Messages - jkemp

#31
Hi,

I have a question on setting the tunnel interface opt1

When trying to select DHCP I get:

The following input errors were detected:
      Cannot assign an IP configuration type to a tunnel interface.

Was there a change from 19.1 to 19.7?

It will not save unless I choose 'None' in the IPv4 Configuration Type field.

Can anyone suggest where I start looking?

All was working until I upgraded. Now I have to disable everything in the VPN and Firewall to get out on the internet.

Thanks for any time spent on this issue
#32
Another note to watch out for when setting up your own client.

The guide states to use:

AES-256-GCM

When using that cipher you may get this error:

openvpn[24738]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

So be sure to check inside the .ovpn file. The server I chose uses:

AES-256-CBC

The guide does not mention that some servers may use a different cipher.
#33
They already corrected one after I contacted them.

It showed in one of the images: 'Don't Pull Routes' was selected.
They updated that image.

Another issue that is not there, is Outbound DNS does not respect the System:Settings:General DNS entries when using the NordVPN interface. We had to enter them under each interface DHCPv4 DNS settings in order to get a resolve for hostnames.

I'm unsure if this causes each client to bypass Unbound DNS and resolve directly for each site visited.

In the advanced options for the NordVPN client setup the guide mentions to add:

remote-random;
reneg-sec 0;

When there is a setting for that in the GUI?
Renegotiate time: leave blank;
Select remote server at random

You can select the two settings above right in the GUI.

Renegotiate time: 0
Select remote server at random: checked

Inside the .ovpn file 'fast-io' is listed and should be put in the advanced options as well. But I would check the server .ovpn file you are going to use. I also added auth-nocache to prevent the OpenVPN client from caching the user name and password in memory.

fast-io;
auth-nocache;

Mine looks like this:

tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
remote-cert-tls server;
fast-io;
auth-nocache;
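
An added helper (not from the poster or from OPNsense) that does the ".ovpn check" described in posts #32 and #33: it parses a client profile, compares its cipher with the one set on the OPNsense client, recognises the "'cipher' is used inconsistently" log warning, and emits the advanced-box text for the remaining directives. The sample profile, host name and CA block are constructed placeholders.

```python
import re
# Directives the posts above carry into the OPNsense client's "advanced" box;
# remote-random, reneg-sec and cipher are GUI fields and are left out.
ADVANCED = {"fast-io", "auth-nocache", "tun-mtu", "tun-mtu-extra", "mssfix",
            "persist-key", "persist-tun", "remote-cert-tls"}
WARNING_RE = re.compile(r"'cipher' is used inconsistently, local='cipher "
                        r"(?P<local>[\w-]+)', remote='cipher (?P<remote>[\w-]+)'")

# Constructed sample profile; the host and the inline CA are placeholders.
SAMPLE_OVPN = """\
remote vpn-server.example.invalid 1194 udp
remote-random
cipher AES-256-CBC
reneg-sec 0
fast-io
tun-mtu 1500
remote-cert-tls server
<ca>
PLACEHOLDER-PEM-LINES
</ca>
"""

def parse_ovpn(text):
    """Return {directive: [args]}, skipping comments and inline <ca>/<tls-auth> blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block and not line.startswith(";"):
            name, *args = line.split()
            directives[name] = args
    return directives

def cipher_mismatch(directives, opnsense_cipher):
    """Return the profile's cipher when it differs from the OPNsense setting, else None."""
    remote = directives.get("cipher", [None])[0]
    return remote if remote and remote.upper() != opnsense_cipher.upper() else None

def parse_cipher_warning(log_line):
    """Extract (local, remote) ciphers from OpenVPN's 'used inconsistently' warning."""
    m = WARNING_RE.search(log_line)
    return (m.group("local"), m.group("remote")) if m else None

def advanced_options(directives):
    """Build the semicolon-terminated text for the advanced box from the profile."""
    return "\n".join(" ".join([n, *a]) + ";" for n, a in directives.items() if n in ADVANCED)
```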
#35
After many attempts to set up NordVPN as a client I called tech support and pointed out there are errors in that guide. I received an email stating they had updated the guide.

You can find it here:

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm

Notice the link still states 18.7 and I noticed a couple errors still remain. But others were fixed.
#36
19.1 Legacy Series / Arpwatch type package?
June 17, 2019, 06:05:00 AM
Is there an 'arpwatch' type package that will email admin?

I found the os-arp-scan but one must run it manually.

Thanks for any guidance,

James
#37
Hello All,

How can I reset Suricata? I need to get back to the state it was at after install.

#38
18.7 Legacy Series / Insight Aggregator will not start
January 27, 2019, 03:29:54 AM
Hello All,

I have a situation pertaining to Insight Aggregator: it will sometimes start, then quit. Most of the time it will not start. This started happening a day ago.

Can someone give me some pointers on the best course of action? I reset the RRD and cleared all logs from the shell and that didn't work.

Here is a log from System/General

flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 151, in run
    aggregate_flowd(do_vacuum)
  File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 86, in aggregate_flowd
    stream_agg_object.cleanup(do_vacuum)
  File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 278, in cleanup
    self._update_cur.execute('delete from timeserie where mtime < :expire', {'expire': expire_timestamp})
DatabaseError: database disk image is malformed

Thanks for any help or time spent on this issue,

James
#39
Hello cardins2u,

I too use NordVPN and that is the document I used. Although the settings differ in location, it actually will work.

If you want to ask what settings I have in certain areas maybe we can get you up and running.
#40
General Discussion / Nginx stills runs after disabling?
January 01, 2019, 10:26:11 PM
Hello,

I disabled the nginx service and noticed it is still listed as running in the dashboard. Should it do that? Do I have to kill the service from the command line? Once the plugin is installed and enabled, does the OPNsense core system use it for something?
#41
Wow! Thank you, bartjsmit

That shortened my list significantly.

Does that approach work similarly to the 'remote-random' that can be entered into the advanced settings?

I can see that I can group clients that use the same certificate from the same city.

But when I add a few clients from another city in a new client group, the same thing happens.
It will connect, but no throughput, even though I shut down the previous client.

But I like the idea of listing several clients under one city description.

#42
Hello bartjsmit,

Thank you for the suggestions. I will add the log-append.

No I do not control the server. It is a NordVPN server.

Also, I do not wish to have concurrent connections. I only need to switch to different NordVPN servers. In other words, I added a few of their servers in the event one is down or faster. I shut down the client before connecting another one in the list I created.

The very first client I created connects no problem. It is the remaining clones that do connect but no data is passing.

So I was really asking if the clone feature has a bug maybe. I edited the clones to make sure the certificates were unique, and a few were. So I made those changes. Still, it will not work.

I'm starting to think the UDP protocol is not releasing the client on my end, and on the server end like you mention.
#43
18.7 Legacy Series / Re: ntopng: geolocation
January 01, 2019, 06:48:38 AM
Thanks, juggle, that got it working for me also.
#44
Hello sangesarel,

I have under NAT / Outbound

NordVPN    LAN net    *    *    *    Interface address    *    NO    NordVPN 

And under Rules I have

IPv4 *    LAN net    *    *    *    NORDVPN_DHCP       Default allow LAN to any rule
#45
Hello Everyone,

I have an issue I need some help with. I created an OpenVPN client which is working. I also created three other clients by cloning the first client.

None of the clones work. They connect with the end result being: Initialization Sequence Completed and stay connected, but no data throughput.

I have verified all the settings are correct, from host address to certificate for each client. All three are different. The other settings are the same between the three clients. Is there another setting that must be made in order for all four clients to connect and have throughput? Not at the same time, but switching between them.

The first client connects and data flows as normal.

Another question, if I may?

Can all the clients remain active, while only one instance is connected? Currently I disable the previous client, but was curious whether I could leave them all enabled and just start one instance.

Thank you for any responses and time spent on this issue.