MFAVPN Setup
Scott Henderson
Yoann Traut (RCDevs)
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] > Username: support
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] > Password: xxxxxxxxxxxx
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] > Client ID: MFAVPN
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] > Source IP: 192.168.3.217
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] > Options: NOVOICE,U2FMODE
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] Enforcing client policy: MFAVPN (matched client ID)
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] Registered openotpSimpleLogin request
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] Resolved LDAP user: CN=support,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com (cached)
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] Resolved LDAP groups: nootp,domain admins,administrators,denied rodc password replication group,remote desktop users,kpdjhbvjh,rgreg (cached)
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] Access denied for client 'MFAVPN' (source not in allowed addresses)
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] User invalid or not found
[2024-01-30 12:00:20] [192.168.4.26:57268] [OpenOTP:8JYQXFAC] Sent failure response
Regards
Scott Henderson
Yoann Traut (RCDevs)
I got a config working with our MFAVPN and ccd config folder. In my test, I only pushed ifconfig directive per user but I assume if that one is working, the other parameters should also work.
ccd folder location:
[root@webadm1 ccd]# pwd
/opt/mfavpn/ccd
Permissions of ccd folder :
drwxrwx---. 2 root mfavpn 40 Jan 31 14:33 ccd
Content of ccd folder and permissions:
[root@webadm1 ccd]# ll
-rw-r-----. 1 root mfavpn 39 Jan 31 14:33 administrator
-rw-r-----. 1 root mfavpn 39 Jan 31 14:08 yoann
Content of files:
[root@webadm1 ccd]# cat administrator
ifconfig-push 10.8.0.115 255.255.255.0
[root@webadm1 ccd]# cat yoann
ifconfig-push 10.8.0.114 255.255.255.0
Declaration of ccd configuration in /opt/mfavpn/conf/openvpn.conf :
ccd-exclusive
client-config-dir /opt/mfavpn/ccd
(I putted here the ccd-exclusive directive in order to enforce it for my logins and to be required for all authentications. If not found for a specific user, then the authentication fail.)
Below the whole openvpn.conf file (for reference):
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;push "dhcp-option WINS 208.67.220.223"
;push "dhcp-option DOMAIN mydomain"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Enable compression on the VPN link and push the
# option to the client (2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
tls-auth /opt/mfavpn/conf/ta.key 0
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
ccd-exclusive
client-config-dir /opt/mfavpn/ccd
openssl x509 -in administrator.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a0:5d:87:db:7d:89:25:6f:63:4c:d7:29:2b:27:48:fc
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=RCDevs Support CA, OU=IT, O=RCDevs Support SA, C=LU
Validity
Not Before: Jan 31 13:43:07 2024 GMT
Not After : Jan 30 13:43:07 2027 GMT
