Messages - simonszu

#1
German - Deutsch / Re: Tutorial for Hetzner Cloud (?)
January 20, 2022, 03:21:48 PM
OK, a bad beginner's mistake. The Hetzner gateway was set as the default gateway. In System->Gateways->Single I disabled the LAN_DHCP gateway (it remains to be seen whether that was necessary or a good idea), switched both WAN_DHCP and WAN_DHCP6 to active, and set WAN_DHCP as upstream. Now it works.
#2
German - Deutsch / Re: Tutorial for Hetzner Cloud (?)
January 17, 2022, 02:26:32 PM
> Where does that come from? Did you configure an additional private internal subnet at Hetzner itself for the host?

No. I followed the guide for pfSense and created a private subnet "private" with the range 10.0.0.0/16. I attached the OPNS VM to that network and assigned it 10.0.0.2 in the cloud interface. On the LAN interface I set "IPv4 Configuration Type: Static IP" and then entered 10.0.0.2/32, because the OPNS only has one IP and not a range. Should I have entered 10.0.0.2/16 there?

> But if you go to Advanced in the gateway and tick the box saying the GW is not "directly" reachable (it actually is, but at least in CIDR terms it is not directly connected), that should not be an issue.

Well, I had already tried that, but without success.

> Besides, that is actually assigned via DHCP, so you can simply configure LAN via DHCP as well, and then everything should already work. Since you can assign the internal network/IP statically in the Hetzner interface, that should not cause problems later either.

I have set LAN to DHCP; your reasoning seems sound to me.

> Just go into Routing, create a static route for 10.0.0.0/24 via the LAN GW that you actually get via DHCP, and you're done.

OK, I did that too.

The current status, however: the other VMs in the subnet cannot reach the internet.

I followed the pfSense tutorial there as well and now have a Debian VM. In its interface config I added the directive "post-up route add default via 10.0.0.1" for the ens10 interface. ens10 gets its IP via DHCP.

When I trace to 8.8.8.8 from the VM, I see that the first hop is the Hetzner gateway 10.0.0.1. That in turn correctly routes the second hop to the OPNS VM, as configured by the one hcloud command when the network was created.

The third hop is again 10.0.0.1. That made me a bit suspicious, but I accepted it for now. The trace does not get any further than the third hop. I suspect that because both OPNS and the Hetzner gateway have each other set as gateway, they just play ping-pong with the traffic.

Somewhere in there is still a bug, but I have no idea where yet. Since the Hetzner gateway is actually behaving correctly, the problem is that OPNS is not correctly routing the traffic it receives from the Hetzner GW.

Where is the mistake?
#3
German - Deutsch / Re: Tutorial for Hetzner Cloud (?)
January 12, 2022, 10:11:50 PM
Hi everyone,

I am currently facing the same problem, and after studying this thread some questions remain open:

- In the LAN of the OPNS I entered the /32 address, e.g. 10.0.0.2/32.
- The route needs 10.0.0.1 as its gateway, which lies outside the /32 and is therefore rejected by the web frontend at first.
- So I created an alias, Type: Network, Content: 10.0.0.0/24

However, I cannot find an option to marry this alias with the gateway setting. How do I do that?

Furthermore, there is this "Default allow LAN to any rule", which is mentioned both in the pfSense tutorial and here in the thread. I did not have it at all; under Firewall -> Rules -> LAN nothing was predefined. I entered a rule here that also represents Allow Any. Is that enough? It is not entirely clear whether I need this alias here as well.
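Two checks that follow from the Hetzner Cloud exchange in posts #2 and #3 above, as an added example (not code from the forum posts or from OPNsense): first, whether a gateway address is on-link for a given interface prefix, which is the reason a route via 10.0.0.1 is refused when the LAN interface is 10.0.0.2/32 but accepted with 10.0.0.2/16 unless the gateway is flagged as not directly reachable; second, a parser for traceroute output that flags the first repeated hop, which is the ping-pong pattern described in post #2. The traceroute text is constructed to mirror the hops named in the post and is not a real capture.

```python
"""On-link gateway check and routing-loop detection for the Hetzner thread.

Added example, not from the forum posts. SAMPLE_TRACEROUTE is constructed
to look like the trace described in post #2 (VM -> Hetzner gateway ->
OPNsense -> Hetzner gateway -> silence); it is not a real capture.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.511 ms  0.480 ms  0.465 ms
 2  10.0.0.2 (10.0.0.2)  1.002 ms  0.990 ms  0.975 ms
 3  10.0.0.1 (10.0.0.1)  1.530 ms  1.510 ms  1.495 ms
 4  * * *
 5  * * *
"""

# A hop line starts with the hop number; everything after it is inspected
# for the first dotted-quad address. Lines of "* * *" yield no address.
_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def gateway_on_link(interface_cidr: str, gateway: str) -> bool:
    """True if `gateway` lies inside the interface's own prefix.

    With 10.0.0.2/32 the only on-link address is 10.0.0.2 itself, so a
    route via 10.0.0.1 is off-link and a firewall GUI will reject it
    unless the gateway is explicitly marked as not directly reachable.
    With 10.0.0.2/16 the same gateway is on-link.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def parse_hops(output: str) -> List[Optional[str]]:
    """Return one entry per hop: the responding IPv4 address, or None."""
    hops: List[Optional[str]] = []
    for line in output.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue  # the "traceroute to ..." header line
        ip = _IPV4.search(m.group(2))
        hops.append(ip.group(1) if ip else None)
    return hops


def find_routing_loop(hops: List[Optional[str]]) -> Optional[Tuple[int, int]]:
    """Return (first_hop, repeat_hop) for the first address seen twice.

    A hop that answers again later in the path means a packet was
    forwarded back to a router it already passed, i.e. two routers are
    pointing their default route at each other.
    """
    first_seen: Dict[str, int] = {}
    for n, ip in enumerate(hops, start=1):
        if ip is None:
            continue
        if ip in first_seen:
            return first_seen[ip], n
        first_seen[ip] = n
    return None


if __name__ == "__main__":
    for cidr in ("10.0.0.2/32", "10.0.0.2/16"):
        print(cidr, "gateway 10.0.0.1 on-link:", gateway_on_link(cidr, "10.0.0.1"))
    hops = parse_hops(SAMPLE_TRACEROUTE)
    print("hops:", hops)
    print("loop:", find_routing_loop(hops))
```

Run it against a real trace by piping `traceroute -n 8.8.8.8` output into `parse_hops`; a non-None result from `find_routing_loop` with the firewall and the cloud gateway as the two addresses is the symptom post #1 resolved by fixing the default gateway.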
#4
19.7 Legacy Series / Re: HAProxy Frontend for IPv6
September 04, 2019, 11:07:18 AM
No. I solved it by unchecking "disable reply-to".

Your bug is different. The HAProxy plugin does not follow the IPv6 IP:port notation rule. Just remove the brackets, so to make it listen on v6 port 443, write dead:beef::1:443
#5
Hi,

I have a problem with setting up the network on one of my servers, located at Hetzner. I want to have an OPNsense VM as a firewall for the other VMs and LXC containers. There is an HAProxy running on this firewall VM as well, and I have made the web frontend reachable from the WAN side for easier config.

For setting up IPv4 I have followed https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/ - this works quite reliably. This is the complete config of the interfaces on the hypervisor: https://pastebin.com/xjcSUYpU

For the IPv6 config I tried Dominic Pratt's way as well, but without success. Currently I have a static IPv6 on my WAN interface; it has the first IP from the /64 subnet Hetzner gave me. On the LAN end I took another IP from this subnet and set the interface to /64 for SLAAC. As a result, the VMs get a v6 IP and can reach the internet via IPv6.

On the other side I have a problem. Of course I have set up an AAAA record in the DNS to access the firewall. I have also set up some firewall rules so that one can connect to the HAProxy. The proxy itself binds to the address I have set up on the WAN side. Now the problem:

I can ping the firewall via its AAAA record perfectly well from the internet. However, it is not accessible via IPv6 at all, except for pings. Neither the web frontend nor the HAProxy. Access from the LAN side works fine.

What is strange: the firewall has an accept rule for IPv6 traffic from the WAN side. I can see the connection attempts in the firewall log; they are marked as "Pass". However, I do not see any connection attempts in the HAProxy log. The web frontend isn't accessible either.

Where is my error? Does my interface config have a mistake somewhere?

I think it isn't HAProxy's fault; it is reachable from the inside (via its WAN IP, though).
It isn't the firewall's fault. It logs the connection as "pass".
It cannot be due to missing IP forwarding in the hypervisor's kernel, since the VMs can communicate with the internet via IPv6. Strangely, they were able to do so as well when I had forgotten to activate net.ipv6.conf.all.forwarding in sysctl.

For information: I am using Proxmox 6; the LXC containers are a fresh install from a Debian 10 template.

Maybe someone has an idea.
#6
19.7 Legacy Series / Re: HAProxy Frontend for IPv6
August 05, 2019, 01:57:01 PM
I have to add: I am using OPNsense in a VM on a Hetzner server. It is configured like this: https://forum.netgate.com/topic/101501/anleitung-f%C3%BCr-hetzner-ipv6-mit-pfsense-als-router-vm-auf-esxi-server

For non-German-speaking users: the WAN interface is set to DHCP, and it gets a link-local address. The LAN interface gets the public address Hetzner assigns me in their Robot tool. This works in such a way that each VM can access the internet via IPv6, and I can ping the OPNsense VM on its public IPv6, which it has on its LAN address. However, I cannot access the HAProxy.
#7
19.7 Legacy Series / HAProxy Frontend for IPv6
August 04, 2019, 10:06:16 AM
Hi,

I have OPNsense in a dual-stack network. Inside this network there are some Docker containers with IPv4 only, and I want to have HAProxy acting as a reverse proxy and as an "IPv6 offloader". I have configured IPv6 on the Docker host and it can reach the internet via IPv6, so my interface configuration in OPNsense seems to be correct.

I have created a firewall rule which allows IPv4 and v6 traffic on port 443 to enter the firewall. I have configured the Docker container as a backend, and a matching frontend which has the v4 and the v6 listen address in the settings.

As a result, the service is reachable via v4, but not via v6. I do not see any v6 connections in the HAProxy log; however, when I enable logging in the appropriate firewall rule, I see the inbound traffic.

What am I missing here?
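Posts #4 and #7 above turn on how the HAProxy plugin's listen field takes an IPv6 address and port: without the RFC 3986 brackets, as dead:beef::1:443. The following is an added example (not code from the posts, the plugin or HAProxy) that parses all three notations a practitioner meets, converts an address and port into the bracket-less form the field expects, and shows why that form is fragile: dead:beef::1:443 is itself a syntactically valid IPv6 address, so a parser can only split off the port by convention. The IPv6 address is the one from post #4; the IPv4 address 203.0.113.10 is an assumed documentation address.

```python
"""Listen-address parsing for the bracket-less IPv6 form used in the thread.

Added example, not the plugin's or HAProxy's code. dead:beef::1 comes from
post #4; 203.0.113.10 is an assumed documentation address.
"""
import ipaddress
from typing import Tuple


def parse_listen_address(value: str) -> Tuple[str, int]:
    """Split 'host:port' in the three forms seen in the thread.

    - IPv4:            203.0.113.10:443
    - bracketed IPv6:  [dead:beef::1]:443   (RFC 3986 form)
    - bare IPv6:       dead:beef::1:443     (form the plugin field takes)

    For the bare IPv6 form the last colon is taken as the port separator,
    which is a convention, not something the string itself tells us.
    """
    if value.startswith("["):
        host, sep, port = value[1:].partition("]:")
        if not sep:
            raise ValueError(f"malformed bracketed address: {value!r}")
    else:
        host, sep, port = value.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {value!r}")
    ip = ipaddress.ip_address(host)  # raises ValueError on anything that is not an address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port_num}")
    return str(ip), port_num


def plugin_listen_value(host: str, port: int) -> str:
    """Render host and port the way the plugin field expects: no brackets for v6."""
    ip = ipaddress.ip_address(host)  # normalises and validates
    return f"{ip}:{port}"


def bare_form_is_ambiguous(value: str) -> bool:
    """True if the whole 'v6:port' string also parses as a single IPv6 address.

    That is the case for dead:beef::1:443, so a reader (or a lax parser)
    cannot tell 'dead:beef::1 port 443' from the address dead:beef::1:443
    without knowing the field's convention.
    """
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("203.0.113.10:443", "[dead:beef::1]:443", "dead:beef::1:443"):
        print(sample, "->", parse_listen_address(sample),
              "ambiguous" if bare_form_is_ambiguous(sample) else "unambiguous")
    print("plugin field value:", plugin_listen_value("dead:beef::1", 443))
```

One failure mode worth knowing: a bare address ending in "::" cannot carry a port at all in this notation, because rpartition turns 2001:db8::443 into the host "2001:db8:" and a port of 443, and "2001:db8:" is not an address; `parse_listen_address` raises in that case rather than guessing.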
#8
As I have said, this is not possible.

To be honest, I am a bit disappointed that someone should "fix" a quite normal configuration to fit the needs of an additional wrapper which just doesn't have the appropriate tools to generate a standard configuration. I think I'll go with a dedicated host behind the OPNsense and do some port forwarding.
#9
The following input errors were detected:

The field Tunnel Network is required.


I had the same idea a few days ago and tried it. Besides that: if I had the ability to configure ifconfig via the advanced options, I would have no idea how to configure "IPv4 Local Network" and "IPv4 Remote Network", since in a p2p config you don't have a Local Network and a Remote Network, but hosts only. But I think I could solve this with a /32 network each.
#10
This depends. I want to establish a p2p or site-to-site configuration with OpenVPN. Contrary to the common "road warrior" setup where one server has many clients and usually does its auth via a CA, in p2p mode each server has exactly one client, or peer. Therefore you can do auth via a pre-shared key, and one only needs a config like
- where is the key file located
- where do I need to connect to (only needed on one peer)
- what is my tunnel IP address, what is the remote tunnel IP address

So a very basic configuration would be:


mode p2p
remote foo.bar.tld
rport 42003
port 42005
secret secret.key
ifconfig 172.23.211.129 172.23.211.1


This config would tell OpenVPN:
- Do a p2p connection
- Connect to foo.bar.tld:42003
- Bind to local port 42005
- Authenticate with secret.key
- My tunnel IP is 172.23.211.129, the other side has 172.23.211.1

The other side wouldn't even need the remote line, since it acts as a "server". However, both peers are equal.

So my current situation is several of these configurations. Some of them have a remote option, so OPN would connect to them. Some of them do not have one, so OPN would get an incoming connection. This is not a problem; I have created a testing entry on OPN as "OpenVPN -> Server Mode Peer-to-peer (Shared Key)". The plain VPN connection with auth succeeds.

The only problem is the ifconfig option. The peer connects with its immutable (for me) ifconfig setting, and expects me to have a matching configuration on my side, that is: the same line with switched IP addresses, since their remote is my local, and my local is their remote.

For now I have discovered that the tunnel network setting in the server settings web form somehow modifies the ifconfig line in the real OpenVPN config that the web frontend generates, but unfortunately the web form only accepts a subnet. Also, in a plain p2p configuration you do not need a dedicated tunnel network, since you can specify the local and remote IP address directly, as shown in the example config. Also: in my example both IP addresses happen to be in the same /24 subnet, but this is only an example. Other peers are different and can theoretically have IP addresses from all over the IPv4 range, so just specifying a subnet is not enough. Just specifying a subnet doesn't ensure my tunnel endpoint has exactly the ifconfig setting the remote peer expects me to have.

So I think the web form is unnecessarily complicated, but I hope I am not the first and only one who just wants to create this in-theory really simple VPN configuration.
#11
This still isn't solved for me :(
#12
I'm sorry, I think I didn't understand you correctly. No matter what server mode I select, the IP configuration form is the same. Also, P2P is the only way where I can use a PSK. Since I have no access to the clients and just want to switch DNS after I have set up the connections, it is important to re-use "mode p2p" and the PSK setup.
#13
Maybe your browser is confused. HTTP on port 443 is very uncommon, so it tries to speak HTTPS or expects an HTTPS answer.
#14
I have a similar setup, so I'll describe what I did:

- Create an LE account. The values are up to you; just use an existing email address.
- Specify a validation method. For DNS validation you need to install the additional acme-validation package.
- Go to settings, enable the plugin, select "Production environment" as the environment, and enable HAProxy integration
- Create a certificate. Fill out the correct Common Name, and select your LE account and validation method. Wait until your certificate has been created.
- Create an HTTPS frontend for HAProxy, let it listen on port 443, and set the type to "HTTP / HTTPS (SSL offloading) [default]". Select the LE certificate in "SSL Offloading".

There you go. I am unsure whether the acme client will restart my HAProxy via "HAProxy integration", or whether I need to specify a restart action manually for certificate renewal, but at least this results in HAProxy doing SSL offloading with the LE certificate.

If you still get a cert error in your browser, inspect the cert. Is it signed by LE staging or production? Does the cert's common name match the host part of the URL you are trying to access?
#15
I am trying to adopt a peer-to-peer OpenVPN configuration from a plain OpenVPN server config. The config file I am trying to rebuild on OPNsense looks like this:

dev tun3
proto udp
ifconfig 172.23.211.129 172.23.211.1
comp-lzo
port 42003
secret secret.key
log-append /var/log/openvpn/p2p.log
verb 4
persist-tun
persist-key
mode p2p


But I am struggling with the ifconfig option. For routing reasons later on I need my tunnel endpoint to be exactly 172.23.211.129 and the peer to be 172.23.211.1. On the peer's side both IP addresses are switched. This works well in the old config, but now I am somewhat confused by the IP settings fields in OPNsense's server config.

I have set up "General information" and "Cryptographic settings" so that the peer is generally able to open the connection, but it throws an error that the ifconfig section is wrong. As far as I have checked the actual OpenVPN config file which is generated by OPNsense's web UI, the form field which controls this setting is "IPv4 tunnel network" - or at least the value given there specifies the value of "ifconfig".

However, just entering both IPs, comma-separated, in this input field isn't accepted by the web UI. Setting the "local network" and "remote network" values just results in adding a route command to the generated config, which isn't desired, since the routing will happen later on with OSPF.

Trying to set up the ifconfig value with the "Advanced options" textbox isn't working either, since I get an error that the Tunnel Settings are empty.

So, how can I set up a dead simple p2p VPN with no sophisticated settings in OPNsense which replicates the configuration I have posted above?
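Posts #10 and #15 above both hinge on one requirement of static-key point-to-point OpenVPN: the peer's ifconfig line must be the local one with the two addresses swapped, and whichever side initiates carries a remote line while the other side simply listens. The following is an added example (not the poster's configuration generator or OPNsense's) that parses the minimal config posted in #15, derives the mirrored peer config from it, and checks that two configs are consistent with each other. The hostname peer.example.net and the port 42005 given to the mirror are assumptions for illustration; the default OpenVPN port 1194 is used only when a config has no port line.

```python
"""Mirror a static-key OpenVPN point-to-point config for the other side.

Added example, not the forum poster's code and not OPNsense's generator.
LOCAL_CONFIG is the config posted in #15. peer.example.net and port 42005
are assumed values for the mirrored side.
"""
from typing import List, Optional, Tuple

Entry = Tuple[str, List[str]]  # (option, arguments)

LOCAL_CONFIG = """\
dev tun3
proto udp
ifconfig 172.23.211.129 172.23.211.1
comp-lzo
port 42003
secret secret.key
log-append /var/log/openvpn/p2p.log
verb 4
persist-tun
persist-key
mode p2p
"""


def parse_config(text: str) -> List[Entry]:
    """Split an OpenVPN config into (option, args) pairs; drop blanks and comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def ifconfig_of(entries: List[Entry]) -> Tuple[str, str]:
    """Return (local_tunnel_ip, remote_tunnel_ip) from the ifconfig line."""
    for opt, args in entries:
        if opt == "ifconfig":
            if len(args) != 2:
                raise ValueError(f"ifconfig needs two addresses, got {args}")
            return args[0], args[1]
    raise ValueError("config has no ifconfig line")


def option_value(entries: List[Entry], name: str, default: str) -> str:
    for opt, args in entries:
        if opt == name and args:
            return args[0]
    return default


def mirror_config(text: str, remote_host: Optional[str] = None,
                  local_port: Optional[int] = None) -> str:
    """Build the peer's config from ours.

    The ifconfig addresses are swapped (their local is our remote), any
    remote/rport lines of ours are dropped, and if `remote_host` is given
    the mirror gets a remote line pointing back at us with rport set to
    the port we listen on. Everything else (secret, proto, mode p2p,
    persist-*) is carried over unchanged.
    """
    entries = parse_config(text)
    local_ip, remote_ip = ifconfig_of(entries)
    our_port = option_value(entries, "port", "1194")  # OpenVPN default
    lines: List[str] = []
    for opt, args in entries:
        if opt == "ifconfig":
            lines.append(f"ifconfig {remote_ip} {local_ip}")
        elif opt == "port":
            lines.append(f"port {local_port or our_port}")
        elif opt in ("remote", "rport"):
            continue  # the mirror decides its own remote below
        else:
            lines.append(" ".join([opt, *args]))
    if remote_host is not None:
        lines.append(f"remote {remote_host}")
        lines.append(f"rport {our_port}")
    return "\n".join(lines) + "\n"


def ifconfigs_are_mirrored(config_a: str, config_b: str) -> bool:
    """The thread's requirement: each side's ifconfig is the other's, swapped."""
    la, ra = ifconfig_of(parse_config(config_a))
    lb, rb = ifconfig_of(parse_config(config_b))
    return (la, ra) == (rb, lb)


if __name__ == "__main__":
    peer = mirror_config(LOCAL_CONFIG, remote_host="peer.example.net", local_port=42005)
    print(peer)
    print("mirrored:", ifconfigs_are_mirrored(LOCAL_CONFIG, peer))
```

The check `ifconfigs_are_mirrored` is the one to run against whatever a GUI generates from a "tunnel network" field: if the generated ifconfig line does not come out as the exact swap of the peer's, the peer will reject the session exactly as described in post #15, regardless of whether the two addresses happen to share a /24.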