Messages - tja

#1
Quote from: franco on December 27, 2023, 12:00:32 PM
# opnsense-revert -z openssh-portable

works here, thx!
#2
23.7 Legacy Series / Re: CVE-2023-48795
December 27, 2023, 10:43:57 AM
thx very much :)
#3
23.7 Legacy Series / CVE-2023-48795
December 27, 2023, 07:54:01 AM
hi.

I stumbled over
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
also see
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

As far as I (try to) understand, the attacker needs to be a MITM and can downgrade the secure channel(s) to unsecure/observable.
But I don't quite grasp how to interpret the relation to the "ssh client" CVEs (e.g. CVE-2023-46445).

Researching further, I find that my OPNsense 23.7.10_1 uses openssh-portable 9.3.p2_2,1 - for which at least the repo for the 9.3 version (https://github.com/openssh/openssh-portable/tree/V_9_3) seems to be unchanged since July - but I obviously know nothing about the dev process of OPNsense, so I can't see if "our" package is already patched against this kind of attack.

Can someone more knowledgeable step up and help me out here?

tia,tja...
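Added example for the CVE-2023-48795 (Terrapin) question above. This is my own code, not code from the thread, from OPNsense or from OpenSSH. It decodes an SSH_MSG_KEXINIT proposal (RFC 4253 section 7.1) and reports whether a peer offers the cipher/MAC combinations Terrapin attacks (chacha20-poly1305@openssh.com, or a CBC cipher together with an Encrypt-then-MAC "-etm" MAC) and whether it advertises the strict-KEX pseudo-algorithms (kex-strict-s-v00@openssh.com / kex-strict-c-v00@openssh.com) that OpenSSH 9.6 introduced as the countermeasure. The two proposals embedded below are constructed for the example; fetch_server_kexinit() reads a real one, since the KEXINIT is sent in clear before any keys exist.

```python
"""Terrapin (CVE-2023-48795) proposal check. Added example, not project code;
the UNPATCHED/PATCHED proposals are constructed sample data."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithms placed in kex_algorithms to signal strict KEX support.
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (missing lists are empty)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        value = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(value)) + value
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved for future extension
    return out


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # one message-type byte followed by the 16-byte cookie
    fields = {}
    for name in NAME_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    return fields


def affected_combinations(fields):
    """Cipher/MAC pairs offered in either direction that Terrapin can attack:
    chacha20-poly1305@openssh.com on its own, or a CBC cipher with an -etm MAC."""
    found = set()
    for direction in ("client_to_server", "server_to_client"):
        ciphers = fields["encryption_algorithms_" + direction]
        macs = fields["mac_algorithms_" + direction]
        for c in ciphers:
            if c == "chacha20-poly1305@openssh.com":
                found.add((c, "*"))
            elif c.endswith("-cbc"):
                for m in macs:
                    if m.endswith("-etm@openssh.com"):
                        found.add((c, m))
    return sorted(found)


def advertises_strict_kex(fields):
    return bool(STRICT_KEX & set(fields["kex_algorithms"]))


def verdict(fields):
    """'clean', 'mitigated' (strict KEX offered; only effective if the other peer
    supports it as well) or 'vulnerable', judged from one peer's proposal."""
    if not affected_combinations(fields):
        return "clean"
    return "mitigated" if advertises_strict_kex(fields) else "vulnerable"


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Read a live server's KEXINIT: exchange version strings, then read the
    first binary packet (uint32 length, byte padding_len, payload, padding)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # skip pre-version banner lines
            line = f.readline()
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - padding_len - 1)
        f.read(padding_len)  # discard random padding; no MAC yet at this stage
        return parse_kexinit(payload)


# Constructed proposal of an unpatched server: ChaCha20 and CBC+ETM offered, no strict KEX.
UNPATCHED = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
# Same server after a fix that adds the strict-KEX pseudo-algorithm (constructed).
PATCHED = dict(UNPATCHED, kex_algorithms=UNPATCHED["kex_algorithms"] + ["kex-strict-s-v00@openssh.com"])
```

Usage: `verdict(fetch_server_kexinit("192.0.2.1"))` (hypothetical address) prints `vulnerable` for a server that still offers the affected combinations without strict KEX, `mitigated` once the server advertises strict KEX (the client must support it too for the protection to apply), and `clean` if neither ChaCha20 nor CBC+ETM is offered at all, which is the configuration-side workaround. The scan only shows what a peer offers; whether a specific OPNsense package build carries the upstream fix is answered by its changelog, not by this output.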
#4
hi,

I would like to install a newer version of a plugin:

on my production box:
...
os-dyndns-1.23_2               Dynamic DNS Support
...

devel version is
...
New packages to be INSTALLED:
   os-dyndns-devel: 1.23_2
...

GitHub shows:
...
PLUGIN_NAME=      dyndns
PLUGIN_VERSION=      1.24
PLUGIN_COMMENT=      Dynamic DNS Support
PLUGIN_MAINTAINER=   franco@opnsense.org

.include "../../Mk/plugins.mk"
...

How could I install the GitHub version without going to the full OPNsense development version?

tia,tja...
#5
hi gauss,

thx for the explanation.
I looked into config.xml and there I found <vpnid>N</vpnid> inside the tunnel config, where the number relates to ovpnc<N> - so as long as I don't remove and recreate the tunnel, the assignments seem to be sticky.

Yes, the tunnels work fine now and will use the correct source address every time, confirmed by tcpdump.

thx for all the help,
wbr,tja...
#6
thx gauss,

I didn't even know that you can assign ovpn interfaces - that worked perfectly!

One last question:
is it possible that these tunnels will get another ovpncX after a reboot or some config change (e.g. after removing a tunnel), as there is no visible config link between the NAT settings where I choose the interface and the OpenVPN client/server tunnels?

tia,tja...
#7
hi gauss,

you find me confused ;)
As I wrote in the OP, I use "Interface address" as I expected that to be the right choice.
But I can't select an OpenVPN interface name there ... how did you name the OpenVPN interface for a specific client connection and get it to appear in that "Translation / target" dropdown in the outbound NAT config?

tia,tja...
#8
hi gauss.

How do you use the "named interface address"? I would not know the interface address until the other side assigns one to my side?!? ...

And: I don't understand what you are trying to say about rules ... of course I have fw rules, but that's beside the point, as I don't think these could cause the described problems ...

tia,tja...
#9
hi,

I have a very strange phenomenon on my 21.1.1 home gw.

I had an OpenVPN tunnel (client) to my employer which I have used permanently for the last year thanks to these strange times.

When I added a second client to another site the fun started: every other connection attempt - be it icmp or ssh or whatever - fails as if it hangs on one of the firewalls in between. The working attempt is ok.

I checked the routing table on my side and the routing is ok. Every VPN client has its own interface and the routing table entries are correct.

I need to (outbound) NAT on both sites and have (manually) configured both sites accordingly, and it seems to be ok as it works (half the time).

After some hours of searching I used tcpdump on both OpenVPN interfaces and I can see that the failing attempts are sent from the wrong interface.
What I mean is that, e.g.:
- the first (failing) attempt for a ping to a host in net B will be sent from the ovpn if for net A
- the second (working) attempt for a ping to a host in net B will be sent from the ovpn if for net B

The routing table is ok and the only thing I could think of to explain this behavior is something in the NAT process.
I suspect that I could tinker with "Translation / target" in the NAT settings (which is "Interface Address" now) - but I will get a different IP from the other side each time, so how do I correctly set this?

I'm not used to pf - is there a command to show outbound NAT settings?

tia, tja...
#10
Quote from: Maurice on May 25, 2020, 12:39:01 PM
Is the WAN a DHCP interface? Is the host you're trying to connect from in the WAN subnet? If yes and yes, try 'disable reply-to' in the firewall rules.
thx very much, that did it!
#11
hi,

for lab usage I installed 20.1 as a guest on a Debian KVM host.

If I try to add a rule to open https/443 & ssh/22 on the WAN side, I cannot connect to either service, regardless of whether I add the rule to the WAN rules or to floating.

Block private networks is unchecked (the WAN side is in a 10.x.x.x net).
If I use logging on the rule, I can see that it is used and passed/green.

If I manually disable pf via pfctl -d, I can connect from the WAN side though, so the networking aspect seems to work fine.

I tried to start anew with a fresh install, but the problem is there right at the start.

tia,tja...
#12
18.7 Legacy Series / Re: freeradius bug ?!?
August 21, 2018, 09:04:07 AM
Quote from: mimugmail on August 20, 2018, 01:35:59 PM
The linked version is correct. Sorry .. still cannot reproduce, I created a new user:
...

hmm, I will reinstall the machine asap - hopefully the problem won't come up again.

thx for your patience.
#13
18.7 Legacy Series / Re: freeradius bug ?!?
August 20, 2018, 11:14:42 AM
Quote from: mimugmail on August 20, 2018, 10:49:25 AM
Sorry, I cannot reproduce. Do you have "Enabled" in "General" ticked? The authorize file will be empty when the service isn't enabled.
hi mimugmail,

that's not the issue. Maybe I stated the problem poorly:

problem:
creating or updating users in freeradius seldom works without restarting the machine.

steps to reproduce:

  • create or change a user in the freeradius UI
  • try to use the created/modified user, e.g. login or login with changed VLAN ID - FAILS (new user doesn't work or changed data is not reflected at login)
  • check config.xml - created / changed is correctly stored
  • check users aka authorize - created / changed is NOT correctly stored

I tried this very moment - created a new user, but the new user is not stored in raddb/users.

You wrote that you are unsure if users is a link to mod-config/files/authorize - is this correct?

wbr,tja...
#14
18.7 Legacy Series / Re: freeradius bug ?!?
August 20, 2018, 08:46:51 AM
Quote from: fabian on August 13, 2018, 05:57:06 PM
did you apply the changes?

hi fabian,

uhh - which changes?

wbr,tja...
#15
18.7 Legacy Series / Re: freeradius bug ?!?
August 20, 2018, 08:46:03 AM
Quote from: mimugmail on August 13, 2018, 05:42:43 PM
I'm not on a computer right now, not sure if this should really be a link

hi mimugmail,

could you check on your end?

wbr,tja...