OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: comet on April 15, 2018, 02:11:30 am

Title: New install, having problems with WiFi and OpenVPN
Post by: comet on April 15, 2018, 02:11:30 am
Hello.  Today I installed OPNsense on a QOTOM Q330G4 (like one of these on Amazon's site (https://www.amazon.com/Barebone-Industrial-Gateway-Firewall-pfSense/dp/B06ZYG5ZQX)) but I am having two issues.

First, I cannot get the WiFi to work, it does not seem to be recognized by OPNsense.  I opened it up and the chip inside is a Broadcom model BCM943228HM4L (FCC ID: QDS-BRCM1054).  Do I need to load a driver of some kind, and if so, how?  This FreeBSD man page (https://www.freebsd.org/cgi/man.cgi?bwn(4)) seems to indicate that a Broadcom driver is available but I see no way to get it into OPNsense, even if that would fix the problem.  If there is no way possible to make this work, is there any replacement that is known to work with OPNsense?  Physically it looks like this: (http://oi68.tinypic.com/728u4k.jpg)

EDIT (the next day): Tried temporarily replacing that module with a similar Atheros module pulled from an old Acer Aspire Revo R3610.  It works and OPNsense recognizes it, but had to follow the instructions in this pfSense video (https://www.youtube.com/watch?v=52xEkwfuFfo) (starting at around the 18:30 mark) to get it to work. Naturally what you see there is not exactly what you see in OPNsense, in particular when you do the part of the setup from terminal window there is an initial question about DHCP that is not shown in the video, and you have to answer "no" to that.  Also found I got the best speed selecting 802.11g as the standard (802.11ng was considerably slower).  Note that if you have already created a wireless interface and you cannot go out to the Internet then you have to delete everything you added regarding wireless and completely start over, following the instructions in the video.  For me, at least, trying to set it up using just the Web GUI did not work - devices could connect but could not reach the Internet (I even tried the trick of bridging the Wireless and LAN interfaces and that did not work). YMMV, I am just saying what worked for me.  This probably isn't a long term solution, due to the age of the module and the apparent fact that it doesn't seem to support 802.11n. (End of edit)

Is there any page that lists what WiFi cards will work with OPNsense?  There are pages that list cards that are supported by FreeBSD but it appears that in at least some cases you have to specify which drivers are included when FreeBSD is built, so therefore my assumption is that I need to know what cards are actually supported by OPNsense (since I'm not building FreeBSD from scratch).

The other issue is that I tried to set up an OpenVPN server using the wizard, and everything seemed to be going smoothly until I tried to generate the client.ovpn file that will be used at the remote location.  I went to VPN: OpenVPN: Client Export and under Client Install Packages it shows my User Name and Certificate Name but when I click the Export dropdown and select "File Only" it returns this error:

"The following input errors were detected:

    Could not locate the CA reference for the server certificate.
    Failed to export config files!"

If I go to System: Trust: Certificates it shows two certificates, a "Web GUI SSL certificate" which is shown as in use by Web GUI and OpenVPN Server, and a cert with a name that matches the user name I created and is shown as in use by "User Cert".  So I am confused - is there supposed to be yet a third certificate, and if so, what might I have done wrong in the wizard?  Are there any more up-to-date instructions that show how to use the OpenVPN wizard properly to get this to work?

Under OpenVPN servers my settings are these:

General information:
Disabled    (unchecked)
Description    VPN
Server Mode    Remote Access (SSL/TLS + User Auth)
Backend for authentication    Local Database
Enforce local group    (none)
Protocol    UDP
Device Mode    tun
Interface    WAN
Local port    1194

Cryptographic Settings:
TLS Authentication    
Enable authentication of TLS packets. (checked)
(A 2048 bit OpenVPN static key is shown in the text box)
Peer Certificate Authority    VPN Certificate
Peer Certificate Revocation List    VPN Certificate (VPN Certificate)
Server Certificate    Web GUI SSL certificate *In Use
DH Parameters Length    4096 bits
Encryption algorithm    AES-192-CBC (192 bit key, 128 bit block)
Auth Digest Algorithm    SHA256 (256-bit)
Hardware Crypto    No Hardware Crypto Acceleration
Certificate Depth    One (Client+Server)
Strict User/CN Matching    (unchecked)

I believe the tunnel and client settings were left at the defaults.

If you see anything in those settings that might cause this issue please let me know.

What I am trying to do is not exactly covered by either of your tutorials, "Setup SSL VPN Road Warrior (https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html)" or "Setup SSL VPN site to site tunnel (http://wiki.opnsense.org/manual/how-tos/sslvpn_s2s.html)".  Besides the fact that both seem to have been written for older versions of OPNsense that do not include the "wizard", neither covers my situation exactly.  The first seems to require the use of two-factor authentication, and the second seems to want to set up a peer-to-peer setup where users on either network can interact with the other.  What I want to do is more like a site-to-site tunnel except that I only want it to work in one direction, in other words I want to be able to come in remotely from one fixed location (always the same machine at the same IP address) and connect to the VPN server on the router, but I do NOT want users on the local network on the OPNsense router to be able to access the remote network.  But also, I need it set up so the remote end can log in automatically with just the .ovpn file and a username and password. 2-factor authentication is not required nor desired in this case.
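Added example (not part of comet's post or of OPNsense's own code): the error text says the exporter could not find a CA reference for the selected server certificate, and the settings show the self-signed "Web GUI SSL certificate" selected as the server certificate while "VPN Certificate" is the peer CA. The script below reproduces that check with plain openssl: it builds a throwaway CA, issues a server and a client certificate from it, creates a self-signed certificate in the role of the Web GUI one, and shows which of them chain to the CA. It then assembles the kind of inline profile a "File Only" export produces for the settings in the post (UDP/1194, tun, AES-192-CBC, SHA256, username+password). The subject names, the hostname vpn.example.net and the file layout are assumptions; the tls-auth block is left out because generating the static key needs the openvpn binary.

```shell
#!/bin/sh
# Added example, not from the forum post. Subject names, hostname and
# file layout below are assumptions chosen for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A private CA standing in for "VPN Certificate" from the server settings.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=VPN Certificate" 2>/dev/null
}

# Issue a certificate with CN=$1 from that CA, written to $WORK/$2.{key,crt}.
issue_from_ca() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/$2.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# A self-signed certificate like the default "Web GUI SSL certificate":
# no CA in the trust store issued it, so there is no CA reference to find.
make_self_signed_webgui_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/webgui.key" -out "$WORK/webgui.crt" \
    -subj "/CN=OPNsense Web GUI" 2>/dev/null
}

# Does the certificate in $2 chain to the CA in $1?  Prints yes/no and
# returns 0/1: the answer an exporter needs before it can pick the <ca>
# block to embed in client.ovpn.
chains_to_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo yes; return 0
  else
    echo no; return 1
  fi
}

# Assemble an inline profile matching the post's server settings.
# Server has TLS Authentication checked, so a real export would also carry
# "key-direction 1" and a <tls-auth> block with the server's static key.
write_client_ovpn() {
  {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
cipher AES-192-CBC
auth SHA256
verb 3
EOF
    echo "<ca>";   cat "$WORK/ca.crt";     echo "</ca>"
    echo "<cert>"; cat "$WORK/client.crt"; echo "</cert>"
    echo "<key>";  cat "$WORK/client.key"; echo "</key>"
  } > "$WORK/client.ovpn"
}

make_ca
issue_from_ca "vpn.example.net" server
issue_from_ca "remote-site-user" client
make_self_signed_webgui_cert
write_client_ovpn

echo "server.crt chains to VPN CA: $(chains_to_ca "$WORK/ca.crt" "$WORK/server.crt" || true)"
echo "webgui.crt chains to VPN CA: $(chains_to_ca "$WORK/ca.crt" "$WORK/webgui.crt" || true)"
echo "profile written to $WORK/client.ovpn"
```

The first check succeeds and the second fails, which is the distinction the exporter's error is reporting: a server certificate selected for the OpenVPN server needs to have been issued by the CA chosen as the peer CA, not self-signed. The `auth-user-pass` line is what makes the remote end log in with a username and password on top of the certificate.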