On the production firewall, I was able to resolve the issue as follows:

openvpnctrl -k
rm /var/run.openvpnserver.log
openvpnctrl -s

The file was then created with the proper permissions.

I have no idea why it was writing to /var/log/openvpnserver.log, but
simply restarting the service appeared to fix it. After the upgrade the
other day, I did restart the whole firewall.

By the way, I don't know who wrote this, but I want to publicly thank
you for doing it. It is so much nicer to be able to read the graphs and
see which of the users and net-to-net connections are using up our
bandwidth. This is an excellent addition to the firewall. Thank you for
all the hard work that must have gone into it.

And, I apologize for not testing this sooner. I just never thought to
test it (I never vpn into my test machine; something I will definitely
do in the future).

Rod

On 04/23/2015 01:08 AM, Jacques Hylkema wrote:
> Confirmed. This is a core 88 updated to core 89. Changing 
> *status /var/log/ovpnserver.log 30 *
> to 
> *status /var/run/ovpnserver.log 30*
> and restarting the openvpn server works.
> 
> Also, just stopping and starting the net-to-net vpn's made the
> net-to-net statistics working.
> 
> Met vriendelijke groet,
> With kind regards,
> 
> Jacques Hylkema
> ICT Manager
> Tel +31 (0)342-407040
> E-mail j.hylkema(a)intronics.nl <mailto:j.hylkema(a)intronics.nl>	
> <http://www.linkedin.com/company/intronics>	LinkedIn
> <http://www.linkedin.com/company/intronics>
> 
> <mailto:sales(a)intronics.nl>	Email <mailto:sales(a)intronics.nl>
> 
> <http://www.intronics.nl/>	Website <http://www.intronics.nl/>
> 
> 
> Intronics
> Member of the TKH-group
> Intronics b.v.
> Postbus 123, 3770 AC
> Koolhovenstraat 1E
> 3772 MT  Barneveld	Computer Connectivity
> Industrial Connectivity
> Audio/Video
> Retail	Tel. +31 (0)342-407040
> Tel. +31 (0)342-407080
> Tel. +31 (0)342-407001
> Tel. +31 (0)46-4269000	Fax +31 (0)342-412114
> sales(a)intronics.nl <mailto:sales(a)intronics.nl>
> www.intronics.nl <http://www.intronics.nl/>
> 
> 
> Disclaimer:
> This message (including any attachments) is confidential and may be
> privileged. If you have received it by mistake please notify the sender
> by return e-mail and delete this message from your system. Any
> unauthorised use or dissemination of this message in whole or in part is
> strictly prohibited. Please note that e-mails are susceptible to change.
> Intronics b.v. shall not be liable for the improper or incomplete
> transmission of the information contained in this communication nor for
> any delay in its receipt or damage to your system. Intronics b.v. does
> not guarantee that the integrity of this communication has been
> maintained nor that this communication is free of viruses, interceptions
> or interference.
> 
> 
> P	Please consider the environment before printing this e-mail
> 
> 
> 	
> 
> 
> 2015-04-22 13:23 GMT+02:00 Alexander Marx <alexander.marx(a)oab.de
> <mailto:alexander.marx(a)oab.de>>:
> 
>     Hi
> 
>     please check your /var/ipfire/ovpn/server.conf file.
> 
>     if you have the lines:
> 
>     status-version 1
>     status /var/log/ovpnserver.log 30
> 
>     change them to
> 
>     status-version 1
>     status /var/run/ovpnserver.log 30
> 
>     and restart openvpn server. Does that help?
> 
>     Alexander Marx
> 
>     Fachinformatiker Systemintegration
> 
> 
>     Ostangler Brandgilde
> 
>     Versicherungsverein auf Gegenseitigkeit
> 
> 
> 
>     Flensburger Str. 5
> 
>     24376 Kappeln
> 
>     Tel.: (04642) 91 47 - 62
>     Fax: (04642) 91 47 - 823
>     Web: http://www.ostangler.de
> 
> 
>     Die Ostangler Brandgilde VVaG ist TÜV-Nord zertifiziert nach ISO
>     9001:2008
>     Aufsichtsratvorsitzender: Hans-Walter Jens
> 
>     Vorstandsvorsitzender: Jens-Uwe Rohwer, Vorstand: Andreas Schmid
>     Amtsgericht Flensburg *HRB-Nr.: *158 KA
>     *USt-IdNr.: *DE164624941
>     Am 22.04.2015 um 13:17 schrieb Mathias Schneuwly:
>>
>>     Hi guys
>>
>>
>>     I can confirm this problem. I updated from core 88 to 89 and the
>>     statistics do not work. The permission is also different in my system:
>>
>>     -rw-r--r-- 1 root nobody 0 Apr 22 09:37 /var/run/ovpnserver.log
>>
>>
>>     I changed the ownership to nobody.nobody but till now I don't have
>>     any data in it.
>>
>>
>>     Restarting openvpn will change the ownership back to root.nobody...
>>
>>     
>>
>>     It seems that openvpn does still write into
>>     /var/log/ovpnserver.log in my case. I also can't see the status of
>>     a openvpn roadwarrior in the gui. They are all marked as
>>     "Getrennt" event /var/log/ovpnserver.log says that two
>>     roadwarriors are connected.
>>
>>
>>     My /var/ipfire/ovpn/server.conf looks like this:
>>
>>     #OpenVPN Server conf
>>
>>     daemon openvpnserver
>>     writepid /var/run/openvpn.pid
>>     #DAN prepare OpenVPN for listening on blue and orange
>>     ;local XXXXX
