azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
295126ee6c4abe2588f94de0e022eabdbb1c925d
claudetools/clients/peaceful-spirit/session-logs/2026-05-27-session.md
Mike Swanson f3c7fcdb8f sync: auto-sync from GURU-5070 at 2026-05-27 16:54:37 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-27 16:54:37
2026-05-27 16:54:45 -07:00

9.1 KiB
Raw Blame History

Session Log — 2026-05-27

User

  • User: Mike Swanson (mike)
  • Machine: GURU-5070
  • Role: admin

Session Summary

Completed the last pending machine in the Peaceful Spirit L2TP/IPsec VPN rollout: BridgettePSHomeComputer (a.k.a. BridgetteHome), which was offline during the 2026-05-22 rebuild. The entire deployment — including steps previously documented as "must be done interactively on each machine" — was performed remotely through GuruRMM, with no on-site visit, exercising the new user_session command context.

Deployed the L2TP profile to match the three working siblings (removed the stale IKEv2 "Peaceful Spirit VPN" profile; added L2TP/MSChapv2/split-tunnel, route 192.168.0.0/24, NRPT for .peacefulspirit.local → 192.168.0.2, machine-store cred via cmdkey). Set the L2TP PSK via context: user_session — the exact command (Set-VpnConnection -L2tpPsk -AllUserConnection) that fails as SYSTEM with "NonInteractive mode" and had to be typed by hand on the other machines on 5-22. It succeeded remotely.

Hit and resolved a sequence of connection failures: 809 (client NAT-T key missing → set AssumeUDPEncapsulationContextOnSendRule=2, reboot required), then 691/812 on the cached-credential auto-connect path. Determined rasdial/the connection does not consult the cmdkey credential for PPP auth, so no-arg connects send the wrong principal (SYSTEM→691, BridgetteSH→812). Per Mike's direction, switched to per-user auth: Bridgette logs in as BridgetteSH, so the connection authenticates as her via SSO. The final blocker was that the NPS network policy grants VPN by group membership (WseRemoteAccessUsers, the Windows Server Essentials Anywhere-Access group) — pst-admin was a member, BridgetteSH was not. Added BridgetteSH to WseRemoteAccessUsers (+ msNPAllowDialin=TRUE) on PST-SERVER. Her connect then succeeded.

Finished by removing the troubleshooting pst-admin credential from BridgetteSH's user store (she uses SSO now) and creating a logon-triggered scheduled task (Connect Peaceful Spirit VPN) that auto-connects her ~20s after sign-in. Validated end to end: VPN connects, gets a pool IP, pings the DC (192.168.0.2), and resolves internal names.

Key Decisions

  • Per-user VPN auth for Bridgette (not the shared pst-admin account). Mike chose to authorize BridgetteSH herself for NPS so she connects with her own logged-in credentials via SSO — no shared password cached on her machine, no typing. Divergence from the 3 siblings (which connect as pst-admin); flagged for possible future alignment.
  • Grant VPN via the Essentials group WseRemoteAccessUsers, not just msNPAllowDialin. The NPS network policy condition is group-based (SID ...-1113 = WseRemoteAccessUsers); the dial-in attribute alone does not satisfy it.
  • Logon scheduled task for auto-connect instead of pre-login auto-connect. Pre-login runs as SYSTEM (would need the cmdkey/pst-admin path, which doesn't authenticate); a user-session logon task connects seamlessly as her.
  • All work via GuruRMM user_session — validated that previously-interactive-only commands (PSK) run remotely, eliminating the on-site requirement noted on 5-22.

Problems Encountered

  • Error 809 (server not responding): client-side NAT-T key AssumeUDPEncapsulationContextOnSendRule was MISSING (working sibling MaraHomeNew had =2). Set to 2; requires a reboot (IPsec caches it at boot). Rebooted via RMM, confirmed via fresh LastBootUpTime.
  • Error 691 (SYSTEM no-arg) / 812 (user no-arg): rasdial/the VPN connection does not use the cmdkey "Domain Password" credential (target = server address) for PPP auth. No-arg connects therefore send the wrong principal. -RememberCredential + an explicit rasdial connect did not persist the credential either (only the GUI "save credentials" / RAS API populates that slot). Abandoned the saved-shared-credential approach in favor of per-user auth.
  • Error 812 as BridgetteSH (the real one): NPS network policy grants by WseRemoteAccessUsers membership. She wasn't in it. RasClient event confirmed she dialed and the L2TP link established, but policy denied. Fixed by adding her to the group.
  • Concurrent connect attempts (me + Bridgette) produced a stale "already connected / no IP" state mid-troubleshooting; resolved by forcing a clean disconnect before each test.