Subject: CN=administrator, description=CLIENT, O=RCDevs Support, organizationIdentifier=VATLU-00000000
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f3:4f:c6:a0:6d:e6:14:db:0f:98:33:c2:5e:80:
9c:fb:80:0a:c5:f6:64:fd:8d:0c:82:8c:8d:de:db:
24:a3:56:d1:01:d2:27:88:6e:a1:29:23:09:8a:6b:
4b:b6:b7:8f:61:40:22:51:ac:af:fc:37:c9:b4:71:
93:b8:f2:77:7a:36:02:fb:a2:af:8d:04:f3:d8:a8:
a5:67:fa:80:45:23:ac:33:e6:94:9b:0c:ec:51:f7:
07:22:da:58:da:f5:07:70:b4:39:45:83:55:17:84:
c8:16:cd:0e:a7:26:bd:03:90:c5:33:48:a5:7a:36:
ed:69:7c:c3:41:c6:2a:0b:3b:fa:18:90:a9:19:c6:
93:71:43:3e:b2:ea:ed:ed:6e:fc:14:96:ea:3b:46:
7a:dc:9f:58:b6:71:75:c5:dc:97:f1:1a:8f:d9:bc:
2e:99:06:3d:b8:0b:b1:3d:af:96:b7:6b:6a:bb:be:
b3:8c:18:30:71:99:dd:f7:37:d7:30:32:85:f6:d4:
58:9a:60:97:af:ac:3c:a3:91:e2:be:b0:e3:e8:d7:
93:60:ab:64:5d:9f:d9:39:fa:de:69:30:e2:94:a1:
74:05:d3:bc:97:44:ee:ce:1f:ed:ea:81:a9:8e:55:
2d:4d:dd:cb:ce:a7:db:44:53:5b:a7:4f:0f:88:26:
fc:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://waproxy.support.rcdevs.com/ocsp/
CA Issuers - URI:http://waproxy.support.rcdevs.com/cacert/?format=der
X509v3 CRL Distribution Points:
Full Name:
URI:http://waproxy.support.rcdevs.com/crl/
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
6e:cb:8c:be:25:cd:bd:96:18:53:08:5b:45:9f:d9:c4:14:47:
38:cd:da:aa:fa:e7:d4:19:9b:d7:e9:aa:09:96:b9:c3:bd:83:
4b:13:f5:ad:15:b6:dd:fe:f2:f3:b7:19:c2:6a:67:6c:8d:c4:
92:31:03:ff:4d:ff:5a:9c:76:93:66:c4:7d:20:fb:15:c4:af:
bd:b9:db:bc:35:ad:6d:48:37:f7:49:65:8f:87:7e:b9:29:35:
37:cc:9e:d5:fe:ab:0b:1d:e4:3f:3e:2e:ca:cb:03:21:19:b9:
10:c8:c1:a4:e1:dd:5c:1e:7d:c1:99:46:45:b0:27:80:19:18:
f8:7a:be:e1:95:5e:fa:7a:33:ff:c7:3f:ee:3c:89:9f:73:86:
fe:17:1e:20:78:1a:ac:75:08:23:f7:b8:95:a1:e1:7d:cb:83:
ca:1a:ca:f1:e9:21:f6:80:35:81:dd:e5:3a:94:14:37:aa:c2:
ac:a7:ff:6d:7d:44:1c:a7:ba:99:72:ac:71:c9:47:97:48:05:
e1:3b:80:ef:0e:0f:65:56:4f:ed:dd:b7:f3:b3:29:0c:22:f5:
47:8d:e3:2a:56:66:a9:a2:c2:85:c3:f8:ef:2c:e6:14:37:9c:
ef:0e:e8:7c:1d:bf:66:2b:a2:aa:68:ce:b8:83:07:99:14:71:
d5:3e:cb:73:56:c8:18:b7:5f:ae:b0:00:ac:74:91:7d:94:35:
4e:ce:ec:62:25:c7:a3:1f:6b:c0:a2:dc:93:a5:16:6c:d5:cd:
59:55:33:60:cb:03:95:b0:b4:08:85:b2:02:cd:65:d0:04:98:
16:17:ad:be:db:58:d5:fb:ab:79:ee:a2:30:4b:da:1b:37:1b:
bf:6f:08:b3:8a:5c:3b:53:c7:98:c4:dc:59:0e:76:88:10:a6:
3c:f5:14:1a:f9:84:a7:f3:05:b3:79:03:fd:cf:8c:82:30:e1:
fc:7b:83:70:1a:ea:2e:03:d7:b6:f4:fe:c3:a8:7f:86:df:d3:
14:30:65:26:6e:0a:40:8c:ba:ed:89:53:a7:5e:c2:3c:c1:45:
a4:39:40:a9:8a:b3:e2:86:76:e8:03:57:2c:ea:b2:04:08:7b:
b8:eb:45:00:33:8e:93:4c:e7:8a:30:d3:3d:af:d5:14:91:0c:
25:c1:a2:24:27:e5:48:d1:a2:41:81:db:d1:c9:2a:06:06:00:
9f:17:c6:02:dd:e6:65:3b:8c:6e:da:21:88:8c:7f:ed:02:33:
17:bd:9d:4a:bb:38:ba:f7:c9:bb:59:64:64:cf:1d:b6:6e:d7:
1b:a3:5f:22:43:e8:4e:1f:b1:4d:8d:4a:5d:11:0f:19:57:54:
55:8e:95:a7:60:a0:6e:bb
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
;remote-cert-tls server
remote webadm1.support.rcdevs.com 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
user nobody
group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
cert administrator.crt
key administrator.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
auth-user-pass
