Messages - rainerle

#1
I had to re-open an older back door to our network since somehow the RADIUS-based IPSec VPN suddenly was not working anymore.
So I removed the disabled section in the firewall rules and then tried to reload the config from the CLI. I only had CLI access as I was using an even older back door from another location and was using various SSH and Telnet "jump servers" to get to the CLI of the OPNsense...
#2
Our VPN IPSec service just broke today at 16:00 CEST due to Microsoft requiring the config change.
"RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more."

So enabling the requirement to send RequireMsgAuth breaks the OPNsense client - disabling it on the Windows Server NPS gives the above error message.

I think a quick patch is required here!
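Post #2 above is about one RADIUS attribute: with RequireMsgAuth enabled, NPS rejects an Access-Request that carries no valid Message-Authenticator (RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret, computed over the whole packet with the attribute's own 16 value bytes zeroed). What follows is an added example, not code from the post, from OPNsense or from strongSwan: it builds such a request, builds the same request without the attribute (the behaviour the post reports as now being rejected), and performs the server-side check. The shared secret, identifier and attribute values are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14
HEADER_LEN = 20                   # code, identifier, length, 16-byte Request Authenticator


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute encoding (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int,
                         attrs: list[tuple[int, bytes]],
                         request_authenticator: bytes | None = None,
                         include_message_authenticator: bool = True) -> bytes:
    """Assemble an Access-Request.  With include_message_authenticator the
    packet is first built with a 16-byte all-zero Message-Authenticator, then
    HMAC-MD5(shared secret, whole packet) is written into that slot.  Without
    it the packet is what a client that never sends the attribute produces."""
    ra = request_authenticator if request_authenticator is not None else os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if include_message_authenticator:
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + ra + body)
    if include_message_authenticator:
        # The zeroed attribute is the last 18 bytes; overwrite its 16 value bytes.
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def iter_attrs(pkt: bytes):
    """Yield (type, offset, value) for each attribute; reject malformed lengths."""
    off = HEADER_LEN
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute length")
        yield atype, off, pkt[off + 2:off + alen]
        off += alen


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """The server-side check behind 'RequireMsgAuth': locate the attribute,
    recompute the HMAC with its value zeroed, compare in constant time.
    An absent, malformed or wrong attribute yields False (request dropped)."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        for atype, off, value in iter_attrs(pkt):
            if atype == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed for the example, not a real secret
    attrs = [(ATTR_USER_NAME, b"rainerle"), (ATTR_NAS_IDENTIFIER, b"opnsense01")]
    good = build_access_request(secret, 1, attrs)
    legacy = build_access_request(secret, 2, attrs, include_message_authenticator=False)
    print("with Message-Authenticator:   ", verify_message_authenticator(secret, good))
    print("without it (legacy client):   ", verify_message_authenticator(secret, legacy))
```

Independently of the NPS setting, RFC 3579 section 3.2 already requires the attribute on any Access-Request that carries EAP-Message attributes. Note that the check covers the whole packet, so a proxy that rewrites attributes after the client signed them also breaks it.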
#3
I tried reloading my adjusted config in /conf/config.xml with option 11 and it just hangs at the VLAN interfaces (see attachment)...

How can I make the output more verbose?

#4
Sorry for finding this so late.

The workaround mentioned here still works for me.
https://github.com/opnsense/core/issues/3291#issuecomment-479827420

My current add-on config looks like this:

root@opnsense01:~ # cat /usr/local/etc/strongswan.opnsense.d/strongswan.ikev2.conf
charon {
# See https://wiki.strongswan.org/issues/1216
    make_before_break = yes
# See https://github.com/opnsense/core/issues/3291
    retransmit_tries = 10
    retransmit_timeout = 2
    retransmit_base = 1
}
root@opnsense01:~ #
#6
Recently upgraded from 22.7.11 to 24.1.8 and the configuration is now completely in the GUI.

I followed the official https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

Per user group one connection.
Per user group a dedicated v4 and v6 IP address pool that gets assigned per connection.

Rekey set to 0 where available in advanced settings.

#7
Ok, I am sorry, you are right.


root@opnsense01:~ # cat /usr/local/opnsense/service/templates/custom/Unbound/+TARGETS
custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf
root@opnsense01:~ # rm /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /usr/local/etc/unbound.opnsense.d/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound check
no errors in /var/unbound/unbound.conf
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # nslookup m.s.test 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

root@opnsense01:~ #
root@opnsense01:~ # ls -al /var/unbound/etc/custom_server_options.conf
-rw-r-----  1 unbound  unbound  100 Apr 15 18:40 /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # scp -r /usr/local/opnsense/service/templates/custom opnsense02:/usr/local/opnsense/service/templates/
custom_server_options.conf    100%  101   316.8KB/s   00:00
+TARGETS                      100%   88   299.2KB/s   00:00
root@opnsense01:~ #


And it now works on both nodes. I believe I first started using the directory in the +TARGETS file from the configuration, so on the primary it was already correct and in the proper place. That did not happen on the secondary, so there it was missing and then it failed after a proper restart...
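Post #7 shows the layout that ended up working: a custom/Unbound/+TARGETS file mapping the template to a path under /usr/local/etc/unbound.opnsense.d, which is what survives in /var/unbound/etc after a restart (post #7, and the quote in post #8), plus a manual scp to the HA partner. The following is an added example, not OPNsense's own tooling: it checks a node's +TARGETS entries for the two mistakes visible in the thread (a target outside that directory, a template file that does not exist) and fingerprints the custom templates and the rendered files so the output from both nodes can be diffed. build_demo_tree() writes a constructed copy of the post's files into a temporary directory for offline use; the paths are the ones from the posts.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Paths as they appear on the OPNsense nodes in the thread.  The root is a
# parameter only so the audit can run against a staged copy or a test tree.
TEMPLATE_DIR = "usr/local/opnsense/service/templates/custom/Unbound"
EXPECTED_TARGET_DIR = "/usr/local/etc/unbound.opnsense.d"
RENDERED_DIRS = ("usr/local/etc/unbound.opnsense.d", "var/unbound/etc")


def check_targets(root: Path = Path("/")) -> list[str]:
    """Validate +TARGETS ('template:/absolute/target' per line).  Flags a
    template that is not present beside the file and a target that is not in
    /usr/local/etc/unbound.opnsense.d; the thread shows a file rendered
    anywhere else is gone from /var/unbound/etc after the next restart."""
    problems: list[str] = []
    tdir = root / TEMPLATE_DIR
    targets = tdir / "+TARGETS"
    if not targets.is_file():
        return [f"missing {targets}"]
    for n, line in enumerate(targets.read_text().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"+TARGETS:{n}: no 'template:target' separator: {line!r}")
            continue
        src, dst = line.split(":", 1)
        if not (tdir / src).is_file():
            problems.append(f"+TARGETS:{n}: template {src!r} not found in {tdir}")
        if Path(dst).parent != Path(EXPECTED_TARGET_DIR):
            problems.append(f"+TARGETS:{n}: target {dst!r} is not under {EXPECTED_TARGET_DIR}")
    return problems


def fingerprint(root: Path = Path("/")) -> dict[str, str]:
    """SHA-256 of every custom template and every rendered custom file, keyed
    by path relative to root.  Run on both HA nodes and compare the dicts; the
    thread shows these files are not carried over by HA sync."""
    out: dict[str, str] = {}
    for rel in (TEMPLATE_DIR, *RENDERED_DIRS):
        d = root / rel
        if not d.is_dir():
            continue
        for f in sorted(p for p in d.rglob("*") if p.is_file()):
            out[str(f.relative_to(root))] = hashlib.sha256(f.read_bytes()).hexdigest()
    return out


def build_demo_tree(root: Path | None = None, correct: bool = True) -> Path:
    """Constructed sample tree (offline use only): the custom/Unbound directory
    from post #7.  With correct=False the +TARGETS file points the template at
    the chroot copy and references a second template that does not exist."""
    root = root or Path(tempfile.mkdtemp(prefix="opnsense-demo-"))
    tdir = root / TEMPLATE_DIR
    tdir.mkdir(parents=True, exist_ok=True)
    (tdir / "custom_server_options.conf").write_text(
        'server:\n    # Disable default NXDOMAIN for our internal test. TLD\n'
        '    local-zone: "test." nodefault\n')
    if correct:
        lines = ["custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf"]
    else:
        lines = ["custom_server_options.conf:/var/unbound/etc/custom_server_options.conf",
                 "missing.conf:/usr/local/etc/unbound.opnsense.d/missing.conf"]
    (tdir / "+TARGETS").write_text("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    # On a node: audit the live tree.  Copy the printed fingerprint from the
    # other HA member and compare; any differing hash is a file to scp over.
    for problem in check_targets():
        print("PROBLEM:", problem)
    for path, digest in fingerprint().items():
        print(digest, path)
```

After fixing +TARGETS, the sequence from the post still applies: configctl template reload custom/Unbound, configctl unbound check, configctl unbound restart, then confirm the file is present in /var/unbound/etc.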
#8
Quote from: Patrick M. Hausen on April 15, 2024, 06:13:18 PM
The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

I very much doubt that. Have a look at the generated config in use by unbound:

root@opnsense01:~ # ps aux | grep unbound
unbound 39061    0.0  1.0 356572 163636  -  Ss   18:11         0:02.11 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38534    0.0  0.0  12748   2364  1  S+   18:14         0:00.00 grep unbound
root@opnsense01:~ # cat /var/unbound/unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python validator iterator"
num-threads: 16
msg-cache-slabs: 32
rrset-cache-slabs: 32
infra-cache-slabs: 32
key-cache-slabs: 32
auto-trust-anchor-file: /var/unbound/root.key



# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
        forward-addr: 10.20.50.5
        forward-addr: 10.20.50.6


python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
root@opnsense01:~ #
#9
But it works on the primary HA partner...


root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ #


Eieieiei, I am starting to lose my trust...
#10
And the template system looks broken as well...


root@opnsense02:~ # configctl template reload custom/Unbound
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense02:~ # configctl unbound restart
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
cat: /var/unbound/etc/custom_server_options.conf: No such file or directory
root@opnsense02:~ #


A restart of Unbound just deletes the custom config file...
#11
What the heck...
...first time I see the template system...
Instead of custom options in the GUI, let's complicate the process and not allow syncing to the HA partner automatically...

Looks like a step down to me...
#12
In case you haven't heard of Contoso yet...
https://de.wikipedia.org/wiki/Contoso
I use that to replace our own organisation's URLs...

The problem is surely the test TLD and unbound's handling of it. But I doubt that OPNsense will allow free-text user customisations of it...
#13
So, no, it does not work.

Windows nslookup does not know how to use a different port than 53...

Using Linux it shows...

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.254
Server:         10.20.30.254
Address:        10.20.30.254#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=54 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#54

** server can't find m.s.test: NXDOMAIN

admin@linux:~$


...an NXDOMAIN from unbound, where on bind9 and dnsmasq on the same host I get the expected reply.
#14
So I changed the config from attachment one to attachment two and started the unbound on port 54 to keep the DNSmasq running while testing...

And indeed:

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=54 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>


...it just works!!! NOT!!!

See next post...
#15
Hi,
we use the .test domain internally configured on four Bind DNS servers.

An nslookup using one of those is successful:

PS C:\Users\admin> nslookup m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>


The OPNsense unbound uses all four Bind servers as forward servers, but the nslookup is not successful:

PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  UnKnown
Address:  10.20.30.1

*** UnKnown can't find m.s.test: Non-existent domain.
PS C:\Users\admin>


Switching back to DNSmasq it just works:

PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  private-access.muc-fw01.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>


How can I enable the .test domain for unbound?

Already tried with "Private Domains" and  "Insecure Domains" on the Advanced tab - did not help...

Thanks
Rainerle