Messages - emfabox

#1
23.7 Legacy Series / Re: Reporting -> Unbound DNS
October 04, 2023, 07:03:42 PM
Sorry - now I got something -> configd.py

[0522a5b3-486c-4aa4-98bf-8de52602e250] Script action failed with Command '/usr/local/opnsense/scripts/unbound/stats.py totals --max '10'' died with <Signals.SIGABRT: 6>. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/unbound/stats.py totals --max '10'' died with <Signals.SIGABRT: 6>.
#2
23.7 Legacy Series / Re: Reporting -> Unbound DNS
October 04, 2023, 06:57:02 PM
Hm - what files or something else do you need to look at?

Basically I restart unbound to get the reporting back, and after a couple of hours it stops again...

Thank you.
#3
23.7 Legacy Series / Reporting -> Unbound DNS
October 04, 2023, 08:11:21 AM
Hello,

For some reason Reporting stops until I restart the unbound service - anyone out there with the same issue?

Running on V23-7.5-amd64

Thank you.
#4
22.7 Legacy Series / unbound blocklist download failed
September 12, 2022, 10:08:32 AM
V: OPNsense 22.7.4-amd64

Since the last upgrade I am facing issues with unbound ... is there something I missed since moving to latest version?

[17a89939-128a-4063-818f-d691d6181385] Script action failed with Command ' /usr/local/opnsense/scripts/unbound/blocklists.py && /usr/local/opnsense/scripts/unbound/wrapper.py -b ' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 482, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command ' /usr/local/opnsense/scripts/unbound/blocklists.py && /usr/local/opnsense/scripts/unbound/wrapper.py -b ' returned non-zero exit status 1.

--
2022-09-12T09:49:27   Notice   unbound    blocklist download done in 4.33 seconds (424057 records)
2022-09-12T09:49:27   Notice   unbound    blocklist download http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&mimetype=plaintext (lines: 3674 exclude: 0 block: 3674)
2022-09-12T09:49:27   Notice   unbound    blocklist download https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (lines: 145840 exclude: 15 block: 138719)
2022-09-12T09:49:26   Notice   unbound    blocklist download https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt (lines: 38 exclude: 0 block: 34)
2022-09-12T09:49:26   Notice   unbound    blocklist download https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt (lines: 2705 exclude: 0 block: 2701)
2022-09-12T09:49:25   Notice   unbound    blocklist download https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt (lines: 15078 exclude: 0 block: 15051)
2022-09-12T09:49:25   Notice   unbound    blocklist download https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt (lines: 1283 exclude: 0 block: 1265)
2022-09-12T09:49:25   Notice   unbound    blocklist download https://blocklistproject.github.io/Lists/alt-version/redirect-nl.txt (lines: 108693 exclude: 0 block: 108675)
2022-09-12T09:49:24   Notice   unbound    blocklist download https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt (lines: 154726 exclude: 0 block: 154563)
2022-09-12T09:49:23   Notice   unbound    blocklist download https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt (lines: 48005 exclude: 3 block: 48002)
2022-09-12T09:49:23   Notice   unbound    blocklist download https://adaway.org/hosts.txt (lines: 11616 exclude: 2 block: 7253)
2022-09-12T09:49:23   Notice   unbound    blocklist download https://threatfox.abuse.ch/downloads/hostfile (lines: 1904 exclude: 0 block: 1895)
2022-09-12T09:49:23   Notice   unbound    blocklist download : exclude domains matching xxxx.xx|^(?![a-zA-Z_\d]).*|libro.local|.*localhost$
2022-09-12T09:48:03   Notice   unbound    blocklist download done in 5.87 seconds (424057 records)
#5
Any idea?
Switched to pfSense 2.4.4-RELEASE-p3 (amd64)  :-\
Same hardware (Sophos SG 230) .. now it's working without any interruption ....  :)

#6
Hello,

For a couple of days now I have been getting a lot of MTU size errors in the firewall log:

XXX.XXX.XXX.XXX.655 > xxx.xxx.xxx.xxx.655: UDP, length 1508
00:00:00.001556 rule 91/0(match): pass out on lo0: (tos 0x0, ttl 64, id 51338, offset 0, flags [none], proto ICMP (1), length 56)
127.0.0.1 > XXX.XXX.XXX.XXX: ICMP xxx.xxx.xxx.xxx unreachable - need to frag (mtu 1500), length 36
(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1536, bad cksum 4321 (->1f19)!)
XXX.XXX.XXX.XXX.655 > xxx.xxx.xxx.xxx.655: UDP, length 1508
00:00:00.000703 rule 91/0(match): pass out on lo0: (tos 0x0, ttl 64, id 4189, offset 0, flags [none], proto ICMP (1), length 56)
127.0.0.1 > XXX.XXX.XXX.XXX: ICMP xxx.xxx.xxx.xxx unreachable - need to frag (mtu 1500), length 36
(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1536, bad cksum ef3e (->1f19)!)



tinc is now running on the same version on both sites - I never had these issues before; the setup has been running for over a year.

/sbin/tincd --version
tinc version 1.0.35

any suggestions?

thank you
#7
Hi,

that's in my conf too ... but it looks like FreeBSD ignores it  :(


On Linux (Debian) the device changes to vpns+:

vpns0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:192.168.1.1  P-t-P:192.168.1.222  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:1406  Metric:1
          RX packets:192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:66337 (66.3 KB)  TX bytes:42741 (42.7 KB)

On FreeBSD (OPNsense) it stays with tun+:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   inet 192.168.1.1 --> 192.168.1.222  netmask 0xffffffff
   inet6 fe80::20c:29ff:fece:c63b%tun0 prefixlen 64 scopeid 0x3
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: tun
   Opened by PID 7786

thank you


#8
I could provide packages built on OPNsense 18.1 devel this weekend ...

ocserv-0.11.10.txz
gnutls-3.5.17.txz
protobuf-c-1.3.0_1.txz
talloc-2.1.10_1.txz
radcli-1.2.8.txz
oath-toolkit-2.6.2.txz

....

The device name would not hurt if there is a way to allow incoming traffic on it ...

---
OpenWrt does the trick: https://github.com/openwrt/packages/tree/master/net/ocserv


Firewall Log:
--------
Action: block
DataLength: 0
DestIP: 192.168.30.125
DestPort: 80
Direction: in
FilterData: 21,,,0,tun6,match,block,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.10.222,192.168.30.125,50338,80,0,S,3025539627,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
Flags: DF
ID: 0
IPVersion: 4
Interface: tun6
Length: 64
Offset: 0
Options: mss;nop;wscale;nop;nop;TS;sackOK;eol
Protocol: tcp
ProtocolID: 6
Reason: match
RuleNumber: 21
Sequence: 3025539627
SourceIP: 192.168.10.222
SourcePort: 50338
TCPFlags: S
TOS: 0x0
TTL: 64
Tracker: 0
Window: 65535
facility: local0
full_message: <134>Feb  5 10:04:18 filterlog: 21,,,0,tun6,match,block,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.10.222,192.168.30.125,50338,80,0,S,3025539627,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
level: 6
message: filterlog: 21,,,0,tun6,match,block,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.10.222,192.168.30.125,50338,80,0,S,3025539627,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol
source: zero.xxxx.com
timestamp: 2018-02-05T09:04:18.000Z
-----------------
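The filterlog line quoted in the post above is the raw pf log record behind the field view. As an added example (not code from the post or from OPNsense), here is a parser that maps the comma-separated positions back onto the field names the log viewer shows, so blocked connection attempts on a tunnel interface can be triaged from plain syslog; the empty positions the viewer does not name get assumed names (sub_rule, anchor, ecn, ack, urg).

```python
"""Parse OPNsense/pf filterlog lines into the field names shown in the log view.

Added example; field order for the IPv4 + TCP case is derived from the
value-to-name mapping visible in the post (RuleNumber=21, Interface=tun6, ...).
"""
import re
from typing import Dict, Optional

# Constructed sample: the line quoted in the post, with its syslog prefix.
SAMPLE = ("<134>Feb  5 10:04:18 filterlog: 21,,,0,tun6,match,block,in,4,0x0,,64,0,0,DF,"
          "6,tcp,64,192.168.10.222,192.168.30.125,50338,80,0,S,3025539627,,65535,,"
          "mss;nop;wscale;nop;nop;TS;sackOK;eol")

# Positions common to every line. "sub_rule" and "anchor" are assumed names
# for the two empty slots between RuleNumber and Tracker.
COMMON = ["RuleNumber", "sub_rule", "anchor", "Tracker", "Interface",
          "Reason", "Action", "Direction", "IPVersion"]
# IPv4 header block; "ecn" is an assumed name for the empty slot after TOS.
IPV4 = ["TOS", "ecn", "TTL", "ID", "Offset", "Flags", "ProtocolID", "Protocol",
        "Length", "SourceIP", "DestIP"]
# TCP block; "ack" and "urg" are assumed names for the two empty slots.
TCP = ["SourcePort", "DestPort", "DataLength", "TCPFlags", "Sequence", "ack",
       "Window", "urg", "Options"]
UDP = ["SourcePort", "DestPort", "DataLength"]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one filterlog line, or None for other lines."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    parts = m.group(1).split(",")  # TCP options use ';', so ',' is safe
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    if fields.get("IPVersion") != "4":
        return fields  # IPv6 layout is not shown on the page; leave it unparsed
    fields.update(zip(IPV4, rest))
    rest = rest[len(IPV4):]
    if fields.get("Protocol") == "tcp":
        fields.update(zip(TCP, rest))
    elif fields.get("Protocol") == "udp":
        fields.update(zip(UDP, rest))
    return fields


def is_blocked_inbound_syn(fields: Dict[str, str]) -> bool:
    """True for a blocked inbound TCP connection attempt (bare SYN)."""
    return (fields.get("Action") == "block" and fields.get("Direction") == "in"
            and fields.get("Protocol") == "tcp" and fields.get("TCPFlags") == "S")


if __name__ == "__main__":
    f = parse_filterlog(SAMPLE)
    print(f["Interface"], "rule", f["RuleNumber"], f["SourceIP"], "->",
          f["DestIP"], f["DestPort"], "blocked SYN:", is_blocked_inbound_syn(f))
```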




#9
Thank you.

The issue is this only does the trick after the first connection is established ...  :(

So the name part only works after the first connection ...

---
root@zero:/usr/local/etc/rc.d # ./opnsense-ocserv start
starting ocserv
note: setting 'file' as supplemental config option
ifconfig: interface tun6 does not exist
ifconfig: interface ocvpn0 does not exist
--



tun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   inet 192.168.10.1 --> 192.168.10.222  netmask 0xffffffff
   inet6 fe80::201:2eff:fe70:6b4e%tun6 prefixlen 64 scopeid 0x11
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun
   Opened by PID 6680

-->
root@zero:/usr/local/etc/rc.d # ifconfig tun6 name ocvpns0
ocvpns0
root@zero:/usr/local/etc/rc.d # ifconfig ocvpns0 group ocvpn
root@zero:/usr/local/etc/rc.d #

ocvpns0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   inet 192.168.10.1 --> 192.168.10.222  netmask 0xffffffff
   inet6 fe80::201:2eff:fe70:6b4e%ocvpns0 prefixlen 64 scopeid 0x11
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun ocvpn
   Opened by PID 6680

---
ocvpns0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun ocvpn
---

Stopping the client connection destroys the interface ...

ocvpns0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun ocvpn
tun7: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   inet 192.168.10.1 --> 192.168.10.222  netmask 0xffffffff
   inet6 fe80::201:2eff:fe70:6b4e%tun7 prefixlen 64 scopeid 0x12
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun
   Opened by PID 6680
---

But without changing the interface name it stays ...

ocvpns0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun ocvpn
tun7: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
   options=80000<LINKSTATE>
   inet 192.168.10.1 --> 192.168.10.222  netmask 0xffffffff
   inet6 fe80::201:2eff:fe70:6b4e%tun7 prefixlen 64 scopeid 0x12
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   groups: tun
   Opened by PID 6680

....

any idea ...

thank you


#10
Hi,

The OpenConnect client plugin inspired me to play with ocserv - I got all the necessary packages built and the service up and running, but I have some trouble with the tunnel device name: it looks like OPNsense does not recognize those interfaces ... sbin/ifconfig tun0 name ocvpnc1 does the trick temporarily, so I am asking the real Greeks ...

Thank you!
#11
OK ..

Thank you  ;)
#12
Hi there,

I am not able to download new rulesets ... tried it over command line and got the error below:

/usr/local/opnsense/scripts/suricata # /usr/local/opnsense/scripts/suricata/rule-updater.py
From cffi callback <function _verify_callback at 0x4b73add1230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Any Idea ...

Thx