Messages

1

24.7 Production Series / Re: Caddy Plugin - no certificate available for '10.10.19.2'

« on: October 01, 2024, 03:40:11 pm »

Hi Monviech

I disabled Auto HTTPS on Caddy Plugin, since I have a very intricate certificate system setup in ACME Client plugin, that runs automations and pushes certificates to servers within the LAN etc. Thus, I simply set all the Domains to look at the certificates in the Trust store of OPNsense that is generated by the ACME client

There is no issue per se, I simply check the logs (error) and came across this issue where there is "no certificate" for the WAN IP 10.10.19.2, that technically exists in the NAT network between my router and my public IP.

I don't like error messages in logs and thought I would reach out to see if anything can be done to correct the issue. But if it works.... don't _____ with it.

2

24.7 Production Series / Caddy Plugin - no certificate available for '10.10.19.2'

« on: October 01, 2024, 11:39:17 am »

Hi Everyone,

I recently switched from Nginx Reverse Proxy to Caddy on OPNsense.
Works really smart and everything seems to be working, However I get this entry in my logs as error:

"debug","ts":"2024-10-01T09:28:57Z","logger":"http.stdlib","msg":"http: TLS handshake error from 105.232.xxx.xxx:9078: no certificate available for '10.10.19.2'"}

This is in my home lab, so I have the Fiber Router NAT everything to the Firewall and obviously OPNsense then handles the tcp/80 tcp/433 within OPNsense.

So the connection looks like this:

<Public IP 197.188.xxx.xxx/32> to <OPNsense IP 10.10.19.2> to <LAN Network 192.168.200.0/24>

From my understanding, since 10.10.19.2 is not internet routable it cannot get a certificate, but it should not worry about that, it should be looking at the Public IP, but does not seem to get resolved or I cannot find any way to static it. I cannot bind it in custom conf's since 197.188.xxx.xxx is not on the firewall anywhere?

Any ideas?

3

24.1 Legacy Series / Re: WireGuard Site to Site | Alternative Internet Access

« on: June 13, 2024, 02:30:30 pm »

Hi Bob,

created the allowed IPs with 0.0.0.0/0?
I did add this in the peer configuration; however, this pushes a route in OPNSense that force all traffic over WireGuard from all clients in the LAN. I just need this for 1 client machine.

enabled NAT for WireGuard?
Outbound NAT rules was setup on both sides yes. This is needed for my "Road Warriors" using another WG instance




When doing a ping from client in Site B, and doing a packet capture I can see the client 192.168.200.220 is sending the ICMP request to 10.2.2.2 to 10.2.2.1 and then 10.2.2.1 immediately replies unreachable. So the issue is somewhere that 10.2.2.1 is not passing the traffic to the WAN on Site A

4

24.1 Legacy Series / WireGuard Site to Site | Alternative Internet Access

« on: June 13, 2024, 01:29:19 pm »

I have successfully created a Site-to-Site WireGuard VPN between two sites.

Site A
LAN: 172.16.1.0/24
WG: 10.2.2.1/24
Interface Assigned Manually and Allow IPV4* Rule Added


Site B
LAN: 192.168.200.0/24
WG: 10.2.2.2/24

Interface Assigned Manually and Allow IPV4* Rule Added
Added Gateway: 10.2.2.1/24

I can route flawlessly between A & B without any issues, but I have one host on Site B that must use the default WAN gateway of Site A to connect to the Internet (because of the public IP it needs to present outbound)

I created a rule to force use the Gateway Created on Site B to route over to 10.2.2.1 on Site A, but I cannot get Site A to forward that traffic via its WAN gateway. I just get Destination Host Unreachable.

How can I allow the traffic originating from the single host on Site B to pass to the gateway of Site A?

Any help would be appreciated.

5

23.7 Legacy Series / 23.7.7 - Set Priority on LAN Rules

« on: November 06, 2023, 05:16:28 pm »

I have a rule in my LAN interface for a device that I change the priority to Video of all packets and low delay (ACK packages matching any packet type.

With the latest update any change to priority causes the rule to not pass? Anyone else have this issue?

6

23.1 Legacy Series / Execute Command After Startup

« on: April 14, 2023, 02:37:11 pm »

Hi Guys,

I use a custom curl URL to notify me on my Telegram when my servers have completed startup. I am looking to do the same thing with OPNsense, but cannot figure out how to go about it.