Configuration Changes

BridgettePSHomeComputer (agent 074141d7-bd96-49ff-8f64-edf31159c00b)

  • Removed stale IKEv2 "Peaceful Spirit VPN" profile; created L2TP profile: server 98.190.129.150, TunnelType L2tp, MSChapv2, EncryptionLevel Optional, AllUserConnection, SplitTunneling, DnsSuffix peacefulspirit.local.
  • Route 192.168.0.0/24 (AllUserConnection).
  • NRPT rule .peacefulspirit.local → 192.168.0.2.
  • rasphone.pbk: CacheCredentials=1, SaveCredentials=1.
  • Set L2TP PSK (via user_session).
  • Set-VpnConnection -RememberCredential $true.
  • Registry HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule = 2 (DWORD) — was missing; rebooted to activate.
  • Machine-store cmdkey cred for 98.190.129.150 (pst-admin) — left in place (matches build). Removed the pst-admin cred from BridgetteSH's user store after switching to SSO.
  • Scheduled task Connect Peaceful Spirit VPN: AtLogOn (BridgetteSH), 20s delay, runs rasdial.exe "Peaceful Spirit VPN" as BridgetteSH (Interactive/Limited), restart x3 @ 1 min.

PST-SERVER (192.168.0.2, DC + RRAS/NPS; agent 6b6106a7-8515-4b6b-857d-0dc6ede53f35)

  • AD: BridgetteSH msNPAllowDialin set to TRUE.
  • AD: added BridgetteSH to group WseRemoteAccessUsers (the group the NPS VPN network policy requires).

Credentials & Secrets

Item Value
VPN PSK (L2TP) z5zkNBds2V9eIkdey09Zm6Khil3DAZs8
VPN server (WAN) 98.190.129.150
Shared dial-in user pst-admin / SpiritWalk26! (siblings connect as this)
Bridgette VPN auth her own domain account PEACEFULSPIRIT\BridgetteSH via SSO (no stored shared cred)
GuruRMM API http://172.16.3.30:3001claude-api@azcomputerguru.com / ClaudeAPI2026!@#

No new secrets created. (These should be migrated to the SOPS vault — no clients/peaceful-spirit vault entry exists yet.)

Infrastructure & Servers

Host IP Role
UCG-PST-CC 192.168.0.10 / 98.190.129.150 UniFi Cloud Gateway, DNAT UDP 500/4500/ESP → PST-SERVER
PST-SERVER 192.168.0.2 Windows Server 2016 Essentials, DC, DNS, RRAS + NPS VPN endpoint
BridgettePSHomeComputer DHCP (Bridgette's home) Domain workstation, VPN client — NOW COMPLETE
  • VPN IP pool: ~192.168.0.240+ (observed .241/.243/.248/.249 during testing). Domain PEACEFULSPIRIT.local; DC/DNS 192.168.0.2.
  • NPS network policy grants VPN by membership in WseRemoteAccessUsers (Essentials Anywhere-Access group), SID S-1-5-21-1105246401-3156558273-4088333098-1113. Auth method MS-CHAP v2.
  • GuruRMM agent IDs: PST-SERVER 6b6106a7-8515-4b6b-857d-0dc6ede53f35, MaraHomeNew c778b6a3-c646-4454-a065-8c8bdcb1578e, BridgettePSHomeComputer 074141d7-bd96-49ff-8f64-edf31159c00b.

Commands & Outputs

  • GuruRMM command API: POST /api/agents/:id/command with {"command_type":"powershell","command":"...","context":"system|user_session"}; poll GET /api/commands/:id (fields: status/exit_code/stdout/stderr/context). Used base64 -EncodedCommand (UTF-16LE via py) to avoid shell-quoting issues.
  • PSK set (user_session): Set-VpnConnection -Name "Peaceful Spirit VPN" -L2tpPsk "..." -AllUserConnection -ForcePSK_SET_OK.
  • NAT-T: New-ItemProperty ...PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -PropertyType DWord -Force → reboot (shutdown /r /t 15) → confirmed new LastBootUpTime.
  • NPS grant: Set-ADUser BridgetteSH -Replace @{msNPAllowDialin=$true}; Add-ADGroupMember -Identity (Get-ADGroup <SID>) -Members BridgetteSH.
  • Final verify (user_session, no-arg): "Successfully connected"; vpnIP 192.168.0.241; PING_DC=OK; RESOLVE=192.168.0.240.
  • Auto-connect task validated: disconnect → Start-ScheduledTask "Connect Peaceful Spirit VPN" → reconnected; LastTaskResult=0.

Pending / Incomplete Tasks

  • Parity decision: siblings connect as shared pst-admin; Bridgette now connects as her own BridgetteSH. Consider switching the other users to per-user auth (cleaner) or aligning Bridgette to pst-admin.
  • Vault the Peaceful Spirit secrets (PSK, pst-admin) — no clients/peaceful-spirit SOPS entry exists; currently only in session logs.
  • Optional: confirm the auto-connect task behaves on a real logon (validated via Start-ScheduledTask; not yet observed through an actual sign-in cycle).

Reference Information

  • Syncro ticket lineage: #32271 (IKEv2 drops → L2TP rebuild). Customer: Peaceful Spirit Massage (Syncro customer 278525). Coord todo 4129ba17-53e9-4db5-b217-54007fb2de25 (Bridgette VPN) — marked done.
  • Prior rebuild detail: clients/peaceful-spirit/session-logs/2026-05-22-session.md.
  • New capability memory: .claude/memory/reference_gururmm_user_session_context.md.
  • VPN phonebook: C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk.
Reference in New Issue View Git Blame Copy Permalink