auth-retry interact
auth-nocache
reneg-sec 600
<ca>
-----BEGIN CERTIFICATE-----
MIIFkTCCA3mgAwIBAgIUMkm0INgleJOVWrGHrYwTQ4WhrQMwDQYJKoZIhvcNAQEL
BQAwUjEaMBgGA1UEAwwRUkNEZXZzIFN1cHBvcnQgQ0ExCzAJBgNVBAsMAklUMRow
GAYDVQQKDBFSQ0RldnMgU3VwcG9ydCBTQTELMAkGA1UEBhMCTFUwIBcNMjMxMTE3
MTA1MDI1WhgPMjA3MzExMDQxMDUwMjVaMFIxGjAYBgNVBAMMEVJDRGV2cyBTdXBw
b3J0IENBMQswCQYDVQQLDAJJVDEaMBgGA1UECgwRUkNEZXZzIFN1cHBvcnQgU0Ex
CzAJBgNVBAYTAkxVMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqe0g
hnBKZZP8pas/ybplSDOTu6dv8zi1kTYUvc0tw7k7iT4xHNrzCzyat4kJKCnUa/Po
UxT1tGmmJWrEmMlBAhBIeTzNmvSS4zu1LjWe5cjCDitDHGiG/8FldyZhmx3JlZv+
aafIz+IbzLIDHuzjTsz3l+C3Ox1HQTHBJNG7dedK9r44E/T5tHxUn2fvpDDAbcEe
Zx6nB1o+gh+oO2Z8te1d2xMcxtwgE6m7wWQP3poLpABxNGx/QBbZ6CwWlNJUpSiQ
ks9fUY29MP/BLCvycnUmyEAcz4RQDDr3k+aRDgA+5dIPY2oKuB/onZkcj7a+kDAk
EpiZW+fCJVzF3g1d/yDLiKZDrJUfWqOMexAgtcmuslKqSFrurPdru2fruaSb/G1T
+G+m5L1KsW/tgwOWsCyEEkjNpQu/3srsya+A0ajAnaUHJlguwkfyJ+9VRJTJVr5g
KG94yIarP41uXzOumDLgAVIP8sWJlxYZtX0AgnRWtc4G7f3D0SgEKGPEt0M2BAHh
h7wujB0gzujTRTnfmoywKr+MV+My9b+OD2X8f5R38eEPigmBk5CO25Iv2qqHdmv+
1ItCT+5eJ+zb4DCUvo5Gem4ug0UkboZ3BWI3F56nSWvX47FNC6POKl7xToN1fBU2
UcY6twGt+vCuazLf1BpE9wq1xNzRUQMWEB5kj4ECAwEAAaNdMFswHQYDVR0OBBYE
FLrG3bwyzlfezj/J7U6NCGe/qfCMMB8GA1UdIwQYMBaAFLrG3bwyzlfezj/J7U6N
CGe/qfCMMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBCwUA
A4ICAQADE49MXiFdGlFUe7eCO7JpcTSNtY1QUbS0mTjbnZVv4dtgdPfxyo6zeudD
2rBCT8iMkJFSL4hduWX4q/Hm2As9Th8EuHi+bupIF09mqP4g8V0UW3oMLBLszDyz
mR6u5uW7kGYk8OvTnuiyU1KIB31luenFEl2kYHg6rRuppg2oe3eD1kRFS4agKX3S
d8GWS3EsDc9qvuBxOYfHh2DIG/HerqxZgtogEs33NQhwVw7dJab4cvXNMwZ4qDIS
MwB+SuwxjrQ/HjvxmBQPkx7yZFB6/20Phw474GsCJEYFLEZZlJ/l3Zvc3n0nWJwS
2D0c0szQSpZFbUqpS90X5YpaMkOpOpSQxmHML3IzyctZD4UwIfkqHPevwUi+9RJ1
6vzDc0wVb2NA5OXth5JXI8WSux/6w6re/xZ1oCkMvsOxuy1nZ3Iis3ajTYhSzdy2
d2hsPGvP42s69QVx6GJMMG96RPCY97NUy7g9RkjwGn+4FZ3BbCvtamPgofwTx09A
GFsjlCwrBuHAxzuIcpCNHy48rz+JuJJOb+F2ZyPg6LCFpjPvN5HfYbx7bIgpctWq
S5ju9gMpNBBYSX5FCSKksksz9v2iG/dlbErsimH3Kh9KOd4EZDRg1/rBFavOskxN
ySiZx6w09Ermsk507JOHaUVedGfWULndNNSFqgBfHaTgdU1Now==
-----END CERTIFICATE-----
</ca>
==> /opt/mfavpn/logs/openvpn.log <==
2024-01-31 15:05:56 us=474232 MULTI: multi_create_instance called
2024-01-31 15:05:56 us=474513 192.168.3.205:53767 Re-using SSL/TLS context
2024-01-31 15:05:56 us=474674 192.168.3.205:53767 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-31 15:05:56 us=474742 192.168.3.205:53767 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-31 15:05:56 us=474958 192.168.3.205:53767 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2024-01-31 15:05:56 us=474991 192.168.3.205:53767 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2024-01-31 15:05:56 us=475045 192.168.3.205:53767 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2024-01-31 15:05:56 us=475062 192.168.3.205:53767 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2024-01-31 15:05:56 us=475189 192.168.3.205:53767 TLS: Initial packet from [AF_INET]192.168.3.205:53767, sid=ad733a7c dd03c3bf
2024-01-31 15:05:56 us=490966 192.168.3.205:53767 VERIFY OK: depth=1, CN=RCDevs Support CA, OU=IT, O=RCDevs Support SA, C=LU
