Messages - andrewp

#1
Hello,

After upgrading to 24.7.4 from 24.7.1 my CPU utilization went up. Looks like the "clock{clock (0)}" system process is the cause. It stays at about 4% - 6% most of the time.
#2
Have you removed the lines with "iptables ..." from ocserv-script? OPNsense uses ipfw instead.
Were you able to run ocserv-script interactively from the shell?
#3
With the following setting in the config file


connect-script = /usr/local/etc/ocserv/ocserv-script


it should not be a problem to rename tunX interface into something that is recognized by OPNsense. DEVICE is passed as a parameter to the script. See the note from the config.sample:


# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.

# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
#4
I was thinking about renaming tunX interfaces, but then found the following note regarding OpenConnect server on pfSense (https://blog.dhampir.no/content/pfsense-as-a-cisco-anyconnect-vpn-client-using-openconnect). So I thought that it could cause an issue on OPNsense too.

Quote
About the CAUTION: pfSense will indeed detonate, as you say, on reboot. There will be a missing interface, as the VPN software hasn't created it yet. This will kick pfSense into the interface assignment part of the setup, which you'll have to skip out of to continue booting. Since this requires access to the console, I could not use this at the remote site I was deploying it at, since accessing the console, even over the network, would of course require the network to be there in the first place.
#5
I have tried to install OpenConnect Server on my OPNsense running in VirtualBox and it seems to work.
This is what I had to do to make it cooperate with OPNsense:

- Install OpenConnect Server and all dependencies from FreeBSD repository

    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libunistring-0.9.9.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn2-2.0.4.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libtasn1-4.13.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/p11-kit-0.23.10.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tpm-emulator-0.7.4_2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/trousers-0.3.14_2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/gnutls-3.5.18.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libev-4.24,1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libgpg-error-1.27.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libgcrypt-1.8.2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libxslt-1.1.29_1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/nspr-4.19.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/nss-3.36.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/xmlsec1-1.2.25.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/oath-toolkit-2.6.2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/protobuf-3.5.1.1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/protobuf-c-1.3.0_1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ocserv-0.11.11.txz


- Replace "/usr/local/etc/ocserv/conf" with the updated config from https://gitlab.com/ocserv/ocserv/blob/master/doc/sample.config
   Make changes accordingly and make sure that you enable connect-script as follows:

   
   connect-script = /usr/local/etc/ocserv/ocserv-script
   

- Download connect script from https://gitlab.com/ocserv/ocserv/blob/master/doc/scripts/ocserv-script and place it into /usr/local/etc/ocserv/ directory.
   Modify it to assign the tunX interface to the openvpn group. OpenConnect Server creates a new tunX interface for every newly connected client. Assigning it to the
   openvpn group allows the OpenVPN firewall rules to control ocserv VPN connections too.


    #!/bin/sh

    # ocserv sets REASON to "connect" or "disconnect" and DEVICE to the client's tunX interface
    if [ "$REASON" = "connect" ]; then
        # Assign tunX to the openvpn group so the OpenVPN firewall rules apply to it
        ifconfig "$DEVICE" group openvpn
        echo "User '$USERNAME' from '$IP_REAL' connected. Local IP is '$IP_REMOTE'"
    else
        echo "User '$USERNAME' from '$IP_REAL' disconnected (in: $STATS_BYTES_IN, out: $STATS_BYTES_OUT, time: $STATS_DURATION)."
    fi

    exit 0


- Modify /etc/rc.conf.local and enable the ocserv service


    echo "ocserv_enable=YES" >> /etc/rc.conf.local


After installation I was able to use OpenVPN firewall rules to control access of OpenConnect clients.

Regards,
-Andrew
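The connect-script environment described in post #3 and the group-assignment script in post #5 can be combined into a script that checks its input before acting on it. The block below is an added example, not Andrew's script and not ocserv's own doc/scripts/ocserv-script: it accepts only a DEVICE of the form tunN before passing it to ifconfig, logs connect and disconnect events with the variables ocserv documents (REASON, DEVICE, USERNAME, IP_REAL, IP_REMOTE, STATS_BYTES_IN, STATS_BYTES_OUT, STATS_DURATION), and returns non-zero so ocserv sees the failure when something unexpected arrives. The "openvpn" group is the forum post's choice; the IFCONFIG variable, the log() helper, the /sbin/ifconfig path and the exit-code convention are assumptions introduced here so the logic can be exercised without root or a real tun device.

```sh
#!/bin/sh
# Added example (not the forum author's script, not ocserv's sample script):
# an OPNsense connect-script that validates ocserv's environment before it
# hands the interface name to ifconfig.

IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"   # assumption: ifconfig path on OPNsense; override for testing

# Log to stderr; replace the body with logger(1) to send lines to syslog.
log() {
    echo "ocserv-script: $*" >&2
}

# Only "tun" followed by digits is accepted. Another interface name, or a
# value containing spaces or punctuation, is rejected before ifconfig sees it.
valid_device() {
    case "$1" in
        tun)            return 1 ;;   # bare "tun" names no device
        tun*[!0-9]*)    return 1 ;;   # a non-digit somewhere after "tun"
        tun[0-9]*)      return 0 ;;
        *)              return 1 ;;
    esac
}

# handle_event REASON DEVICE USERNAME IP_REAL IP_REMOTE
# Returns 0 on success, 1 if ifconfig fails, 2 if the input is rejected.
handle_event() {
    reason="$1" device="$2" user="$3" ip_real="$4" ip_remote="$5"
    case "$reason" in
        connect)
            if ! valid_device "$device"; then
                log "rejecting unexpected interface name '$device' for user '$user'"
                return 2
            fi
            # Put the client's tun interface into the openvpn group so the
            # OpenVPN firewall rules apply to it (the forum post's approach).
            "$IFCONFIG" "$device" group openvpn || return 1
            log "user '$user' from '$ip_real' connected on $device ($ip_remote)"
            ;;
        disconnect)
            log "user '$user' from '$ip_real' disconnected (in: ${STATS_BYTES_IN:-0}, out: ${STATS_BYTES_OUT:-0}, time: ${STATS_DURATION:-0}s)"
            ;;
        *)
            log "unknown REASON '$reason'"
            return 2
            ;;
    esac
}

# ocserv sets REASON when it invokes the script; run by hand with no
# environment, the script only defines the functions above.
if [ -n "${REASON:-}" ]; then
    handle_event "$REASON" "${DEVICE:-}" "${USERNAME:-}" "${IP_REAL:-}" "${IP_REMOTE:-}"
    exit $?
fi
```

To try it without a VPN client, run it with the environment set by hand, e.g. `REASON=connect DEVICE=tun0 USERNAME=test IP_REAL=198.51.100.7 IP_REMOTE=10.10.0.2 sh ocserv-script` as root, then confirm the group with `ifconfig -g openvpn`; setting `IFCONFIG=echo` in the environment shows the ifconfig call instead of executing it. The reject path matters because ifconfig is run as root: the script refuses anything that is not a plain tunN name rather than trusting the environment blindly.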