>>     dev tun
>>     proto udp
>>     port 1194
>>     script-security 3 system
>>     ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
>>     client-config-dir /var/ipfire/ovpn/ccd
>>     tls-server
>>     ca /var/ipfire/ovpn/ca/cacert.pem
>>     cert /var/ipfire/ovpn/certs/servercert.pem
>>     key /var/ipfire/ovpn/certs/serverkey.pem
>>     dh /var/ipfire/ovpn/ca/dh1024.pem
>>     server 10.138.84.0 255.255.255.0
>>     tun-mtu 1500
>>     route 10.138.85.0 255.255.255.0
>>     route 10.138.86.0 255.255.255.0
>>     client-to-client
>>     mtu-disc yes
>>     keepalive 10 60
>>     status-version 1
>>     status /var/log/ovpnserver.log 30
>>     cipher BF-CBC
>>     push "dhcp-option DOMAIN XXXXX"
>>     push "dhcp-option DNS 192.168.2.1"
>>     max-clients 100
>>     tls-verify /usr/lib/openvpn/verify
>>     crl-verify /var/ipfire/ovpn/crls/cacrl.pem
>>     user nobody
>>     group nobody
>>     persist-key
>>     persist-tun
>>     verb 3
>>
>>
>>     Regards
>>
>>     Mathias
>>
>>
>>         -----Ursprüngliche Nachricht-----
>>         *Von:* Alexander Marx <alexander.marx(a)oab.de>
>>         <mailto:alexander.marx(a)oab.de>
>>         *Gesendet:* Mit 22 April 2015 11:30
>>         *An:* Michael Tremer <michael.tremer(a)ipfire.org>
>>         <mailto:michael.tremer(a)ipfire.org>; Rod Rodolico
>>         <rodo(a)dailydata.net> <mailto:rodo(a)dailydata.net>
>>         *CC:* development(a)lists.ipfire.org
>>         <mailto:development(a)lists.ipfire.org>; Alexander Marx
>>         <alexander.marx(a)ipfire.org> <mailto:alexander.marx(a)ipfire.org>
>>         *Betreff:* Re: Core 89 bug?
>>
>>         I think this issue is related to the box tracking the testing
>>         branch.
>>
>>         When Rod reinstalls the box and issue remains, this could be a
>>         bug, but i just updtaed some of my boxes to core 89 (no
>>         testing branch) and all seems very well.
>>         the ovpnserver.log (now under /var/run) has these permissions:
>>
>>         -rw-r--r--  1 nobody nobody    0 Apr 22 10:03 ovpnserver.log
>>
>>         Rod please report back after reinstalling.
>>
>>>         Let me ping Alex about this...
>>>
>>>         It should be fine that the file is owned by root. It just has to be
>>>         readable by collectd and writeable by openvpn itself. The status of the
>>>         RW connections is checked over the telnet management interface of the
>>>         openvpn daemon.
>>>
>>>         -Michael
>>>
>>>         On Wed, 2015-04-22 at 03:13 -0500, Rod Rodolico wrote:
>>>>         I was able to track it down to /var/run/ovpnserver.log having ownership
>>>>         root:root, but permissions 600, for some reason. I did the update on
>>>>         another router and it appears to have permissions set to 644, which is
>>>>         more logical since apache needs to be able to read it.
>>>>
>>>>         My office router is set to always go into testing branch, so maybe
>>>>         something happened there. I think I'll rebuild the router from scratch,
>>>>         but if anyone else reports something similar, have them look at the
>>>>         ownership of /var/run/ovpnserver.log.
>>>>
>>>>         Rod
>>>>
>>>>         On 04/21/2015 11:50 PM, Rod Rodolico wrote:
>>>>>         I have Core 89 installed on my router and just noticed something. When I
>>>>>         vpn in (OpenVPN, Road Warrior), it does not show up on the vpn list; the
>>>>>         entry on the web interface shows the user as disconnected.
>>>>>
>>>>>         Looking at /var/log/ovpnserver.log shows nothing also.
>>>>>
>>>>>         However, I am connected; I can ping a machine on the LAN.
>>>>>
>>>>>         I rebooted the firewall just to make sure I did not do anything weird,
>>>>>         but still no changes.
>>>>>
>>>>>         I see the login in /var/log/messages, and /var/log/ovpnserver.log shows
>>>>>         it was updated at the correct time, just no entries.
>>>>>
>>>>>         I have saved copies of the logs in question and have been able to
>>>>>         recreate the scenario.
>>>>>
>>>>>         Rod
>>>>>
>>
>>         _______________________________________________
>>
>>         Development mailing list
>>
>>         Development(a)lists.ipfire.org <mailto:Development(a)lists.ipfire.org>
>>
>>         http://lists.ipfire.org/mailman/listinfo/development
>>
>>
>>
>>     _______________________________________________
>>     Development mailing list
>>     Development(a)lists.ipfire.org <mailto:Development(a)lists.ipfire.org>
>>     http://lists.ipfire.org/mailman/listinfo/development
> 
> 
>     _______________________________________________
>     Development mailing list
>     Development(a)lists.ipfire.org <mailto:Development(a)lists.ipfire.org>
>     http://lists.ipfire.org/mailman/listinfo/development
> 
> 
> 
> 
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
> 

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net