I don’t see a way to specify the syslog facility for OpenVPN – perhaps I can change that in the code. It would allow logging OpenVPN to a specific file and rotating that log file. --log-append does not allow for log rotation.
In this post:
- FreeBSD 15.0
- OpenVPN 2.6.19
Signals sent to OpenVPN do not affect logging. Thus, I must rely upon syslog and newsyslog to achieve log rotation.
At present, a default install of security/openvpn results in logs going to two files:
- /var/log/messages
- /var/log/daemon.log
Although disk space is not an issue in this case, I prefer to keep OpenVPN logs in one file, and not duplicated. It also reduces the “noise” in /var/log/messages.
It is not trivial (or perhaps not possible; show me how) to stop these duplicates. I would prefer a better way.
Last night, I thought: why not change the code? It can’t be that hard.
Let’s look at the OpenVPN code.
The syslog open
I found this around line 475 of src/openvpn/error.c:
void
open_syslog(const char *pgmname, bool stdio_to_null)
{
#if SYSLOG_CAPABILITY
    if (!msgfp && !std_redir)
    {
        if (!use_syslog)
        {
            pgmname_syslog = string_alloc(pgmname ? pgmname : PACKAGE, NULL);
            openlog(pgmname_syslog, LOG_PID, LOG_OPENVPN);
            use_syslog = true;
That openlog call is defined on the man page as:
openlog(const char *ident, int logopt, int facility);
facility. Right there.
What is LOG_OPENVPN defined as?
[11:30 pkg01 dvl ~/ports/head/security/openvpn/work/openvpn-2.6.19] % grep -r LOG_OPENVPN *
src/openvpn/error.c:#ifndef LOG_OPENVPN
src/openvpn/error.c:#define LOG_OPENVPN LOG_DAEMON
src/openvpn/error.c:            openlog(pgmname_syslog, LOG_PID, LOG_OPENVPN);
Looking again in the same file, I find:
#ifndef LOG_OPENVPN
#define LOG_OPENVPN LOG_DAEMON
#endif
That’s it. It also seems that if LOG_OPENVPN is already defined, that definition is used instead of LOG_DAEMON.
When running that grep, I was fortunate that I did it from the port directory. Which meant I also found this:
[11:32 pkg01 dvl ~/ports/head/security/openvpn] % grep LOG_OPENVPN *
Makefile:.ifdef (LOG_OPENVPN)
Makefile:CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
Makefile:.ifdef (LOG_OPENVPN)
Makefile: @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
Makefile: @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
Makefile: @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6"
Well, that’s interesting.
Rebuilding openvpn
Let’s try adding this to /usr/local/etc/poudriere.d/make.conf:
# can I build openvpn to use syslog with something other than facility=daemon
# re: https://cgit.freebsd.org/ports/tree/security/openvpn/Makefile#n125
LOG_OPENVPN=LOG_LOCAL6
Then I rebuilt:
[11:45 pkg01 dvl /usr/local/etc/poudriere.d] % sudo poudriere bulk -j 150amd64 -p default -z primary -C security/openvpn
Checking the log, I found:
/usr/bin/sed -i.bak 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' /wrkdirs/usr/ports/security/openvpn/work/openvpn-2.6.19/configure
Building with LOG_OPENVPN=LOG_LOCAL6
configure: loading site script /usr/ports/Templates/config.site
On the server
I was testing this on my OpenVPN server. I made these changes to /etc/syslog.conf:
[11:51 gw01 dvl ~] % diff -ruN /etc/syslog.conf~ /etc/syslog.conf --- /etc/syslog.conf~ 2026-03-13 18:57:56.000000000 +0000 +++ /etc/syslog.conf 2026-03-15 11:48:24.178756000 +0000 @@ -5,7 +5,7 @@ # may want to use only tabs as field separators here. # Consult the syslog.conf(5) manpage. *.err;kern.warning;auth.notice;mail.crit /dev/console -*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local3.none /var/log/messages +*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local3.none;local6.none /var/log/messages security.* /var/log/security auth.info;authpriv.info /var/log/auth.log mail.info /var/log/maillog
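Review bot: this hunk only stops local6 from reaching /var/log/messages (the added `local6.none` on the `*.notice` line); it routes local6 nowhere, so on its own it would discard OpenVPN's messages until a companion rule such as `local6.* /var/log/openvpn.log` is in place. The `*.err` selector on the /dev/console line is untouched, so local6 messages at err and above will still reach the console as well.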
Specifically, I added ;local6.none to that line. FYI, I use local3 for ddclient logging.
Then, I created this file: /usr/local/etc/syslog.d/openvpn.conf
local6.* /var/log/openvpn.log
With those changes in place, I restarted syslogd to pick up those changes:
[11:49 gw01 dvl /usr/local/etc/syslog.d] % sudo service syslogd restart
Stopping syslogd.
Waiting for PIDS: 1651.
Starting syslogd.
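To see why the default build landed in two files and why the local6.none plus local6.* pair leaves only /var/log/openvpn.log, here is a small model of FreeBSD syslog.conf selector matching. It is an added example, not code from the post or from OpenVPN; the configs are constructed from the lines shown above (the daemon.info rule feeding /var/log/daemon.log is assumed), and program/host blocks (!prog, +host) are not modelled.

```python
"""Model FreeBSD syslog.conf selector matching: which actions get facility.priority?"""
import re

LEVELS = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
          "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console " + " ".join(f"local{i}" for i in range(8))).split()


def _selector(sel):
    """'fac[,fac].pri' -> (facility names, predicate on the message level number)."""
    facs, pri = sel.rsplit(".", 1)
    names = FACILITIES if facs == "*" else facs.split(",")
    if pri == "*":
        return names, lambda lvl: True
    if pri == "none":
        return names, lambda lvl: False
    negate, pri = pri.startswith("!"), pri.lstrip("!")
    exact, num = pri.startswith("="), LEVELS[pri.lstrip("=")]
    # plain 'pri' = that level and anything more severe (lower number);
    # '=' means exact match; a leading '!' turns the selector into an exclusion
    return names, lambda lvl: ((lvl == num) if exact else (lvl <= num)) != negate


def destinations(conf_text, facility, priority):
    """Return the actions syslogd would deliver a facility.priority message to."""
    lvl, out = LEVELS[priority], []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!+-":   # comments; program/host blocks not modelled
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        table = {}                           # later selectors override earlier ones
        for sel in selectors.split(";"):
            names, pred = _selector(sel)
            table.update(dict.fromkeys(names, pred))
        if facility in table and table[facility](lvl):
            out.append(action)
    return out


# Constructed configs based on the lines the post shows (daemon.log rule assumed).
BEFORE = """\
*.err;kern.warning;auth.notice;mail.crit                                  /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local3.none /var/log/messages
daemon.info                                                               /var/log/daemon.log
"""
AFTER = (BEFORE.replace("local3.none", "local3.none;local6.none")
         + "local6.*  /var/log/openvpn.log\n")
```

destinations(BEFORE, "daemon", "notice") gives both messages and daemon.log (the default LOG_DAEMON build), while destinations(AFTER, "local6", "notice") gives only /var/log/openvpn.log; errors under local6 still also reach /dev/console via *.err.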
Next, I cleared the local package cache for the openvpn packages. The new package I built had no change to PORTVERSION, PORTREVISION, or to OPTIONS. Thus, it would not automatically be seen as an upgrade. The lack of a locally cached copy of the package would force a download.
[11:50 gw01 dvl ~] % sudo rm /var/cache/pkg/openvpn-*
The install:
[11:51 gw01 dvl ~] % sudo pkg install -f openvpn
Updating local repository catalogue...
local repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
	openvpn-2.6.19 [local]

Number of packages to be reinstalled: 1

639 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching openvpn-2.6.19: 100%  639 KiB 654.2 kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Reinstalling openvpn-2.6.19...
===> Creating groups
Using existing group 'openvpn'
===> Creating users
Using existing user 'openvpn'
[1/1] Extracting openvpn-2.6.19: 100%
=====
Message from openvpn-2.6.19:

--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody" when an
unprivileged user account is desired. It is advisable to review
existing configuration files and to consider adding/changing
user openvpn and group openvpn.
After a restart, which is sometimes risky (at least in my mind) given the host is at the other end of town:
[11:51 gw01 dvl ~] % sudo service openvpn restart
Stopping openvpn.
Waiting for PIDS: 1533.
Starting openvpn.
Despite my concerns about restarting OpenVPN, it came back fine, and logging to /var/log/messages and to /var/log/daemon.log stopped. OpenVPN was logging only to one file: /var/log/openvpn.log
Success.
Log rotation
This is how I do log rotation:
[12:34 gw01 dvl ~] % cat /usr/local/etc/newsyslog.conf.d/openvpn.conf
# Only .conf files /usr/local/etc/newsyslog.conf.d/ are pulled in by newsyslog
#
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/openvpn.log   root:logcheck    640  50    *    $D0   B
Lastly
Despite the title of this blog post, there was no hacking of code, although that was my intention when I started writing.
That logging knob has been there since at least 2009, based on my reading of this commit.
Thank you for coming to my TED talk.