The GUI CRON section has no support for a custom curl command, and adding the entry to /etc/crontab makes no difference.

on Debian and other Linux Distros I use the @reboot directive of cron to achieve this.

7

22.7 Legacy Series / Re: SSH Proxy / Jump Host

« on: February 07, 2023, 12:42:40 pm »

I did not take the decision lightly. But the connection on TCP/22 is controlled via GeoIP source only from my country, which is quite small and does not have a lot of people that know what SSH is.

Access to Firewall is done via 4096bit RSA Key & all machines behind it uses its own 4096bit RSA key, with password auth disabled.

Confident that this setup is secure enough for my setup 

8

22.7 Legacy Series / Re: SSH Proxy / Jump Host

« on: February 06, 2023, 12:42:05 pm »

Can be done via VPN yes.

However, I want to allow SSH access to Linux hosts behind the firewall without VPN, and restrict them in the firewall rules using the source directive in the rule.

I managed to get this going by simply allowing SSH to "This Firewall" on the WAN Rule, using SSH Key, I connect to the Firewall and then connect to the Linux host on the LAN.

9

22.7 Legacy Series / SSH Proxy / Jump Host

« on: January 23, 2023, 01:22:40 pm »

Has anyone ever attempted to use OPNsense as a SSH Proxy / Jumphost?

Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.

Would be great if OPNsense itself could be the Jumphost.

10

22.7 Legacy Series / IPFW not listed in service

« on: October 03, 2022, 01:50:28 pm »

I recently installed a new firewall V22.7 and I manipulated the backup files from my old firewall on the new firewall (completely different interfaces, lagg setup etc.)

Everything is working, but I cannot get the ipfw Shaper service to list in the services.
on the console when running service ipfw status I get "Cannot 'status' ipfw. Set firewall_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'."

I have complete removed the shaper and set it back up from scratch but the service does not enable, list or start.

Any ideas where I can check now?

11

22.1 Legacy Series / ACME Client - Linode DNS Verification Broken

« on: July 05, 2022, 11:14:30 am »

There seems to be an issue with the latest version of the ACME client using DNS-01 Verification.

Anyone know how to fix this?

<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 98916 - [meta sequenceId="1"] [Tue Jul  5 10:41:20 CAT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 15494 - [meta sequenceId="2"] [Tue Jul  5 10:41:20 CAT 2022] Single domain='*.anything.com.na'
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 42590 - [meta sequenceId="3"] [Tue Jul  5 10:41:20 CAT 2022] Getting domain auth token for each domain
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 5764 - [meta sequenceId="4"] [Tue Jul  5 10:41:23 CAT 2022] Getting webroot for domain='*.anything.com.na'
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 52261 - [meta sequenceId="5"] [Tue Jul  5 10:41:23 CAT 2022] Adding txt value: 0Yfe1V7sfNU***********************hock71wr_GCqU for domain:  _acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 57425 - [meta sequenceId="6"] [Tue Jul  5 10:41:23 CAT 2022] Error add txt for domain:_acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 59624 - [meta sequenceId="7"] [Tue Jul  5 10:41:23 CAT 2022] Please add '--debug' or '--log' to check more details.
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 62170 - [meta sequenceId="8"] [Tue Jul  5 10:41:23 CAT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

12

22.1 Legacy Series / Re: Nginx Reverse Proxy Configuration Not Changing

« on: April 28, 2022, 10:05:07 am »

Maybe a bug in the configd template. Are there any log files which would indicate that?

It seems the issue is with the error pages, I have no idea how to fix this. Is there any way to completely purge the NGINX configuration and re-setup everything from scratch?

13

22.1 Legacy Series / Re: Nginx Reverse Proxy Configuration Not Changing

« on: April 23, 2022, 06:52:08 am »

This seems to be suspect. I have no clue what I am looking at but can see there is issues with nginx.conf and location.tmpl, so it seems you are on the right track with your thinking

