Topics - klausagnoletti

#1
24.7, 24.10 Legacy Series / Failed upgrade to 24.7
September 09, 2024, 01:10:04 PM
I was running behind on updates on my firewall because of some restarting issues and it being remote etc. So I ended up doing 5-6 upgrades in a row.

That turned out to be a little problematic as I experienced weird errors like forgetting default route (which sucks on a remote firewall), deciding to ignore geom raid and just use one disk instead..

All of those are manageable so don't worry. The reason why I'm posting is that I can't upgrade to 24.7. I get the following message in the console after the upgrade has been initiated:

Version number mismatch, aborting.
Kernel: 13.2
Base: 14


After that, the box boots up and keeps spitting out error messages like these:
KLD nullfs.ko: depends on kernel - not available or version mismatch
linker_load_file: /boot/kernel/nullfs.ko - unsupported file type
KLD nullfs.ko: depends on kernel - not available or version mismatch
linker_load_file: /boot/kernel/nullfs.ko - unsupported file type


Fortunately, after a while where it keeps saying that another process is trying to update the repository, it downgrades and the kernel/userland mismatch error messages stop and my firewall is working as it should(ish). And if I restart the upgrade, the same happens.

So unfortunately rolling back doesn't solve the problem.

Any ideas? I understand the problem but not why it has surfaced or how I should fix it.

I have a video that shows the entire boot process, screenshots of the error messages etc. if needed.

Thanks
#2
I have two OPNsense firewalls. One is 22.1.8_1 and one is 21.7.8. On the first one my OpenVPN logs are prepended with <29>1 if I ssh to it and print the file raw. On the other one there's nothing weird looking with any of the log files. Why? And how do I fix it? I need my log files parsed by CrowdSec as I am building a parser for those files and looking like that they won't parse.

<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="1"] MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="2"] MANAGEMENT: CMD 'status 2'
<29>1 2022-06-15T00:00:52+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="3"] MANAGEMENT: CMD 'quit'
<29>1 2022-06-15T00:00:52+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="4"] MANAGEMENT: Client disconnected
<29>1 2022-06-15T00:01:54+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="1"] MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock

Thanks for any help.
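The prefix in the lines above is an RFC 5424 syslog header: `<29>` is the PRI field (facility 3 = daemon, severity 5 = notice), `1` is the protocol version, followed by timestamp, hostname, app name, process id, message id (`-`) and the structured-data element `[meta sequenceId="..."]` before the actual message. The following is an added example, not code from the original post, from OPNsense or from CrowdSec: a small parser that decodes that header and reduces each line to the bare message, which is the form the 21.7 box writes. SAMPLE_RFC5424 is copied from the post; SAMPLE_PLAIN is a constructed header-less line.

```python
"""Decode the RFC 5424 syslog header OPNsense 22.x writes in front of
OpenVPN log entries and reduce each line to its bare message.

Added example for this thread, not code from OPNsense or CrowdSec.
SAMPLE_RFC5424 is taken from the post; SAMPLE_PLAIN is a constructed
line in the header-less form the 21.7 box writes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Note: the SD pattern does not handle an escaped "\]" inside a param value.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# One name="value" parameter inside a structured-data element.
SD_PARAM = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')

# PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    message: str = ""


def parse_structured_data(sd: str) -> Dict[str, Dict[str, str]]:
    """Turn '[meta sequenceId="1"][x a="b"]' into {'meta': {'sequenceId': '1'}, 'x': {'a': 'b'}}."""
    if sd == "-":
        return {}
    result: Dict[str, Dict[str, str]] = {}
    for element in re.findall(r"\[([^\]]*)\]", sd):
        sd_id, _, params = element.partition(" ")
        result[sd_id] = {name: value for name, value in SD_PARAM.findall(params)}
    return result


def parse_syslog(line: str) -> Optional[SyslogRecord]:
    """Return the decoded record, or None if the line carries no RFC 5424 header."""
    m = RFC5424.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7; anything larger is not a valid PRI
        return None
    return SyslogRecord(
        facility=FACILITIES.get(pri >> 3, str(pri >> 3)),
        severity=SEVERITIES[pri & 7],
        timestamp=m["timestamp"],
        host=m["host"],
        app=m["app"],
        procid=m["procid"],
        msgid=m["msgid"],
        structured_data=parse_structured_data(m["sd"]),
        message=m["msg"] or "",
    )


def strip_header(line: str) -> str:
    """Return only the MSG part; lines without an RFC 5424 header pass through unchanged."""
    rec = parse_syslog(line)
    return rec.message if rec is not None else line


def normalize(lines: List[str]) -> List[str]:
    """Reduce a mixed batch of log lines to bare messages."""
    return [strip_header(line) for line in lines]


# Lines quoted in the post (22.1.8_1 box).
SAMPLE_RFC5424 = [
    '<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="1"] '
    "MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock",
    '<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="2"] '
    "MANAGEMENT: CMD 'status 2'",
    '<29>1 2022-06-15T00:00:52+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="3"] '
    "MANAGEMENT: CMD 'quit'",
]
# Constructed: the header-less form the 21.7.8 box writes.
SAMPLE_PLAIN = "May 19 23:50:20 openvpn[96107]: MANAGEMENT: Client disconnected"

if __name__ == "__main__":
    for line in SAMPLE_RFC5424 + [SAMPLE_PLAIN]:
        rec = parse_syslog(line)
        if rec is None:
            print("no RFC 5424 header:", line)
        else:
            seq = rec.structured_data.get("meta", {}).get("sequenceId")
            print(f"{rec.facility}.{rec.severity} {rec.app}[{rec.procid}] seq={seq}: {rec.message}")
```

Feeding the output of `normalize()` to a parser written for the older format gives the same message text on both boxes; if the parser should instead keep the extra context, the `SyslogRecord` fields carry the facility, severity, process id and sequence number the header adds.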
#3
General Discussion / Persistent ssh key login?
February 04, 2022, 09:02:53 AM
I guess this is unrelated to which version of OPNsense but I want to know how I can ssh using an ssh key to OPNsense in a persistent way.

When I copy the public key via ssh-copy-id it stops working at some point; sometimes after an upgrade - other times right away. And I simply don't get it.

What do I do?

Thanks

/klaus
#4
I just installed my new firewall on an aging Core i5 Dell workstation and put in a quad NIC based on Intel e1000. I don't think this has very much to do with the hardware, but whatever..

Anyways, I can't access SSH or HTTPS via WAN. I have enabled the services and sockstat says that the box listens on all interfaces on port 22 and 443 respectively. I have allowed the traffic and enabled logging. I can see in the log that my connection is allowed by the firewall. But I can't connect via either service. And honestly, I don't get it. To me, it defies logic. So I have no idea what the problem is and why it doesn't work.

Does anyone have an idea before I go out of my mind?

Thanks

/Klaus
#5
19.7 Legacy Series / Trouble with DHCPD
September 16, 2019, 10:38:40 PM
Hi
I've had my OPNsense for a couple of years now, updated it regularly. After I changed the network so that the (not really physical) VLAN is now part of a bridge (I renamed the old interface, added the bridge and added the old interface to that bridge), weird stuff has started to happen:
- Some leases I can't delete or edit
- Some leases don't show up in the list. Example: I made a DHCP lease for my iPad to 10.20.30.60. That lease is inactive; instead the DHCP server assigned 10.20.30.115 to my iPad and doesn't show it on the list (it is in the dhcp log though).

Pretty freaking weird, I'd say. How do I fix it? Can I reset the dhcpd configuration (and only that?) or can I do something in the shell?

Thanks for any suggestions

/klaus
#6
Hi

After upgrading to 18.1.8 one of my OpenVPN site-to-site tunnels no longer comes up. On the connection status page in OPNsense, it's in status waiting:

Name   Remote Host   Virtual Addr   Connected Since   Bytes Sent   Bytes Received   Status   
Box Server VPN UDP:1194      10.100.100.1   2018-05-19 23:28:56   0 bytes   0 bytes   waiting   

Remote site is running Debian Linux. Remote networks are 10.20.40.0/24 and 172.40.172.0/24 - 10.100.100.1 is tunnel interface ip on fw, 10.100.100.2 is remote tunnel ip (on client side)

OPNsense WAN IP is 10.49.141.2 (don't ask)


Tunnel is configured more or less like in the manual: https://wiki.opnsense.org/manual/how-tos/sslvpn_s2s.html

OPNsense log:
May 19 23:50:20   openvpn[96107]: MANAGEMENT: Client disconnected
May 19 23:50:20   openvpn[96107]: MANAGEMENT: CMD 'state all'
May 19 23:50:20   openvpn[96107]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
May 19 23:50:14   openvpn[96107]: UDPv4 link remote: [AF_UNSPEC]
May 19 23:50:14   openvpn[96107]: UDPv4 link local (bound): [AF_INET]172.30.172.1:1194
May 19 23:50:14   openvpn[96107]: Socket Buffers: R=[42080->42080] S=[57344->57344]
May 19 23:50:14   openvpn[96107]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 19 23:50:14   openvpn[96107]: /sbin/route add -net 172.40.172.0 10.100.100.2 255.255.255.0
May 19 23:50:14   openvpn[96107]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
May 19 23:50:14   openvpn[96107]: /sbin/route add -net 10.20.40.0 10.100.100.2 255.255.255.0
May 19 23:50:14   openvpn[96107]: /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup ovpns1 1500 1605 10.100.100.1 10.100.100.2 init
May 19 23:50:14   openvpn[96107]: /sbin/ifconfig ovpns1 10.100.100.1 10.100.100.2 mtu 1500 netmask 255.255.255.255 up
May 19 23:50:14   openvpn[96107]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 19 23:50:14   openvpn[96107]: TUN/TAP device /dev/tun1 opened
May 19 23:50:14   openvpn[96107]: TUN/TAP device ovpns1 exists previously, keep at program end
May 19 23:50:14   openvpn[96107]: ROUTE_GATEWAY 10.49.141.1/255.255.255.0 IFACE=vtnet0 HWADDR=86:5f:50:ed:2a:0e
May 19 23:50:14   openvpn[96107]: Incoming Static Key Encryption: Using 512 bit message hash 'SHA512' for HMAC authentication
May 19 23:50:14   openvpn[96107]: Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
May 19 23:50:14   openvpn[96107]: Outgoing Static Key Encryption: Using 512 bit message hash 'SHA512' for HMAC authentication
May 19 23:50:14   openvpn[96107]: Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
May 19 23:50:14   openvpn[96107]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 19 23:50:14   openvpn[96107]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
May 19 23:50:14   openvpn[95869]: library versions: LibreSSL 2.6.4, LZO 2.10
May 19 23:50:14   openvpn[95869]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 16 2018

Client log reveals absolutely nothing:
May 19 23:57:06 box ovpn-fw-udp-1194[3138]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
May 19 23:57:06 box ovpn-fw-udp-1194[3138]: WARNING: file 'fw-udp-1194.secret' is group or others accessible
May 19 23:57:06 box ovpn-fw-udp-1194[3138]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
May 19 23:57:06 box ovpn-fw-udp-1194[3138]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: TUN/TAP device tun0 opened
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: /sbin/ip link set dev tun0 up mtu 1500
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: /sbin/ip addr add dev tun0 local 10.100.100.2 peer 10.100.100.1
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.49.141.2:1194
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: UDP link local (bound): [AF_INET][undef]:1194
May 19 23:57:06 box ovpn-fw-udp-1194[3139]: UDP link remote: [AF_INET]10.49.141.2:1194

In all honesty, I have no idea WTF is going on since literally the only change I have done in this setup is the OPNsense update. The only obvious error is the route add that fails. It's weird that it does - and I don't get if that should prevent the tunnel from coming up. I can't ping any devices on either of the remote networks.

Can anyone please help me before I go nuts?

Thanks,

/klaus
#7
Hi

I installed OPNsense on a NUC PC with VLAN and stuff a month ago or something like that. I 'upgraded' from pfSense.

I have two openvpn daemons configured. One does site-to-site VPN using certificates to my VPS. That tunnel is stable as a rock. The other is for my laptop and is used as a roadwarrior. I have configured it to authenticate via TLS+OTP.

It connects fine, but after an hour - almost on the second - it crashes so that I can't send any traffic through it. My VPN client tries to reconnect, but it can't.

The log on OPNsense says this:
Nov 24 14:24:59   openvpn[50931]: klaus/xxx.xxx.xxx.xxx:16962 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:16962 [1]

I tried googling that, but it didn't really help me. Apparently no one on pfSense or OPNsense has had this problem before :-p

Can anyone help?

/klaus