Log noise or configuration problem?

Post by Questionable SysAdmin » Sun Sep 04, 2022 8:03 pm

Hey guys,

I recently took on my first job in IT and am replacing an admin who left this small business. My training is with Windows and Azure (got my degree earlier this year :D); however, my new job is for a small family business whose admin had to leave due to cancer, and it's my first time dealing with Linux and OpenVPN.

The previous admin worked in the business for around 10 years or so and was apparently all for Linux and mostly decided to set up the systems almost entirely based on Linux and hosted on remote dedicated servers / private cloud for this business instead of a proper modern cloud setup.

Anyway, after spending all day figuring out how to log in with "SSH", yup no GUI! :roll: And having to currently use the desktop he had set up for them for managing systems, apparently set up "for the next admin" :lol:

Thankfully, the guy wrote a full printed manual documenting the system setups! :lol:

Anyway I think I may have noticed some configuration problems, so I wanted to see if they were proper issues or if I'm just reading the logs wrong.

There are these two messages in the logs that concerned me, that are seen when an Android mobile device connects to the OpenVPN server "portable device" profile (there are multiple instances of OpenVPN Server running on the systems) the guy had set up to allow their mobile to be connected so they could access emails and such.

Anyway, firstly there's this big warning:

Code:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1554'

Clearly a mis-configuration I think?

Also, I noticed this seems strange:

Code:

++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication

Are these anything to worry about? Are these systems borked? As despite these errors everything is working?

Anyway, this was a full log from a client connecting after restarting the service, is this anything to worry about?

Code:

Sep 04 19:53:45 server.hostname systemd[1]: openvpn-server@portables.service: Succeeded.
Sep 04 19:53:45 server.hostname openvpn[15260]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Sep 04 19:53:45 server.hostname openvpn[15260]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Sep 04 19:53:45 server.hostname openvpn[15260]: net_route_v4_best_gw query: dst 0.0.0.0
Sep 04 19:53:45 server.hostname openvpn[15260]: net_route_v4_best_gw result: via xx.xx.xxx.xx dev eth0
Sep 04 19:53:45 server.hostname openvpn[15260]: CRL: loaded 1 CRLs from file /etc/openvpn/server/cert/crl.pem
Sep 04 19:53:45 server.hostname openvpn[15260]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sep 04 19:53:45 server.hostname openvpn[15260]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sep 04 19:53:45 server.hostname openvpn[15260]: TUN/TAP device tun4 opened
Sep 04 19:53:45 server.hostname openvpn[15260]: net_iface_mtu_set: mtu 1500 for tun4
Sep 04 19:53:45 server.hostname openvpn[15260]: net_iface_up: set tun4 up
Sep 04 19:53:45 server.hostname openvpn[15260]: net_addr_v4_add: 10.66.5.1/24 dev tun4
Sep 04 19:53:45 server.hostname openvpn[15260]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Sep 04 19:53:45 server.hostname openvpn[15260]: Listening for incoming TCP connection on [AF_INET]xx.xx.xxx.xxx:443
Sep 04 19:53:45 server.hostname openvpn[15260]: Socket flags: TCP_NODELAY=1 succeeded
Sep 04 19:53:45 server.hostname openvpn[15260]: TCPv4_SERVER link local (bound): [AF_INET]xx.xx.xxx.xxx:443
Sep 04 19:53:45 server.hostname openvpn[15260]: TCPv4_SERVER link remote: [AF_UNSPEC]
Sep 04 19:53:45 server.hostname openvpn[15260]: GID set to nogroup
Sep 04 19:53:45 server.hostname openvpn[15260]: UID set to nobody
Sep 04 19:53:45 server.hostname openvpn[15260]: MULTI: multi_init called, r=256 v=256
Sep 04 19:53:45 server.hostname openvpn[15260]: IFCONFIG POOL IPv4: base=10.66.5.2 size=252
Sep 04 19:53:45 server.hostname openvpn[15260]: ifconfig_pool_read(), in='androida,10.66.5.2,'
Sep 04 19:53:45 server.hostname openvpn[15260]: succeeded -> ifconfig_pool_set(hand=0)
Sep 04 19:53:45 server.hostname openvpn[15260]: ifconfig_pool_read(), in='androidb,10.66.5.3,'
Sep 04 19:53:45 server.hostname openvpn[15260]: succeeded -> ifconfig_pool_set(hand=1)
Sep 04 19:53:45 server.hostname openvpn[15260]: ifconfig_pool_read(), in='androidc,10.66.5.4,'
Sep 04 19:53:45 server.hostname openvpn[15260]: succeeded -> ifconfig_pool_set(hand=2)
Sep 04 19:53:45 server.hostname openvpn[15260]: ifconfig_pool_read(), in='androidd,10.66.5.5,'
Sep 04 19:53:45 server.hostname openvpn[15260]: succeeded -> ifconfig_pool_set(hand=3)
Sep 04 19:53:45 server.hostname openvpn[15260]: IFCONFIG POOL LIST
Sep 04 19:53:45 server.hostname openvpn[15260]: androida,10.66.5.2,
Sep 04 19:53:45 server.hostname openvpn[15260]: androidb,10.66.5.3,
Sep 04 19:53:45 server.hostname openvpn[15260]: androidc,10.66.5.4,
Sep 04 19:53:45 server.hostname openvpn[15260]: androidd,10.66.5.5,
Sep 04 19:53:45 server.hostname openvpn[15260]: MULTI: TCP INIT maxclients=60 maxevents=64
Sep 04 19:53:45 server.hostname openvpn[15260]: Initialization Sequence Completed
Sep 04 19:54:13 server.hostname openvpn[15260]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sep 04 19:54:13 server.hostname openvpn[15260]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sep 04 19:54:13 server.hostname openvpn[15260]: TCP connection established with [AF_INET]xx.xx.xx.x:49768
Sep 04 19:54:13 server.hostname openvpn[15260]: Socket flags: TCP_NODELAY=1 succeeded
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 TLS: Initial packet from [AF_INET]xx.xx.xx.x:49768, sid=576c1e72 3c070168
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 VERIFY OK: depth=1, CN=(Company Name) CA
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 VERIFY KU OK
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 Validating certificate extended key usage
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 VERIFY EKU OK
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 VERIFY OK: depth=0, CN=androida
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_VER=2.6_master
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_PLAT=android
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_TCPNL=1
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_MTU=1600
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_CIPHERS=AES-256-GCM
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_PROTO=470
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_LZO_STUB=1
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_COMP_STUB=1
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_COMP_STUBv2=1
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.39
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 peer info: IV_SSO=openurl,webauth,crtext
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1554'
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Sep 04 19:54:13 server.hostname openvpn[15260]: xx.xx.xx.x:49768 [androida] Peer Connection Initiated with [AF_INET]xx.xx.xx.x:49768
Sep 04 19:54:13 server.hostname openvpn[15260]: androida/xx.xx.xx.x:49768 MULTI_sva: pool returned IPv4=10.66.5.2, IPv6=(Not enabled)
Sep 04 19:54:13 server.hostname openvpn[15260]: androida/xx.xx.xx.x:49768 MULTI: Learn: 10.66.5.2 -> androida/xx.xx.xx.x:49768
Sep 04 19:54:13 server.hostname openvpn[15260]: androida/xx.xx.xx.x:49768 MULTI: primary virtual IP for androida/xx.xx.xx.x:49768: 10.66.5.2
Sep 04 19:54:13 server.hostname openvpn[15260]: androida/xx.xx.xx.x:49768 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 04 19:54:13 server.hostname openvpn[15260]: androida/xx.xx.xx.x:49768 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 04 19:54:13 server.hostname openvpn[15260]: androida/xx.xx.xx.x:49768 SENT CONTROL [androida]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.66.5.1,dhcp-option DOMAIN (companydomain),route 10.66.6.0 255.255.255.0,route 10.6.66.0 255.255.255.0,route 10.7.66.0 255.255.255.0,route 10.8.88.0 255.255.255.0,route-gateway 10.66.5.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.66.5.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)


Re: Log noise or configuration problem?

Post by Pippin » Sun Sep 04, 2022 10:10 pm

Hi,

you did not post config files:
viewtopic.php?t=22603

Code:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1554'

Unless there are MTU problems (traffic stalling, pages not properly loading, etc.) one can safely ignore this warning.

Code:

++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication

It means exactly what is stated. If Extended Key Usage was not set in the client certificate the connection would fail.

Some food:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html
https://community.openvpn.net/openvpn/wiki/HOWTO

Quote:
it's my first time dealing with Linux and OpenVPN.

Time to eat some more... it can be satisfying :)

Quote:
The previous admin worked in the business for around 10 years or so and was apparently all for Linux and mostly decided to set up the systems almost entirely based on Linux and hosted on remote dedicated servers / private cloud for this business

I'd say that's cool but hey I'm not an admin... ;)

Quote:
Anyway, after spending all day figuring out how to log in with "SSH", yup no GUI!

No GUI? All text? That's even cooler!

Quote:
Thankfully, the guy wrote a full printed manual documenting the system setups!

Oh wow, thought it could not get cooler but hey look at that!
Credits to the admin that deserves it!
;)

PS
I wonder what would happen if there existed a knob that, if pressed, would shut down all Linux machines on the earth.... and in space... do you?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp


Re: Log noise or configuration problem?

Post by TinCanTech » Mon Sep 05, 2022 9:03 am

Questionable SysAdmin wrote: Sun Sep 04, 2022 8:03 pm
OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021

Current version is:
OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 24 2022

The spurious MTU warning has been fixed.

Questionable SysAdmin wrote: Sun Sep 04, 2022 8:03 pm
++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication

The full message reads as:
2022-08-29 18:52:35 us=486708 10.1.101.107:62709 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2022-08-29 18:52:35 us=486729 10.1.101.107:62709 VERIFY EKU OK

If you want to support openvpn then this is a good start: https://community.openvpn.net/openvpn/w ... wtoOpenVPN
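
A log triage sketch for the two messages discussed in this thread, added here as an example and not code from any poster or from the OpenVPN project: it pairs each `++ Certificate has EKU` line with the verification result that follows it, and records the `link-mtu` difference per peer. The sample lines are constructed in the format of the posted log (192.0.2.x are documentation addresses, and the second peer's mismatch and `VERIFY EKU ERROR` lines are assumed for illustration); `triage` and `verdict` are hypothetical names.

```python
import re

# Constructed sample in the format of the log posted above; 192.0.2.x are
# documentation addresses, and the second peer's lines are assumed for illustration.
SAMPLE_LOG = """\
Sep 04 19:54:13 server.hostname openvpn[15260]: 192.0.2.10:49768 VERIFY KU OK
Sep 04 19:54:13 server.hostname openvpn[15260]: 192.0.2.10:49768 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sep 04 19:54:13 server.hostname openvpn[15260]: 192.0.2.10:49768 VERIFY EKU OK
Sep 04 19:54:13 server.hostname openvpn[15260]: 192.0.2.10:49768 VERIFY OK: depth=0, CN=androida
Sep 04 19:54:13 server.hostname openvpn[15260]: 192.0.2.10:49768 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1554'
Sep 04 19:55:02 server.hostname openvpn[15260]: 192.0.2.20:50001 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Client Authentication
Sep 04 19:55:02 server.hostname openvpn[15260]: 192.0.2.20:50001 VERIFY EKU ERROR
"""

PEER_RE = re.compile(r"openvpn\[\d+\]: (\S+:\d+) (.*)$")
EKU_RE = re.compile(r"\+\+ Certificate has EKU \(str\) (.+?), expects (.+)$")
MTU_RE = re.compile(r"'link-mtu' is used inconsistently, "
                    r"local='link-mtu (\d+)', remote='link-mtu (\d+)'")

def triage(log_text):
    """Group per-peer facts: EKU comparison, EKU verdict, CN, link-mtu delta."""
    peers = {}
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue  # server-wide line without a peer prefix
        peer, msg = m.group(1).split("/")[-1], m.group(2)  # drop "CN/" prefix
        rec = peers.setdefault(peer, {"eku_match": None, "eku_ok": False,
                                      "cn": None, "mtu_delta": None})
        if (e := EKU_RE.search(msg)):
            # One listed EKU equal to the expected value is enough.
            rec["eku_match"] = bool(rec["eku_match"]) or e.group(1) == e.group(2)
        elif msg == "VERIFY EKU OK":
            rec["eku_ok"] = True
        elif msg.startswith("VERIFY OK: depth=0, CN="):
            rec["cn"] = msg.split("CN=", 1)[1]
        elif (w := MTU_RE.search(msg)):
            rec["mtu_delta"] = int(w.group(2)) - int(w.group(1))
    return peers

def verdict(rec):
    """'investigate' when an EKU check was logged but did not pass, else 'info'."""
    if rec["eku_match"] is not None and not (rec["eku_match"] and rec["eku_ok"]):
        return "investigate"
    return "info"  # includes the link-mtu warning, ignorable absent MTU symptoms

if __name__ == "__main__":
    for peer, rec in triage(SAMPLE_LOG).items():
        print(peer, verdict(rec), rec)
```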
