be assigned a static IP).

You would need to make sure you apply the logging rules in each direction, on the FORWARD chain most likely (to record traffic destined to other hosts on the VPN network, that is routed by the VPN server). Add INPUT and OUTPUT chains if you want to include logging for the server itself (the + denotes all ppp interfaces):

iptables -A FORWARD -i ppp+ -j LOG
iptables -A FORWARD -o ppp+ -j LOG

And obviously, you can tailor the above iptables rules to be more protocol specific, if you are wishing to monitor particular types of traffic.

Using tcpdump to capture PCAPs on a per interface basis would prove a nightmare to implement. You would need to invent some radical way of having a tcpdump process fork and die for each ppp interface that is created and deleted, as users log in and log off. I cannot think of a nice way to do that, and it seems a bit of an overkill anyway to be trying to log the packet contents across each session. Better to have further security measures on the devices they may possibly be connecting to on the private network itself.
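The correlation step the answer describes (joining the kernel's iptables LOG lines to pppd's record of which user held which ppp interface, and when), as an added example that is not part of the original answer. It assumes the two FORWARD rules above were added with `--log-prefix "VPN-FWD: "` and that both pppd and the kernel log to syslog; the sample lines are constructed and the pppd message wording is approximate.

```python
import re

# Constructed sample syslog excerpt (not from the original page); pppd wording is
# approximate, kernel lines assume the rules were added with --log-prefix "VPN-FWD: ".
SAMPLE_LOG = """\
Mar  3 10:00:01 vpn pppd[2101]: Using interface ppp0
Mar  3 10:00:02 vpn pppd[2101]: MSCHAP-v2 peer authentication succeeded for alice
Mar  3 10:05:00 vpn kernel: VPN-FWD: IN=ppp0 OUT=eth0 SRC=10.8.0.11 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=445
Mar  3 10:10:00 vpn pppd[2101]: Connection terminated.
Mar  3 10:12:00 vpn pppd[2190]: Using interface ppp0
Mar  3 10:12:01 vpn pppd[2190]: MSCHAP-v2 peer authentication succeeded for bob
Mar  3 10:13:00 vpn kernel: VPN-FWD: IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=10.8.0.11 PROTO=TCP SPT=22 DPT=52000
Mar  3 10:20:00 vpn pppd[2190]: Connection terminated.
Mar  3 10:21:00 vpn kernel: VPN-FWD: IN=ppp0 OUT=eth0 SRC=10.8.0.11 DST=192.168.1.20 PROTO=TCP SPT=53000 DPT=22
"""

PPPD_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ pppd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
KERN_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ kernel: VPN-FWD: (?P<fields>.*)$')


def attribute_traffic(log_text):
    """Replay the log in order and tag each logged packet with the user whose pppd
    session owned that ppp interface at that moment (ppp0 and the pool IP are reused)."""
    sessions = {}  # pppd pid -> {'iface': 'ppp0', 'user': 'alice'}
    by_iface = {}  # ppp interface -> user, only while that session is up
    records = []
    for line in log_text.splitlines():
        m = PPPD_RE.match(line)
        if m:
            pid, msg = m.group('pid'), m.group('msg')
            s = sessions.setdefault(pid, {})
            if msg.startswith('Using interface '):
                s['iface'] = msg.split()[-1]
            elif 'peer authentication succeeded for ' in msg:
                s['user'] = msg.rsplit(' ', 1)[-1]
            elif msg.startswith('Connection terminated'):
                by_iface.pop(s.get('iface'), None)  # interface is free again
                sessions.pop(pid, None)
                continue
            if 'iface' in s and 'user' in s:
                by_iface[s['iface']] = s['user']
            continue
        m = KERN_RE.match(line)
        if m:
            f = dict(kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)
            # Inbound from the user has IN=pppN; return traffic to the user has OUT=pppN.
            iface = f.get('IN') if f.get('IN', '').startswith('ppp') else f.get('OUT')
            user = by_iface.get(iface, 'UNKNOWN')  # no live session: flag for review
            records.append((m.group('ts'), user, f.get('SRC'), f.get('DST'), f.get('PROTO'), f.get('DPT')))
    return records
```

The last sample packet arrives after bob's session ended and is marked UNKNOWN rather than attributed to the previous holder of the address, which is the mistake a naive IP-to-user lookup makes.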