<11>1 2022-04-22T09:18:53+02:00 opnsense.badenhorst.com.na configd.py 448 - [meta sequenceId="45"] [1943752e-de03-4a5a-9c00-5ad11b7a976b] Inline action failed with OPNsense/Nginx OPNsense/Nginx/nginx.conf 'dict object' has no attribute 'statuscodes' at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/template.py", line 270, in _generate     content = j2_page.render(cnf_data)   File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 1304, in render     self.environment.handle_exception()   File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 925, in handle_exception     raise rewrite_traceback_stack(source=source)   File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/nginx.conf", line 21, in top-level template code     {%   include "OPNsense/Nginx/http.conf" %}   File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/http.conf", line 328, in top-level template code     {%         include "OPNsense/Nginx/location.conf" ignore missing with context %}   File "/usr/local/opnsense/service/modules/../templates/OPNsense/Nginx/location.conf", line 47, in top-level template code     error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};   File "/usr/local/lib/python3.8/site-packages/jinja2/environment.py", line 474, in getattr     return getattr(obj, attribute) jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'statuscodes'  During handling of the above exception, another exception occurred:  Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 506, in execute     return ph_inline_actions.execute(self, inline_act_parameters)   File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 51, in execute     filenames = tmpl.generate(parameters)   File "/usr/local/opnsense/service/modules/template.py", line 347, in generate     raise render_exception   File "/usr/local/opnsense/service/modules/template.py", line 338, in generate     for filename in self._generate(template_name, create_directory):   File "/usr/local/opnsense/service/modules/template.py", line 273, in _generate     raise Exception("%s %s %s" % (module_name, template_filename, render_exception)) Exception: OPNsense/Nginx OPNsense/Nginx/nginx.conf 'dict object' has no attribute 'statuscodes'

14

22.1 Legacy Series / Nginx Reverse Proxy Configuration Not Changing

« on: April 22, 2022, 09:59:03 am »

I recently re-installed my OPNSense using OPNsense 22.1.6-amd64

Everything was working great up and until 2 days ago, I am attempting to add another Upstream Server to be used via the reverse proxy. However no matter what I do, the configuration does not change after clicking Apply. If I change the port of an already configured Upstream Server or simply add a new upstream server, the configuration remains completely unchanged.

After any change to upstreams / upstream servers are made, Services>Nginx>Traffic Statistic still shows the old uptream server and ports.

I have verified this by creating a MD5 hash of /usr/local/etc/nignx/nginx.conf and absolutely no change happens upon making changes in the GUI.

OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

os-nginx (installed)   1.26

15

21.7 Legacy Series / WireGuard - HTTP/S Traffic Issue

« on: October 27, 2021, 05:34:00 pm »

Dear All,

I have a bit of a weird issue that I cannot figure out for the life of me. I was hoping getting more sets of eyes on the problem someone can help me pin point where the issue might be.

I have 2x OPNsense Firewalls installed. 1x at the Office and 1x at Home. Both run the same version OPNsense 21.7.3_3-amd64 and both have same WireGuard installed (os-wireguard 1.7, wireguard-go 0.0.20210424,1, wireguard-tools 1.0.20210914)

The only difference...

Office I have a router from the ISP configured as PPPoE
Home I have a router with Static IP address and setup as exposed host (Forward all public traffic directly to OPNsense Firewall (Double Nat'ting)

From Home: Notebook PC on LAN > Office-WireGuard Tunnel > Office Debian Server - Everything works, SSH, DB Connections, FTP, SFTP etc. NO HTTP or HTTPS Traffic in any browser. Curl in CMD also not working - This is true for other locations / servers on different subnets behind the Office OPNsense Firewall, basically effecting all HTTP/S traffic regardless of destination.

From Home: Android Phone on LAN> Office-WireGuard Tunnel > Office Debian Server - Everything works including HTTP or HTTPS

From Public Internet: > Notebook PC via Mobile Data or Public Wi-Fi > Office-WireGuard Tunnel > Office Debian Server - Everything works including HTTP or HTTPS

From Public Internet: Android Phone via Mobile Data or Public Wi-Fi > Office-WireGuard Tunnel > Office Debian Server - Everything works including HTTP or HTTPS

From Office: Notebook PC on LAN > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

From Office: Android Phone on LAN > > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

From Public Internet: Notebook PC via Mobile Data or Public Wi-Fi > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

From Public Internet: Android Phone via Mobile Data or Public Wi-Fi > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

I simply cannot understand why this condition, when connecting from my home network using my Notebook via the Office WireGuard Tunnel does not pass any HTTP/S traffic to the local webservers in the Office Network. This is true for devices that work on various webservers (Apache, Nginx and lighttpd) and even some of them on custom ports like 8443, 8080, 8006, 8007 etc. Obviously any traffic that bypasses the VPN Tunnel (split tunneling via "AllowedIPs") works without any issues.

Any help or insight to what the issue might be would be greatly appreciated.