First live test of the Sonnet-subagent wiki recompile. Subagent absorbed the recovered RADIUS log + 2026-05-27 work: added BridgettePSHomeComputer agent, 3 new Patterns (NPS group membership, rasdial cmdkey, NAT-T key), 2026-05-27 + 2026-06-01 History rows, real Syncro ID 278525. Review step stripped 3 raw secrets the draft had inlined (back to vault refs) and verified the Syncro ID against the API; Patterns/History preserved. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| type | name | display_name | last_compiled | compiled_by | sources | backlinks |
|---|---|---|---|---|---|---|
| client | peaceful-spirit | Peaceful Spirit Therapeutic Massage | 2026-06-02 | GURU-5070/claude-main | | |
Peaceful Spirit Therapeutic Massage
Massage therapy practice with at least two sites: Country Club (primary, all work performed here) and a Northwest (NW) site. On-premises Windows Server 2016 Essentials domain environment. Domain-joined workstations for Mara (owner/operator) and other staff. L2TP/IPsec VPN fully deployed to all known machines as of 2026-05-27.
Profile
- Contract type: Break-fix / project [unverified — no contract details found in session logs]
- Key contacts:
  - Mara — primary point of contact; owner/operator; personal Microsoft account `mara.concordia@gmail.com` (OneDrive). Domain user `mara` (password reset on 2026-05-22 to the same new value as pst-admin, PasswordNeverExpires=true; the value is in the session logs, vault entry pending — raw secrets do not belong on this page).
  - Bridgette — staff member with home computer (BridgettePSHomeComputer); domain user `BridgetteSH`. No contact details captured.
- Billing rate: [unverified — not documented in session logs]
- Syncro customer ID: `278525` (Peaceful Spirit Massage) — the Syncro business name is "Peaceful Spirit Massage", not "...Therapeutic Massage", so a name search on "peaceful spirit" does not match; use the ID.
- Active tickets: #32271 — "Bug - IKEv2 VPN drops and does not auto-reconnect" (the IKEv2-drops → L2TP-rebuild lineage)
Infrastructure
Servers & Services
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| PST-SERVER | 192.168.0.2 | DC, DNS, RRAS (L2TP/IPsec VPN), NPS, Enterprise Root CA (AD CS) | Windows Server 2016 Essentials (build 14393) | GuruRMM agent ID: 6b6106a7-8515-4b6b-857d-0dc6ede53f35. Win32-OpenSSH installed 2026-05-11 (C:\Program Files\OpenSSH\OpenSSH-Win64\). Machine cert: DB71981ABE4CBA1DE96FEEEAF178F6259663B543 (CN=PST-SERVER.PEACEFULSPIRIT.local, valid 5/9/2027). |
| UCG-PST-CC | 192.168.0.10 (LAN) / 98.190.129.150 (WAN) | UniFi Cloud Gateway — perimeter router + DNAT for VPN | UniFi OS | SSH: root@192.168.0.10 via key ~/.ssh/pst-cc-ucg (password-auth is keyboard-interactive; password: vault). WAN SSH (98.190.129.150:22) is NOT accessible remotely — timed out from all tested sources. UCG VPN (strongSwan/xl2tpd) abandoned 2026-05-22 in favor of RRAS on PST-SERVER. DNAT persistence: /data/on_boot.d/10-vpn-portforward.sh. |
Note: An NW (Northwest) site exists with a separate UCG that previously had an OpenVPN server at 64.139.88.249:1194 (TCP). No further NW site details are documented.
Domain & Identity
- Domain: PEACEFULSPIRIT.local
- Domain admins: `sysadmin` (password: vault) — this is the domain admin account. `pst-admin` is a domain user (not domain admin) with VPN dial-in permission.
- AD domain SID base: S-1-5-21-1105246401-3156558273-4088333098
- CA: PEACEFULSPIRIT-PST-SERVER-CA — Enterprise Root CA on PST-SERVER. Thumbprint: 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid to 3/8/2061).
- VPN-eligible users (WseRemoteAccessUsers, SID ...-1113): Domain Admins (group), PSTAdmin, pst-admin, LMT, Mara, BridgetteSH (added 2026-05-27). The NPS network policy grants VPN by group membership in WseRemoteAccessUsers; `msNPAllowDialin=TRUE` alone is not sufficient.
- OneDrive: pst-admin uses personal OneDrive (mara.concordia@gmail.com, cid: 25f0851177ceabfd). Per-machine OneDrive (v26.063.0405.0002) deployed to Maras-HP-Laptop on 2026-05-11 via `/allusersinstall`.
- Email / M365: [unverified — no M365 tenant found; practice likely uses personal or third-party email]
Network
- WAN IP: 98.190.129.150 (Country Club site, UCG)
- LAN subnet: 192.168.0.0/24
- DNS / DC: 192.168.0.2 (PST-SERVER)
- VPN (current — L2TP/IPsec):
  - Endpoint: PST-SERVER RRAS at 192.168.0.2, exposed via UCG DNAT (UDP 500, UDP 4500, ESP)
  - PSK: vault (`clients/peaceful-spirit/vpn.sops.yaml`)
  - Auth: MSCHAPv2. Mara's machines connect as shared user `pst-admin`; BridgettePSHomeComputer connects as `BridgetteSH` via SSO (no stored shared credential).
  - NPS RADIUS shared secret for client UCG-PST-CC (192.168.0.10): in vault (`clients/peaceful-spirit/server.sops.yaml`)
  - IP pool: 192.168.0.240+ (observed: .241, .243, .248, .249 during testing)
  - VPN profile name on clients: "Peaceful Spirit VPN" (AllUserConnection, split tunnel, 192.168.0.0/24 route, NRPT for .peacefulspirit.local → 192.168.0.2)
  - PST-SERVER registry: `AssumeUDPEncapsulationContextOnSendRule=2` (PolicyAgent), `DefaultPSK` set in L2TP parameters
  - UCG persistence: `/data/on_boot.d/10-vpn-portforward.sh`
- GPO: "Block New Outlook" — GUID {577028AF-0901-4BDF-A283-CD1156F313D9}, linked to domain root. Disables new Outlook experience across all domain machines.
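The client-side profile described above, written out as an added example (this is not one of the site's own deployment scripts). It builds the "Peaceful Spirit VPN" AllUserConnection profile with the documented settings: L2TP/IPsec with MSCHAPv2, split tunnel with a 192.168.0.0/24 route, an NRPT rule for .peacefulspirit.local in place of a DNS suffix push, and the NAT-T registry value. The WAN address as server endpoint, the `-Psk` parameter sourced from the vault, and the shape of the logon auto-connect task (the page records only its name and ~20 s delay) are assumptions. It must run in an interactive elevated session or the GuruRMM `user_session` context, since `-L2tpPsk` does not register from SYSTEM.

```powershell
#Requires -RunAsAdministrator
# Added example: deploy the L2TP/IPsec client profile documented for this site.
# Run interactively (or via GuruRMM user_session); -L2tpPsk does not register from SYSTEM.
[CmdletBinding()]
param(
    [string]$Name        = 'Peaceful Spirit VPN',
    [string]$ServerAddr  = '98.190.129.150',   # Country Club WAN; UCG DNATs UDP 500/4500 + ESP to 192.168.0.2 (assumed endpoint)
    [string]$LanPrefix   = '192.168.0.0/24',
    [string]$InternalDns = '192.168.0.2',
    [string]$DnsSuffix   = '.peacefulspirit.local',
    [switch]$UseWinlogon,                      # per-user SSO (BridgetteSH style) instead of a shared stored credential
    [Parameter(Mandatory)][securestring]$Psk  # pass in from the vault; never a literal in a script or wiki page
)

# Idempotent: drop any existing profile of the same name before rebuilding it.
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}

$vpn = @{
    Name                 = $Name
    ServerAddress        = $ServerAddr
    TunnelType           = 'L2tp'
    L2tpPsk              = [System.Net.NetworkCredential]::new('', $Psk).Password
    AuthenticationMethod = 'MSChapv2'
    EncryptionLevel      = 'Required'
    SplitTunneling       = $true
    AllUserConnection    = $true
    Force                = $true
}
if ($UseWinlogon) { $vpn.UseWinlogonCredential = $true } else { $vpn.RememberCredential = $true }
Add-VpnConnection @vpn

# Split tunnel: only the office LAN is routed through the tunnel.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $LanPrefix -AllUserConnection

# NRPT instead of a DNS suffix push: Add-VpnConnectionTriggerDnsConfiguration is
# per-user and fails for AllUserConnection profiles.
Get-DnsClientNrptRule | Where-Object Namespace -eq $DnsSuffix | Remove-DnsClientNrptRule -Force
Add-DnsClientNrptRule -Namespace $DnsSuffix -NameServers $InternalDns -Comment $Name

# NAT-T: the RRAS server sits behind the UCG. IPsec reads this value only at boot.
$pa  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$cur = (Get-ItemProperty $pa -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($cur -ne 2) {
    Set-ItemProperty $pa -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord
    Write-Warning 'NAT-T key was missing or wrong; reboot before testing or expect error 809.'
}

# Optional logon auto-connect (the BridgettePSHomeComputer pattern): rasdial runs as
# whichever user signs in, ~20 s after logon. Assumption: the site's task is built this way.
if ($UseWinlogon) {
    $action        = New-ScheduledTaskAction -Execute 'rasdial.exe' -Argument ('"{0}"' -f $Name)
    $trigger       = New-ScheduledTaskTrigger -AtLogOn
    $trigger.Delay = 'PT20S'
    $principal     = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
    Register-ScheduledTask -TaskName "Connect $Name" -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}
```

Invoke as `.\Deploy-PstVpn.ps1 -Psk (Read-Host -AsSecureString 'L2TP PSK')` for a shared-credential machine, or add `-UseWinlogon` for the per-user SSO layout. The PSK is taken as a SecureString and converted only at the `Add-VpnConnection` call so it does not land in transcript or RMM output; the reboot warning matters because the NAT-T value is cached by the IPsec service at startup.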
Client Workstations
| Machine | Role | GuruRMM Agent ID | Notes |
|---|---|---|---|
| MaraHomeNew | Mara's home desktop | c778b6a3-c646-4454-a065-8c8bdcb1578e | Domain-joined. VPN working (confirmed via rasdial 2026-05-11 on the IKEv2 profile; L2TP/IPsec since 2026-05-22). Machine cert installed (D067E07B, CN=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027). Connects as pst-admin. |
| Maras-HP-Laptop | Mara's HP laptop | 13cb3629-5043-4bd6-b977-6968eeccf804 | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). OneDrive per-machine deployed 2026-05-11. pst-admin profile wiped and rebuilt 2026-05-11. Connects as pst-admin. |
| PST-SURFACE | Surface device | 4a993b61-59b3-42f4-bdb5-d4362941f7d6 | Domain-joined. VPN deployed 2026-05-22 (PSK set on-site by Mike). Connects as pst-admin. |
| BridgettePSHomeComputer | Bridgette's home PC | 074141d7-bd96-49ff-8f64-edf31159c00b | Domain-joined. VPN deployed remotely 2026-05-27 via GuruRMM user_session. Connects as BridgetteSH (SSO). Logon scheduled task "Connect Peaceful Spirit VPN" auto-connects ~20 s after sign-in. NAT-T key was missing — set and rebooted 2026-05-27. |
GuruRMM Enrollment
- Client name in RMM: Peaceful Spirit
- Client ID: `00015eae-50e5-4102-93fa-ab0fdb135c08`
- Site name: Country Club
- Site ID: `7b32983d-982a-4a5c-af07-45a23453f589`
Enrolled agents:
| Host | Agent ID | Enrolled | Last Known Status |
|---|---|---|---|
| PST-SERVER | 6b6106a7-8515-4b6b-857d-0dc6ede53f35 | 2026-05-10 23:19 UTC | Active (2026-05-11 01:29 UTC) |
| MaraHomeNew | c778b6a3-c646-4454-a065-8c8bdcb1578e | [unverified date] | — |
| Maras-HP-Laptop | 13cb3629-5043-4bd6-b977-6968eeccf804 | [unverified date] | — |
| PST-SURFACE | 4a993b61-59b3-42f4-bdb5-d4362941f7d6 | [unverified date] | — |
| BridgettePSHomeComputer | 074141d7-bd96-49ff-8f64-edf31159c00b | 2026-05-27 | Confirmed active 2026-05-27 |
Access
- PST-SERVER SSH: `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` — requires an active OpenVPN or L2TP VPN to the Country Club site. Win32-OpenSSH at `C:\Program Files\OpenSSH\OpenSSH-Win64\`. SCP paths use Unix format (`/C:/path/to/file`).
- UCG SSH (LAN only): `ssh -i ~/.ssh/pst-cc-ucg root@192.168.0.10` — the UCG requires keyboard-interactive auth (paramiko with a kb_handler, or an interactive terminal; plink with `-pw` fails). SSH to the WAN IP (98.190.129.150) is NOT accessible remotely from any tested location. Requires VPN to the LAN, on-site access, or the UCG cloud portal (unifi.ui.com).
- GuruRMM (external): https://rmm.azcomputerguru.com
- Vault paths:
  - `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER credentials (sysadmin) and UCG details (root, keyboard-interactive); raw secrets live in the vault entry, not here. Created during the 2026-05-10 recovered session.
  - `clients/peaceful-spirit/vpn.sops.yaml` — VPN PSK, pst-admin credentials, network details. Note: the pst-admin password was reset on 2026-05-22 and the new value exists only in the session logs; this vault entry needs updating.
Patterns & Known Issues
- Set-VpnConnection -L2tpPsk cannot run via RMM (SYSTEM context). Windows enforces interactive mode for PSK registration. An admin must run this command manually on each machine in an interactive session. This is a one-time setup step per machine. Exception: the `user_session` command context in GuruRMM (added post-2026-05-22) does allow it — validated on BridgettePSHomeComputer 2026-05-27.
- NRPT instead of VPN DNS suffix push. `Add-VpnConnectionTriggerDnsConfiguration` fails for AllUserConnection profiles. Use `Add-DnsClientNrptRule -Namespace ".peacefulspirit.local" -NameServers "192.168.0.2"` instead.
- cmdkey as SYSTEM for pre-login credential persistence. Machine credential store entries (cmdkey in SYSTEM context) are available at the Windows login screen; per-user cmdkey entries are not.
- Stale hosts file. During the 2026-05-22 on-site visit, MaraHomeNew (and likely other machines) had a stale hosts entry mapping PST-SERVER to 72.194.62.5 (Mara's router's bogus DNS response). This caused name resolution failures even with the VPN up. A GuruRMM cleanup script was deployed; verify no residual entries if name resolution issues recur. The hosts-file path encoding bug (the `driverstc` artifact) means the cleanup script may not have fully run on all machines.
- UCG iptables DNAT required — UniFi Traffic Rules are firewall-allow only, NOT DNAT. Port-forward rules must be placed via CLI in `/data/on_boot.d/10-vpn-portforward.sh` for persistence across reboots.
- UCG SSH unreachable from office WAN. All remote UCG administration must go through GuruRMM (for PST-SERVER) or the UniFi cloud portal (for the UCG itself). LAN SSH (192.168.0.10) requires keyboard-interactive auth — password auth via plink fails; use paramiko with a kb_handler or an interactive terminal.
- GuruRMM PowerShell invocation quirk. Running `command_type: powershell` fails on PST machines with "-OutputEncoding is not recognized." Use `command_type: cmd` and call `powershell.exe` explicitly within the script body.
- Machine cert template (PEACEFULSPIRIT-PST-SERVER-CA / Machine template). `msPKI-Certificate-Name-Flag` was changed from `0x18000000` to `0x1` (ENROLLEE_SUPPLIES_SUBJECT) on 2026-05-11. This is a domain-wide template change. New machine certs will use the CSR Subject/SAN rather than the submitting machine's AD DNS identity. RRAS UserAuthProtocolAccepted now includes Certificate (added 2026-05-11). Caveat: with Domain Computers holding Enroll/AutoEnroll on this template and RRAS accepting certificate authentication, any domain-joined machine can request a certificate naming whatever Subject/SAN it chooses; revert the flag (or require CA manager approval) once bootstrap enrollment is finished, and revisit this before the IKEv2 path is ever completed.
- OneDrive KFM on WSE folder-redirected profiles. Machines formerly managed by Windows Server Essentials had WSE-specific non-standard GUID variants in User Shell Folders (different from standard Known Folder GUIDs). Direct HKU writes alone do not clear the shell's internal known folder policy state — `SHSetKnownFolderPath` must be called with `flags=0` (not 0x4000) in user session context. If KFM still fails after registry cleanup, wipe the profile and redeploy with per-machine OneDrive (`/allusers`).
- pst-admin vs sysadmin distinction. `pst-admin` is a domain user (in WseRemoteAccessUsers, VPN-eligible). `sysadmin` is domain admin. Many early session failures were caused by using pst-admin credentials for domain admin operations.
- NPS grants VPN by WseRemoteAccessUsers group membership, not msNPAllowDialin alone. The NPS network policy condition is SID-based (WseRemoteAccessUsers, `...-1113`). A user with `msNPAllowDialin=TRUE` but not in the group will get error 812 (policy denial). Both attributes are required.
- cmdkey credential not used by rasdial for PPP auth. The machine-store cmdkey entry (target = server address) is NOT consulted for PPP authentication. No-arg `rasdial` calls send the wrong principal (SYSTEM → error 691; logged-in user without explicit credential → error 812). For non-interactive auto-connect, use the logon scheduled task approach (BridgetteSH) or the AllUserConnection cmdkey path (pst-admin machines).
- NAT-T registry key required on all client machines. `AssumeUDPEncapsulationContextOnSendRule=2` under `HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent` must be set AND the machine must be rebooted (IPsec caches the value at boot). BridgettePSHomeComputer was missing this key; error 809 until rebooted after setting it. Verify this key is present before troubleshooting any future VPN error 809.
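The patterns above each map a VPN error code to a specific misconfiguration (809 to the missing NAT-T key, 812 to the NPS group/dial-in inputs, 691 to a wrong or nonexistent principal, plus the stale hosts entry that breaks name resolution with the tunnel up). The following pre-flight check is an added example, not one of the site's own GuruRMM scripts; it runs on a domain-joined client and reports which of those conditions is present before anyone starts guessing. It queries AD through ADSI so it needs no RSAT module; the function name and its defaults (PST-SERVER, the 192.168.0.x prefix, WseRemoteAccessUsers, the profile name) are taken from this page, and the hosts path is built with `Join-Path` so no intermediate shell can swallow the `\e` in `drivers\etc` the way the documented `driverstc` bug did.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks for the failure modes catalogued in Patterns & Known Issues.
# 809 = no IKE response (NAT-T / DNAT), 812 = NPS policy denial, 691 = bad credentials.
function Test-PstVpnPrereqs {
    [CmdletBinding()]
    param(
        [string]$User       = $env:USERNAME,          # principal the connection will authenticate as
        [string]$Server     = 'PST-SERVER',
        [string]$LanPrefix  = '192.168.0.',
        [string]$VpnGroup   = 'WseRemoteAccessUsers',
        [string]$Connection = 'Peaceful Spirit VPN'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. NAT-T key: missing or wrong -> error 809 even when the UCG DNAT is correct.
    $pa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' -ErrorAction SilentlyContinue
    if ($pa.AssumeUDPEncapsulationContextOnSendRule -ne 2) {
        $findings.Add('809 risk: PolicyAgent\AssumeUDPEncapsulationContextOnSendRule is not 2 (set it and reboot)')
    }

    # 2. Stale hosts entry for the DC pointing outside the office LAN.
    #    Join-Path keeps the literal backslashes intact (no "\e" escape processing).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $dcRegex = "^\s*(?!#)(\S+)\s+.*\b$([regex]::Escape($Server))\b"
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match $dcRegex -and $Matches[1] -notlike "$LanPrefix*" } |
        ForEach-Object { $findings.Add("Stale hosts entry: '$($_.Trim())' (DC lives in ${LanPrefix}0/24)") }

    # 3. NPS inputs: direct group membership AND the dial-in flag (both are required per NPS policy).
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$User))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('memberOf', 'msNPAllowDialin')) | Out-Null
    $acct = $searcher.FindOne()
    if (-not $acct) {
        $findings.Add("691 risk: no domain account '$User' (typo? e.g. apst-admin vs pst-admin)")
    } else {
        $inGroup = @($acct.Properties['memberof']) -match "^CN=$([regex]::Escape($VpnGroup)),"
        if (-not $inGroup) { $findings.Add("812 risk: $User is not a direct member of $VpnGroup") }
        if ("$($acct.Properties['msnpallowdialin'])" -ne 'True') {
            $findings.Add("812 risk: msNPAllowDialin is not TRUE for $User")
        }
    }

    # 4. The profile must be AllUserConnection for rasdial / cmdkey-at-logon paths to see it.
    if (-not (Get-VpnConnection -Name $Connection -AllUserConnection -ErrorAction SilentlyContinue)) {
        $findings.Add("No AllUserConnection profile named '$Connection' on this machine")
    }

    [pscustomobject]@{
        User     = $User
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: Test-PstVpnPrereqs -User pst-admin | Format-List
```

Run it as the principal the connection will actually use (`-User pst-admin` on Mara's machines, the signed-in account on BridgettePSHomeComputer). Nested membership via Domain Admins is not resolved by the `memberOf` check, so a Domain Admins member will show an 812 finding that can be ignored; everything else in `Findings` is a concrete fix, and a `Ready` result means the remaining suspects are the UCG DNAT rules or the PSK.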
Active Work
As of 2026-05-27 session end:
- VPN rollout: COMPLETE. All four machines (MaraHomeNew, Maras-HP-Laptop, PST-SURFACE, BridgettePSHomeComputer) have working L2TP/IPsec VPN.
- Vault update needed: the pst-admin password was reset on 2026-05-22; vault entry `clients/peaceful-spirit/vpn.sops.yaml` needs updating. (The 2026-05-27 session confirmed no SOPS entry existed for the PSK/pst-admin at that time — secrets only in session logs.)
- Parity decision deferred: Mara's 3 machines connect as shared `pst-admin`; BridgetteSH connects as her own domain account via SSO. Consider aligning all to per-user auth (cleaner audit trail) or aligning Bridgette to `pst-admin`.
- Pre-login VPN verification: Confirmed working on MaraHomeNew via rasdial. Maras-HP-Laptop and PST-SURFACE need verification at the Windows login screen specifically.
- Hosts file cleanup verification: The GuruRMM cleanup script had a path encoding bug (`driverstc` instead of `drivers\etc`) — DNS was flushed but hosts entries may not have been removed on all machines. Verify if name resolution issues recur.
- PST-SERVER temp file cleanup: in `C:\ProgramData\`: gen_certs.ps1, fix_acl.ps1, acl_result.txt, verify_acl.ps1, acl_verify.txt, and all *.inf, *.req, *.cer, *.pfx files. Also remove temporary firewall rules TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535).
- Machine cert VPN path (IKEv2) — deferred. Machine certs were generated for MaraHomeNew (D067E07B), Maras-HP-Laptop (4CADDE8F, CA RequestId 66), and PST-SURFACE (197FF22A, CA RequestId 67) and PFXs were created (PFX password: see session logs, not on this page). This IKEv2 machine-cert approach was superseded by the L2TP/RRAS decision on 2026-05-22. The certs and PFXs remain on PST-SERVER and DESKTOP-0O8A1RL — determine whether the IKEv2 path should be completed, abandoned, or the certs revoked.
- Auto-connect task on BridgettePSHomeComputer: Validated via `Start-ScheduledTask`; not yet observed through an actual sign-in cycle.
History Highlights
| Date | Event |
|---|---|
| 2026-05-10 | GuruRMM agent installed on PST-SERVER. UCG-PST-CC reconfigured for IKEv2 in prior (unlogged) session. IKEv2 error 812 diagnosed — NPS rejecting nonexistent user apst-admin (typo in stored credential). NPS order-0 test policy (PST-VPN-Test) added. Credential Manager corrected on DESKTOP-0O8A1RL. |
| 2026-05-10 | GuruRMM agents enrolled on MaraHomeNew, Maras-HP-Laptop, PST-SURFACE. AllUserConnection IKEv2 "Peaceful Spirit VPN" profiles deployed to all three Mara machines. |
| 2026-05-11 AM | PST-VPN-Test NPS policy removed. AutoEnroll ACL on Machine cert template fixed (Domain Computers, sysadmin scheduled task). Catch-22 identified: machine cert enrollment requires LAN access which requires a cert. OpenVPN on MaraHomeNew chosen as bootstrap path. |
| 2026-05-11 PM | Machine cert auth working on MaraHomeNew. Win32-OpenSSH installed on PST-SERVER. msPKI-Certificate-Name-Flag changed to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). RRAS UserAuthProtocolAccepted updated to include Certificate. PFX certs generated for Maras-HP-Laptop and PST-SURFACE. |
| 2026-05-11 PM | Maras-HP-Laptop: OneDrive KFM "Capabilities: 0x101" error troubleshooting. WSE non-standard GUID variants in User Shell Folders identified and corrected. Shell Folders cache directly updated via SYSTEM/HKU. SHSetKnownFolderPath flags=0x4000 bug identified (root cause of all prior script failures). |
| 2026-05-11 Evening | pst-admin profile on Maras-HP-Laptop wiped entirely (WMI). Per-machine OneDrive deployed. "Block New Outlook" GPO created and linked to domain root. |
| 2026-05-22 | L2TP/IPsec VPN successfully deployed to MaraHomeNew, Maras-HP-Laptop, PST-SURFACE during on-site visit at Mara's house. UCG-hosted strongSwan/xl2tpd abandoned; RRAS on PST-SERVER became the VPN endpoint. UCG DNAT rules created for UDP 500/4500/ESP. Stale hosts file entries removed. pst-admin and mara passwords reset to a shared new value (recorded in session logs; vault update pending). BridgettePSHomeComputer offline — VPN pending. |
| 2026-05-27 | BridgettePSHomeComputer VPN deployed fully remotely via GuruRMM user_session context (no on-site visit). L2TP PSK set remotely. BridgetteSH added to WseRemoteAccessUsers and granted msNPAllowDialin. Logon scheduled task created for auto-connect. VPN rollout complete across all four machines. |
| 2026-06-01 | Crashed 2026-05-10 session transcript (9700a3c6) recovered by the auto-reconstructor. Primary-source log saved as clients/peaceful-spirit/session-logs/2026-05-10-recovered-setup-radius-authentication-for-vpn-access.md, cross-linked with the manual 2026-05-10-session.md. Covers UCG SSH key generation, paramiko tunneling, RADIUS/NPS extraction, and vault server.sops.yaml creation. |
Backlinks
- projects/gururmm — PST-SERVER, MaraHomeNew, Maras-HP-Laptop, PST-SURFACE, BridgettePSHomeComputer enrolled (site: Country Club)