Messages - vividou

#1
General Discussion / Re: Randomize ipv6 WAN address
December 05, 2024, 05:42:44 PM
Hello,

Thanks for the information.

Defining "Optional prefix ID" and "Optional interface ID" allows creating a second IPv6 address, but unfortunately the one containing the MAC is still the one used on the internet.


Configuring in System -> Settings -> Tunables:

net.inet6.ip6.use_tempaddr = 1
net.inet6.ip6.prefer_tempaddr = 1


effectively creates a random IPv6 address that is used on the internet.

Thanks
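The address shape in the question below, `xxxx::xxff:fexx:xxxx`, is the giveaway: a SLAAC interface identifier built from a MAC by the modified EUI-64 rule always has `ff:fe` in its middle two bytes, so the MAC can be read straight back out of the address. Temporary (privacy) addresses, which the two tunables above switch on and prefer, use a random interface identifier instead. The following Python is an added example, not code from the post or from OPNsense; the addresses and the MAC in it are constructed for illustration.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample addresses (not from the post): an EUI-64 SLAAC address
# derived from the MAC 00:11:22:33:44:55, and a privacy (temporary) address.
SAMPLE_EUI64 = "2001:db8:1234:5678:211:22ff:fe33:4455"
SAMPLE_TEMP = "2001:db8:1234:5678:3a4f:9c1e:7b2d:0c55"


def eui64_interface_id(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface identifier a SLAAC host
    derives from a 48-bit MAC (RFC 4291 appendix A): split the MAC in two,
    insert ff:fe in the middle and flip the universal/local bit (0x02) of
    the first octet."""
    octets = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID of the given MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_ipv6(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 address, or None when the
    interface ID lacks the ff:fe marker (for example a temporary address).
    A random interface ID matches the marker with probability 1/65536, so a
    hit is strong evidence of a MAC-derived address, not proof."""
    packed = ipaddress.IPv6Address(addr).packed
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print(slaac_address("2001:db8:1234:5678::/64", "00:11:22:33:44:55"))
    print(mac_from_ipv6(SAMPLE_EUI64))
    print(mac_from_ipv6(SAMPLE_TEMP))
```

To confirm the fix on the firewall itself, `sysctl net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr` on the OPNsense shell shows the current values, and `ifconfig` marks privacy addresses with the `temporary` flag; running `mac_from_ipv6` over the WAN addresses it prints tells you which of them still leak the hardware address.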

#2
General Discussion / [Solved] Randomize ipv6 WAN address
December 04, 2024, 06:32:53 PM
Hello,

My OPNsense is configured for IPv6 as follows:

GUI:
Interfaces > WAN >  IPv6 Configuration Type = DHCPv6
                    Prefix delegation size = 56


But the WAN IPv6 address contains the MAC address.

Shell:
# ifconfig
wan:
    inet6 xxxx::xxff:fexx:xxxx prefixlen 64 autoconf pltime 7200 vltime 21600


Is there a way to make it more random, without the MAC address?

Thanks
#3
Hello,

As DNS, I am using Unbound with the DNSCrypt plugin as described in this post: https://forum.opnsense.org/index.php?topic=10670.0

Currently, to force the DNS on my OpenVPN clients, I enter the DNS in the DNS Servers fields of the OpenVPN settings, but I would like to use the one provided by my OPNsense setup (Unbound + DNSCrypt).

Is it possible to force my OpenVPN clients to use the DNS provided by this setup?
How to do that?



Thanks
#4
Yes, the address returned by the link on the client when connected through OpenVPN is the correct address, the IP address of the OPNsense box.
#5
Yes, I can ping using dns names.

$ nslookup google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.110


$ nslookup google.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.78


But no internet. Which OPNsense settings could block the traffic despite having a pass rule on the firewall?


When increasing the verbosity on the client side to 6 and trying to browse the internet, I can see a lot of traffic as follows:

Thu May 24 19:40:18 2018 us=366858 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367395 UDPv4 READ [161] from [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=160
Thu May 24 19:40:18 2018 us=367685 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367881 TUN READ [1328]
Thu May 24 19:40:18 2018 us=368478 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424
Thu May 24 19:40:18 2018 us=368823 TUN READ [1328]
Thu May 24 19:40:18 2018 us=369423 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424


At the same time, Wireshark listening on the tun0 interface shows many messages of the following kind that I do not observe when browsing the internet without OpenVPN:
1018 115.665848000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Retransmission] 54801→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499056 TSecr=1287031960
1023 119.121651000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Out-Of-Order] 54802→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499920 TSecr=1287031998
1029 122.384418000 93.184.220.29 10.0.8.2 TCP 52 [TCP Keep-Alive ACK] 80→48290 [ACK] Seq=2365 Ack=1375 Win=148480 Len=0 TSval=1070943662 TSecr=488092
1030 123.153667000 10.0.8.2 34.217.184.213 TCP 52 [TCP Keep-Alive] 54804→443 [ACK] Seq=1198 Ack=3189 Win=36608 Len=0 TSval=500928 TSecr=1287042247
#6
Hello,

a quick refresh on my current setup:
Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked


then the client file is obtained from the client export section:
Verify Server CN        Automatic-Use verify-x509-name
Use Random Local Port   checked


Exporting the other files

Firewall: Rules: WAN
pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard

Firewall: Rules: OpenVPN
pass, IPv4 *, OpenVPN net, *, *, *, *, OpenVPN wizard

With this configuration I am able to ping 8.8.8.8. With Wireshark running on the client, I can see that the traffic goes to tun0 in the clear and then to the internet encrypted with the OpenVPN protocol.
However, it is not possible to display web pages.

I suspect that the traffic is not re-emitted by OPNsense to satisfy the request.
What could be the reason?

When looking at the Firewall/Log Files/Live View, I do not see any traffic to/from the OpenVPN interface.

How to monitor the traffic going in/out a specific interface? Is this Live View the only way?

Thanks,
#7
Hello,

After updating OPNsense to version 18.1.3, the security audit returns the following message:
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
isc-dhcp43-client-4.3.6 is vulnerable:
isc-dhcp -- Multiple vulnerabilities
CVE: CVE-2018-5733
CVE: CVE-2018-5732
WWW: https://vuxml.FreeBSD.org/freebsd/2040c7f5-1e3a-11e8-8ae9-0050569f0b83.html

1 problem(s) in the installed packages found.
***DONE***


Is it a bug?
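The transcript above is the format FreeBSD's `pkg audit` prints, which is what the OPNsense audit wraps: a `<package>-<version> is vulnerable:` header, the VuXML entry title, one `CVE:` line per identifier, a `WWW:` link to the VuXML entry, and a closing count. Anyone feeding these audits into a ticket or alert pipeline needs to turn that text into structured findings; the Python below is an added example of such a parser, not part of the post or of OPNsense, and its sample input is the audit output transcribed from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Audit output transcribed from the post (the format `pkg audit` prints on
# FreeBSD, which the OPNsense security audit wraps).
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
isc-dhcp43-client-4.3.6 is vulnerable:
isc-dhcp -- Multiple vulnerabilities
CVE: CVE-2018-5733
CVE: CVE-2018-5732
WWW: https://vuxml.FreeBSD.org/freebsd/2040c7f5-1e3a-11e8-8ae9-0050569f0b83.html

1 problem(s) in the installed packages found.
***DONE***
"""


@dataclass
class Finding:
    package: str            # package name without version, e.g. isc-dhcp43-client
    version: str            # installed version that is flagged
    title: str = ""         # VuXML entry title
    cves: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


# "<name>-<version> is vulnerable:"; the version is the last dash-separated
# component, so package names containing dashes are handled by backtracking.
VULN_RE = re.compile(r"^(?P<pkg>\S+)-(?P<ver>[^-\s]+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(?P<n>\d+) problem\(s\) in the installed packages found\.$")


def parse_audit(text: str) -> List[Finding]:
    """Turn the audit transcript into one Finding per vulnerable package.
    The summary line closes the findings section, so the trailing banner
    and any other chatter are not mistaken for a finding's title."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:
            current = Finding(m["pkg"], m["ver"])
            findings.append(current)
            continue
        if SUMMARY_RE.match(line):
            current = None
            continue
        if current is None or not line:
            continue
        if line.startswith("CVE:"):
            current.cves.append(line.split(":", 1)[1].strip())
        elif line.startswith("WWW:"):
            current.urls.append(line.split(":", 1)[1].strip())
        elif not current.title:
            current.title = line
    return findings


def reported_count(text: str) -> int:
    """Number from the 'N problem(s)' summary line, 0 if it is absent."""
    for raw in text.splitlines():
        m = SUMMARY_RE.match(raw.strip())
        if m:
            return int(m["n"])
    return 0


def all_cves(findings: List[Finding]) -> Set[str]:
    """Flat set of CVE identifiers across every finding."""
    return {c for f in findings for c in f.cves}


def consistent(text: str) -> bool:
    """Sanity check: the parsed findings agree with the tool's own count.
    A mismatch means the format changed and the parser needs attention."""
    return len(parse_audit(text)) == reported_count(text)


if __name__ == "__main__":
    for f in parse_audit(SAMPLE_AUDIT):
        print(f.package, f.version, f.title, f.cves, f.urls)
    print("consistent:", consistent(SAMPLE_AUDIT))
```

The `consistent` check is deliberate: a parser that silently returns zero findings when the output format drifts is worse than one that fails loudly, because an empty result looks exactly like a clean audit.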
#8
The "nslookup -q=soa google.com 8.8.8.8" command on a client connected to the vpn server provides a result:
$ nslookup -q=soa google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 187645724
refresh = 900
retry = 900
expire = 1800
minimum = 60

Authoritative answers can be found from:


It is the same result when the client is not connected to the VPN server.

I have also tried another command to see the gateway used when connected to the server:
$ ip route get 8.8.8.8
8.8.8.8 via 10.0.8.1 dev tun0  src 10.0.8.2
    cache


The output is this time different when the client is not connected to the server.

Here is the result of another command when connected to the VPN server.

$ ip route show
0.0.0.0/1 via 10.0.8.1 dev tun0
default via 10.41.yyy.yyy dev wlp3s0  proto static  metric 600
10.0.8.0/24 dev tun0  proto kernel  scope link  src 10.0.8.2
10.41.0.0/18 dev wlp3s0  proto kernel  scope link  src 10.41.yyy.yyy  metric 600
10.255.255.254 via 10.41.0.1 dev wlp3s0  proto dhcp  metric 600
xxx.xxx.xxx.xxx via 10.41.0.1 dev wlp3s0
128.0.0.0/1 via 10.0.8.1 dev tun0
169.254.0.0/16 dev tun0  scope link  metric 1000



Just to note, compared to my OPNsense config provided at the beginning of the post, only the following has changed:
Firewall: Rules: OpenVPN
pass IPV4 *, OpenVPN net, *, *, *, *

Adding the OpenVPN network to the access list of the Unbound DNS server does not change the status described here.
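The `ip route show` output above is what OpenVPN's "Redirect Gateway" option (`redirect-gateway def1`) produces on a Linux client: instead of replacing the default route, it adds `0.0.0.0/1` and `128.0.0.0/1` via the tunnel, which together cover all of IPv4 and, being longer than `/0`, win the longest-prefix match, plus a `/32` host route for the VPN server itself through the physical interface so the encrypted packets do not get routed back into the tunnel. That is why `ip route get 8.8.8.8` resolves to tun0 while the `xxx.xxx.xxx.xxx` server address still goes via the Wi-Fi gateway. The Python below is an added example, not from the post or from OpenVPN or OPNsense: it replays the kernel's selection over the table from the post, with the redacted values replaced by the constructed placeholders 203.0.113.10 (VPN server) and 10.41.0.1 (Wi-Fi default gateway), and checks the two properties the def1 trick depends on.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None: destination is on-link, no gateway
    metric: int = 0


# Placeholders for values redacted in the post (constructed, not real).
VPN_SERVER = "203.0.113.10"   # stands in for xxx.xxx.xxx.xxx
WIFI_GW = "10.41.0.1"         # stands in for 10.41.yyy.yyy


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s, strict=False)


# Routes present only while the client is connected (added by OpenVPN).
VPN_ROUTES: List[Route] = [
    Route(net("0.0.0.0/1"), "tun0", "10.0.8.1"),
    Route(net("128.0.0.0/1"), "tun0", "10.0.8.1"),
    Route(net("10.0.8.0/24"), "tun0"),
    Route(net("169.254.0.0/16"), "tun0", None, 1000),
    Route(net(VPN_SERVER + "/32"), "wlp3s0", WIFI_GW),
]

# Routes the Wi-Fi connection installs regardless of the VPN.
BASE_ROUTES: List[Route] = [
    Route(net("0.0.0.0/0"), "wlp3s0", WIFI_GW, 600),
    Route(net("10.41.0.0/18"), "wlp3s0", None, 600),
    Route(net("10.255.255.254/32"), "wlp3s0", WIFI_GW, 600),
]

CONNECTED = BASE_ROUTES + VPN_ROUTES


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins,
    mirroring how the Linux FIB picks a route."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def route_get(table: List[Route], dst: str) -> str:
    """Render the decision in the style of `ip route get <dst>`."""
    r = lookup(table, dst)
    if r is None:
        return f"{dst} unreachable"
    via = f"via {r.via} " if r.via else ""
    return f"{dst} {via}dev {r.dev}"


def tunnel_covers_everything(table: List[Route]) -> bool:
    """True when the two /1 routes through the tunnel together span all of
    IPv4, which is what redirect-gateway def1 relies on to override the
    existing default route without deleting it."""
    halves = {str(r.prefix) for r in table
              if r.dev == "tun0" and r.prefix.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


def server_bypasses_tunnel(table: List[Route]) -> bool:
    """Packets to the VPN server itself must leave via the physical
    interface; if they matched a tunnel route the tunnel would feed
    itself and never come up."""
    r = lookup(table, VPN_SERVER)
    return r is not None and r.dev != "tun0"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.0.0.1", VPN_SERVER, "10.41.0.9"):
        print(route_get(CONNECTED, dst))
    print("disconnected:", route_get(BASE_ROUTES, "8.8.8.8"))
```

Because the client-side decision for 8.8.8.8 really is "via 10.0.8.1 dev tun0", a working ping but failing DNS and HTTP points away from client routing and towards what happens after the packet reaches the firewall (the OpenVPN interface rules, outbound NAT for the 10.0.8.0/24 pool, and whether the resolver the client is told to use is reachable from that pool).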
#9
The nslookup command on my client connected to OpenVPN never returns and nothing is displayed.

On my configuration Unbound DNS is enabled. Despite adding and allowing the OpenVPN network to the access list, no internet, no dns resolution.

I have read that some people changed the NAT settings, but not sure which settings to set then.
#10
Thanks.

I have added the rule Firewall: Rules: OpenVPN
IPv4 *, *, *, *, *, *

This allows pinging the google dns servers (8.8.8.8).

However the nslookup still does not work.

Adding the advanced settings:
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

does not provide a better result. (By the way, is it possible to use the DNS already provided in the OPNsense configuration instead of relisting them in the OpenVPN configuration?)

#11
The pings to 8.8.8.8 fail.
#12
Hello,

My OpenVPN is running and my client can connect to it.

However, the clients cannot connect to the Internet through the vpn.

My purpose is that the clients can connect to the VPN server to surf the internet from it only (no connection to the local network).

How to configure OPNsense for this purpose?


Here is my configuration with OPNsense 18.1.2_2-amd64

VPN: OpenVPN: Servers
Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked


Firewall: Rules: WAN
pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard

Firewall: Rules: OpenVPN
nothing

Firewall: NAT: Outbound
Automatic outbound NAT rule generation

Should I assign an interface for OpenVPN?

Thanks
#13
After several attempts to configure it, create certificates and, in the meantime, an update to 18.1.2, OpenVPN is now working.

I have noticed that the OpenVPN client on Linux does not like it when the SSL certificate for the same VPN changes. Once the certificate changes, all following connections will contain the TLS error until the client is rebooted.
#14
General Discussion / Re: DtDNS Support
February 13, 2018, 02:43:15 PM
Actually, creating an account and a Dynamic DNS hostname is free. Just fill in the form at https://www.dtdns.com/
#15
General Discussion / Re: DtDNS Support
February 12, 2018, 08:39:23 PM
Hello,

If you mean that I could test your implemented service, yes sure!