2024-01-31 15:05:56 us=491507 192.168.3.205:53767 VERIFY OK: depth=0, CN=administrator, description=CLIENT, O=RCDevs Support, organizationIdentifier=VATLU-00000000
2024-01-31 15:05:56 us=491817 192.168.3.205:53767 peer info: IV_VER=3.8.2connect3
2024-01-31 15:05:56 us=491848 192.168.3.205:53767 peer info: IV_PLAT=mac
2024-01-31 15:05:56 us=491860 192.168.3.205:53767 peer info: IV_NCP=2
2024-01-31 15:05:56 us=491868 192.168.3.205:53767 peer info: IV_TCPNL=1
2024-01-31 15:05:56 us=491876 192.168.3.205:53767 peer info: IV_PROTO=990
2024-01-31 15:05:56 us=491884 192.168.3.205:53767 peer info: IV_MTU=1600
2024-01-31 15:05:56 us=491893 192.168.3.205:53767 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2024-01-31 15:05:56 us=491901 192.168.3.205:53767 peer info: IV_GUI_VER=OCmacOS_3.4.8-4792
2024-01-31 15:05:56 us=491909 192.168.3.205:53767 peer info: IV_SSO=webauth,crtext
2024-01-31 15:05:56 us=492000 192.168.3.205:53767 TLS: Username/Password authentication deferred for username 'administrator'
2024-01-31 15:05:56 us=493069 192.168.3.205:53767 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-01-31 15:05:56 us=493197 192.168.3.205:53767 [administrator] Peer Connection Initiated with [AF_INET]192.168.3.205:53767
2024-01-31 15:05:56 us=493256 192.168.3.205:53767 PUSH: Received control message: 'PUSH_REQUEST'
2024-01-31 15:05:56 us=903197 MANAGEMENT: CMD 'client-auth-nt 16 0'
R2024-01-31 15:05:57 us=493577 192.168.3.205:53767 PUSH: Received control message: 'PUSH_REQUEST'
2024-01-31 15:05:57 us=493775 administrator/192.168.3.205:53767 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
2024-01-31 15:05:57 us=493941 administrator/192.168.3.205:53767 OPTIONS IMPORT: reading client specific options from: /opt/mfavpn/ccd/administrator
2024-01-31 15:05:57 us=494109 administrator/192.168.3.205:53767 MULTI: Learn: 10.8.0.115 -> administrator/192.168.3.205:53767
2024-01-31 15:05:57 us=494142 administrator/192.168.3.205:53767 MULTI: primary virtual IP for administrator/192.168.3.205:53767: 10.8.0.115
2024-01-31 15:05:57 us=494235 administrator/192.168.3.205:53767 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-01-31 15:05:57 us=494271 administrator/192.168.3.205:53767 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
2024-01-31 15:05:57 us=494423 administrator/192.168.3.205:53767 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-31 15:05:57 us=494453 administrator/192.168.3.205:53767 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-31 15:05:57 us=494552 administrator/192.168.3.205:53767 SENT CONTROL [administrator]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.115 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2024-01-31 15:07:57 us=435266 192.168.3.205:52537 Re-using SSL/TLS context
2024-01-31 15:07:57 us=435344 192.168.3.205:52537 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-31 15:07:57 us=435358 192.168.3.205:52537 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-31 15:07:57 us=435449 192.168.3.205:52537 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2024-01-31 15:07:57 us=435476 192.168.3.205:52537 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2024-01-31 15:07:57 us=435548 192.168.3.205:52537 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2024-01-31 15:07:57 us=435572 192.168.3.205:52537 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
