Hello guys,
I am new for opnsense and this is my first topic.
I was using CP firewall for a long time(maybe 8 years), when I played VM and installed the opnsense, I found it's amazing and powerful...
Now I am planning to replace the CP, the opnsense now is all-in-one 8) FW,VPN,DNS,AD-BLOCK,AV,PROXY... and one more important thing is that I can easily customize all the settings :D
And I do need some advice on two difficult problem. The first is about certificate, I set a windowd AD CA to the Authorities and issued some certificates from the AD CA, configured the openvpn to use windows AD users auth + certificate, it works perfectly. But the CRL makes me crazy :( the windows CA CRL published every 7 days, so I need to update the CRL data in opnsense every week. I'd like to ask if there is any way to set up the opnsense auto download the CRL?
The second is about web proxy, the parent proxy feature setting is not what I want, this settings allow all traffic to the parent proxy exclude the local domain or IPs, but I want to invert this, I only want some domains or IPs going to the parent proxy. My question is if I make changes to the config file '/usr/local/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf' , will it be overwrite in the next packages update? Is there a better way to keep the file persistence?
Thanks and good day!
hello wincent,
Can't give you a full answer right now, but I can give a couple of hints of how to do it.
QuoteI'd like to ask if there is any way to set up the opnsense auto download the CRL?
- Setup Windows to export the CRL to a share, FTP/HTTP server periodically.
- Grab the CRL with tools like wget, smbget, CURL, etc (Opnsense is based on freeBSD so search how to install the required package)
- Add a cron job that imports the CRL every week
QuoteIs there a better way to keep the file persistence?
templates overrides persist over updates but they are harder to configure and if your override wasn't compatible with the new update -for example the new squid version deprecated a configuration directive ex: cache_peer - then it'll most likely break.
Opnsense provide three directories that are included in squid.conf and doesn't get overwritten by updates:
- /usr/local/etc/squid/pre-auth
- /usr/local/etc/squid/auth
- /usr/local/etc/squid/post-auth
you can drop a conf file in these directories and they will persist (you need too back them manually tho, with a cron job, or better yet use a configuration management software)
ps: parent proxy is called cache_peer in squid's docs.
hello Amr,
Thanks for your hints.
Quote
- Setup Windows to export the CRL to a share, FTP/HTTP server periodically.
- Grab the CRL with tools like wget, smbget, CURL, etc (Opnsense is based on freeBSD so search how to install the required package)
- Add a cron job that imports the CRL every week
Yes, I added a CRL distribution point for Microsoft CA and used IIS to expose the CRL file, on Opnsense created a sh script CURL update the '/var/etc/openvpn/server1.crl-verify' file, good for me now ;D
Quoteyou can drop a conf file in these directories and they will persist
Looks like that's the way, will do it manually and make a backup before packages update!
Thanks again!