Show Posts - vividou

Profile Info
- Summary
- Show Stats
- Show Posts...

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - vividou

Pages: [1] 2

1

General Discussion / OpenVPN client DNS from unbound+DNSCrypt?

« on: March 19, 2019, 08:54:43 am »

Hello,

As DNS, I am using unbound with the DNSCrypt plugin as described is this post: https://forum.opnsense.org/index.php?topic=10670.0

Currently to force the DNS to my OpenVPN clients, I register the DNS in the DNS Servers fields of the OpenVPN settings, but I would like to use the one privided by my opnsense setting (unbound+DNSCrypt).

Is it possible to force my OpenVPN clients to use the DNS provided by this setup?
How to do that?

Thanks

2

General Discussion / Re: No internet with OpenVPN clients

« on: May 24, 2018, 10:08:31 pm »

Yes the address return by the link on the client when connected through openvpn is the correct address, the ip address of the opnsense box.

3

General Discussion / Re: No internet with OpenVPN clients

« on: May 24, 2018, 06:40:37 pm »

Yes, I can ping using dns names.

$ nslookup google.com 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.214.110

$ nslookup google.com
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.214.78

But no internet. Which opnsense settings could block the traffic despite having a passing rule on the firewall?

When increasing the verbosity on the client side to 6 and trying browsing the internet, I can see lot of traffic as follow:

Thu May 24 19:40:18 2018 us=366858 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367395 UDPv4 READ [161] from [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=160
Thu May 24 19:40:18 2018 us=367685 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367881 TUN READ [1328]
Thu May 24 19:40:18 2018 us=368478 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424
Thu May 24 19:40:18 2018 us=368823 TUN READ [1328]
Thu May 24 19:40:18 2018 us=369423 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424

In the same time, wireshark listening on the tun0 interface provides such kind of messages a lot that I do not observe when browsing the internet without openvpn:

1018	115.665848000	10.0.8.2	34.217.184.213	TCP	1328	[TCP Retransmission] 54801→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499056 TSecr=1287031960
1023	119.121651000	10.0.8.2	34.217.184.213	TCP	1328	[TCP Out-Of-Order] 54802→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499920 TSecr=1287031998
1029	122.384418000	93.184.220.29	10.0.8.2	TCP	52	[TCP Keep-Alive ACK] 80→48290 [ACK] Seq=2365 Ack=1375 Win=148480 Len=0 TSval=1070943662 TSecr=488092
1030	123.153667000	10.0.8.2	34.217.184.213	TCP	52	[TCP Keep-Alive] 54804→443 [ACK] Seq=1198 Ack=3189 Win=36608 Len=0 TSval=500928 TSecr=1287042247

4

General Discussion / Re: No internet with OpenVPN clients

« on: May 23, 2018, 09:02:56 pm »

Hello,

a quick refresh on my current setup:

Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked

then the client file is obtained from the client export section:

Verify Server CN        Automatic-Use verify-x509-name
Use Random Local Port   checked

Exporting the others file

Firewall: Rules: WAN

pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard
Firewall: Rules: OpenVPN

pass, IPv4 *, OpenVPN net, *, *, *, *, OpenVPN wizard
With this configuration I am able to ping 8.8.8.8. With wireshark running on the client, I can see that the traffic goes to the tun0 in clear then to the internet encrypted with OpenVPN protocol.
However, it is not possible to display web pages.

I am suspected that the traffic is not reemitted by opnsense to satisfy the request.
What could be the reason?

When looking the Firewall/Log Files/Live View, I do not see any traffic to/from the openvpn interface.

How to monitor the traffic going in/out a specific interface? Is this Live View the only way?

Thanks,

5

18.1 Legacy Series / update 18.1.3: audit security problem?

« on: March 05, 2018, 07:18:01 pm »

Hello,

After updating Opnsense to the version 18.1.3, the security audit returns the following message:

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
isc-dhcp43-client-4.3.6 is vulnerable:
isc-dhcp -- Multiple vulnerabilities
CVE: CVE-2018-5733
CVE: CVE-2018-5732
WWW: https://vuxml.FreeBSD.org/freebsd/2040c7f5-1e3a-11e8-8ae9-0050569f0b83.html

1 problem(s) in the installed packages found.
***DONE***

Is it a bug?

6

General Discussion / Re: No internet with OpenVPN clients

« on: March 03, 2018, 07:59:20 pm »

The "nslookup -q=soa google.com 8.8.8.8" command on a client connected to the vpn server provides a result:

$ nslookup -q=soa google.com 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
google.com
	origin = ns1.google.com
	mail addr = dns-admin.google.com
	serial = 187645724
	refresh = 900
	retry = 900
	expire = 1800
	minimum = 60

Authoritative answers can be found from:

It is the same result when the command is not connected to the vpn server.

