Messages - Deku

#1
General Discussion / Re: Installing a CA Bundle
January 06, 2023, 10:18:26 PM
Solved!  It was primarily my fault.  Steps to Install a Certificate Chain.

1. Create the CSR and send to provider, receive cert package.
2. Combine the certificate and the bundle (cert first, then bundle below) in a text editor (like notepad).
3. Copy the combined chain back into OpnSense in response to the CSR.

Part of my issue is that I followed the instructions by namecheap and did a 'cat bundle >> cert' which didn't create a new line between them, thus causing OpnSense to fail when I tried to use it in response to the CSR.
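The failure described in this post (a `cat bundle >> cert` that leaves the leaf's `-----END CERTIFICATE-----` fused to the bundle's first `-----BEGIN CERTIFICATE-----` on one line) is easy to check for before pasting the chain into OPNsense. The script below is an added example, not code from the post or from OPNsense: it counts fused markers, counts how many certificates a strict one-marker-per-line PEM reader would still see, and rebuilds the chain leaf-first with a guaranteed newline between blocks. The certificate bodies are constructed base64 filler standing in for a leaf and two intermediates, not real certificates, so the checks are purely structural (marker lines and order), not signature validation.

```python
"""Check and repair a concatenated PEM certificate chain (added example)."""
import re
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-ins (base64 of short labels, NOT real certificates):
# a leaf certificate with no trailing newline, and a two-certificate CA bundle.
LEAF_PEM = BEGIN + "\nTEVBRi1DRVJUSUZJQ0FURQ==\n" + END
BUNDLE_PEM = (BEGIN + "\nSU5URVJNRURJQVRFLTE=\n" + END + "\n"
              + BEGIN + "\nSU5URVJNRURJQVRFLTI=\n" + END + "\n")

# What `cat bundle >> cert` produces when cert lacks a final newline.
BROKEN_CHAIN = LEAF_PEM + BUNDLE_PEM

# Strict reader: each marker on its own line, only base64 lines in between.
STRICT_BLOCK = re.compile(
    "^" + re.escape(BEGIN) + r"\n(?:[A-Za-z0-9+/=]+\n)+" + re.escape(END) + "$",
    re.MULTILINE,
)
# Tolerant reader used only for repair: anything between the two markers.
LOOSE_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def fused_markers(chain: str) -> int:
    """Count END markers that run straight into a BEGIN marker on the same line."""
    return chain.count(END + BEGIN)


def count_blocks_strict(chain: str) -> int:
    """How many certificates a strict PEM reader would actually see."""
    return len(STRICT_BLOCK.findall(chain))


def normalize_chain(chain: str) -> str:
    """Re-emit every block with markers on their own lines, order preserved."""
    blocks: List[str] = []
    for m in LOOSE_BLOCK.finditer(chain):
        body = re.sub(r"\s+", "", m.group(1))  # strip whitespace from the base64 body
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # 64-char PEM lines
        blocks.append("\n".join([BEGIN, *lines, END]))
    return "\n".join(blocks) + "\n"


def join_chain(cert_pem: str, bundle_pem: str) -> str:
    """Leaf certificate first, then the bundle, with a guaranteed newline between."""
    return normalize_chain(cert_pem.rstrip("\n") + "\n" + bundle_pem)


if __name__ == "__main__":
    print("fused markers in broken chain:", fused_markers(BROKEN_CHAIN))
    print("blocks a strict reader sees  :", count_blocks_strict(BROKEN_CHAIN))
    fixed = join_chain(LEAF_PEM, BUNDLE_PEM)
    print("blocks after repair          :", count_blocks_strict(fixed))
```

On the broken input a strict reader sees only the last certificate of the three, which matches the symptom of OPNsense rejecting the pasted chain; `join_chain` is the programmatic equivalent of the "cert first, then bundle below" edit done in a text editor.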
#2
General Discussion / Re: Installing a CA Bundle
January 06, 2023, 09:29:14 PM
But it's not a self-signed cert.. It's a public cert issued by NameCheap. I create a CSR, which is sent to NameCheap, they issue a certificate and include the bundle.  I can only supply the certificate in response to the CSR in OpnSense (I can't combine it with the bundle).  I can import the bundle into the Authorities section, but that doesn't do anything as far as I can tell.

I did try to see if I could do as you suggested, but the bundle didn't come up as a provider.
#3
General Discussion / Re: Installing a CA Bundle
December 12, 2022, 10:55:33 PM
This doesn't appear to be sending the bundle with the cert in HAProxy.  If I do a wget, I get "Unable to locally verify the issuer's authority".  It works fine in the web browser though.  Other apps are having issues.  How do I turn it "on" for HAProxy?
#4
What about LibreSSL?  My OpnSense is currently on LibreSSL 3.3.6.  I see version 3.6.1 was just released but not sure if this vuln applies.
#5
General Discussion / Installing a CA Bundle
February 17, 2022, 05:28:31 PM
Are there any instructions for how to install a CA Bundle?  Is this imported under the Certificate Authority or do you import it as a normal certificate?  If certificate, how do I get the key? 

I get from namecheap a domain.ca file and a domain.ca-bundle and also a domain.p7b file.  When I go to import a certificate, it asks for the "Certificate data" and the "Private Key".  I'm just not sure what to do here and I can't find instructions.
#6
Virtual private networks / Re: Static route drops
April 15, 2021, 07:07:37 PM
For now, I just created a cron job that runs every minute to add the static route.  It's ignored if it already exists.
#7
Virtual private networks / Static route drops
April 09, 2021, 06:31:48 PM
I'm using an OpenConnect VPN that occasionally loses connectivity, which it is able to re-establish without issue.  However, I have a static route defined using that gateway for a system outside of the subnet.  When the VPN drops, the static route does not function when it comes back up.  I have to go to the Routes Configuration and hit Apply again - then all is well.  Some settings I've tried to use to resolve the problem "Interface can not be removed", "Disable Gateway Monitoring".. anything that might allow the route to stay in place.

Any suggestions on how to force this static route to stick around when the VPN / gateway / interface drops?  I'm having to reapply it multiple times a day.
#8
I experienced this message as well when using Dnsmasq.

> Error message: ** server can't find xxxxxx REFUSED

In particular, when I would connect with WireGuard, I could not get out to the internet.  A restart of Dnsmasq would not fix it, but changing the config and resaving would fix it.

Since OPNsense has moved to Unbound DNS as the default, I figured I'd try that.  So far, I haven't had the issue with Unbound DNS.  Though as a configuration note for Unbound DNS with WireGuard, you have to add the WireGuard network to the Access List.

As a side note, if Unbound is the preferred DNS, might it make sense to move Dnsmasq out of Core and into Plugins?
#9
20.7 Legacy Series / Re: Upgrade to 20.7 fails
October 12, 2020, 01:33:07 AM
I'm also failing to upgrade my ESXi guest from 20.1 to 20.7.  The system just keeps rebooting over and over.  I didn't have any hangs on configured logging.  It appeared to upgrade fine prior to going into a loop.
#10
19.7 Legacy Series / CA authority
October 31, 2019, 09:12:14 PM
Just wondering why creating a CA authority defaults to 1 year.  Just had my CA expire for all my VPN and I have to go through the process of creating a new one and sending out new client files to everyone.  1 year seems like a very short time for the CA.
#11
Done - https://github.com/opnsense/plugins/issues/1359
Yeah, would be great if you could ignore that error and continue on.

Also added a question about NAT, since I'm fumbling with that.  I'll rewrite it here in case you prefer to respond here.
> I'm trying to understand how best to NAT.  [In this documentation](https://www.routerperformance.net/using-openconnect-with-newly-released-opnsense-18-1-1/), it states to use the OpenConnect "interface" (which doesn't show up as an Interface, but does show up under Firewall Rules).  However, in other places [1,](https://forum.opnsense.org/index.php?topic=12144.msg55621#msg55621) [2](https://github.com/opnsense/plugins/issues/1135), it is suggested to create an interface and lock it.  But then you end up with two things under Firewall rules.  I just need this thing to be persistent after reboot where it starts up automatically and NAT rules apply.
#12
I'm getting this error on startup, which appears to prevent OpenConnect from starting.  I have to start it manually.

> kernel: ocvpn0: link state changed to DOWN
> kernel: ifa_maintain_loopback_route: deletion failed for interface ocvpn0: 3
> kernel: OK
> kernel: tun30000: changing name to 'ocvpn0'
> kernel: tun30000: link state changed to UP
#13
19.1 Legacy Series / Re: OpenConnect Issues
May 29, 2019, 08:43:35 PM
Yes, when running openconnect via the console, I get this in response:
> To trust this server in future, perhaps add this to your command line:
>     --servercert pin-sha256:SDqgu8gcbxiE487woYrZPslpdoib7+R4Xrgsj3vn8yA=

And on the default gateway, it's doing this...
> stablished DTLS connection (using OpenSSL). Ciphersuite DHE-RSA-AES256-SHA.
> add host VPNSRV: gateway WANIP
> add net 10.10.1.0: gateway 10.10.1.102
> delete net default: gateway WANIP
> add net default: gateway 10.10.1.102
#14
19.1 Legacy Series / Re: OpenConnect Issues
May 29, 2019, 07:10:25 PM
Public-Key-Pinning I think...  using sha256 with the fingerprint hash fails.  So I gave it what the log was asking for.
https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/
#15
19.1 Legacy Series / OpenConnect Issues
May 28, 2019, 11:54:12 PM
I have two OpenConnect issues.

1) The Certificate Hash will not accept my hash, but it works fine if I directly write it to the config.  The log is telling me what it wants (Server SSL certificate didn't match: pin-sha256:SD.....), but it gets reset upon reboot.  Here is the Certificate Hash (modified). pin-sha256:SDqgu8gcbxiE487woYrZPslpdoib7+R4Xrgsj3vn8yA= (obfuscated)

2) When I do connect to the Cisco VPN, all my traffic is being routed through it, instead of just the VPN subnet.  The OpenConnect VPN is assuming the default route.  How can I fix this?  :)