"
I'm still running on OPNsense 24.1.9_4-amd64 but will update it soon.
I guess that the error will be there, even after the update.
I guess that the error will be there, even after the update.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
25.1, 25.4 Production Series / VoucherController issue
April 02, 2025, 03:22:50 PM
Hi,
I'm getting the following error when entering /ui/captiveportal/voucher:
Too few arguments to function OPNsense\CaptivePortal\Api\VoucherController::listVouchersAction(), 1 passed and exactly 2 expected
Voucher generation works. But I cannot display the already existing vouchers. This error persists since multiple updates.
Is there any known issue? I didn't find anything.
Thanks
I'm getting the following error when entering /ui/captiveportal/voucher:
Too few arguments to function OPNsense\CaptivePortal\Api\VoucherController::listVouchersAction(), 1 passed and exactly 2 expected
Voucher generation works. But I cannot display the already existing vouchers. This error persists since multiple updates.
Is there any known issue? I didn't find anything.
Thanks
#3
General Discussion / Multifactor + Radius Auth?
November 12, 2021, 03:31:59 PM
Hi,
how is it possible to authenticate against a radius server that requires multifactor OTP or smartphone app approval?
I'm currently in a setup, where RSA multifactor is required, but the radius always rejects the authentication.
It seems that a special OTP feature within the radius protocol is required. In the worst case it would be also possible to choose another multifactor solution than RSA. But each time when I google for opnsense radius mfa I'm getting instructions how to enable MFA with the local user database on OPNsense. But I have to authenticate agains the active directory. The bad thing is, that die Radius server is not automatically asking the MFA application on the smartphone, but requiring the OTP somehow delivered via the protocol from OPNsense.
Any help is much appreciated.
Thanks a lot.
how is it possible to authenticate against a radius server that requires multifactor OTP or smartphone app approval?
I'm currently in a setup, where RSA multifactor is required, but the radius always rejects the authentication.
It seems that a special OTP feature within the radius protocol is required. In the worst case it would be also possible to choose another multifactor solution than RSA. But each time when I google for opnsense radius mfa I'm getting instructions how to enable MFA with the local user database on OPNsense. But I have to authenticate agains the active directory. The bad thing is, that die Radius server is not automatically asking the MFA application on the smartphone, but requiring the OTP somehow delivered via the protocol from OPNsense.
Any help is much appreciated.
Thanks a lot.
#4
General Discussion / Re: OpenVPN DNS not pushed
March 19, 2020, 07:46:35 PM
Hi,
I figured out that it seems to be a bug in Viscosity. With Tunnelblick it's working.
Thanks
I figured out that it seems to be a bug in Viscosity. With Tunnelblick it's working.
Thanks
#5
General Discussion / Resolved: OpenVPN DNS not pushed
March 19, 2020, 04:58:25 PM
Hello,
I always used the setup with "Redirect Gateway", which pushed the DNS of the OPNsense to the clients.
Now I'm trying to change this, because I don't like all traffic going over the gateway, except of the internal services.
But when I untick the box "Redirect Gateway", the DNS is not pushed to the clients. So they cannot reach the internal service names. I also tried to put push "dhcp-option DNS 10.0.0.1" to the advanced options, but it doesn't help.
All internal services are reachable via IP and the firewall + unbound is correctly configured. When I use dig with @ from the client, I can resolve the internal addresses. But it's not pushed to the /etc/resolv.conf
Any hints?
Thank you very much.
I always used the setup with "Redirect Gateway", which pushed the DNS of the OPNsense to the clients.
Now I'm trying to change this, because I don't like all traffic going over the gateway, except of the internal services.
But when I untick the box "Redirect Gateway", the DNS is not pushed to the clients. So they cannot reach the internal service names. I also tried to put push "dhcp-option DNS 10.0.0.1" to the advanced options, but it doesn't help.
All internal services are reachable via IP and the firewall + unbound is correctly configured. When I use dig with @ from the client, I can resolve the internal addresses. But it's not pushed to the /etc/resolv.conf
Any hints?
Thank you very much.
#6
19.1 Legacy Series / OPNsense<->AWS VPC ipsec VPN
June 24, 2019, 02:14:42 PM
Hi,
I'm running multiple tunnels to AWS via IPSEC.
