opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

FR: OpenVPN respects Framed-IP-Address from Radius #2348

Closed mimugmail closed 6 years ago

mimugmail commented 6 years ago

To achieve there should be

ifconfig-push Framed-IP-Address Framed-IP-Network

Since ifconfig-push is the same as "IPv4 Tunnel Network" in CSC, the checkbox should disable "IPv4 Tunnel Network" or a if check when enabled to alter the value of "IPv4 Tunnel Network" when set.

AdSchellevis commented 6 years ago

For reference, the basic idea so far looks like this: we refactor auth-user.php

To fetch the authenticator object in auth-user.php#L115 and then use getLastAuthProperties() on it when authenticated.

If we received any parameters or there is a csc defined for this user, we generate a new one, using some of the logic found in openvpn.inc#L1071-L1075

We probably need to change the cleanup or remove it from openvpn.inc#L1083-L1091

One question remains: if we hook the csc generation into the login sequence, is there any reason left to generate all of them after configuration, using the openvpn_configure_csc() function? I'm not sure if there's an access path missing where auth-user.php isn't called, but the csc will be used when there. Ideas?

mimugmail commented 6 years ago

I'm also not really sure how to handle existing CSCs because there are some options missing from Radius which might be essential to a working setup, like pushing specific networks.

If it's not too complicated I'd just search for ifconfig-push in an existing CSC and replace it, otherwise add it, or lastly create a new CSC.

When not possible there is the limitation that a radius setup can only inherit options from general server config (which is also fine I'd say).
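The mapping discussed above (Framed-IP-Address/Framed-IP-Netmask to ifconfig-push, Framed-Route to iroute, and "replace ifconfig-push in an existing CSC, otherwise add it") written out as an added, stand-alone Python example. It is not code from the OPNsense project or from either commenter; the attribute list and the static override are constructed from the values quoted in this thread, and the tunnel-network bounds check (refusing a RADIUS address that lies outside the server's "IPv4 Tunnel Network") is an assumption added here, since a misconfigured RADIUS reply would otherwise push an address the server never routes.

```python
import ipaddress

# Constructed Access-Accept attributes, modelled on the radtest output quoted in the thread.
SAMPLE_RADIUS_ATTRS = [
    ("Framed-IP-Address", "192.168.99.222"),
    ("Framed-IP-Netmask", "255.255.255.0"),
    ("Framed-Route", "192.168.2.0/24"),
    ("Framed-Route", "192.168.1.1/32 0.0.0.0 1"),   # RFC 2865 form: prefix, gateway, metric
]

# Constructed static client-specific override for the same common name.
EXISTING_CSC = """# static override for test
ifconfig-push 192.168.99.50 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
"""

# RFC 2865 reserved Framed-IP-Address values: let the NAS / the user pick the address.
NAS_SELECTS = "255.255.255.254"
USER_SELECTS = "255.255.255.255"


def radius_to_csc_lines(attrs, tunnel_network):
    """Map Framed-* attributes to OpenVPN client-specific directives.

    tunnel_network is the server's "IPv4 Tunnel Network" (assumed to be passed
    in by the caller); an address outside it is rejected instead of pushed.
    """
    tunnel = ipaddress.ip_network(tunnel_network)
    addr = None
    netmask = str(tunnel.netmask)          # fallback when no Framed-IP-Netmask is sent
    iroutes = []
    for name, value in attrs:
        if name == "Framed-IP-Address":
            addr = value
        elif name == "Framed-IP-Netmask":
            netmask = value
        elif name == "Framed-Route":
            prefix = value.split()[0]      # drop the optional gateway and metric fields
            net = ipaddress.ip_network(prefix, strict=False)
            iroutes.append(f"iroute {net.network_address} {net.netmask}")
    lines = []
    if addr and addr not in (NAS_SELECTS, USER_SELECTS):
        if ipaddress.ip_address(addr) not in tunnel:
            raise ValueError(f"RADIUS assigned {addr} outside tunnel network {tunnel}")
        lines.append(f"ifconfig-push {addr} {netmask}")
    return lines + iroutes


def merge_csc(existing_text, radius_lines):
    """Replace the directives the RADIUS reply supplies, keep every other line."""
    supplied = {line.split()[0] for line in radius_lines}
    kept = []
    for line in existing_text.splitlines():
        stripped = line.strip()
        directive = None
        if stripped and not stripped.startswith("#"):
            directive = stripped.split()[0]
        if directive in supplied:
            continue                        # superseded by the RADIUS value
        kept.append(line)
    return "\n".join(kept + radius_lines) + "\n"


if __name__ == "__main__":
    new_lines = radius_to_csc_lines(SAMPLE_RADIUS_ATTRS, "192.168.99.0/24")
    print(merge_csc(EXISTING_CSC, new_lines))
```

With the sample data the static ifconfig-push is dropped in favour of 192.168.99.222, the pushed 10.0.0.0/8 route from the override survives, and two iroute lines are appended; with a tunnel network that does not contain the assigned address the function raises instead of writing a file.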

AdSchellevis commented 6 years ago

I actually meant the other non user logins, the configured override should be merged with the radius attributes in my opinion. Let me get back to you as soon as I have something functional.

If you have the change, could you test https://github.com/opnsense/core/commit/f50c9266fd71152a4ee80f46a2f8071156e1710f and https://github.com/opnsense/core/commit/017b00ee9b2b9ca1a65c7dd38f3f6c86e987cb72 for me to check if it didn't break the normal operation?

mimugmail commented 6 years ago

A simple test with local user auth worked fine on latest master. Is there something specific to test?

AdSchellevis commented 6 years ago

The first commit is only about authentication, so that should be good. The second one covers the csc generation. Testing a user with a csc, then remove it and retest should be enough, the contents of the file haven't changed.

Thanks so far anyway :)

mimugmail commented 6 years ago

csc creation and login work, but deleting it doesn't remove the file, nor disable it.

AdSchellevis commented 6 years ago

@mimugmail ok, I'll have to look at that, weird, the cleanup should be unchanged.

mimugmail commented 6 years ago

@AdSchellevis ok, deletion of the csc doesn't trigger a delete on the filesystem, neither with a restart of the openvpn daemon. I have to restart the machine .. but this is also the normal behaviour in stable. So this should be ok.

AdSchellevis commented 6 years ago

@mimugmail ok, thanks for testing.

AdSchellevis commented 6 years ago

@mimugmail ok, next test, https://github.com/opnsense/core/commit/41cbf22e8e917a890fee93d2a680318b901a347d https://github.com/opnsense/core/commit/a71318907652153c1fd9c48aff771e7371ff3e64 https://github.com/opnsense/core/commit/e2bd521ffa5f6537cc6c27cf45f3c17226e825b8 contains some minor cleanups and integrates the radius properties.

There are some questions left to be handled:

mimugmail commented 6 years ago

I fetched the latest master but it doesn't seem to work:

(0) Sent Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:5165 length 0
(0)   Framed-Protocol = PPP
(0)   Framed-IP-Address = 192.168.99.222
(0)   Framed-IP-Netmask = 255.255.255.0
(0) Finished request

Apr 20 20:43:53 OPNsense openvpn: user 'test' authenticated using 'localradius'
Apr 20 20:43:53 OPNsense openvpn[60721]: 81.24.66.132:50376 [test] Peer Connection Initiated with [AF_INET]81.24.66.132:50376
Apr 20 20:43:53 OPNsense openvpn[60721]: MULTI_sva: pool returned IPv4=192.168.99.6, IPv6=(Not enabled)

User: test authenticated successfully.
This user is a member of these groups:

Attributes received from server:
Framed-IP-Address => 192.168.99.222
Framed-IP-Netmask => 255.255.255.0

AdSchellevis commented 6 years ago

ok, that's weird. Can you try to add a csc for this user/common_name and see what happens with and without the framed-ip/netmask set?

It should at least write a new file on login then showing the file it created in the log https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/openvpn/auth-user.php#L123

mimugmail commented 6 years ago

No, I already created a csc without Tunnel Network and with, date of file doesn't change after login.

AdSchellevis commented 6 years ago

ok, I'll have to setup something to test it myself it seems, I'll get back on this.

AdSchellevis commented 6 years ago

@mimugmail I can't seem to replicate your issue, my csc file is always overwritten after authentication.

My log looks like this (relevant bits):


Apr 22 12:01:12 OPNsense openvpn: user 'test' authenticated using 'test_local_radius' cso :/var/etc/openvpn-csc/2/test
Apr 22 12:01:12 OPNsense openvpn[88406]: 10.37.129.2:61274 TLS: Username/Password authentication succeeded for username 'test' 
Apr 22 12:01:12 OPNsense openvpn[88406]: test/10.37.129.2:61274 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/2/test

Settings in my OpenVPN server:

And Freeradius config is quite simple, when authenticated using "test" it returns:

User: test authenticated successfully.
This user is a member of these groups: 
admins test1234567890 

Attributes received from server: 
Framed-IP-Address => 192.168.0.1
Framed-IP-Netmask => 255.255.255.0

mimugmail commented 6 years ago

No other checkboxes ticked? Like Topology or something?

AdSchellevis commented 6 years ago

Not really, I've "Address Pool" set, but I doubt that makes a difference in running the auth part

mimugmail commented 6 years ago

And you test with latest master or stable with patches?

AdSchellevis commented 6 years ago

latest master, I'm still working on some other fixes, but this one seems pretty stable on my end so far.

AdSchellevis commented 6 years ago

hold on, I seem to have an issue too now. The $common_name seems to be empty somehow, I'll get back on this.

AdSchellevis commented 6 years ago

@mimugmail can you try again? using https://github.com/opnsense/core/commit/3c46a4f7ca1e3440f0460300a40461a90c4bad93 as well

Although this shouldn't make a difference when the mode is "SSL/TLS + User Auth"..

mimugmail commented 6 years ago

I don't use SSL/TLS since this would mean I have to create a certificate for the user and use different exports. My goal with Radius is to have ONE config and do the separation only via User/PW. Also, since FreeRadius is MVC, user mgmt would be scriptable.

With UserAuth (no SSL) it still doesn't work, but log looks good:

Apr 22 21:06:39 OPNsense openvpn: user 'test' authenticated using 'localradius' cso :/var/etc/openvpn-csc/1/test
Apr 22 21:06:39 OPNsense openvpn[47460]: 81.24.66.132:54423 [test] Peer Connection Initiated with [AF_INET]81.24.66.132:54423
Apr 22 21:06:39 OPNsense openvpn: client config removed @ /var/etc/openvpn-csc/1/test
Apr 22 21:06:39 OPNsense openvpn[47460]: MULTI_sva: pool returned IPv4=192.168.99.2, IPv6=(Not enabled)

Via Radius I assigned 192.168.99.222 ...

AdSchellevis commented 6 years ago

what does your cso look like after connect? (/var/etc/openvpn-csc/1/test)

mimugmail commented 6 years ago

Hm, I started my test equip today and now it's working :/ csc now looks good, I'll test a bit.

Shall I add Framed-Route option to FreeRadius plugin?

AdSchellevis commented 6 years ago

sure, I use your plugin to test my end :) Works flawlessly by the way

mimugmail commented 6 years ago

For route and ipv6 can you try my branch? I don't want to merge into master yet since I'm not sure this will work.

git clone https://github.com/mimugmail/plugins
cd plugins
git checkout fr
cd net/freeradius
make upgrade

AdSchellevis commented 6 years ago

ok, thanks, it seems to work, first issues found :) (on my end)

mimugmail commented 6 years ago

Ah yes, Framed-Route is crazy summed in the tester :) So when Route and v6 works for you (in general) I'd open a PR for a new version.

AdSchellevis commented 6 years ago

@mimugmail https://github.com/opnsense/core/commit/6d0b93b856b74a62c1d99c57e9dc15947acefdd6 adds the Framed-route, which seems to function nicely on my end. IPv6 is more difficult it seems, I do receive an attribute 168 (Framed-IPv6-Address), but I can't find how to parse an ipv6 address response in the php library.

If these changes work on your end too, we probably can close this issue.

mimugmail commented 6 years ago

I'm not sure about Framed V6 Address, that's why I didn't open a PR. Perhaps Framed-IPv6-Prefix is correct.

AdSchellevis commented 6 years ago

To be honest, I kind of expect your setup to be correct, radtest tells me this:

 # radtest -x test test 127.0.0.1 1812 test
Sent Access-Request Id 255 from 0.0.0.0:12153 to 127.0.0.1:1812 length 74
    User-Name = "test"
    User-Password = "test"
    NAS-IP-Address = 10.211.55.100
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "test"
Received Access-Accept Id 255 from 127.0.0.1:1812 to 0.0.0.0:0 length 106
    Framed-IP-Address = 192.168.0.1
    Framed-IP-Netmask = 255.255.255.0
    Framed-Route = "192.168.2.0/24"
    Framed-Route = "192.168.1.1/32"
    Framed-Route = "192.168.254.0/24"
    Framed-IPv6-Address = fdb6:2c26:f4e4:0:21c:42ff:fefe:4a30
    Framed-Protocol = PPP

Which looks ok as far as I can see, but how to parse the response in pecl-radius.. I don't know.

mimugmail commented 6 years ago

Probably it doesn't make much sense without prefix-delegation together. I'll test today and send a PR for Radius. Thanks for your help! Nice step forward :)

AdSchellevis commented 6 years ago

@mimugmail can we close this issue?

mimugmail commented 6 years ago

@AdSchellevis Have you verified what happens to existing CSCs? I could test this after business hours at a customer site already using P2P OpenVPN with CSC.

mimugmail commented 6 years ago

@AdSchellevis ok, customer was not in the office, all tests went fine, I'm closing this.

Thanks Ad! 🥇

mimugmail commented 6 years ago

Hi,

can we hold this back from going live? I had this patch on a production system for over 2 weeks now, but yesterday a client VPN (also OPNsense with client config and static CSC) wasn't working. I restarted the service many times on both sides and also rebooted the machines.

In the end I had to downgrade to 18.1.8 to let it work again.

I checked the CSC files and they were there with the same content as of now. Also I checked the routes in the system (server) and saw packets entering from server LAN to ovpns1 interface, but with inspecting traffic 1194 to the client I was not able to see outgoing packets, so OpenVPN probably discarded them.

What I saw was that in connection status there were no routes to see for the client:

[screenshot: pmeproblem]

Now with the stable version the networks are back:

[screenshot: pmeproblem2]

The first network is the one on the client LAN, the second one is the tunnel network.

AdSchellevis commented 6 years ago

@mimugmail It's not scheduled for release yet.

AdSchellevis commented 6 years ago

could you gather some logs as well (from the client and server), if it worked before and it stops working now without a noticeable change that's odd.

mimugmail commented 6 years ago

@AdSchellevis I updated the screenshots ... c+p from GH is crazy :)

AdSchellevis commented 6 years ago

@mimugmail I thought it was my end :)

mimugmail commented 6 years ago

With patch:
May 24 08:47:45 pme-fw openvpn[27658]: X.X.X.X:45151 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 24 08:47:45 pme-fw openvpn[27658]: X.X.X.X:45151 [csc-cn] Peer Connection Initiated with [AF_INET]X.X.X.X:45151
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 MULTI_sva: pool returned IPv4=192.168.99.2, IPv6=(Not enabled)
May 24 08:47:45 pme-fw openvpn: client config created @ /var/etc/openvpn-csc/1/csc-cn
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_5dde7ad76623d6eeb1a5992e47679d7.tmp
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 MULTI: Learn: 192.168.99.2 -> csc-cn/X.X.X.X:45151
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 MULTI: primary virtual IP for csc-cn/X.X.X.X:45151: 192.168.99.2
May 24 08:47:46 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 PUSH: Received control message: 'PUSH_REQUEST'
May 24 08:47:46 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 SENT CONTROL [csc-cn]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route-gateway 192.168.99.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.99.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 24 08:47:46 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 Data Channel: using negotiated cipher 'AES-256-GCM'
May 24 08:47:46 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 24 08:47:46 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

With 18.1.8:
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 [csc-cn] Peer Connection Initiated with [AF_INET]X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/csc-cn
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: Learn: 192.168.99.0 -> csc-cn/X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: primary virtual IP for csc-cn/X.X.X.X:61888: 192.168.99.0
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: internal route 10.0.38.0/24 -> csc-cn/X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: Learn: 10.0.38.0/24 -> csc-cn/X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: MULTI: Learn: 10.0.38.11 -> csc-cn/X.X.X.X:61888
May 24 08:52:16 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 PUSH: Received control message: 'PUSH_REQUEST'
May 24 08:52:16 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 SENT CONTROL [csc-cn]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route-gateway 192.168.99.1,topology subnet,ping 10,ping-restart 60,route 10.0.0.0 255.0.0.0,ifconfig 192.168.99.0 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 24 08:52:16 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 Data Channel: using negotiated cipher 'AES-256-GCM'
May 24 08:52:16 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 24 08:52:16 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

It looks identical, besides the learned route from the CSC and the options import: one time from /tmp, the other from /var/etc.
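The two log excerpts above differ in exactly two details that are easy to miss by eye: where OPTIONS IMPORT reads the client-specific options from, and whether an "internal route" (the iroute from the static CSC) is learned for the session. The following added Python example is not part of this issue or of the OPNsense code base; it parses the syslog lines in the format quoted here, builds a per-common-name summary (import paths, learned iroutes, primary virtual IP, client-config create/remove events) and compares a suspect run against a known-good one. The two embedded logs are constructed, trimmed copies of the "with patch" and "18.1.8" excerpts posted above.

```python
import re

# Constructed excerpts, trimmed from the two runs quoted in the thread (peers masked as posted).
LOG_WITH_PATCH = """\
May 24 08:47:45 pme-fw openvpn[27658]: X.X.X.X:45151 [csc-cn] Peer Connection Initiated with [AF_INET]X.X.X.X:45151
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 MULTI_sva: pool returned IPv4=192.168.99.2, IPv6=(Not enabled)
May 24 08:47:45 pme-fw openvpn: client config created @ /var/etc/openvpn-csc/1/csc-cn
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_5dde7ad76623d6eeb1a5992e47679d7.tmp
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 MULTI: Learn: 192.168.99.2 -> csc-cn/X.X.X.X:45151
May 24 08:47:45 pme-fw openvpn[27658]: csc-cn/X.X.X.X:45151 MULTI: primary virtual IP for csc-cn/X.X.X.X:45151: 192.168.99.2
"""

LOG_STABLE = """\
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 [csc-cn] Peer Connection Initiated with [AF_INET]X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/csc-cn
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: Learn: 192.168.99.0 -> csc-cn/X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: primary virtual IP for csc-cn/X.X.X.X:61888: 192.168.99.0
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: internal route 10.0.38.0/24 -> csc-cn/X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: csc-cn/X.X.X.X:61888 MULTI: Learn: 10.0.38.0/24 -> csc-cn/X.X.X.X:61888
"""

# syslog prefix: "Mon DD HH:MM:SS host openvpn[pid]: msg" (the pid is absent on the OPNsense helper lines)
SYSLOG_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ openvpn(?:\[\d+\])?: (?P<msg>.*)$")
# messages tied to an authenticated session carry "cn/peer:port " in front
SESSION_RE = re.compile(r"^(?P<cn>[^/ ]+)/\S+:\d+ (?P<rest>.*)$")
IMPORT_RE = re.compile(r"OPTIONS IMPORT: reading client specific options from: (?P<path>\S+)")
IROUTE_RE = re.compile(r"MULTI: internal route (?P<net>\S+) ->")
VIP_RE = re.compile(r"MULTI: primary virtual IP for \S+: (?P<ip>\S+)")
CSC_EVENT_RE = re.compile(r"client config (?P<what>created|removed) @ (?P<path>\S+)")


def _session(sessions, cn):
    return sessions.setdefault(cn, {"imports": [], "iroutes": [], "virtual_ip": None, "csc_events": []})


def summarize(log_text):
    """Return {common_name: summary} for every client session seen in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        ev = CSC_EVENT_RE.search(msg)
        if ev:
            # the helper line has no session prefix; the file's basename is the common name
            cn = ev.group("path").rsplit("/", 1)[-1]
            _session(sessions, cn)["csc_events"].append((ev.group("what"), ev.group("path")))
            continue
        s = SESSION_RE.match(msg)
        if not s:
            continue
        info = _session(sessions, s.group("cn"))
        rest = s.group("rest")
        if (im := IMPORT_RE.search(rest)):
            info["imports"].append(im.group("path"))
        elif (ir := IROUTE_RE.search(rest)):
            info["iroutes"].append(ir.group("net"))
        elif (vip := VIP_RE.search(rest)):
            info["virtual_ip"] = vip.group("ip")
    return sessions


def compare(suspect, reference):
    """List, per common name, iroutes and virtual IPs that changed against the known-good run."""
    findings = {}
    for cn, ref in reference.items():
        cur = suspect.get(cn, {"imports": [], "iroutes": [], "virtual_ip": None})
        lost = sorted(set(ref["iroutes"]) - set(cur["iroutes"]))
        if lost or cur["virtual_ip"] != ref["virtual_ip"]:
            findings[cn] = {
                "lost_iroutes": lost,
                "virtual_ip": (ref["virtual_ip"], cur["virtual_ip"]),
                "imports": cur["imports"],
            }
    return findings


if __name__ == "__main__":
    for cn, finding in compare(summarize(LOG_WITH_PATCH), summarize(LOG_STABLE)).items():
        print(cn, finding)
```

On the sample data the comparison reports that csc-cn lost the 10.0.38.0/24 iroute, that its virtual IP moved from 192.168.99.0 to the pool address 192.168.99.2, and that the only options file imported came from /tmp; that is the same triple the thread arrives at by reading the logs side by side, and the "client config created" event with no import from /var/etc/openvpn-csc shows the static override was regenerated rather than read.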

AdSchellevis commented 6 years ago

@mimugmail is there anything above the " /tmp/openvpn_cc_5dde7ad76623d6eeb1a5992e47679d7.tmp" in the version with patch?

mimugmail commented 6 years ago

Sure, but it's identical on both sides, so I removed it:

May 24 08:52:14 pme-fw openvpn[22652]: TCP connection established with [AF_INET]X.X.X.X:61888
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 TLS: Initial packet from [AF_INET]X.X.X.X:61888, sid=6a7d1abd d274fa63
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 VERIFY SCRIPT OK: depth=1, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=internal-ca
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 VERIFY OK: depth=1, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=internal-ca
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 VERIFY SCRIPT OK: depth=0, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=csc-cn
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 VERIFY OK: depth=0, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=csc-cn
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_VER=2.4.6
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_PLAT=freebsd
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_PROTO=2
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_NCP=2
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_LZ4=1
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_LZ4v2=1
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_LZO=1
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_COMP_STUB=1
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_COMP_STUBv2=1
May 24 08:52:15 pme-fw openvpn[22652]: X.X.X.X:61888 peer info: IV_TCPNL=1

AdSchellevis commented 6 years ago

ok, thanks, I seem to be missing the point why the openvpn file is instantly being imported from /tmp, this needs some more investigation, although I can't reproduce this myself it seems.

mimugmail commented 6 years ago

It was also stable on my end for two weeks .. must be some rare case .. but since this impacts also installations with just using CSC and not radius stuff I'm unsure about releasing it.

AdSchellevis commented 6 years ago

yes, we should postpone for now. just to be sure, nothing did change on the box, OpenVPN still the same version, server modes like they used to be, right?

mimugmail commented 6 years ago

I reverted back to latest master and still cannot route traffic, so it's reproducible. This is the complete log after update to master and reboot:

May 24 09:47:33 pme-fw openvpn[57158]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  2 2018
May 24 09:47:33 pme-fw openvpn[57158]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
May 24 09:47:33 pme-fw openvpn[59493]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
May 24 09:47:33 pme-fw openvpn[59493]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 24 09:47:33 pme-fw openvpn[59493]: Diffie-Hellman initialized with 2048 bit key
May 24 09:47:33 pme-fw openvpn[59493]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 24 09:47:33 pme-fw openvpn[59493]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 24 09:47:33 pme-fw openvpn[59493]: ROUTE_GATEWAY 81.24.66.1/255.255.255.128 IFACE=igb1 HWADDR=00:10:f3:3b:f3:73
May 24 09:47:33 pme-fw openvpn[59493]: TUN/TAP device ovpns1 exists previously, keep at program end
May 24 09:47:33 pme-fw openvpn[59493]: TUN/TAP device /dev/tun1 opened
May 24 09:47:33 pme-fw openvpn[59493]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 24 09:47:33 pme-fw openvpn[59493]: /sbin/ifconfig ovpns1 192.168.99.1 192.168.99.2 mtu 1500 netmask 255.255.255.0 up
May 24 09:47:33 pme-fw openvpn[59493]: /sbin/route add -net 192.168.99.0 192.168.99.2 255.255.255.0
May 24 09:47:33 pme-fw openvpn[59493]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1624 192.168.99.1 255.255.255.0 init
May 24 09:47:33 pme-fw openvpn[59493]: /sbin/route add -net 10.0.38.0 192.168.99.2 255.255.255.0
May 24 09:47:33 pme-fw openvpn[59493]: /sbin/route add -net 10.0.91.0 192.168.99.2 255.255.255.0
May 24 09:47:33 pme-fw openvpn[59493]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 24 09:47:33 pme-fw openvpn[59493]: Socket Buffers: R=[65228->65228] S=[65228->65228]
May 24 09:47:33 pme-fw openvpn[59493]: Listening for incoming TCP connection on [AF_INET]81.24.66.48:1194
May 24 09:47:33 pme-fw openvpn[59493]: TCPv4_SERVER link local (bound): [AF_INET]81.24.66.48:1194
May 24 09:47:33 pme-fw openvpn[59493]: TCPv4_SERVER link remote: [AF_UNSPEC]
May 24 09:47:33 pme-fw openvpn[59493]: MULTI: multi_init called, r=256 v=256
May 24 09:47:33 pme-fw openvpn[59493]: IFCONFIG POOL: base=192.168.99.2 size=252, ipv6=0
May 24 09:47:33 pme-fw openvpn[59493]: MULTI: TCP INIT maxclients=1024 maxevents=1028
May 24 09:47:33 pme-fw openvpn[59493]: Initialization Sequence Completed
May 24 09:47:33 pme-fw openvpn[59493]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
May 24 09:47:34 pme-fw openvpn[59493]: MANAGEMENT: CMD 'status 2'
May 24 09:47:34 pme-fw openvpn[59493]: MANAGEMENT: CMD 'quit'
May 24 09:47:34 pme-fw openvpn[59493]: MANAGEMENT: Client disconnected
May 24 09:47:35 pme-fw openvpn[59493]: TCP connection established with [AF_INET]X.X.X.X:19833
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 TLS: Initial packet from [AF_INET]X.X.X.X:19833, sid=22291197 06c32ceb
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 VERIFY SCRIPT OK: depth=1, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=internal-ca
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 VERIFY OK: depth=1, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=internal-ca
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 VERIFY SCRIPT OK: depth=0, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=csc-cn
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 VERIFY OK: depth=0, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=csc-cn
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_VER=2.4.6
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_PLAT=freebsd
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_PROTO=2
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_NCP=2
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_LZ4=1
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_LZ4v2=1
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_LZO=1
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_COMP_STUB=1
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_COMP_STUBv2=1
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 peer info: IV_TCPNL=1
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 24 09:47:35 pme-fw openvpn[59493]: X.X.X.X:19833 [csc-cn] Peer Connection Initiated with [AF_INET]X.X.X.X:19833
May 24 09:47:35 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn-csc/1/csc-cn
May 24 09:47:35 pme-fw openvpn: client config created @ /var/etc/openvpn-csc/1/csc-cn
May 24 09:47:35 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_7ef7beaec8bf309353b36ac72322e07b.tmp
May 24 09:47:35 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 MULTI: Learn: 192.168.99.0 -> csc-cn/X.X.X.X:19833
May 24 09:47:35 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 MULTI: primary virtual IP for csc-cn/X.X.X.X:19833: 192.168.99.0
May 24 09:47:35 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 MULTI: internal route 10.0.38.0/24 -> csc-cn/X.X.X.X:19833
May 24 09:47:35 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 MULTI: Learn: 10.0.38.0/24 -> csc-cn/X.X.X.X:19833
May 24 09:47:36 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 PUSH: Received control message: 'PUSH_REQUEST'
May 24 09:47:36 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 SENT CONTROL [csc-cn]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route-gateway 192.168.99.1,topology subnet,ping 10,ping-restart 60,route 10.0.0.0 255.0.0.0,ifconfig 192.168.99.0 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 24 09:47:36 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 Data Channel: using negotiated cipher 'AES-256-GCM'
May 24 09:47:36 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 24 09:47:36 pme-fw openvpn[59493]: csc-cn/X.X.X.X:19833 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 24 09:47:41 pme-fw openvpn: client config removed @ /var/etc/openvpn-csc/1/csc-cn
May 24 09:47:41 pme-fw openvpn[59493]: /sbin/route delete -net 10.0.38.0 192.168.99.2 255.255.255.0
May 24 09:47:41 pme-fw openvpn[59493]: /sbin/route delete -net 10.0.91.0 192.168.99.2 255.255.255.0
May 24 09:47:41 pme-fw openvpn[59493]: Closing TUN/TAP interface
May 24 09:47:41 pme-fw openvpn[59493]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown ovpns1 1500 1624 192.168.99.1 255.255.255.0 init
May 24 09:47:41 pme-fw openvpn[59493]: SIGTERM[hard,] received, process exiting
May 24 09:47:41 pme-fw openvpn[59915]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  2 2018
May 24 09:47:41 pme-fw openvpn[59915]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
May 24 09:47:41 pme-fw openvpn[60086]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
May 24 09:47:41 pme-fw openvpn[60086]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 24 09:47:41 pme-fw openvpn[60086]: Diffie-Hellman initialized with 2048 bit key
May 24 09:47:41 pme-fw openvpn[60086]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 24 09:47:41 pme-fw openvpn[60086]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 24 09:47:41 pme-fw openvpn[60086]: ROUTE_GATEWAY 81.24.66.1/255.255.255.128 IFACE=igb1 HWADDR=00:10:f3:3b:f3:73
May 24 09:47:41 pme-fw openvpn[60086]: TUN/TAP device ovpns1 exists previously, keep at program end
May 24 09:47:41 pme-fw openvpn[60086]: TUN/TAP device /dev/tun1 opened
May 24 09:47:41 pme-fw openvpn[60086]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 24 09:47:41 pme-fw openvpn[60086]: /sbin/ifconfig ovpns1 192.168.99.1 192.168.99.2 mtu 1500 netmask 255.255.255.0 up
May 24 09:47:41 pme-fw openvpn[60086]: /sbin/route add -net 192.168.99.0 192.168.99.2 255.255.255.0
May 24 09:47:41 pme-fw openvpn[60086]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1624 192.168.99.1 255.255.255.0 init
May 24 09:47:41 pme-fw openvpn[60086]: /sbin/route add -net 10.0.38.0 192.168.99.2 255.255.255.0
May 24 09:47:41 pme-fw openvpn[60086]: /sbin/route add -net 10.0.91.0 192.168.99.2 255.255.255.0
May 24 09:47:41 pme-fw openvpn[60086]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 24 09:47:41 pme-fw openvpn[60086]: Socket Buffers: R=[65228->65228] S=[65228->65228]
May 24 09:47:41 pme-fw openvpn[60086]: Listening for incoming TCP connection on [AF_INET]81.24.66.48:1194
May 24 09:47:41 pme-fw openvpn[60086]: TCPv4_SERVER link local (bound): [AF_INET]81.24.66.48:1194
May 24 09:47:41 pme-fw openvpn[60086]: TCPv4_SERVER link remote: [AF_UNSPEC]
May 24 09:47:41 pme-fw openvpn[60086]: MULTI: multi_init called, r=256 v=256
May 24 09:47:41 pme-fw openvpn[60086]: IFCONFIG POOL: base=192.168.99.2 size=252, ipv6=0
May 24 09:47:41 pme-fw openvpn[60086]: MULTI: TCP INIT maxclients=1024 maxevents=1028
May 24 09:47:41 pme-fw openvpn[60086]: Initialization Sequence Completed
May 24 09:47:46 pme-fw openvpn[60086]: TCP connection established with [AF_INET]X.X.X.X:56843
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 TLS: Initial packet from [AF_INET]X.X.X.X:56843, sid=bb0a4161 8da5a0be
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 VERIFY SCRIPT OK: depth=1, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=internal-ca
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 VERIFY OK: depth=1, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=internal-ca
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 VERIFY SCRIPT OK: depth=0, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=csc-cn
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 VERIFY OK: depth=0, C=DE, ST=Bayern, L=Muenchen, O=D, emailAddress=m.muenz@max-it.de, CN=csc-cn
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_VER=2.4.6
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_PLAT=freebsd
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_PROTO=2
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_NCP=2
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_LZ4=1
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_LZ4v2=1
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_LZO=1
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_COMP_STUB=1
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_COMP_STUBv2=1
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 peer info: IV_TCPNL=1
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 24 09:47:47 pme-fw openvpn[60086]: X.X.X.X:56843 [csc-cn] Peer Connection Initiated with [AF_INET]X.X.X.X:56843
May 24 09:47:47 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 MULTI_sva: pool returned IPv4=192.168.99.2, IPv6=(Not enabled)
May 24 09:47:47 pme-fw openvpn: client config created @ /var/etc/openvpn-csc/1/csc-cn
May 24 09:47:47 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_5143781c3b01897c137e154216b65db8.tmp
May 24 09:47:47 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 MULTI: Learn: 192.168.99.2 -> csc-cn/X.X.X.X:56843
May 24 09:47:47 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 MULTI: primary virtual IP for csc-cn/X.X.X.X:56843: 192.168.99.2
May 24 09:47:48 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 PUSH: Received control message: 'PUSH_REQUEST'
May 24 09:47:48 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 SENT CONTROL [csc-cn]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,route-gateway 192.168.99.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.99.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 24 09:47:48 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 Data Channel: using negotiated cipher 'AES-256-GCM'
May 24 09:47:48 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 24 09:47:48 pme-fw openvpn[60086]: csc-cn/X.X.X.X:56843 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

mimugmail commented 6 years ago

No, I'm the only guy on this machine and I was not in the office at this time. Only thing changed was enabling netflow/insight some days ago ...

AdSchellevis commented 6 years ago

ok, thanks, I'll get back on this

AdSchellevis commented 6 years ago

@mimugmail just to be sure, this connection is only using a cert, no user/password, that would narrow it down already.