R2024-01-31 15:07:57 us=435634 192.168.3.205:52537 TLS: Initial packet from [AF_INET]192.168.3.205:52537, sid=ad3835e0 18685af5
2024-01-31 15:07:57 us=449644 192.168.3.205:52537 VERIFY OK: depth=1, CN=RCDevs Support CA, OU=IT, O=RCDevs Support SA, C=LU
2024-01-31 15:07:57 us=450302 192.168.3.205:52537 VERIFY OK: depth=0, CN=yoann, description=CLIENT, O=RCDevs Support, organizationIdentifier=VATLU-00000000
2024-01-31 15:07:57 us=450697 192.168.3.205:52537 peer info: IV_VER=3.8.2connect3
2024-01-31 15:07:57 us=450733 192.168.3.205:52537 peer info: IV_PLAT=mac
2024-01-31 15:07:57 us=450745 192.168.3.205:52537 peer info: IV_NCP=2
2024-01-31 15:07:57 us=450754 192.168.3.205:52537 peer info: IV_TCPNL=1
2024-01-31 15:07:57 us=450762 192.168.3.205:52537 peer info: IV_PROTO=990
2024-01-31 15:07:57 us=450770 192.168.3.205:52537 peer info: IV_MTU=1600
2024-01-31 15:07:57 us=450778 192.168.3.205:52537 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2024-01-31 15:07:57 us=450810 192.168.3.205:52537 peer info: IV_GUI_VER=OCmacOS_3.4.8-4792
2024-01-31 15:07:57 us=450826 192.168.3.205:52537 peer info: IV_SSO=webauth,crtext
2024-01-31 15:07:57 us=450906 192.168.3.205:52537 TLS: Username/Password authentication deferred for username 'administrator'
2024-01-31 15:07:57 us=452030 192.168.3.205:52537 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-01-31 15:07:57 us=452060 192.168.3.205:52537 [yoann] Peer Connection Initiated with [AF_INET]192.168.3.205:52537
2024-01-31 15:07:57 us=452334 192.168.3.205:52537 PUSH: Received control message: 'PUSH_REQUEST'
2024-01-31 15:07:57 us=640406 MANAGEMENT: CMD 'client-auth-nt 17 0'
R2024-01-31 15:07:58 us=452524 192.168.3.205:52537 PUSH: Received control message: 'PUSH_REQUEST'
2024-01-31 15:07:58 us=452580 yoann/192.168.3.205:52537 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
2024-01-31 15:07:58 us=452642 yoann/192.168.3.205:52537 OPTIONS IMPORT: reading client specific options from: /opt/mfavpn/ccd/yoann
2024-01-31 15:07:58 us=452738 yoann/192.168.3.205:52537 MULTI: Learn: 10.8.0.114 -> yoann/192.168.3.205:52537
2024-01-31 15:07:58 us=452760 yoann/192.168.3.205:52537 MULTI: primary virtual IP for yoann/192.168.3.205:52537: 10.8.0.114
2024-01-31 15:07:58 us=452778 yoann/192.168.3.205:52537 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-01-31 15:07:58 us=452816 yoann/192.168.3.205:52537 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
2024-01-31 15:07:58 us=452888 yoann/192.168.3.205:52537 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-31 15:07:58 us=452910 yoann/192.168.3.205:52537 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-31 15:07:58 us=452958 yoann/192.168.3.205:52537 SENT CONTROL [yoann]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.114 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Yoann Traut (RCDevs)
The thing is with user certificate, the domain in contained in the CN.