But the problem is, that the connection drops after ~one day.
It's never coming back before I restart it manually.
I'm not able to see the log, because it's too short...
The value for "Automatically ping host" is set to a IP within the AWS VPC and the local IP for the OPNsense box is part of the local network.
See the screenshots in the attachment for parameters.
I'm running multiple tunnels to AWS via IPSEC.
But the problem is, that the connection drops after ~one day.
It's never coming back before I restart it manually.
I'm not able to see the log, because it's too short...
The value for "Automatically ping host" is set to a IP within the AWS VPC and the local IP for the OPNsense box is part of the local network.
See the screenshots in the attachment for parameters.
#7
19.1 Legacy Series / Re: Multiple Radius Server for OpenVPN
June 11, 2019, 09:58:45 AM
Thank you for the idea. But UDP via nginx is failing. Any access is denied. I don't know why. Maybe nginx is not the right tool to balance the radius protocol.
Backend NPS:
Only difference in the error log is:
Security ID: NULL SID
Backend NPS:
Only difference in the error log is:
Security ID: NULL SID
#8
19.1 Legacy Series / Multiple Radius Server for OpenVPN
June 04, 2019, 04:57:53 PM
Hi,
authentication trough radius server is working fine. I have two Microsoft NPS attached, for the case, when one goes down.
Now I tested to deactivate the first Radius server. The problem is, that OpenVPN is still waiting for the first Radius Server, forever. It's not asking the second one. Only when the first Radius Server is rejecting the access, the second one will be asked. But I like to use this in a HA Scenario.
Any clue?
config:
thanks
authentication trough radius server is working fine. I have two Microsoft NPS attached, for the case, when one goes down.
Now I tested to deactivate the first Radius server. The problem is, that OpenVPN is still waiting for the first Radius Server, forever. It's not asking the second one. Only when the first Radius Server is rejecting the access, the second one will be asked. But I like to use this in a HA Scenario.
Any clue?
config:
Code Select
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Active Directory RADIUS DC1,Active Directory Radius DC2,Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'my+company+OpenVPN+Server' 1"thanks
#9
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 22, 2019, 11:34:26 AM
Hi,
I finally managed to solve my issue by going trough the sourcecode. I left a debug file, with the same username as in the freeradius test, in the ccd dir *facepalm*. Radius attributes never worked during my tests.
The solution is:
1. Select "Force CSO Login Matching" in the GUI of the server Configuration
2. Use Framed-IP-Address AND Framed-IP-Netmask
After this, the files are being created in the folder:
/var/etc/openvpn-csc/3/
The only thing is, that they aren't removed. But no matter, it works 8)
I finally managed to solve my issue by going trough the sourcecode. I left a debug file, with the same username as in the freeradius test, in the ccd dir *facepalm*. Radius attributes never worked during my tests.
The solution is:
1. Select "Force CSO Login Matching" in the GUI of the server Configuration
2. Use Framed-IP-Address AND Framed-IP-Netmask
After this, the files are being created in the folder:
/var/etc/openvpn-csc/3/
The only thing is, that they aren't removed. But no matter, it works 8)
#10
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 22, 2019, 10:36:40 AM
radsniff gives details about the difference:
Freeradius Reply:
NPS Reply:
Does the Class, MS-Link-Utilization-Threshold, MS-Link-Drop-Time-Limit break some functions in the opnsense scripts? I'm really wondering what's happening here.
Freeradius Reply:
Code Select
Framed-Protocol = PPP
Framed-IP-Address = 10.69.14.222
Framed-IP-Netmask = 255.255.255.252
Authenticator-Field = 0xbfe77857212958100f5edfc83775f335NPS Reply:
Code Select
Framed-Protocol = PPP
Framed-IP-Address = 10.69.14.222
Framed-IP-Netmask = 255.255.255.252
Class = 0x8f4908ef00000137000102000af014140000000028451f2733b4e06501d50a53e29d8d4300000000000066ca
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
Authenticator-Field = 0xca44113b745f5b92f3da7058f3b512c6Does the Class, MS-Link-Utilization-Threshold, MS-Link-Drop-Time-Limit break some functions in the opnsense scripts? I'm really wondering what's happening here.
