OPNsense Forum

English Forums => General Discussion => Topic started by: wewall on April 03, 2022, 06:50:08 PM

Title: Firmware update via OpenVPN interface?
Post by: wewall on April 03, 2022, 06:50:08 PM
How can I set OpnSense to use only one given OpenVPN interface to make firmware updates?
Title: Re: Firmware update via OpenVPN interface?
Post by: zerwes on April 04, 2022, 09:17:57 AM
do you mean via in terms of routing (just fetch the packages via the openvpn interface in question) or in terms of accessing the opnsense device only from that interface?
Title: Re: Firmware update via OpenVPN interface?
Post by: wewall on April 04, 2022, 08:06:21 PM
Quote from: zerwes on April 04, 2022, 09:17:57 AM
do you mean via in terms of routing (just fetch the packages via the openvpn interface in question) or in terms of accessing the opnsense device only from that interface?

I would like to fetch the packages via an OpenVPN interface without setting this interface as the default route.
Title: Re: Firmware update via OpenVPN interface?
Post by: zerwes on April 05, 2022, 08:11:48 AM
So you need a route for the pkg mirror. Steps:

  • configure the desired openvpn interface (if not yet done) iface->assignments + iface config
  • configure a gateway on the ovpn interface
  • choose a fixed mirror (one that is not resolving to multiple IP addresses in different networks)
  • create a route matching the mirror address and choosing the created ovpn gateway
Title: Re: Firmware update via OpenVPN interface?
Post by: wewall on April 05, 2022, 12:24:23 PM
Quote from: zerwes on April 05, 2022, 08:11:48 AM
So you need a route for the pkg mirror. Steps:

  • configure the desired openvpn interface (if not yet done) iface->assignments + iface config
  • configure a gateway on the ovpn interface
  • choose a fixed mirror (one that is not resolving to multiple IP addresses in different networks)
  • create a route matching the mirror address and choosing the created ovpn gateway

Your suggestion sounds good but unfortunately doesn't work in practice.
I've tested it with Deciso's commercial mirror (https://opnsense-update.deciso.com).
I think there are 2 reasons why your suggestion does not work:

1) SSL certificate errors.

2) If I set the IP (178.162.136.178) of the mirror here: 'System/Firmware/Settings/Mirror/other' it is not possible to set my subscription code. So I get authentication errors.

Log of the firmware update:

Fetching changelog information, please wait... SSL certificate subject doesn't match host 178.162.136.178
fetch: https://178.162.136.178/${SUBSCRIPTION}/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
pkg: https://178.162.136.178/${SUBSCRIPTION}/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
pkg: https://178.162.136.178/${SUBSCRIPTION}/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


Any suggestion?
Title: Re: Firmware update via OpenVPN interface?
Post by: Patrick M. Hausen on April 05, 2022, 12:39:24 PM
Don't set the IP of the mirror. Set the mirror the regular way, but lookup the IP and route the IP through your VPN tunnel. That's all.

May I ask WHY you want to do this?
Title: Re: Firmware update via OpenVPN interface?
Post by: wewall on April 05, 2022, 01:16:28 PM
Quote from: pmhausen on April 05, 2022, 12:39:24 PM
Don't set the IP of the mirror. Set the mirror the regular way, but lookup the IP and route the IP through your VPN tunnel. That's all.

And how could I set a fixed IP for the mirror (opnsense-update.deciso.com)? Unbound DNS/Overrides?
Otherwise, if I did not set a fixed IP for the mirror, I would have to look up the IP every time before I start the update process to be sure it had not changed.


Quote from: pmhausen on April 05, 2022, 12:39:24 PM
May I ask WHY you want to do this?

Since a subscription code is associated with identification information I think it is good privacy and security practice to use random IPs to fetch firmware updates with a given subscription code.
Title: Re: Firmware update via OpenVPN interface?
Post by: Patrick M. Hausen on April 05, 2022, 01:28:44 PM
We assume that the IP for a given mirror will remain constant for months if not years.

And I honestly don't get your privacy concerns. The mirror operator will know that "user with subscription X" has downloaded "stuff" - so? Your IP address magic doesn't change that.

And outside adversaries will not be able to sniff your subscription - the updates are pulled over TLS.
Title: Re: Firmware update via OpenVPN interface?
Post by: wewall on April 05, 2022, 02:32:10 PM
Quote from: pmhausen on April 05, 2022, 01:28:44 PM
And I honestly don't get your privacy concerns.

That's exactly why I didn't even bring up this topic myself.
I just wanted to be polite so I answered your question.
Everyone has a different level of sensitivity to privacy/security.
Title: Re: Firmware update via OpenVPN interface?
Post by: zerwes on April 05, 2022, 07:57:47 PM
as already stated: assumption is that the IP of a given mirror will stay fixed
$ dig +noall +answer opnsense-update.deciso.com
opnsense-update.deciso.com. 898   IN   A   178.162.136.178

So the IP should be used for the routing

But to be honest, I would not use this for the reason you mentioned.
I can imagine other scenarios where this might be worthwhile or even necessary, but if you do not trust Deciso in terms of privacy, you should not trust the packages you fetch from there ...
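The approach the thread settles on (keep the mirror configured by hostname so TLS certificate verification keeps working, and add a host route for the mirror's IP via the OpenVPN gateway) has one maintenance risk that wewall raised: if the mirror's A record ever changes, the new address silently falls back to the default route. The following script is an added example, not code from the OPNsense project or from anyone in this thread. It resolves the mirror name, matches each address against a FreeBSD-style `netstat -rn` routing table with a longest-prefix lookup, and reports any address whose best route does not use the VPN gateway. The routing table in `SAMPLE_ROUTES`, the gateway `10.8.0.1`, the interface name `ovpnc1` and all function names are constructed assumptions for the example; the only page-sourced values are the mirror hostname and the address from zerwes' dig output.

```python
"""Check that every address the OPNsense mirror resolves to is routed via the VPN gateway.

Added example (not OPNsense code). Run on the firewall as
    netstat -rn -f inet | python3 check_mirror_route.py
or without stdin to use the constructed sample table below.
"""
import ipaddress
import socket
import sys

MIRROR_HOST = "opnsense-update.deciso.com"   # from the thread; keep the hostname in the mirror setting
VPN_GATEWAY = "10.8.0.1"                      # assumed gateway address on the OpenVPN interface

# Constructed sample of `netstat -rn -f inet` output on a FreeBSD-based firewall.
# The /32 host route for the mirror IP (from zerwes' dig output) points at the VPN gateway.
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
127.0.0.1          link#2             UH          lo0
178.162.136.178/32 10.8.0.1           UGS      ovpnc1
192.0.2.0/24       link#1             U           em0
"""


def parse_routes(netstat_output):
    """Return a list of (network, gateway, netif) tuples from netstat -rn text."""
    routes = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # banner, blank and header lines
        dest, gateway, _flags, netif = parts[:4]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:
            continue  # rows whose destination is not a prefix or address
        routes.append((net, gateway, netif))
    return routes


def lookup_route(routes, ip):
    """Longest-prefix match: the route the kernel would pick for this destination."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def resolve_all(host):
    """Every IPv4 address the name currently resolves to (live DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})


def check_mirror(host, routes, vpn_gateway, resolver=resolve_all):
    """Map each resolved mirror address to True if its best route uses the VPN gateway."""
    result = {}
    for ip in resolver(host):
        route = lookup_route(routes, ip)
        result[ip] = route is not None and route[1] == vpn_gateway
    return result


def uncovered(result):
    """Addresses that would leave via some other path (the drift condition to alert on)."""
    return sorted(ip for ip, ok in result.items() if not ok)


if __name__ == "__main__":
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTES
    routes = parse_routes(table)
    try:
        status = check_mirror(MIRROR_HOST, routes, VPN_GATEWAY)
    except socket.gaierror as exc:
        sys.exit(f"DNS lookup for {MIRROR_HOST} failed: {exc}")
    for ip, ok in status.items():
        print(f"{ip}: {'via VPN gateway' if ok else 'NOT via VPN gateway'}")
    sys.exit(1 if uncovered(status) else 0)
```

Running this from cron before the firmware check turns the "look up the IP every time" chore into an automated alert: a non-zero exit means the static route no longer covers what the name resolves to, and the update would go out the default route unnoticed.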