OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of wschlich »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - wschlich

Pages: [1]
1
19.1 Legacy Series / Re: OPNsense 19.1: nginx.conf is only rewritten/updated upon disabling+re-enabling
« on: February 13, 2019, 02:01:38 pm »
Works fine :D To me that button looked like a "refresh" button (for just refreshing the web UI). Feeling stupid now m) Thank you!

2
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 01:59:43 pm »
Whoohoo, fixed by AdSchellevis in https://github.com/opnsense/core/commit/67f49486708770633ca615ee41f53439e0a962ce and scheduled for 19.1.2 by franco :D

3
19.1 Legacy Series / Re: OPNsense 19.1: nginx.conf is only rewritten/updated upon disabling+re-enabling
« on: February 13, 2019, 10:31:24 am »
Nope, I didn't. Never noticed this kind of button before :) Is it an "Apply" button (which is labelled "Apply" in other places)?! Doesn't show a mouseover description :(

4
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 10:19:43 am »
Seems there was already a github issue for this problem which should be reopened: https://github.com/opnsense/core/issues/1487

5
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 10:19:00 am »
@newsense You don't seem to understand the basics here and I don't have the time and energy to explain (sorry about that). I'd recommend to read the documentation about the Certificate Depth option (or the OpenVPN --tls-verify option).

6
19.1 Legacy Series / OPNsense 19.1: nginx.conf is only rewritten/updated upon disabling+re-enabling
« on: February 13, 2019, 08:37:39 am »
Hi!

It seems that /usr/local/etc/nginx/nginx.conf is only rewritten/updated upon disabling+re-enabling the nginx service.

I added an HTTP server and a Location, but no server {} entry was visible in nginx.conf, even after re-starting the service.

Only after I disabled and re-enabled the service, the nginx.conf was rewritten/updated and contains the configured server {} entry.

I consider this a bug?

Cheers,
Wolfram

7
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 08:33:29 am »
See my initial posting :)

8
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 07:13:43 am »
The openvpn server process is using a single CA (namely the "VPN CA"), not the full local CA chain:
Code: [Select]
[root@opnsense ~]# ps auxwwf | grep [o]penvpn
root    28509   0.0  0.2 1062000  7576  -  Ss   07:04       0:00.09 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
[root@opnsense ~]# grep '^ca' /var/etc/openvpn/server1.conf
ca /var/etc/openvpn/server1.ca
[root@opnsense ~]# grep 'BEGIN CERTIFICATE' /var/etc/openvpn/server1.ca | wc -l
       2
[root@opnsense ~]# /usr/local/bin/openssl x509 -in /var/etc/openvpn/server1.ca -noout -subject
subject= /C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=xxx/CN=VPN CA
[root@opnsense ~]#

I consider this a (very annoying) bug in OPNsense, as the OpenVPN configuration logic should be intelligent enough to resolve the full local CA chain.

9
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 07:03:19 am »
It's unchanged, obviously.

10
19.1 Legacy Series / Re: OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 13, 2019, 06:07:20 am »
I'm talking about *server* log/error messages, not *client* ones.
The server complains that it cannot verify the client certificate.

11
19.1 Legacy Series / [SOLVED] OPNsense 19.1: OpenVPN and intermediate CA doesn't work
« on: February 12, 2019, 09:03:01 pm »
Hi!

I have created the following setup:

1. Created "Root CA" using the OPNsense trust manager
2. Created "Server CA" as intermediate of Root CA using the OPNsense trust manager
3. Created "VPN CA" as intermediate of Root CA using the OPNsense trust manager
4. Generated a server certificate "Server Cert" signed by "Server CA" using the OPNsense trust manager
5. Created an OpenVPN server using the wizard with the following settings:
5.1. Server Certificate: "Server Cert"
5.2. Peer Certificate Authority: "VPN CA"
5.3. Certificate Depth: "Do Not Check"
5.4. Strict User/CN Matching: (x)
6. Created a user "vpnuser" with a client certificate issued by "VPN CA"
7. Created an OpenVPN client export for the "vpnuser"

Then, I when I try to connect from the client, the server complains that it cannot verify an issuer certificate:

Code: [Select]
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS handshake failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS object -> incoming plaintext read error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS_ERROR: BIO read tls_read_plaintext error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=xx, ST=xxx, L=xxx, O=xxx, emailAddress=xxx, CN=VPN CA

The strange workaround, according to two other existing threads in this forum (https://forum.opnsense.org/index.php?topic=9888.0 and https://forum.opnsense.org/index.php?topic=4830.0), is to manually append the "Root CA" certificate data at the end of the "VPN CA" certificate data in the OPNsense trust manager.

That should not be required! OPNsense should configure OpenVPN to use the entire local CA certificate chain.

Cheers,
Wolfram

12
19.1 Legacy Series / OPNsense 19.1 VGA version on Sophos XG115 Rev 2
« on: February 10, 2019, 10:06:53 pm »
Hi!

When running the OPNsense VGA installer (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) on a Sophos XG115 Rev 2, I can see the console output on the VGA display until the line "Booting...".
From there on, all console output is only displayed on the serial port.

I thought the VGA version of OPNsense should be using VGA-only and the serial port not at all...?

Cheers,
Wolfram

13
19.1 Legacy Series / Re: cpdup failure in 19.1-rc1 installer
« on: February 07, 2019, 10:16:09 am »
According to https://github.com/pcengines/apu2-documentation/blob/master/docs/pfSense-install-guide.md the issue (which affects only mainline BIOS versions, not legacy 4.0.x) is solved in mainline BIOS versions *after* 4.6.7 (latest one currently is 4.9.0.1).

The installation of OPNsense 19.1 worked well using mainline BIOS 4.9.0.1 on my APU4C4 (which just arrived this week with BIOS 4.6.1 flashed, meh).

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2