Messages - bartjsmit

#1486
You likely need to check that the NAT for the web server has reflection enabled, or you need to do split-DNS.
https://en.wikipedia.org/wiki/Split-horizon_DNS

The latter is generally preferred from a security, performance, and reliability perspective. I.e. your direct web traffic doesn't go outside your network, takes a shorter route, and works even if the firewall is down.

Bart...
#1487
Hi Julien,

An OpenVPN client connection can be configured with multiple 'remote' lines. Normal behaviour is for it to attempt a connection starting with the first line, and work its way down until it connects.

The remote-random option will randomise this sequence, and the remote-random-hostname will add a random subdomain to the FQDN of the server, to stop the client's resolver from caching the server's name to allow for DNS load balancing.

These are client options which you'll need to add to each user's profile. Naturally, the OpenVPN man page is compulsory reading 8)

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Bart...
#1488
Hi Julien,

Which VPN are you using? OpenVPN has features to do active/active load balancing between hosts:

--remote-random-hostname will prevent clients from caching the server DNS record
--remote-random will scramble the remotes list that the clients go through

You can spread the load on your MTA's with DNS MX records.

For IPSec you'll likely need CARP. In either case, your routing is going to be interesting ;-)

Bart...
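As an added illustration of the two posts above (not a profile posted by Bart or shipped with OpenVPN), here is a minimal client profile that lists several servers and enables both options. The hostnames, port and protocol are placeholders; the option names and their behaviour are taken from the OpenVPN 2.4 man page linked above.

```conf
# Added example client profile; vpn1/vpn2/vpn3.example.net and port 1194 are placeholders.
client
dev tun
proto udp

# Several servers. By default the client tries them top to bottom until one answers.
remote vpn1.example.net 1194
remote vpn2.example.net 1194
remote vpn3.example.net 1194

# Shuffle the list once at startup so different clients start with different servers.
remote-random

# Prepend a random string to each hostname on every lookup, so the client's resolver
# cannot serve a cached answer and DNS round-robin records are re-read each time.
remote-random-hostname

# Keep retrying name resolution rather than giving up on a transient DNS failure.
resolv-retry infinite
nobind
persist-key
persist-tun

# Refuse to talk to a peer whose certificate is not marked for server use.
remote-cert-tls server
verb 3
```

Two things to check before rolling this out: `remote-random-hostname` turns `vpn1.example.net` into `<random>.vpn1.example.net`, so the zone needs a wildcard record under each server name or the lookups will fail; and `remote-random` only shuffles the starting order, so a server that is down is still skipped the same way as in the sequential case.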
#1489
18.7 Legacy Series / Re: notification on 18.7
July 08, 2018, 09:40:15 AM
Hi Julien,

I slapped a script together a wee while back: https://forum.opnsense.org/index.php?topic=2032

The script lives here: https://github.com/bartsmit/opnsense-update-email

Needs an external (linux) box though

Bart...
#1490
18.1 Legacy Series / Re: OpenVPN log warning
July 04, 2018, 06:47:46 PM
Change your server mode to include '(SSL/TLS)' in VPN: OpenVPN: Servers.

You will need to set up a PKI and update your client OVPN profile(s).

Bart...
#1491
If the recipient address domain is hosted by Office 365, you can send directly to the MX record for the domain without any authentication. You only need to authenticate if you want to relay to a different domain.

Bart...
#1492
Yes, more than likely. FreeBSD support for WiFi is not very good and tends to favour clients, rather than access points.

Bart...
#1493
18.1 Legacy Series / Re: Fan speed
June 27, 2018, 08:40:31 PM
Try PowerD under System: Settings: Miscellaneous.

Most BIOS let you set the fan speed, or you can try an in-line resistor/varistor to reduce the speed.

Bart...
#1494
The only data in OPNsense is stored in the config.xml file. System, Configuration, Backups.

If 'many users' means that you want to minimise downtime in a corporate environment then:

1. Build a new firewall with a larger disk
2. Back up the config from the old firewall
3. Import it in the new one
4. Put the new one in the place of the old one.

You will have a short outage which you can plan out of hours. The web cache will start empty but will quickly fill to its previous size as users revisit their usual sites.

If you need to minimise cost, do the same but only swap out the hard disk. This will mean a longer outage, largely dependent on your hardware skills.

Bart...
#1495
Does it work with a client on the Fritzbox network?

Do you see the 443 TCP packets appear in a WAN packet trace?

I have my OpenVPN running on 443 TCP with just a WAN rule for HTTPS allow to the WAN address.

Bart...
#1496
I think OpenVPN only checks a certificate status (revoked/expired), not if the subject corresponds with the username.

https://blog.remibergsma.com/2013/02/27/improving-openvpn-security-by-revoking-unneeded-certificates/

Bart...
#1497
18.1 Legacy Series / Re: Routing question
June 09, 2018, 09:33:52 AM
You don't need NAT between RFC1918 ranges. If both subnets have OPNsense as their default gateway, then routing cannot be the issue.

Any required firewall rule is likely to be on the WLAN interface, since the LAN interface is unrestricted by default.

Do you see any denies in your log? Can you curl to 192.168.2.2 from the OPNsense console? Does ping work?

Bart...
#1498
Can you set the router in bridge mode? That makes OPNsense responsible for the NAT and avoids having two firewalls.

Bart...
#1499
Consider a UPS to protect the integrity of the firewall filesystem if you're doing this a lot.

Bart...
#1500
Tutorials and FAQs / Re: OPT 2 & OPT 3
June 03, 2018, 01:27:08 PM
"internet not working" covers a multitude of issues.

Which troubleshooting steps have you taken and what were their results? Ping/traceroute, nslookup, packet capture, etc.

Bart...