Topics - spi39492

#1
Hi all

I am looking for a quick & dirty way to set up a PHP plugin and hook it to the newwanip signal (to send emails on WAN IP address change). It really should be simple, in a way that future OPNsense updates won't become a hassle.

I've got an idea of how to create that plugin, but I couldn't find any PHP mail libraries or anything else to send emails.

Does anyone have an idea or suggestion of how to get this done using PHP while keeping the installation of new libs or patching of the existing environment to a minimum?
#2
Hi all

I have a self-signed CA with the following structure:

root ca
|
+--- intermediate1 - server certificates
+--- intermediate3 - client certificates for wifi and app authentication
+--- intermediate4 - site2site OpenVPN certificates
+-+- intermediate5 - for historical reasons: OpenVPN client certificates for road warriors
  +--- Server Certificate for OpenVPN server: "gw_openvpn4clients"
  +--- OpenVPN user 1
  +--- ...
  +--- OpenVPN user n


The OPNsense server config for the OpenVPN server looks like:

Server Mode                     Remote Access (SSL/TLS)
Peer Certificate Authority      intermediate5
Server Certificate              gw_openvpn4clients


Clients can connect to the OpenVPN server using their client certificates issued by intermediate5.

Despite the "Certificate Depth" setting, clients with client certificates issued by intermediate3 can also connect, which I didn't expect, as I thought the "Peer Certificate Authority" setting would limit access to certificates from this intermediate CA only.

In the Trust/Authorities section only the root CA, intermediate1, intermediate4 and intermediate5 are imported.

How can I configure OpenVPN to only allow clients with certificates issued by intermediate5 to connect?

Edit: I found a workaround by adding "verify-hash xx:xx:xx...;" to "Advanced" in the OpenVPN server settings. But it says that this option will be removed in the future, so there might be a need for something else...
xx:xx:xx... is the fingerprint of intermediate5 in my case.

Thanks in advance,
spi
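The symptom in the post above is what you get when the CA file handed to OpenVPN contains the root as well as intermediate5: every client certificate that chains to that root verifies, and because intermediate3 and intermediate5 both sit one level below the root, a depth limit cannot tell their clients apart. The deprecated `verify-hash` pins the issuer instead, which is the right idea. The script below is an added example (not from the post, OPNsense or OpenVPN) of doing the same thing with OpenVPN's `--tls-verify` hook: OpenVPN runs the command once per certificate in the presented chain with the depth and subject as arguments and exports each certificate's SHA-256 fingerprint as `tls_digest_sha256_{depth}`; a non-zero exit rejects the handshake. The fingerprint constant is a placeholder you replace with intermediate5's; the script path and `script-security 2` line are assumptions about how you would wire it into the "Advanced" field.

```python
#!/usr/local/bin/python3
"""OpenVPN --tls-verify hook: accept a client only if the certificate at
chain depth 1 (its direct issuer) has the expected SHA-256 fingerprint.

Wiring (assumed, adjust to your setup), added to the server's Advanced options:
    script-security 2
    tls-verify /usr/local/etc/openvpn/check-issuer.py
Depth 0 is the client certificate, depth 1 its issuer, depth 2 the root.
"""
import os
import sys

# Placeholder, not a real value: replace with the output of
#   openssl x509 -noout -fingerprint -sha256 -in intermediate5.crt
EXPECTED_ISSUER_SHA256 = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" \
                         "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"


def normalize_fingerprint(fp: str) -> str:
    """Uppercase hex without colons or spaces, so both formats compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def issuer_allowed(depth: int, env, expected: str = EXPECTED_ISSUER_SHA256) -> bool:
    """Decide one verification step.

    Only depth 1 is inspected: the certificate that signed the client
    certificate must be the pinned intermediate. Other depths are left to
    OpenVPN's normal chain validation, which has already passed by the
    time this hook runs.
    """
    if depth != 1:
        return True
    presented = env.get(f"tls_digest_sha256_{depth}")
    if not presented:
        # No SHA-256 digest exported (too old an OpenVPN, or a broken
        # invocation): fail closed rather than let the client through.
        return False
    return normalize_fingerprint(presented) == normalize_fingerprint(expected)


def main(argv, env) -> int:
    """Exit 0 to accept this chain step, 1 to reject the whole handshake."""
    if len(argv) < 3:
        return 1
    depth = int(argv[1])
    subject = argv[2]
    if issuer_allowed(depth, env):
        return 0
    print(f"tls-verify: rejecting client, depth {depth} certificate "
          f"{subject!r} is not the pinned issuing CA", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Rejections are logged to stderr, which OpenVPN forwards to its own log, so a client presenting an intermediate3-issued certificate shows up there with the intermediate's subject rather than silently failing.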
#3
I'm on 21.1 with os-freeradius 1.9.9. OPNsense serves as a RADIUS server on one internal interface.

Plain RADIUS authentication against OPNsense works, tested with the tool radtest from a Linux node.
EAP-TTLS is configured with self-signed certificates and also works. Tested from the same Linux node with the tool eapol_test. Access requests with certificates revoked by a CRL are successfully rejected. So that works too.

My issue, though, might be a misunderstanding, but I need the users to receive a framed-ip and VLAN id.

So if I define a user with password, framed-ip and VLAN id and do a plain RADIUS authentication with radtest, I do get the right framed-ip and VLAN id from FreeRADIUS.

If I do the same with EAP-TTLS, I do get a framed-ip, but the VLAN is either not correct or somehow scrambled. I expect 1010 as a VLAN ID but get 31303130 - it is surrounded by "3". The Mikrotik VLAN ID is completely scrambled.

The next issue I am having is that I need some users to be able to do just plain RADIUS authentication via an authenticator with username/password. And I need other users doing certificate-based authentication. Both groups of users need framed-ip and VLAN id to be assigned. If I set up a new user for EAP-TTLS, I also need to set their password (the FreeRADIUS users form requires it). But then that user could do plain authentication as well, which they mustn't. The only workaround so far is to use a long complex password, but that doesn't seem to be the right approach.

So somehow I miss a configuration option, like a checkbox in the user details, for which authentication methods a user may use. Or is there anything else I could use instead?

There is also an option "Check TLS Common-Name" in the EAP options to check the CN against the username. Is there some way to check the CN against a user defined in the user list? I'd like to get the access request rejected as long as there is no user defined in the user list or the user is disabled.
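One thing worth checking before treating the VLAN value above as corruption: 31303130 is exactly the hex of the four ASCII bytes '1','0','1','0' (0x31 0x30 0x31 0x30). Tunnel-Private-Group-Id, the RFC 2868 attribute that carries a VLAN assignment, is a string attribute, so VLAN 1010 is sent as the text "1010", and a tool that dumps the attribute as raw octets prints 31303130 for the same value. The code below is an added example (not from the post, FreeRADIUS or any RADIUS library): a minimal encoder and decoder for the three tunnel attributes of a VLAN reply, including the RFC 2868 rule that a leading octet above 0x1F is part of the string rather than a tag. All bytes are constructed inline; nothing is sent on the network, and which of the tools involved shows the value as hex is not something this example can tell you.

```python
"""Encode and decode the RFC 2868 tunnel attributes used for VLAN assignment.

Attribute layout is type, length, value. Tunnel-Type and Tunnel-Medium-Type
are tagged integers (one tag octet, three value octets). Tunnel-Private-
Group-Id is a string whose first octet is a tag only if it is <= 0x1F;
otherwise it is the first character of the VLAN name.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580 value for a VLAN assignment
MEDIUM_IEEE_802 = 6        # RFC 3580 value for IEEE 802 media


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer: type, length 6, tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string; tag=None omits the tag octet entirely."""
    body = text.encode("ascii")
    if tag is not None:
        if not 0 <= tag <= 0x1F:
            raise ValueError("tag must be 0..31")
        body = bytes([tag]) + body
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(body) + 2]) + body


def vlan_assignment(vlan_id, tag=None):
    """The three attributes a RADIUS server sends to put a port on a VLAN."""
    int_tag = 0 if tag is None else tag
    return (encode_tagged_int(TUNNEL_TYPE, int_tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, int_tag, MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_avps(data):
    """Walk a run of attributes; return a list of (type, tag, value).

    Unknown attribute types are returned with tag None and their raw bytes.
    Raises ValueError on a length that would overrun the buffer.
    """
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:          # tag octet present
                tag, value = body[0], body[1:].decode("ascii")
            else:                                 # first octet is text
                tag, value = None, body.decode("ascii")
        else:
            tag, value = None, body
        out.append((attr_type, tag, value))
        i += length
    return out


def group_id_octets_hex(data):
    """Hex of the Tunnel-Private-Group-Id value as a raw-octet dump shows it."""
    for attr_type, tag, value in decode_avps(data):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return value.encode("ascii").hex()
    return None


if __name__ == "__main__":
    reply = vlan_assignment(1010)
    for avp in decode_avps(reply):
        print(avp)
    print("Tunnel-Private-Group-Id as octets:", group_id_octets_hex(reply))
```

Run stand-alone it decodes the constructed reply back to VLAN "1010" and prints 31303130 as the octet view of the same attribute, which is a quick way to distinguish a display quirk from a genuinely wrong value when comparing radtest and eapol_test output.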