Messages - woo

#16
16.7 Legacy Series / Re: Nesting aliases?
August 29, 2016, 12:21:09 PM
I think I have narrowed down the problem: Adding aliases to aliases does only then not work if the added alias name includes an underscore _ character.
#17
16.7 Legacy Series / Re: Nesting aliases?
August 29, 2016, 12:08:45 PM
Quote from: franco on August 25, 2016, 11:07:08 AM
> If something doesn't work as expected please let us know.  :)
That's why I posted.
I created my VPN IP aliases as "host(s)" type. Then I create another host(s) alias, start entering an existing name, getting the suggestion box, select the alias I want.. but as soon as I hit the Save button, it gets marked in red with a message "not a valid IP address".
#18
16.7 Legacy Series / [SOLVED] Nesting aliases?
August 25, 2016, 10:19:24 AM
Hi all,
is there any valid method for nesting aliases, or to create host groups without listing IPs?
I'm designing the ruleset for my new OPNsense-as-VPN-concentrator appliance,
and I noticed that things tend to get unwieldy rather quickly.
If I have five people requiring access to ticketing, that's five separate rules IFF I want to address them by alias instead of by IP address. I would much prefer to create a group alias Ticket_Users and shove the five user aliases in there, condensing all into one rule only.
I know that that's not a trivial feature, as it brings error cases like circular nesting with it, but it would be a great improvement over pfSense and other similar projects.
Best regards,
Woo
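A resolver of the kind the post asks for, as an added example (not OPNsense code): it flattens nested host aliases into addresses, accepts alias names containing an underscore, and rejects circular references, the error case mentioned above. The alias table and addresses are constructed.

```python
"""Flatten nested host aliases, detecting circular references.
Added example, not OPNsense code; all names and addresses are constructed."""
import ipaddress
import re

# Constructed sample: a group alias referring to per-user host aliases,
# plus two aliases that reference each other (a circular nesting).
ALIASES = {
    "Ticket_Users": ["alice_vpn", "bob_vpn", "10.8.0.50"],
    "alice_vpn": ["10.8.0.10"],
    "bob_vpn": ["10.8.0.11", "carol_vpn"],
    "carol_vpn": ["10.8.0.12"],
    "Loop_A": ["Loop_B"],
    "Loop_B": ["Loop_A"],
}

# Alias names may contain underscores; addresses never match this pattern.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_address(entry):
    """True if entry parses as an IPv4/IPv6 address or network."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def resolve(name, aliases=ALIASES, _stack=None):
    """Return the set of address strings behind alias `name`.

    Raises ValueError on an unknown alias, a malformed entry, or a cycle.
    `_stack` holds the chain of aliases currently being expanded.
    """
    stack = list(_stack or [])
    if name in stack:
        raise ValueError("circular alias: " + " -> ".join(stack + [name]))
    if name not in aliases:
        raise ValueError(f"unknown alias {name!r}")
    stack.append(name)
    out = set()
    for entry in aliases[name]:
        if is_address(entry):
            out.add(entry)
        elif NAME_RE.match(entry):
            out |= resolve(entry, aliases, stack)
        else:
            raise ValueError(f"{entry!r} is neither an address nor an alias")
    return out
```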
#19
... the client certificate that is included in the OpenVPN profile, exported by OPNsense...?
so, what do I put in there?
#20
Thanks a lot for that info! Somehow I didn't realize that the "client specific overrides" are the CSCs described in the OpenVPN documentation.. I had this mentally connected to the OpenVPN Client section just above it.

The X509 Common Name is just the OpenVPN username?
#21
Quote from: franco on August 04, 2016, 01:03:15 PM
> You can dump this right into the Advanced section for the CSC to make it permanent (at the bottom).
How?
That field is global for the whole VPN server instance - I need a different setting (IP) for every single user..

I couldn't find anything like a "match user" directive for the OpenVPN config..

This might be something that could go onto the user profile page, though..
#22
Quote from: woo on August 03, 2016, 03:38:06 PM
> a) assign static IPs to each OpenVPN client, or
so, I got this part working via the console, using OpenVPN's "ifconfig-push" directive in the client-config-dir /var/etc/openvpn-csc/1, but I'm not sure how persistent this is across server config changes, or whether this directory will be rewritten every now and then. Testing continues...
#23
meh.. at least the OpenVPN client is free and OSS, while Viscosity costs 9$ per client.
Well, as long as the profile export for the OpenVPN client stays, I'm kinda OK with it. Gonna bundle it myself then.
#24
and Hi again..
Since I couldn't find useful hints on the wiki, I'll have to ask here..
Is there any method to..
a) assign static IPs to each OpenVPN client, or
b) use the VPN username in a firewall rule?
I've got quite a lot of road warriors, and need to limit their access to internal systems based on either username or department/group membership, same as it's done on the LAN already. Does OPNsense have a solution for that?

Regards
~woo
#25
Just an opinion to the 2FA concept:
Having the token number before the password puts the user into a certain time constraint, having to enter more or less complex passwords within the 30 seconds refresh time. That's why many (most?) other 2FA concepts either have a separate field for the token (won't be possible with the current OpenVPN client), or ask for the token after the password.
Perhaps use this as an improvement suggestion for future releases...
#26
nevermind.. I had the wrong authentication backend in my OpenVPN server config.. apparently forgot to save the changes.
#27
Hi,
I just did my first OpenVPN test runs on 16.7 (after having worked around my earlier reported issue with the client export), and I noticed that VPN dialin does not seem to use 2FA tokens even though I have configured one for the users. I can just connect with username and password. When I try to append the 2FA token string after or before the password, as is customary for that method, the authentication fails.
Is this not supposed to work like that, or is there something broken? If it's the latter, how could I go about finding and fixing the cause?

Regards
~woo
#28
Hi OPNsense team,

I've recently installed 16.7 as what is going to be our upcoming VPN concentrator,
and so far the configuration etc all worked really fine - thanks for all that!
Just the OpenVPN client exporter seems to produce invalid archive files.
I've tried all four Windows clients (XP and 6, both 32 and 64 bit), and the resulting exes all produce a window "Extraction Failed - Unsupported Method" on execution.
The clients work fine when I manually extract them with 7zip and then run the files inside, but I can't trust our users to get this right.
How exactly is OPNsense generating these customized installers, and is there any way I can assist with debugging this issue? I'd really like to see this working.

Thanks,
~woo