Decoding Encoded VPN SDK Logs
VPN SDK logs on user devices are encoded to protect sensitive information and comply with Apple requirements. However, there may be times during development, debugging, or support when you need to decode these logs. This article explains how to set up your environment and run a Python script to decode VPN SDK logs.
Prerequisites
To decode the logs, you will need:
Python 3
PyCryptodome library
Encoded VPN SDK logs from the user's device
Decryption key and initialization vector (obtained from your Pango account representative)
Environment Setup
Install Python 3 using your preferred method. For example, using Homebrew:
brew install python3
Ensure the path for python3 is added to your PATH variable and pip is set to pip3.
Set up your environment with:
python3 -m venv env
. env/bin/activate
Install the PyCryptodome library:
pip install pycryptodome
If you encounter an "externally-managed-environment" error:
try:
pip install pycryptodome --break-system-packages
Obtaining Encoded Logs
The user's device stores logs for the 10 latest VPN sessions. Refer to this guide for detailed instructions on enabling debug logging, obtaining logs, and real-time debugging.
Decoding Logs
Save the
decode_logs.py
script (provided below) in a convenient folder.
Move the encoded logs to a separate folder containing no other files. This can be a subfolder of the script's location.
Create an output folder for the decoded logs. The decoded files will have a "_decrypted" suffix added to their names.
In the Terminal, navigate to the script's folder and run it with the following parameters:
python3 decode_logs.py -i <path_to_logs_folder> -o <path_to_output_folder> -k '<decoding_key>' -v '<decoding_initialization_vector>'
Replace the placeholders with the appropriate paths and decryption parameters.
If successful, you will see output like:
✅ vpnsdk_log
Adding Log Encoding Credentials
Starting from version 6.8.0 of Unified VPN SDK for Apple, it is possible to add CryptographicCredentials
for Hydra and WireGuard configurations, as well as Combined configurations. These credentials are used in the process of encoding logs for secure transmission and later decoding them for analysis.
To add custom CryptographicCredentials
, you need to create an instance of the CryptographicCredentials
class, providing the necessary key and iv values. Then, pass this instance to the logCryptographicCredentials: CryptographicCredentials?
property of your configuration:
let logCryptographicCredentials = CryptographicCredentials(
key: "YOUR_CRYPTOGRAPHIC_KEY",
iv: "YOUR_CRYPTOGRAPHIC_IV")
let validatedLogCryptographicCredentials = logCryptographicCredentials.isValid ?
logCryptographicCredentials : nil
var hydraConfiguration = HydraConfiguration(
// ...
logCryptographicCredentials: validatedLogCryptographicCredentials,
// ...
)
It is important to note that the logCryptographicCredentials
property is optional in any configuration and can be omitted. If no custom credentials are provided (i.e., the property is set to nil), default credentials will be used for log encoding. In this case, the encoded logs can only be decoded by the Apple VPN SDK Team upon request from the Partner's development team.
To ensure the validity of the provided CryptographicCredentials
, it is recommended to check the isValid property before assigning the credentials to the logCryptographicCredentials property. If the credentials are invalid, you can set the property to nil to use the default credentials.
Troubleshooting
When executing the decode_logs.py
script, the following error traceback is observed:
Traceback (most recent call last):
File "../Scripts/decode_logs.py", line 79, in <module>
main(sys.argv[1:])
~~~~^^^^^^^^^^^^^^
File "../Scripts/decode_logs.py", line 70, in main
decodeFile(file.path, outputPath, decodingKey, decodingVector)
~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "../Scripts/decode_logs.py", line 16, in decodeFile
with open(inputFile, 'rb') as f:
~~~~^^^^^^^^^^^^^^^^^
IsADirectoryError: [Errno 21] Is a directory: '../logs/decoded'
The error indicates that the script is attempting to open a directory ('../logs/decoded'
) as a file, resulting in an "IsADirectoryError".
To resolve the "IsADirectoryError", follow these steps:
Locate the logs source folder (
../logs/
). Identify the decoded logs output folder (../logs/decoded/
) within the logs source folder.Move the decoded logs output folder outside of the logs source folder to a separate location.
Update the
decode_logs.py
script to point to the new location of the decoded logs output folder.Re-run the
decode_logs.py
script to verify that the error has been resolved.
Last updated
Was this helpful?