Messages - circlenaut

#1
General Discussion / Re: Unbound fails to start on boot
October 08, 2019, 03:37:49 AM
I'm also getting this issue. Put a bandaid on it as suggested with monit. When I search for the ip6 address I see it listed as link#11 and link#12 with Flags "UHS" and Use "0" under System:Routes:Status.

Any way to figure out what this address is?
#2
Alright! I got it working. Dummy me disabled the ability to ping my client (home) router. But if I try to ssh the IP directly it works.

Somewhat related, when I connected through my home VPN I could not access resources on the server's net. Adding 10.1.10.0/24 next to Remote networks for both the server and client specific overrides did the trick.
#3
Actually I think my issue is related to this: https://forum.opnsense.org/index.php?topic=4476.0

On further inspection it looks like I can ping the server from the client but not the other way around.

And I don't know how exactly to execute "So i changed the tunnel network address and set the route at the server box manually...and it works." as suggested by siegfried.

Is this a known bug?
#4
I'm looking to use aes-256-gcm to improve performance between my two OPNsense routers. According to this report: https://github.com/opnsense/core/issues/1959, aes-256-gcm only works when Peer to Peer (SSL/TLS) is selected.

Right now I have a working Peer to Peer (Shared Key) setup using aes-256-cbc; all devices are ping-able between both networks.

I first created a certificate authority in the server by going to System:Trust:Authorities-->Add or Import CA

Descriptive Name: OpenVPN Tunnel Authority
Method: Create an internal Certificate Authority
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common Name: internal-openvpn-tunnel

Then I created a new certificate (System:Trust:Authorities-->Certificates)

Method: Create an internal Certificate
Descriptive name
Certificate authority: OpenVPN Tunnel Authority
Type: Server Certificate
Key length: 4096
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel

Modified my existing server to use certs (VPN:OpenVPN:Servers)

Description: OpenVPN Tunnel Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: WAN1
Local port: XXXX
TLS Authentication: Enabled and key copied to client
Peer Certificate Authority: OpenVPN Tunnel Authority
Peer Certificate Revocation List: None
Server Certificate: OpenVPN Tunnel Server (OpenVPN Tunnel Authority)
DH Parameter Length: 2048
Encryption Algorithm: AES-256-GCM
Auth Digest Algorithm: SHA512
Hardware Crypto: No
Certificate Depth: Do Not Check
Tunnel Settings: 10.10.0.0/24
IPv4 Local Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
IPv4 Remote Network: 10.0.10.0/24
Compression: Enabled with Adaptive Compression
Client Settings: Address Pool checked
DNS Servers: #1) 10.0.0.1, #2) 10.0.10.1
Force DNS cache update: checked
Verbosity: 3

Then under Client Specific Overrides (VPN:OpenVPN:Client Specific Overrides)

Servers: OpenVPN Tunnel Server (XXXX / TCP)
Common name: internal-openvpn-tunnel
Description: OpenVPN Tunnel Server
IPv4 Remote Network: 10.0.10.0/24

On the Client System Imported Certificate Authority by copy-pasting Certificate data and Certificate Private Key

Under Certificates issued a Client Certificate using OpenVPN Tunnel Authority

Method: Create an internal Certificate
Descriptive Name: OpenVPN Tunnel Client
Certificate Authority: OpenVPN Tunnel Authority
Type: Client Certificate
Key length: 2048
Digest Algorithm: SHA512
Lifetime: 3650
<contact info>
Common name: internal-openvpn-tunnel


Modified Client (VPN:OpenVPN:Clients)

Description: OpenVPN Tunnel to Server
Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device mode: tun
Interface: WAN
Remote server: <IP>: XXXX

TLS Authentication: Enabled and copied from server
Peer Certificate Authority: OpenVPN Tunnel Authority
Client Certificate: OpenVPN Tunnel Client (CA: OpenVPN Tunnel Authority)
Encryption algorithm: AES-256-GCM
Auth digest Algorithm: SHA512
IPv4 Tunnel Network: 10.10.0.0/24
IPv4 Remote Network: 10.0.0.0/24,10.0.1.0/24,10.0.2.0/24,10.1.0.0/24
Compression: Enabled with Adaptive Compression
Don't add/remove routes: (tried with and without)
Verbosity level: 3


Under connection status I see the connection as "up" but I cannot ping and browse the network like I did with shared key. In the client logs I see this:


May 7 15:06:25    openvpn[32982]: MANAGEMENT: Client disconnected
May 7 15:06:25    openvpn[32982]: MANAGEMENT: CMD 'status 2'
May 7 15:06:25    openvpn[32982]: MANAGEMENT: CMD 'state all'
May 7 15:06:25    openvpn[32982]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
May 7 15:06:25    openvpn[63961]: MANAGEMENT: Client disconnected
May 7 15:06:25    openvpn[63961]: MANAGEMENT: CMD 'status 3'
May 7 15:06:25    openvpn[63961]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
May 7 15:06:20    openvpn[32982]: Initialization Sequence Completed

I also noticed that the virtual address changes from 10.10.0.2 (shared key) to 10.10.0.6 (SSL/TLS) and back to 10.10.0.2 if I switch back to shared key.

I also tried with and without the client override.

I don't see anything glaring that's wrong. Am I misconfiguring something here? Are there additional settings I'm not aware of?
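As an added illustration (not from the thread and not OPNsense's own code), the following Python works through the addressing in the post above. It assumes OpenVPN's net30 topology is in effect: under net30, 10.10.0.6 is exactly the first client slot of 10.10.0.0/24, so the move from 10.10.0.2 (shared key) to 10.10.0.6 (SSL/TLS) is expected rather than a sign of misrouting. It also checks that tunnel, local and remote networks do not overlap, which is the first thing to rule out when a tunnel shows "up" but traffic does not flow.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed from the addressing given in the post (a copy for the example,
# not a live configuration)
TUNNEL = IPv4Network("10.10.0.0/24")
LOCAL = [IPv4Network(n) for n in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.1.0.0/24")]
REMOTE = [IPv4Network("10.0.10.0/24")]


def net30_client(tunnel, index):
    """Addresses the index-th connected client (1-based) receives under OpenVPN's
    net30 topology (assumed here): the first /30 of the tunnel network belongs to
    the server, then each client gets the next /30 and uses its second host
    address, with the first host address as the server-side endpoint."""
    if index < 1:
        raise ValueError("clients are numbered from 1")
    block = list(tunnel.subnets(new_prefix=30))[index]
    server_end, client_vip = list(block.hosts())
    return client_vip, server_end


def explain_vip(tunnel, vip):
    """Classify an observed virtual address: the shared-key point-to-point pair
    (.1/.2), a net30 client slot, or an address outside the tunnel network."""
    addr = IPv4Address(vip)
    if addr not in tunnel:
        return "outside tunnel network"
    if addr in list(tunnel.hosts())[:2]:
        return "shared-key point-to-point endpoint"
    for i in range(1, tunnel.num_addresses // 4):
        client_vip, _ = net30_client(tunnel, i)
        if addr == client_vip:
            return f"net30 client slot {i}"
    return "not a client address in net30 (server-side endpoint or reserved)"


def overlaps(tunnel, local, remote):
    """Return every pair of networks that overlap. The tunnel, local and remote
    sets must be disjoint, otherwise routes pushed over the tunnel collide with
    directly attached ones and ping works in one direction at best."""
    tagged = [("tunnel", tunnel)] + [("local", n) for n in local] + [("remote", n) for n in remote]
    hits = []
    for i, (kind_a, a) in enumerate(tagged):
        for kind_b, b in tagged[i + 1:]:
            if a.overlaps(b):
                hits.append((kind_a, str(a), kind_b, str(b)))
    return hits


if __name__ == "__main__":
    print(explain_vip(TUNNEL, "10.10.0.6"), overlaps(TUNNEL, LOCAL, REMOTE))
```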
#5
I've set up a site-to-site VPN connection between OPNsense servers A (server) and B (client) connecting networks A-Net0, A-Net1, A-Net2 to B-Net0.

VPN and firewalls are properly configured. I can ping clients within any net on Server B to any net on Server A and vice-versa.

I've set up DNS using unbound with overrides (same overrides on both servers) on both Server A and Server B pointing to various servers through networks under both server A and server B. This way I'm able to resolve DNS properly through to any server on all networks from any client on all networks. A few of these servers that have internal overrides under Server A networks also face the internet through port forwarding of virtual IPs.

This is fine for now, as long as the VPN connection is up; but I'm wondering if there's a way to route DNS requests from clients under network B-Net0 for internet facing servers under network A-Net2 that have internal overrides to public DNS, i.e. 8.8.8.8, if the VPN connection goes down.

Right now if the VPN connection goes down then clients under network B-Net0 cannot resolve servers under network A-Net2 even though these servers under A-Net2 face the internet and resolve under public DNS.

I've tried enabling the "forward DNS queries" in unbound on Server B, disabling all overrides on Server B and setting up DNS servers in general settings pointing first to Server B, then Server A, then 8.8.8.8, but I still have the same issue as above.

I've also disabled Unbound on Server B, enabled Dnsmasq (forwarder) and set DNS servers in general for Server B as: Server B, Server A, 8.8.8.8. This didn't work. I then tried enabling "rolling dns connection" but that didn't work. I finally tried removing Server B from the general DNS settings so the order is: Server A, then 8.8.8.8, and that worked. But the issue now is that page loading times have increased significantly when clients under B-Net0 access servers on A-Net2; probably because it's taking a long time to find that the first DNS server does not resolve before going to the next server that does.

I'm inclined to keep the unbound override setup that works and hope I respond quickly to downed VPN connections.

Any thoughts? Please let me know if something's not clear.
#6
The new import settings button works! Thank you.

On another note, I couldn't get it to work with zoho. When sending notifications from the webgui, zoho worked, but not from monit. I switched to gmail mail and both work now.

The error in the log for zoho was:

Mail: Mailserver response error -- 553 Relaying disallowed as monit@subdomina.example.com
#7
17.7 Legacy Series / Re: Monit Plugin E-mail Notification
February 01, 2018, 08:46:32 PM
Hmm, apparently the monit plugin should pull the settings from notifications. I think because I had monit installed before I set my notifications it didn't pull correctly. How do I completely remove a plugin and its settings?

Simply removing and installing the plugin doesn't work. It reverts to my previous settings. Where are the config files located so I can delete them?
#8
17.7 Legacy Series / Monit Plugin E-mail Notification
January 31, 2018, 03:51:48 PM
I'm having a hard time getting monit to send email notifications on alert. I've set up system notifications and that works ok. Attached is the monit settings page.



I tried filling in the same SMTP server, auth, and password that works for system notifications, but when I hit apply, I get prompted with "smtp server must be an IP address." I don't understand why it needs to be an IP address. Monit docs allow for FQDN. Is this a bug?