Messages

1

22.7 Legacy Series / Re: OpenVPN Speed

« on: December 11, 2022, 11:17:18 am »

Yes I am using VMXNET3 tried also the 1000E no change. In the end I dropped opensense and went for a linux with standard openvpn. I did some custom ansible scripts and google OTP and azure auth module.

Speed on that setup si around 14 Mbps same virtual hardware as the one in opnsense so I imagine that is a BSD issue somewhere. I don't have time and resources to investigate more on this.

2

22.7 Legacy Series / Re: OpenVPN Speed

« on: December 02, 2022, 01:42:53 pm »

Hi tried that also moved the VM to Vmware and disabled the the encryption all together. It looks like a network configuration issue. The openvpn on ubuntu out of the box is 10 x faster.

3

22.7 Legacy Series / Re: OpenVPN Speed

« on: November 24, 2022, 10:33:07 am »

As I said the opnsense is running on KVM AMD EPYC-Rome Processor (8 cores, 8 threads).
I measured simply by doing an wget of a 1 gb file from the internet with both VPN on and without VPN.

I am talking about the server OpenVPN running on Opnsense.

4

22.7 Legacy Series / OpenVPN Speed

« on: November 22, 2022, 12:42:41 pm »

I have an issue with the openvpn speed.

The speed that the VM where the Opensense is installed can support up to 45Mb/s while when I run via the OpenVPN the speed is capped at 1.5Mb/s

I have tried modifying the tunable, disabling encryption, tinkering with OpenVPN settings.

I am out of ideas on what I can do to make it work. The vm is running on KVM. I also configured all the KVM specific config to expose processor to VM and so on.

5

22.1 Legacy Series / No outgoing connection from the OPNsense vm

« on: June 22, 2022, 02:48:31 am »

I have an OpnSense vm running as transparent bridge firewall.
From the VM passing the bridge I can ping 8.8.8.8.

From the firewall VM I am not able to do that. I have an outgoing rule on WAN interface to allow all outgoing traffic. If ai disable the firewall it works. The web interface is available and it works only outgoing connection fails.

Any ideas what it can be?

I have attached a screen of the WAN rules.

6

21.7 Legacy Series / Re: Getting blocked by the firewall

« on: August 12, 2021, 04:11:39 pm »

Update.

Outgoing traffic is ok now.
What I did:
1. Moved all the rules on the WAN interface
2. Moved the management IP from bridge interface to the WAN interface.
3. Allowed traffic on Bridge and OPT interface.

7

21.7 Legacy Series / Re: Getting blocked by the firewall

« on: August 12, 2021, 12:47:53 pm »

Ok so for my first problem the issue was related to the alias that I have configured it was on URL(IP) and needed to be on hosts.

For 2 and 3 a still have now solution.

On top of that I realised that all outgoing traffic from the VMs is blocked.

my netplan is like this:

internet -> opnsense (I have 2 virtual networks WAN (connected to a vswitch) and OPT connected to an other vswitch) > VMs (also public IP no NAT)

Have also tried to move the rules from bridge to wan. Also important to mention is that also from Opnsense I don't have any outgoing connection.

Both WAN and OPT are configured in a bridge interface. The public IP of the opnsense is on the bridge and all the traffic rules are also configured on the bridge interface.

On the LAN and OPT interfaces all the traffic is allowed in both directions.

8

21.7 Legacy Series / Re: Getting blocked by the firewall

« on: August 06, 2021, 12:29:56 pm »

The firewall is a transparent bridge firewall there is no lan. The public IP used by me to access the firewall interface gets blocked.

9

21.7 Legacy Series / Getting blocked by the firewall

« on: August 06, 2021, 11:36:08 am »

We are trying to migrate from pfsense to opnsense and I encountered a few issues:
1. My Ip is getting blocked all the time and I am not able to connect to the interface if I don't disable the firewall.
I have created a rule for the IP to be allowed fully but I think is overwritten by the automated generated floating rules.

2. Where can I create a white list for the suricata IDS. On pfsense I can create an alias that I can use on all the services. On suricata I can not find where to add such alias.

3. Where can I clean IP blocked by the different services like virusprot, sshlockout list and so on.

10

20.7 Legacy Series / Re: OpenVPN slow

« on: October 30, 2020, 10:26:47 am »

The problem was an old version of KVM after the upgrade the speed went normal.

11

20.7 Legacy Series / OpenVPN slow

« on: October 24, 2020, 02:17:41 am »

I have a OpenVpn Server config that is very slow I get transfers of 800Kb/s via the VPN while without the VPN the speed is around 30 Mb/s

The VM is running on KVM.
AES-256-CBC
SHA256

The CPU is an Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (2 cores).

Any ideas on what it can be. I have tried also lower security encryption and different configurations but the speed is the same.

Is there anything that I can do to improve this?

The CPU is at 100%.

12

20.1 Legacy Series / OpenVPN disconnects 2FA

« on: June 18, 2020, 10:02:50 am »

I have the following problem:
I have configured the OpenVPN server with 2FA via Google Authenticator. The problem is that the connexion after some time it drops and because of the 2FA never reconnects back.

On the openvpn site got over an article that says to increase some values of the server:

vpn.server.inactive_expire 99999
vpn.server.session_expire 86400
vpn.server.session_ip_lock false

I am not sure if the variable are correct for Opnsense. I have added the values to advanced configuration but after adding the info is not working anymore. Any suggestions on a config that it will work?

Thanks

13

20.7 Legacy Series / Feature request

« on: June 16, 2020, 06:35:01 am »

In OpenVPN Server config there is an option to add IPv4 Local Network that it will add the IP to the route. Not the only possibility is to use the text field and add the IP's as comma separated. But if you use this and add several IP's it becomes almost impossible to manage. Is there any possibility of adding here an ALIAS as it possible in the firewall config.

It will make the whole process more easy to configure and specially maintain if you have many IPs

Thanks

14

20.1 Legacy Series / Many users for OpenVPN

« on: May 08, 2020, 09:33:30 am »

Hi,

I have 100 users that I need to import and use 2FA and OpenVPN. I have the following problems.

1. I don't want to user Radius or LDAP and want to import the users. Is there any way of doing this? I don't see an API for this and I was thinking to do it with ansible or a basc CSV import.

2. After I have the users I need a simple way of exporting, username, Openvpn file (that contains certificate and connection data) and the QR code image for 2fa. Again I can do this by hand but for 100 users is going to be a pain.

3. Is there a way for example to let the users download this data after they login, without giving access to the rest of the system. If I give them access to the OpenVpn Client Export page will see and can download the profiles of all the users.

I really like OPNsense and Pfsense but the fact that there is not an complete api or any way that can be automated it is making the project more for individual and hobbyist than enterprise.

We want to deploy 20 installs and be able to manage them from scripts (deploying ssh keys, users and firewall rules across all of them) Did somebody used OPNsense like this or for the moment I need to look for some other solution?

Thanks

15

General Discussion / Transparent firewall

« on: April 29, 2018, 10:12:44 pm »

I am trying to setup an filtering bridge following this guide: https://wiki.opnsense.org/manual/how-tos/transparent_bridge.html?highlight=transparent

If i put the ip on the bridge interface nothing works. If I put the ip on the wan interface I can get to the GUi but not to the ip of the server behind the bridge (WAN, LAN).

Not sure why is not working as on an other vmware machine I have the same setup and it works.

I have public IP on the wan and on the servers connected to the bridge.

Any ideas what I am doing wrong?