I have also tried antoher command to see the gateway used when connecting to the server:

$ ip route get 8.8.8.8
8.8.8.8 via 10.0.8.1 dev tun0  src 10.0.8.2 
    cache

The output is this time different when the client is not connected to the server.

Here is the result of another command whenc connected to the vpn server.

$ ip route show
0.0.0.0/1 via 10.0.8.1 dev tun0 
default via 10.41.yyy.yyy dev wlp3s0  proto static  metric 600 
10.0.8.0/24 dev tun0  proto kernel  scope link  src 10.0.8.2 
10.41.0.0/18 dev wlp3s0  proto kernel  scope link  src 10.41.yyy.yyy  metric 600 
10.255.255.254 via 10.41.0.1 dev wlp3s0  proto dhcp  metric 600 
xxx.xxx.xxx.xxx via 10.41.0.1 dev wlp3s0 
128.0.0.0/1 via 10.0.8.1 dev tun0 
169.254.0.0/16 dev tun0  scope link  metric 1000

Just to make a point to my Opnsense config now according to the one provided at the beginning of the post, only the following has changed:
Firewall: Rules: OpenVPN

pass IPV4 *, OpenVPN net, *, *, *, *
Adding the OpenVPN network to the access list of Unbound DNS server do not change the status made here.

7

General Discussion / Re: No internet with OpenVPN clients

« on: March 03, 2018, 02:48:15 pm »

The nslookup command on my client connected to the openvpn never returns and nothing is displayed.

On my configuration Unbound DNS is enabled. Despite adding and allowing the OpenVPN network to the access list, no internet, no dns resolution.

I have read that some people changed the NAT settings, but not sure which settings to set then.

8

General Discussion / Re: No internet with OpenVPN clients

« on: March 03, 2018, 11:08:41 am »

Thanks.

I have added the rule Firewall: Rules: OpenVPN
IPv4 *, *, *, *, *, *

This allows pinging the google dns servers (8.8.8.

.

However the nslookup still does not work.

Adding the advanced settings:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

does not provide better result. (by the way, is it possible to use the dns already provided in opnsense configuration instead of relisting them in the openvpn configuration?)

9

General Discussion / Re: No internet with OpenVPN clients

« on: March 03, 2018, 10:36:53 am »

The pings to 8.8.8.8 fail.

10

General Discussion / No internet with OpenVPN clients

« on: March 02, 2018, 07:31:13 pm »

Hello,

My OpenVPN is running and my client can connect to it.

However, the clients cannot connect to the Internet through the vpn.

My purpose is that the clients can connect to the vpn server to surf the Internet from it only (no connection to local network).

How to configure Opnsense for this purpose?

Here is my configuration with OPNsense 18.1.2_2-amd64

VPN: OpenVPN: Servers

Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked

Firewall: Rules: WAN

pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard
Firewall: Rules: OpenVPN
nothing

Firewall: NAT: Outbound
Automatic outbound NAT rule generation

Should I assign an interface for OpenVPN?

Thanks

11

General Discussion / [SOLVED] OpenVPN not connecting from WAN

« on: March 01, 2018, 07:39:57 pm »

After several attempts to configure, create certificates and in the meantime an update to 18.1.2, OpenVPN is now working.

I have noticed that the openvpn client on linux does not like when the ssl certificate for the same vpn changes. Once the certificate changes all following connection will contain the TSL error until the client is rebooted.

12

General Discussion / Re: DtDNS Support

« on: February 13, 2018, 02:43:15 pm »

Actually, the creation of account and Dynamic DNS hostname is free. Just need to fill the form https://www.dtdns.com/

13

General Discussion / Re: DtDNS Support

« on: February 12, 2018, 08:39:23 pm »

Hello,

If you mean that I could test your implemented service, yes sure!

14

General Discussion / Re: DtDNS Support

« on: February 11, 2018, 10:41:49 am »

Indeed, with 'custom' it is possible to use DtDNS with the foolowing url https://www.dtdns.com/api/autodns.cfm?id=DNS_ADDRESS&pw=PASSWORD&ip=%IP% as described in http://www.dtdns.com/dtsite/updatespec.
Thanks for the tip.

Is there anything like %IP% which could be used to replace the hostname and the password?

Also I cannot figure out the exact result matching pattern. After updating, the returned message is <html><head><style></style></head><body>Host <Hostname> now points to %IP%.
</body></html>. But when I fill the result match box with that string there is an error

opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: (Error) Result did not match.

15

General Discussion / Re: DtDNS Support

« on: February 10, 2018, 06:44:13 pm »

it does not appear in the drop down list of 'Service type'.

Pages: [1] 2