OpenVPN Client OS Tracking

TL;DR

Yes, an OpenVPN server can track the client operating system (OS) type, but not directly. It relies on identifying characteristics sent by the client during connection negotiation. This information isn’t foolproof and can be spoofed, but it’s generally reliable.

How OpenVPN Identifies Client OS

OpenVPN doesn’t have a built-in ‘OS detection’ feature. Instead, it looks at the client configuration file and the strings sent during the TLS handshake process. Here’s how:

1. Examining Client Configuration Files

  1. Client Config Contents: The client config file (.ovpn) often contains clues about the OS. For example, Windows configs will have specific directives and settings that Linux or macOS configs won’t.
  2. Example: Look for references to mssfix (common in Windows), or specific paths used by different operating systems.

2. Analyzing TLS Handshake Strings

The most common method is to examine the strings sent during the TLS handshake. These strings often reveal OS-specific information.

  1. Server Logs: OpenVPN server logs are your primary source of data. The location varies depending on your setup (e.g., /var/log/openvpn/openvpn.log or similar).
  2. Identifying Strings: Look for strings like:

    • Windows: You might see references to ‘Windows NT’, ‘Win32’, or specific Windows versions in the TLS handshake logs.
    • Linux: Common strings include ‘Linux’ and distribution names (e.g., ‘Ubuntu’, ‘Debian’, ‘CentOS’).
    • macOS: Look for ‘Darwin’ or ‘Mac OS X’.

3. Using verb 3 in Server Configuration

Increase the verbosity level of your OpenVPN server logs to capture more detailed TLS handshake information.

  1. Edit Server Config: Open your OpenVPN server configuration file (e.g., server.conf).
  2. Add/Modify Verbosity: Add or modify the following line:

    verb 3

  3. Restart Server: Restart your OpenVPN server for the changes to take effect.
  4. Check Logs: Examine the logs again. You should see more detailed TLS handshake information, making OS identification easier.

4. Scripting for Automated Detection (Advanced)

You can write scripts to parse OpenVPN server logs and automatically identify client OS types based on the strings found.

  1. Log Parsing: Use tools like grep, awk, or scripting languages (Python, Bash) to search for OS-specific strings in the logs.
  2. Example (Bash):

    grep -i 'Windows NT' /var/log/openvpn/openvpn.log | wc -l

    This command counts the number of lines containing ‘Windows NT’ in the logs, giving you an indication of how many Windows clients have connected.
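
A line count like the one above rises every time the same client reconnects. The Python sketch below is an added example, not code from the original article: it counts distinct clients per OS family using the strings listed in section 2 and marks clients whose lines match more than one family, which ties in with the spoofing caveat in section 5. The log layout, the sample lines and the IPv4 `ip:port` client field are constructed assumptions, so adjust the regex to your own logs.

```python
import re
from collections import defaultdict

# OS marker strings listed in the article; matched case-insensitively like grep -i.
OS_MARKERS = {
    "windows": ("windows nt", "win32"),
    "linux": ("linux", "ubuntu", "debian", "centos"),
    "macos": ("darwin", "mac os x"),
}

# Assumption: every client-related line carries the source as IPv4 ip:port.
CLIENT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}\b")

# Constructed sample lines (not real OpenVPN output); adapt to your own log layout.
SAMPLE_LOG = """\
2024-01-10 09:00:01 198.51.100.7:50112 client string: Windows NT 10.0
2024-01-10 09:05:44 198.51.100.7:50990 client string: Windows NT 10.0
2024-01-10 09:07:12 203.0.113.20:41000 client string: Ubuntu Linux
2024-01-10 09:09:30 192.0.2.15:60001 client string: Darwin 23.1
2024-01-10 09:11:02 192.0.2.99:33333 client string: Linux
2024-01-10 09:12:47 192.0.2.99:33390 client string: Windows NT 6.1
2024-01-10 09:13:00 housekeeping line with no client address
""".splitlines()


def classify_clients(lines):
    """Map each client IP to the set of OS families its log lines matched."""
    seen = defaultdict(set)
    for line in lines:
        match = CLIENT_RE.search(line)
        if not match:
            continue  # no client address on this line, nothing to attribute
        lowered = line.lower()
        for family, markers in OS_MARKERS.items():
            if any(marker in lowered for marker in markers):
                seen[match.group(1)].add(family)
    return dict(seen)


def summarize(lines):
    """Count distinct clients per OS family; conflicting matches are 'ambiguous'."""
    counts = {family: 0 for family in OS_MARKERS}
    counts["ambiguous"] = 0
    for families in classify_clients(lines).values():
        key = next(iter(families)) if len(families) == 1 else "ambiguous"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample, three lines contain 'Windows NT', yet only one client is consistently Windows; a second address reports both Linux and Windows strings and is reported as ambiguous for manual review.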

5. Limitations and Spoofing

  • Spoofing: Clients can modify their configuration files or TLS handshake strings to appear as a different OS. This is relatively easy for advanced users.
  • Accuracy: The identification isn’t always 100% accurate, especially if the client config file is heavily customized.
  • Privacy Concerns: Be mindful of privacy regulations when collecting and storing this information. Inform your users about data collection practices.