Messages

1

24.7 Production Series / CPU Utilization went up after upgrade to 24.7.4

« on: October 14, 2024, 09:39:03 pm »

Hello,

After upgrading to 24.7.4 from 24.7.1 my CPU utilization went up. Looks like the "clock{clock (0)}" system process is the cause. It stays at about 4% - 6% most of the time.

2

Development and Code Review / Re: Testing open connect server ocserv

« on: August 20, 2019, 05:55:35 pm »

Have you removed lines with "iptables ..." from ocserv-script? OPNsense uses ipfw instead.
Was you able to run ocserv-script interactively from the shell?

3

Development and Code Review / Re: Testing open connect server ocserv

« on: March 16, 2018, 06:37:36 am »

With the following setting in the config file

Code: [Select]

connect-script = /usr/local/etc/ocserv/ocserv-script

it should not be a problem to rename tunX interface into something that is recognized by OPNsense. DEVICE is passed as a parameter to the script. See the note from the config.sample:

Code: [Select]

# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.

# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.


4

Development and Code Review / Re: Testing open connect server ocserv

« on: March 14, 2018, 08:13:23 am »

I was thinking about renaming tunX interfaces, but then found following note regarding OpenConnect server on pfsense (https://blog.dhampir.no/content/pfsense-as-a-cisco-anyconnect-vpn-client-using-openconnect). So I thought that it could cause an issue on OPNsense too.

About the CAUTION: pfSense will indeed detonate, as you say, on reboot. There will be a missing interface, as the VPN software hasn’t created it yet. This will kick pfSense into the interface assignment part of the setup, which you’ll have to skip out of to continue booting. Since this requires access to the console, I could not use this at the remote site I was deploying it at, since accessing the console, even over the network, would of course require the network to be there in the first place.

5

Development and Code Review / Re: Testing open connect server ocserv

« on: March 14, 2018, 06:10:11 am »

I have tried to install OpenConnect Server on my OPNsense running in Virtual Box and it seems to work.
This is what I had to do to make it cooperate with OPNsense:

 - Install OpenConnect Server and all dependencies from FreeBSD repository
 

Code: [Select]

    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libunistring-0.9.9.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn2-2.0.4.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libtasn1-4.13.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/p11-kit-0.23.10.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tpm-emulator-0.7.4_2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/trousers-0.3.14_2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/gnutls-3.5.18.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libev-4.24,1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libgpg-error-1.27.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libgcrypt-1.8.2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libxslt-1.1.29_1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/nspr-4.19.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/nss-3.36.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/xmlsec1-1.2.25.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/oath-toolkit-2.6.2.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/protobuf-3.5.1.1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/protobuf-c-1.3.0_1.txz
    pkg add -f https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ocserv-0.11.11.txz
 
 - Replace "/usr/local/etc/ocserv/conf" with the updated config from https://gitlab.com/ocserv/ocserv/blob/master/doc/sample.config
   Make changes accordingly and make sure that you enable connect-script as follow:

Code: [Select]

   
   connect-script = /usr/local/etc/ocserv/ocserv-script
   

 - Download connect script from https://gitlab.com/ocserv/ocserv/blob/master/doc/scripts/ocserv-script and place it into /usr/local/etc/ocserv/ directory.
   Modify it to assign tunX interface to the openvpn group. OpenConnect Server create new tunX interface for every new connected client. Assigning it to the
   openvpn group allow OpenVPN firewall rules to control ocserv VPN connection too.

Code: [Select]

    #!/bin/sh

    if [ "$REASON" = "connect" ];then
        # Assign tunX to openvpn group
        ifconfig $DEVICE group openvpn
        echo "User '$USERNAME' from '$IP_REAL' connected. Local IP is '$IP_REMOTE'"
    else
        echo "User '$USERNAME' from '$IP_REAL' disconnected (in: $STATS_BYTES_IN, out: $STATS_BYTES_OUT, time: $STATS_DURATION)."
    fi

    exit 0

 - Modify /etc/rc.conf.local and enable ocserv service

Code: [Select]

    echo "ocserv_enable=YES" >> /etc/rc.conf.local

After installation I was able to use OpenVPN firewall rules to control access of OpenConnect clients.

Regards,
-Andrew