#11
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 22, 2019, 09:45:26 AM
i'm debugging further....
#12
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 22, 2019, 09:22:08 AM
I finally managed it to deploy the new version to production.
The freeradius user is working fine (IP will be assigned), but the Microsoft NPS User doesn't (standard pool IP assigned). All users are stored in the active directory, so it makes no sense to create them additionally in freeradius.
Both arrays are containing the same value:
Array content:
Debug method:
As both arrays are identical, what can be the reason for the different behavior?
The freeradius user is working fine (IP will be assigned), but the Microsoft NPS User doesn't (standard pool IP assigned). All users are stored in the active directory, so it makes no sense to create them additionally in freeradius.
Both arrays are containing the same value:
Code Select
# diff -s radius-free radius-nps
Files radius-free and radius-nps are identicalArray content:
Code Select
Array
(
[tunnel_network] => 10.69.14.222/30
)Debug method:
Code Select
function parse_auth_properties($props)
{
$result = array();
if (!empty($props['Framed-IP-Address']) && !empty($props['Framed-IP-Netmask'])) {
$cidrmask = 32-log((ip2long($props['Framed-IP-Netmask']) ^ ip2long('255.255.255.255'))+1, 2);
$result['tunnel_network'] = $props['Framed-IP-Address'] . "/" . $cidrmask;
}
if (!empty($props['Framed-Route']) && is_array($props['Framed-Route'])) {
$result['local_network'] = implode(",", $props['Framed-Route']);
}
file_put_contents('/tmp/radius', print_r($result, true));
return $result;
}As both arrays are identical, what can be the reason for the different behavior?
#13
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 20, 2019, 04:51:19 PM
sorry, i think i found the root cause:
"Framed-IP-Netmask => 255.255.255.252" was missing on the NPS.
In my tests I switched between the 19.1.8 release (test) and the 18.7.8 release (productive).
I debugged with printing out the variables in /usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php with
file_put_contents('/tmp/debug.txt', print_r($result, true)); in parse_auth_properties.
In both versions, all attributes are available. But in release 18.7.8 it has no effect on the config.
I will schedule an upgrade of the productive instance and see if it will be fixed.
But the most important thing to find out, was that I had to read the source code, to understand, what attributes are needed.
There is an logic AND for Framed-IP-Address and Framed-IP-Netmask.
Otherwise it will not work.
I'm still wondering, why the bug is in 18.7.8, but no matter, I'll upgrade soon.
Thank you very much for the help :)
"Framed-IP-Netmask => 255.255.255.252" was missing on the NPS.
In my tests I switched between the 19.1.8 release (test) and the 18.7.8 release (productive).
I debugged with printing out the variables in /usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php with
file_put_contents('/tmp/debug.txt', print_r($result, true)); in parse_auth_properties.
In both versions, all attributes are available. But in release 18.7.8 it has no effect on the config.
I will schedule an upgrade of the productive instance and see if it will be fixed.
But the most important thing to find out, was that I had to read the source code, to understand, what attributes are needed.
There is an logic AND for Framed-IP-Address and Framed-IP-Netmask.
Otherwise it will not work.
I'm still wondering, why the bug is in 18.7.8, but no matter, I'll upgrade soon.
Thank you very much for the help :)
#14
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 20, 2019, 03:01:05 PM
fyi:
Attributes received from server:
Framed-IP-Address => 10.69.14.222
Framed-IP-Netmask => 255.255.255.252
Framed-Route => 10.69.14.0/23
This is delivered from the local freeradius Server. But Openvpn is ignoring it :-/
OPNsense 19.1.8-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2r 26 Feb 2019
UPDATE: This was a fail information. The setup worked in this version for the first time.
Attributes received from server:
Framed-IP-Address => 10.69.14.222
Framed-IP-Netmask => 255.255.255.252
Framed-Route => 10.69.14.0/23
This is delivered from the local freeradius Server. But Openvpn is ignoring it :-/
OPNsense 19.1.8-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2r 26 Feb 2019
UPDATE: This was a fail information. The setup worked in this version for the first time.
#15
19.1 Legacy Series / Re: Client Specific Overrides + Radius Auth + OpenVPN
May 20, 2019, 01:07:37 PM
I did it. Auth works, but no special IP will be assigned....
