Re: [Openvpn-users] odd log message

  From: <nobledark@xxxxxxxxxxxx>
  Date: Wed, 14 Nov 2007 21:05:27 -0500

Any chance that one of your client certs was built on a template 
that used the root email address? I'd look over any log files for 
other systems that VPN users have access to after they connect - 
look for activity that corresponds time-wise to the VPN log entries 
for root and see if there is any additional information as to who 
is logging on. You might also consider blocking the external IP 
that the connecting client is using until you've got a better idea 
what's going on.

I had an issue like this a while back where my certs were based on 
machine names and not the users - all users for a given computer 
had the same local logon credentials (bad, I know, but necessary in 
this particular case). Prior to introducing user auth via RADIUS, I 
could never really tell who was logged onto the VPN, only which 
computer was connecting.

To make matters worse, I was using a template (xca) for my certs 
and left the same email address in there for a number of certs. It 
didn't matter when the certs were based on the machine name but as 
soon as I went over to the user name, I started noticing "odd log 
entries". There in fact was nothing wrong with the entries - it was 
my client certs that were the culprit. Once I added RADIUS auth, 
users had to log on to the VPN w/ their unique credentials and I 
could see who was connecting, even if the cert had weird 
information. An added bonus to the RADIUS auth was that I could 
then troubleshoot what certs had the bad info and re-issue them.

My 2 cents...hope this is all that is wrong in your case.

 - Nd
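The log check Nd describes above (correlate the "root" entries, then see whether several client certs carry the same template email), as an added example that is not from the thread: it parses OpenVPN 2.x "VERIFY OK" lines, keeps the depth=0 client certificates, and reports any emailAddress that is shared by several CNs or that names root. The log lines, hosts and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OpenVPN 2.x syslog style quoted in the thread.
# The thread's real addresses are sanitised; these IPs, CNs and emails are made up.
SAMPLE_LOG = """\
Nov  7 15:19:47 aa-gateway openvpn[3945]: 198.51.100.10:61518 VERIFY OK: depth=1, /C=US/ST=CA/L=Location/O=Name_Of_Org/CN=OpenVPN-CA/emailAddress=root@example.org
Nov  7 15:19:47 aa-gateway openvpn[3945]: 198.51.100.10:61518 VERIFY OK: depth=0, /C=US/ST=CA/L=Location/O=Name_Of_Org/CN=jvv/emailAddress=root@example.org
Nov  7 15:21:03 aa-gateway openvpn[3945]: 203.0.113.7:50112 VERIFY OK: depth=0, /C=US/ST=CA/L=Location/O=Name_Of_Org/CN=abc/emailAddress=abc@example.org
Nov  7 15:22:10 aa-gateway openvpn[3945]: 192.0.2.44:40001 VERIFY OK: depth=0, /C=US/ST=CA/L=Location/O=Name_Of_Org/CN=def/emailAddress=root@example.org
"""

LINE_RE = re.compile(
    r"openvpn\[\d+\]: (?P<ip>[\d.]+):\d+ VERIFY OK: depth=(?P<depth>\d+), (?P<dn>/.*)"
)


def parse_dn(dn):
    """Turn '/C=US/CN=jvv/emailAddress=x' into a dict of RDN type -> value."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def leaf_certs(log_text):
    """Yield (source_ip, subject dict) for depth=0 (client certificate) verifications.
    depth=1 lines are the CA certificate and say nothing about which user connected."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("depth") == "0":
            yield m.group("ip"), parse_dn(m.group("dn"))


def find_template_leftovers(log_text):
    """Map each emailAddress to the CNs and source IPs that presented it, and keep
    only the suspicious ones: an address shared by several CNs (the copied template
    symptom from the thread) or an address that names root."""
    by_email = defaultdict(lambda: {"cns": set(), "ips": set()})
    for ip, subj in leaf_certs(log_text):
        email = subj.get("emailAddress", "<none>")
        by_email[email]["cns"].add(subj.get("CN", "<none>"))
        by_email[email]["ips"].add(ip)
    return {e: v for e, v in by_email.items() if len(v["cns"]) > 1 or e.startswith("root@")}


if __name__ == "__main__":
    for email, info in find_template_leftovers(SAMPLE_LOG).items():
        print(f"{email}: CNs={sorted(info['cns'])} from IPs={sorted(info['ips'])}")
```

Feed it the real server log instead of SAMPLE_LOG; each reported address is a cert to re-issue, and the IP set tells you which sources to correlate against the other systems' logs.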

On Wed, 14 Nov 2007 20:24:42 -0500 JJB <onephatcat@xxxxxxxxxxxxx> 
>Ralf Hildebrandt wrote:
>> * JJB <onephatcat@xxxxxxxxxxxxx>:
>>> Hello
>>> I'm getting these errors as if our firewall/openvpn server is 
>>> into itself. Is this normal? Have sanitized the error (ip 
>>> address, org 
>>> name, etc.)
>>> Nov  7 15:19:47 aa-gateway openvpn[3945]: xxx.xxx.xxx.xxx:61518 
>>> OK: depth=1, 
>>> /C=US/ST=CA/L=Location/O=Name_Of_Org/CN=OpenVPN-
>> I don't see an error.
>> I see an "OK
>Hi Ralph, thanks for responding,
>It isn't an error, it's an OK for user "root" to log in.
>Most of the OpenVPN log messages have usernames like 
>user@xxxxxxxxxxxxxx, not root:
>jvv/ VERIFY OK: depth=0, 
>Why would there be a log message for root@xxxxxxxxxxxxxx? Is this 
>evidence of someone gaining unauthorized access?
> - Joel

