Messages - SynAck

#1
I am trying to use an internal opnsense CA to create a certificate for another device. I've created the certificate and exported the cert + key in the PKCS #12 format, however the device won't allow an import without supplying the password for the private key. If I leave it blank, it just tells me I have to include the password -- there is no option to "import certificate without a password".

I've gone through the certificate screens in opnsense and I don't see a way to encrypt a key with a password prior to export. Is this something that can be done?
#2
Looks like I can answer my own question here. I'll post the solution for posterity in case anyone else ever comes up with this.

I had sort of forgotten that I set up an Alias containing a bunch of domains and IP addresses (a little over 3,000) that I had intended to blacklist. I never ended up using the Alias for anything so I didn't think much of it and figured it was harmless to just leave it sitting there. What I didn't count on is that there is a Python script (update_tables.py) that runs on a given interval and basically refreshes the Alias lists using DNS.

As nearly as I can figure, the default refresh is every five minutes. I'm assuming that my list was long enough that it took close to 5 minutes to complete... which effectively resulted in a never-ending string of DNS updates for sites that I was considering "bad" (advertising, adult, junk, etc). So I'm a victim of my own desire to be protected from those domains.    8)

I deleted two Aliases early this morning (there was another one I had as well with several hundred IP addresses) and the effect on DNS lookups is fantastically clear:


The arrow is pointing at the hour interval in which I deleted the Alias lists. I've dropped from almost 50,000 DNS lookups per hour to around 500, which is much more in line with what I would expect.

Whoops.  ;D
#3
So I've got opnsense configured to use OpenDNS for lookups, and I've been shocked to find millions of DNS requests per day hitting the service and originating from my opnsense box. This is for a home network with less than 20 devices attached; my first thought was that someone's phone or laptop had been popped with a virus or spyware or something and was just making all the requests via opnsense (I have it set as the default DNS server via DHCP).

However, I've reviewed packet captures from my LAN interface and there are no unusual requests showing up from attached devices, and the frequency is relatively low or normal. If I do a packet capture on the WAN interface, though, I get a constant stream of DNS lookups that really look like they're just originating from opnsense itself.

According to OpenDNS, I've been averaging about 1.1 million lookups each day for the past week, which works out to about 46,000 per hour. The vast majority of these look like they are advertising related, but there are some pretty raunchy-looking "adult" domains in there as well. As an example, here's the top 30 from yesterday that OpenDNS blocked:


I downloaded the dnstop application (http://dns.measurement-factory.com/tools/dnstop/) for a real time view of DNS activity. Here's what it shows for a 60 second period (I've blocked out my IP address and domain):


The Source address is the same for all of them, and it is my current WAN address. Note the cumulative percentage: what's showing on the screen is only 18.7% of the total lookups in that 60 seconds.

Anyone have any ideas what might be going on? Is there some kind of adware/spyware/virus stuck in opnsense somewhere? Is there an installed service that's doing these constant lookups? I originally thought it might be related to either the web proxy or tor, but I've disabled them both and the lookups are continuing.
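Added example, not part of the thread or of OPNsense's own update_tables.py: the arithmetic behind the alias-refresh storm described in #2 (roughly 3,000 hostnames re-resolved every five minutes) next to the per-source/top-qname breakdown that dnstop gave in #3, run over a constructed DNS query log. The log format (`<iso-timestamp> <src-ip> <qname> <qtype>`), the addresses in the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges, and the `.invalid` hostnames are all invented for the example; the refresh interval and list size are the only numbers carried over from the posts.

```python
"""Estimate the DNS load a periodic alias refresh generates and pick out the
source that is querying at that rate in a constructed query log (example
code; the log format and every address/hostname below are made up)."""
from collections import Counter
from datetime import datetime, timedelta


def alias_refresh_queries_per_hour(hostnames, interval_s, records_per_host=1):
    """Queries per hour if every hostname in an alias is resolved once per
    refresh interval.  records_per_host=2 models a resolver asking for both
    A and AAAA (assumption, not taken from the forum post)."""
    return hostnames * records_per_host * 3600 / interval_s


def parse_query_log(text):
    """Parse constructed lines: '<iso-timestamp> <src-ip> <qname> <qtype>'."""
    records = []
    for line in text.strip().splitlines():
        ts, src, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), src,
                        qname.lower().rstrip("."), qtype))
    return records


def queries_per_hour_by_source(records):
    """Count queries per (source address, hour bucket)."""
    counts = Counter()
    for ts, src, _, _ in records:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[(src, hour)] += 1
    return counts


def noisy_sources(records, threshold_per_hour):
    """Sources that exceed the hourly threshold in any hour, sorted."""
    per_hour = queries_per_hour_by_source(records)
    return sorted({src for (src, _), n in per_hour.items()
                   if n > threshold_per_hour})


def top_qnames(records, src, n=3):
    """The n most-queried names from one source, as (qname, count) pairs."""
    return Counter(q for _, s, q, _ in records if s == src).most_common(n)


def build_sample_log():
    """Constructed log: the firewall's WAN address re-resolving a block list
    every few seconds for an hour, plus three ordinary client lookups."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    firewall_wan = "203.0.113.5"     # invented WAN address
    client = "192.0.2.10"            # invented LAN client
    lines = []
    for i in range(1200):            # one lookup every 3 s = 1200 per hour
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} {firewall_wan} ad{i % 40}.tracker.invalid A")
    for i, q in enumerate(["www.example.com", "mail.example.com", "example.org"]):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} {client} {q} A")
    return "\n".join(lines)


if __name__ == "__main__":
    # The post's numbers: ~3,000 hostnames refreshed every 5 minutes.
    print("expected refresh load:",
          alias_refresh_queries_per_hour(3000, 300), "queries/hour")
    recs = parse_query_log(build_sample_log())
    for src in noisy_sources(recs, threshold_per_hour=500):
        print("noisy source:", src, top_qnames(recs, src))
```

With the thread's own figures, 3,000 names every 300 seconds is 36,000 queries per hour from the refresh alone before any AAAA lookups or retries, which is the same order of magnitude as the ~46,000 per hour OpenDNS reported; on the constructed log the only source over the 500/hour threshold is the firewall's WAN address, with each of the 40 block-list names resolved 30 times in the hour.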
#4
I think this may be something of a doozy. Appreciate any insight or advice.

I have three separate "LAN" interfaces configured, one of which is WiFi and the other two are ethernet. For my purposes at the moment, I am treating these all equally with respect to configuration (though I will eventually use them differently).

I have an OpenVPN client connection set up and working properly with an external VPN service. I configured an interface (VPN_DHCP) and set it as a gateway. I've got the appropriate Outbound NAT rules configured and all network traffic destined for the Internet is going through the VPN gateway.

I also have a transparent proxy configured for all 3 LAN interfaces, for both port 80 and 443. The correct port forwarding is in place, and the proxy/filtering is working as expected.

So up to this point, all Internet-destined traffic from any of the three LAN networks is forwarded through the proxy, and then directed through the VPN gateway to the Internet. This makes me about 95% happy.

However... there are some Internet destinations that I want to access directly from my WAN interface (with my true IP address) and NOT have them use the VPN gateway. I have set up an Alias containing these destinations, but I cannot find a way to have them use the WAN gateway instead of the VPN gateway.

Here's a list of what I have tried:
* Set up a FLOATING "pass" rule specifying the WAN gateway for destinations in my Alias list
* Set up a LAN interface "pass" rule specifying the WAN gateway for destinations in my Alias list
* Set up a VPN interface "pass" rule specifying the WAN gateway for destinations in my Alias list
* Set up a FLOATING "block" rule to deny outbound traffic to destinations in my Alias list
* Configured NAT to explicitly avoid my Alias list when translating VPN traffic

...and you may have already guessed that I wouldn't be posting here if any of those worked. They either shut off connectivity completely, or ignored the policy-based routing and just used the VPN gateway for everything.

I have a hunch that the squid proxy may be the culprit -- once I forward the HTTP/S traffic into the squid ports on 127.0.0.1, I'm not really sure where they come "out" and continue on their way. It seems as though squid is simply hardwired to use the VPN gateway (even though WAN is specified as the default) and I can't find any way to convince it to do otherwise *sometimes*.

I think it was working as expected when I disabled transparent proxying and manually added the proxy info to the computers on the network -- this isn't ideal for me, though, since one of these LAN networks is eventually going to be for guest users and I'd prefer to have the transparent proxy enforced.

There are a lot of moving parts, so my apologies for the lengthy post. If anyone actually read this far, I'd appreciate any ideas or sympathy.