[root@webadm1 ccd]# ll
total 12
-rw-r-----. 1 root mfavpn 39 Jan 31 15:33 'SUPPORT\Administrator'
-rw-r-----. 1 root mfavpn 39 Jan 31 14:33 administrator
-rw-r-----. 1 root mfavpn 39 Jan 31 14:08 yoann
User certificate info:
openssl x509 -in administrator.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e7:93:c8:30:9a:76:0d:d8:27:8b:99:64:1b:c9:87:eb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=RCDevs Support CA, OU=IT, O=RCDevs Support SA, C=LU
Validity
Not Before: Jan 31 14:30:50 2024 GMT
Not After : Oct 26 14:30:50 2026 GMT
Subject: description=USER, CN=SUPPORT\Administrator, UID=Administrator, DC=SUPPORT, O=RCDevs Support, organizationIdentifier=VATLU-00000000
2024-01-31 15:34:48 us=45481 192.168.3.205:55468 Re-using SSL/TLS context
2024-01-31 15:34:48 us=45548 192.168.3.205:55468 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-31 15:34:48 us=45561 192.168.3.205:55468 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-31 15:34:48 us=45645 192.168.3.205:55468 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2024-01-31 15:34:48 us=45666 192.168.3.205:55468 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2024-01-31 15:34:48 us=45701 192.168.3.205:55468 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2024-01-31 15:34:48 us=45716 192.168.3.205:55468 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
R2024-01-31 15:34:48 us=45766 192.168.3.205:55468 TLS: Initial packet from [AF_INET]192.168.3.205:55468, sid=6c2ea23e 20e2ac4b
WRWWWWWRRRRWRWR2024-01-31 15:34:48 us=58250 192.168.3.205:55468 VERIFY OK: depth=1, CN=RCDevs Support CA, OU=IT, O=RCDevs Support SA, C=LU
2024-01-31 15:34:48 us=58918 192.168.3.205:55468 VERIFY OK: depth=0, description=USER, CN=SUPPORT\\Administrator, UID=Administrator, DC=SUPPORT, O=RCDevs Support, organizationIdentifier=VATLU-00000000
WR2024-01-31 15:34:48 us=59314 192.168.3.205:55468 peer info: IV_VER=3.8.2connect3
2024-01-31 15:34:48 us=59338 192.168.3.205:55468 peer info: IV_PLAT=mac
2024-01-31 15:34:48 us=59348 192.168.3.205:55468 peer info: IV_NCP=2
2024-01-31 15:34:48 us=59356 192.168.3.205:55468 peer info: IV_TCPNL=1
2024-01-31 15:34:48 us=59363 192.168.3.205:55468 peer info: IV_PROTO=990
2024-01-31 15:34:48 us=59371 192.168.3.205:55468 peer info: IV_MTU=1600
2024-01-31 15:34:48 us=59380 192.168.3.205:55468 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2024-01-31 15:34:48 us=59399 192.168.3.205:55468 peer info: IV_GUI_VER=OCmacOS_3.4.8-4792
2024-01-31 15:34:48 us=59408 192.168.3.205:55468 peer info: IV_SSO=webauth,crtext
2024-01-31 15:34:48 us=59485 192.168.3.205:55468 TLS: Username/Password authentication deferred for username 'administrator'
WRR2024-01-31 15:34:48 us=60347 192.168.3.205:55468 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-01-31 15:34:48 us=60372 192.168.3.205:55468 [SUPPORT\Administrator] Peer Connection Initiated with [AF_INET]192.168.3.205:55468
R2024-01-31 15:34:48 us=60605 192.168.3.205:55468 PUSH: Received control message: 'PUSH_REQUEST'
W2024-01-31 15:34:48 us=256051 MANAGEMENT: CMD 'client-auth-nt 22 0'
R2024-01-31 15:34:49 us=61133 192.168.3.205:55468 PUSH: Received control message: 'PUSH_REQUEST'
2024-01-31 15:34:49 us=61185 SUPPORT\Administrator/192.168.3.205:55468 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
2024-01-31 15:34:49 us=61249 SUPPORT\Administrator/192.168.3.205:55468 OPTIONS IMPORT: reading client specific options from: /opt/mfavpn/ccd/SUPPORT\Administrator
2024-01-31 15:34:49 us=70447 SUPPORT\Administrator/192.168.3.205:55468 MULTI: Learn: 10.8.0.115 -> SUPPORT\Administrator/192.168.3.205:55468
2024-01-31 15:34:49 us=70485 SUPPORT\Administrator/192.168.3.205:55468 MULTI: primary virtual IP for SUPPORT\Administrator/192.168.3.205:55468: 10.8.0.115
2024-01-31 15:34:49 us=70505 SUPPORT\Administrator/192.168.3.205:55468 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-01-31 15:34:49 us=70528 SUPPORT\Administrator/192.168.3.205:55468 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
2024-01-31 15:34:49 us=70603 SUPPORT\Administrator/192.168.3.205:55468 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-31 15:34:49 us=70623 SUPPORT\Administrator/192.168.3.205:55468 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-01-31 15:34:49 us=70664 SUPPORT\Administrator/192.168.3.205:55468 SENT CONTROL [SUPPORT\Administrator]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.115 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Regards