Messages - PotatoCarl

1
24.7 Production Series / OpenVPN - Sometimes works, sometimes not
« on: September 01, 2024, 10:52:05 am »
Hi
I have been using OpenVPN with OPNsense for many years. For various reasons we have multiple OpenVPN servers running ("legacy mode"). The config is:

WAN1: 1194 UDP
WAN2: 1195 UDP
WAN1: 443 TCP
WAN2: 443 TCP

The latter two servers are for the (occasionally occurring) case that UDP connections are blocked by a firewall, e.g. in a hotel.

Now, the fun part is: depending on which server we connect to, sometimes we cannot access certain web servers in the company, and other times we can. Sometimes it happens on the UDP ports and sometimes on 443. To be honest, I do not understand what the problem is; the firewall actually does not block it.

Maybe someone has an idea how to debug this? Is it mandatory to move to the new "instances", or can I continue to use the "old" setup?
Thanks

2
24.7 Production Series / Wireguard not working
« on: September 01, 2024, 10:34:27 am »
Hi
I am trying to set up WireGuard as an alternate VPN to the existing and running VPN. However, even if I religiously follow the instructions in the documentation, I get an immediate connect (well, both Linux and Android claim to have connected), but nothing is accessible. I do not see anything from the inside network, nor the outside network.

Logging is set to "debugging" but does not even show entries (no new entries when somebody tries to connect, I mean):

2024-09-01T10:21:54   Notice   wireguard   wireguard instance RoadWarrior (wg0) started   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,WireGuard))   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WireGuard)   
2024-09-01T10:21:54   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt4 interface gateway address: 'missing'   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt4'

I have no idea where to set the "gateway address", as I have set it under "Peers" with the correct IP of the outside address. However, I have tested the address both as the external IP to the internet (which is the IP of a router forwarding everything to the firewall) and as the IP of the firewall. Neither makes any difference.

I really do not understand what the problem is or how to debug it. There is literally no traffic via the wireguard interface.

Thank you for your help.
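
Added example (editorial, not part of the post and not OPNsense code): WireGuard keeps no connection state, so a client showing "connected" only means its own interface came up. The only proof that a peer actually talks to the server is a completed handshake, which `wg show wg0 dump` reports per peer (interface name `wg0` taken from the log above; the dump format is WireGuard's documented tab-separated one). The script parses a constructed dump with placeholder keys and documentation addresses, flags peers that never handshaked or went stale, checks an intended peer list for an AllowedIPs address entered twice (wg(8) silently moves it to the peer configured last, so the other peer goes dark), and shows the client-side rule that a destination is only sent into the tunnel when the client's own AllowedIPs cover it. All keys, addresses and timestamps are made up.

```python
import ipaddress
import time

# Constructed sample of `wg show wg0 dump` output (tab-separated; keys are
# placeholders, not real WireGuard keys). Line 1 is the interface:
# private-key, public-key, listen-port, fwmark. Each further line is a peer:
# public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff\n"
    "PEER_A_PUBKEY\t(none)\t203.0.113.10:41234\t10.10.10.2/32\t1725185000\t12345\t67890\t25\n"
    "PEER_B_PUBKEY\t(none)\t(none)\t10.10.10.3/32\t0\t0\t0\t0\n"
    "PEER_C_PUBKEY\t(none)\t198.51.100.7:5000\t10.10.10.4/32\t1725184000\t100\t200\t0\n"
)

# Constructed "peers as entered in the GUI": peer C accidentally reuses A's address.
INTENDED_PEERS = {
    "PEER_A_PUBKEY": ["10.10.10.2/32"],
    "PEER_B_PUBKEY": ["10.10.10.3/32"],
    "PEER_C_PUBKEY": ["10.10.10.4/32", "10.10.10.2/32"],
}

STALE_AFTER = 180  # seconds; WireGuard re-handshakes about every 2 minutes while traffic flows


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` into (interface dict, list of peer dicts)."""
    lines = [l for l in text.splitlines() if l.strip()]
    _priv, pub, port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [ipaddress.ip_network(n) for n in f[3].split(",") if n],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return iface, peers


def triage_peers(peers, now=None):
    """Map public key -> finding. A completed, recent handshake is the only
    evidence the tunnel works; the client's 'connected' status is not."""
    now = time.time() if now is None else now
    findings = {}
    for p in peers:
        if p["latest_handshake"] == 0:
            findings[p["public_key"]] = ("never handshaked: wrong keys, wrong endpoint/port, "
                                         "or UDP blocked before the listen port")
        elif now - p["latest_handshake"] > STALE_AFTER:
            findings[p["public_key"]] = "handshake stale: peer gone or its endpoint changed"
        elif p["rx"] > 0 and p["tx"] == 0:
            findings[p["public_key"]] = ("handshake ok, traffic arrives but nothing is sent back: "
                                         "check routes/firewall rules towards this peer's AllowedIPs")
        else:
            findings[p["public_key"]] = "ok"
    return findings


def allowed_ip_conflicts(intended_peers):
    """Networks claimed by more than one peer in the intended configuration."""
    owners = {}
    for key, nets in intended_peers.items():
        for n in nets:
            owners.setdefault(ipaddress.ip_network(n), set()).add(key)
    return sorted((net for net, keys in owners.items() if len(keys) > 1), key=str)


def client_routes_to(client_allowed_ips, destination):
    """Client-side check: the destination only enters the tunnel if the
    client's AllowedIPs for the server peer cover it."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(n) for n in client_allowed_ips)


if __name__ == "__main__":
    iface, peers = parse_wg_dump(SAMPLE_DUMP)
    for key, finding in triage_peers(peers, now=1725185100).items():
        print(f"{key}: {finding}")
    print("duplicate AllowedIPs:", [str(n) for n in allowed_ip_conflicts(INTENDED_PEERS)])
    print("client AllowedIPs 10.10.10.0/24 reaches 192.168.1.33:",
          client_routes_to(["10.10.10.0/24"], "192.168.1.33"))
```

If every peer reports "never handshaked", the problem is before WireGuard sees any packet (key mismatch, wrong endpoint, or UDP not reaching the listen port); a good handshake with no reachable hosts points at routes and firewall rules on the OPNsense side or at an AllowedIPs list on the client that does not include the inside network.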

3
24.1 Legacy Series / Re: No Access to specific machines after Update, including ports 8000,8080,8100
« on: August 11, 2024, 11:50:37 am »
I have now spent a lot of time on this matter, but with no results.

I am at a point where I can assume the following:

I run several OpenVPN servers, e.g. on ports 1195, 1196 and 443. Port 443 (TCP) operates on both internet lines.

It seems that when I connect via port 443, one, and exactly one, IP in the internal network of the VPN firewall is not accessible. ALL other ports work fine. When I reconnect and connect to UDP port 1195, for example, I can access it.

I am more than somewhat confused about it. All OpenVPN servers have different IP ranges (and are there for exactly this purpose: being stuck in a hotel that blocks our IP ranges, so I tried to avoid that problem by having different VPNs that would allow use of a private network in any case).

I do see that the access from the VPN to the firewall is passed on to the IP address ("pass"). However, it does not seem to arrive.

Maybe it is of importance that the "missing" host is a virtual machine; on the other hand, all other virtual machines work fine.

It would be great if anybody has an idea where the problem could lie or, at least, how I might be able to trace it. Currently my only option is to reconnect the VPN until I see the host again...

4
24.1 Legacy Series / No Access to specific machines after Update, including ports 8000,8080,8100
« on: June 30, 2024, 10:25:31 am »
Hi
Since the latest update, I cannot access from my VPN services that are available on ports 8000, 8080, 8100 etc.
On the hosts providing those services, I cannot even get a ping (in either direction) through, or log in.

This worked right before the last update (24.1.9_hf4).

I did not change anything in the firewall rules. I tried to loosen the rules, but with no effect.

Specifically, one virtual machine running in the main net, 192.168.1.33, is not accessible. On any port.
My VPN (OpenVPN) runs on 192.168.21.x.
I cannot ping in either direction or connect.

The firewall seems to accept the connection ("pass") from the VPN; after that there is silence.

Within the main net, the host in question (192.168.1.33) is reachable on any port: ping, ssh etc.

It seems as if the packets sent are just eaten up by the firewall.

I am running out of ideas on how to find the problem. The host in question is a VM, but on that machine a number of identically configured VMs are present, and all work.

Any idea where that comes from and how to solve?
Thanks.
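
Added example (editorial, not from the thread and not OPNsense code): a firewall log entry saying "pass" only proves the rule matched; it says nothing about whether the packet left the LAN interface or whether the host answered. The standard way to find where a flow dies is to capture the same connection attempt at two points on the firewall, the OpenVPN server interface and the LAN interface (`tcpdump -ni ovpns1 host 192.168.1.33` and `tcpdump -ni <lan-if> host 192.168.1.33`; the interface names depend on the setup), and then walk the SYN and SYN-ACK, or ICMP echo request and reply, through both captures. The script below does that walk over constructed tcpdump lines that reproduce the symptom in this thread (SYN forwarded to the LAN, host silent) and a second constructed case where the host does answer but the reply never re-enters the tunnel. The addresses are the ones in the post; the captures themselves are made up. The same two-point capture is the way to pin down the "works on one server, not on another" symptom from the OpenVPN post above.

```python
import re

# tcpdump line shapes handled here (constructed samples below follow them):
#   "10:25:31.000123 IP 192.168.21.6.51234 > 192.168.1.33.8080: Flags [S], seq 1, ..."
#   "10:25:33.100000 IP 192.168.21.6 > 192.168.1.33: ICMP echo request, id 7, seq 1, length 64"
TCP_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: Flags \[(?P<kind>[^\]]*)\]")
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<kind>echo (?:request|reply))")

# Scenario 1 (constructed): the symptom from the thread. The SYN and the ping are
# seen on the OpenVPN interface and again on the LAN interface, then nothing.
TUNNEL_SIDE_1 = """\
10:25:31.000123 IP 192.168.21.6.51234 > 192.168.1.33.8080: Flags [S], seq 1, win 64240, length 0
10:25:32.004511 IP 192.168.21.6.51234 > 192.168.1.33.8080: Flags [S], seq 1, win 64240, length 0
10:25:33.100000 IP 192.168.21.6 > 192.168.1.33: ICMP echo request, id 7, seq 1, length 64
"""
LAN_SIDE_1 = """\
10:25:31.000190 IP 192.168.21.6.51234 > 192.168.1.33.8080: Flags [S], seq 1, win 64240, length 0
10:25:32.004590 IP 192.168.21.6.51234 > 192.168.1.33.8080: Flags [S], seq 1, win 64240, length 0
10:25:33.100070 IP 192.168.21.6 > 192.168.1.33: ICMP echo request, id 7, seq 1, length 64
"""
# Scenario 2 (constructed): the host answers on the LAN, but the SYN-ACK never
# shows up on the tunnel side.
TUNNEL_SIDE_2 = TUNNEL_SIDE_1
LAN_SIDE_2 = LAN_SIDE_1 + """\
10:25:31.000410 IP 192.168.1.33.8080 > 192.168.21.6.51234: Flags [S.], seq 900, ack 2, win 65160, length 0
"""


def parse_capture(text):
    """Reduce each tcpdump line to src, dst and a packet kind (TCP flags or ICMP type)."""
    pkts = []
    for line in text.splitlines():
        m = TCP_RE.search(line) or ICMP_RE.search(line)
        if m:
            pkts.append(m.groupdict())
    return pkts


def _seen(pkts, src, dst, kind):
    return any(p["src"] == src and p["dst"] == dst and p["kind"] == kind for p in pkts)


def locate_drop(tunnel_pkts, lan_pkts, client, host, request="S", reply="S."):
    """Follow request and reply through both capture points and name the first
    hop at which the packet disappears. Defaults cover TCP (SYN / SYN-ACK);
    pass request='echo request', reply='echo reply' for ping."""
    if not _seen(tunnel_pkts, client, host, request):
        return "client->tunnel: request never reached the firewall (client route / pushed routes)"
    if not _seen(lan_pkts, client, host, request):
        return "firewall: request seen on tunnel but not on LAN (rule, NAT or state)"
    if not _seen(lan_pkts, host, client, reply):
        return ("host: request delivered on LAN, no reply (host firewall, no return route "
                "to the tunnel network, VM networking/ARP)")
    if not _seen(tunnel_pkts, host, client, reply):
        return "firewall: reply seen on LAN but not forwarded into the tunnel (asymmetric route / state)"
    return "handshake completes at the firewall; look above layer 4"


if __name__ == "__main__":
    c, h = "192.168.21.6", "192.168.1.33"
    t1, l1 = parse_capture(TUNNEL_SIDE_1), parse_capture(LAN_SIDE_1)
    print("scenario 1, TCP :", locate_drop(t1, l1, c, h))
    print("scenario 1, ping:", locate_drop(t1, l1, c, h, "echo request", "echo reply"))
    t2, l2 = parse_capture(TUNNEL_SIDE_2), parse_capture(LAN_SIDE_2)
    print("scenario 2, TCP :", locate_drop(t2, l2, c, h))
```

A "host:" verdict with the host reachable from the LAN itself usually means the host has no route back to the tunnel network (default gateway not pointing at the firewall, or a host-level firewall that only trusts 192.168.1.0/24); a "reply seen on LAN but not forwarded" verdict means the firewall saw the reply arrive on an interface it did not expect for that state.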

5
24.1 Legacy Series / Re: Unbound Whitelisting not working
« on: February 14, 2024, 09:42:34 am »
Maybe it just took a veeeery long time (>30 min) to reload Unbound... now it works.

6
24.1 Legacy Series / Unbound Whitelisting not working
« on: February 14, 2024, 09:21:15 am »
Hi
I have recently discovered blacklisting with Unbound (yes, yes, I am slow sometimes), and now want to WHITELIST some pages, e.g. web.whatsapp.com.
However, the whitelisting does not work at all.

- *.whatsapp.com (despite the help below that field) is not accepted; according to the log it is "invalid"
- (.*)?(\.)?whatsapp.com is accepted

However, none of them allow access to web.whatsapp.com.

It seems as if the whitelisting is broken? I am on the current 24.1 version with today's updates (OPNsense 24.1.1-amd64).
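
Added example (editorial, not from the post and not OPNsense code): the two patterns above behave as they do because the field takes regular expressions, not shell globs. `*.whatsapp.com` is rejected because a regex cannot start with a quantifier, and `(.*)?(\.)?whatsapp.com` is accepted but unanchored, so it also un-blocks any name that merely contains "whatsapp.com", including look-alikes under someone else's domain. The script below assumes whitelist entries are Python-style regular expressions matched against every name in the blocklist (how OPNsense applies them internally is not confirmed by the post; the anchored pattern shown works whether the match is a search or a full match). The blocklist excerpt is constructed, not a real feed.

```python
import re

# Constructed blocklist excerpt (not a real feed). The last three entries are the
# interesting ones: two look-alikes and an unrelated domain.
BLOCKLIST = [
    "whatsapp.com",
    "web.whatsapp.com",
    "static.whatsapp.net",
    "notwhatsapp.com",
    "whatsapp.com.tracker.example",
    "ads.example",
]

# Three candidate whitelist entries: the glob from the post, the regex from the
# post, and an anchored regex that only matches whatsapp.com and its subdomains.
GLOB_STYLE = r"*.whatsapp.com"
UNANCHORED = r"(.*)?(\.)?whatsapp.com"
ANCHORED = r"(^|.*\.)whatsapp\.com$"


def compile_whitelist(patterns):
    """Compile each entry; return (compiled, rejected) so an invalid entry is
    reported instead of silently dropped."""
    compiled, rejected = [], []
    for p in patterns:
        try:
            compiled.append(re.compile(p))
        except re.error as err:
            rejected.append((p, str(err)))
    return compiled, rejected


def apply_whitelist(blocklist, compiled):
    """Split the blocklist into names still blocked and names a whitelist regex matched."""
    still_blocked, unblocked = [], []
    for name in blocklist:
        (unblocked if any(r.search(name) for r in compiled) else still_blocked).append(name)
    return still_blocked, unblocked


def whitelist_report(blocklist, patterns):
    compiled, rejected = compile_whitelist(patterns)
    still_blocked, unblocked = apply_whitelist(blocklist, compiled)
    return {"rejected": rejected, "unblocked": unblocked, "still_blocked": still_blocked}


if __name__ == "__main__":
    for label, pattern in (("glob", GLOB_STYLE), ("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        rep = whitelist_report(BLOCKLIST, [pattern])
        print(f"{label:10} rejected={rep['rejected']}")
        print(f"{'':10} unblocked={rep['unblocked']}")
```

With the glob nothing is whitelisted at all (the entry is rejected, so the block stays); with the unanchored regex `notwhatsapp.com` and `whatsapp.com.tracker.example` are un-blocked along with the real names; with the anchored one only `whatsapp.com` and `web.whatsapp.com` are released. Whichever entry is used, Unbound still has to reload its blocklist before the change is visible, which matches the follow-up above where it "suddenly" worked after some time.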

7
23.1 Legacy Series / Memory leak with 23.1.1_2?
« on: March 01, 2023, 03:45:36 pm »
Hi
Right after the last update I see that the memory consumption is very high on my system (>>90%).
Most of it is made up of "inactive processes". They build up like a stepwise ladder during the day and are killed sometime late in the evening.
The strange thing is that, if I look at a long-term overview, this only.
It started around Jan 20 this year, right after an update.
Since then it seems to get worse.

8
23.1 Legacy Series / TLS Inspection not working on all pages?
« on: January 31, 2023, 06:22:08 pm »
Hi
I tried to install the web proxy with TLS inspection and ICAP. However, this does not work on all pages.

While https://www.spiegel.de loads fine, https://faz.net is not loading at all (access denied by proxy). Many other pages, e.g. this forum, work.

I cannot actually find the reason for that. Even if I specifically insert an exception in the SSL inspection, or in the access lists, it still does not load faz.net.

Is there any way to find out what is actually blocking the page?

BTW: funnily enough, the EICAR test file is loaded both with https and with http....

9
22.7 Legacy Series / 22.7.4/Proxy ACL Blacklists (external)
« on: September 16, 2022, 02:30:22 pm »
Hi
I found that a number of external ACL blacklists seem not to work anymore. So I searched for new ones, and I wonder if I can test whether they are good and active. Some pages (e.g. www.spiegel.de or www.faz.net) manage to dump a lot of advertising on the page, which, funnily enough, is not displayed on a reload of the page.

So I wonder if the ACL is working correctly.

Any way to test this?

10
22.7 Legacy Series / Proxy Errormessage
« on: September 16, 2022, 02:28:53 pm »
Hi
my proxy on 22.7.4 regularly pops up

 FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all

as an error message. I do not know where it comes from, and it does not seem to have any effect. But I would like to be sure it is not a problem, and preferably get rid of this error message.
Any idea?

11
22.7 Legacy Series / 22.7.3/4 Update ACME fails
« on: September 16, 2022, 02:27:37 pm »
Hi
I am using ACME to update some Let's Encrypt certificates. However, despite it claiming to have the newly signed certificate, the certificate in the certificate store is 2 months old and now invalid.

When I try to use the test signing facility of Let's Encrypt, it is no problem to get the new one. But with the "real" one it just says "all right", but neither stores the correct one in the certificate store nor (obviously) copies it to the server in question.
Any idea?

12
22.7 Legacy Series / Re: Error after upgrade to 22.7.3
« on: September 05, 2022, 10:16:24 am »
Okay, after removing the CRL, as a matter of fact, the VPN did connect again.

This is a very strange issue, no?

13
22.7 Legacy Series / Re: Error after upgrade to 22.7.3
« on: September 05, 2022, 10:14:25 am »
Hi
I also saw a booting problem here. OPNsense came up, but most services did not work. Proxy only erratically, no VPN, no ACME, no ICAP, no Suricata....
I had to physically power down the FW hardware, start it again and restart services until everything came back up.
HOWEVER, OpenVPN is not working with any client anymore.

I cannot connect.

I get these messages in the log:
2022-09-05T10:13:21   Error   openvpn   87.191.224.208:34795 TLS Error: TLS handshake failed   
2022-09-05T10:13:21   Error   openvpn   87.191.224.208:34795 TLS Error: TLS object -> incoming plaintext read error   
2022-09-05T10:13:21   Error   openvpn   87.191.224.208:34795 TLS_ERROR: BIO read tls_read_plaintext error   
2022-09-05T10:13:21   Error   openvpn   87.191.224.208:34795 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed   
2022-09-05T10:13:21   Error   openvpn   87.191.224.208:34795 VERIFY ERROR: CRL not loaded   

On the devices: "NETWORK_EOF_ERROR" (Android), timeout on various Linux machines.

Please help! A minor upgrade should not break the firewall so completely!

14
22.1 Legacy Series / Re: ACME CLient HTTP challenge - Token not found
« on: June 21, 2022, 08:57:57 am »
Something happened and it works again. No idea what changed. Certainly I did not change anything.

15
German - Deutsch / Re: os-acme-client in combination with high availability
« on: June 07, 2022, 08:56:54 am »
That is a working 22.x version with ACME, and it works? With HTTP/TLS challenge? For me, since the 22.x version, nothing works with the ACME client anymore. DNS challenge does not work; my provider can only do that manually (and that does not work with OPNsense).

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved