Messages - rainerle

1
Development and Code Review / Re: Reload config.xml without reboot
« on: October 20, 2024, 01:25:43 pm »
I had to re-open an older back door to our network since somehow the RADIUS based IPSec VPN suddenly was not working anymore.
So I removed the disabled section in the firewall rules and then tried to reload the config from the CLI. I only had CLI access as I was using an even older back door from another location and was using various SSH and Telnet "jump servers" to get to the CLI of the opnsense...

2
24.7 Production Series / Re: FreeRadius Error - require_message_authenticator
« on: October 19, 2024, 05:54:49 pm »
Our VPN IPSec service just broke today at 16:00 CEST due to Microsoft requiring the config change.
"RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more."

So enabling the requirement to send RequireMsgAuth breaks the OPNsense client - disabling it on the Windows Server NPS gives the above error message.

I think a quick patch is required here!

3
Development and Code Review / Re: Reload config.xml without reboot
« on: October 19, 2024, 05:13:05 pm »
I tried reloading my adjusted config in /conf/config.xml with option 11 and it just hangs at the VLAN interfaces (see attachment)...

How can I make the output more verbose???


4
Virtual private networks / Re: DPD is not working properly with IKEv2
« on: September 22, 2024, 08:54:31 pm »
Sorry for finding this so late.

The workaround mentioned here still works for me.
https://github.com/opnsense/core/issues/3291#issuecomment-479827420

My current add on config looks like this:
Code:
root@opnsense01:~ # cat /usr/local/etc/strongswan.opnsense.d/strongswan.ikev2.conf
charon {
# See https://wiki.strongswan.org/issues/1216
    make_before_break = yes
# See https://github.com/opnsense/core/issues/3291
    retransmit_tries = 10
    retransmit_timeout = 2
    retransmit_base = 1
}
root@opnsense01:~ #

5
Hardware and Performance / Re: Sophos SG 450 Rev 1 - LCD - Anyone able to get it to work?
« on: July 11, 2024, 06:05:01 pm »
Maybe you should get in touch with this guy here...
https://forum.opnsense.org/index.php?topic=41194.0

6
Tutorials and FAQs / Re: HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
« on: June 10, 2024, 11:48:38 am »
Recently upgraded from 22.7.11 to 24.1.8 and the configuration is now completely in the gui.

I followed the official https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html

Per user group one connection.
Per user group a dedicated v4 and v6 IP address pool that gets assigned per connection.

Rekey set to 0 where available in advanced settings.


7
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 15, 2024, 06:49:56 pm »
Ok, I am sorry, you are right.

Code:
root@opnsense01:~ # cat /usr/local/opnsense/service/templates/custom/Unbound/+TARGETS
custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf
root@opnsense01:~ # rm /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /usr/local/etc/unbound.opnsense.d/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound check
no errors in /var/unbound/unbound.conf
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # nslookup m.s.test 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

root@opnsense01:~ #
root@opnsense01:~ # ls -al /var/unbound/etc/custom_server_options.conf
-rw-r-----  1 unbound  unbound  100 Apr 15 18:40 /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # scp -r /usr/local/opnsense/service/templates/custom opnsense02:/usr/local/opnsense/service/templates/
custom_server_options.conf    100%  101   316.8KB/s   00:00
+TARGETS                      100%   88   299.2KB/s   00:00
root@opnsense01:~ #

And it now works on both nodes. I believe I first started using the directory in the +TARGETS file from the configuration - so on the primary it was already correct and in the proper place. That did not happen on the secondary - so there it was missing and then it failed after a proper restart...

8
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 15, 2024, 06:16:28 pm »
Quote from: Patrick M. Hausen on April 15, 2024, 06:13:18 pm
The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

I very much doubt that. Have a look at the generated config in use by unbound:
Code:
root@opnsense01:~ # ps aux | grep unbound
unbound 39061    0.0  1.0 356572 163636  -  Ss   18:11         0:02.11 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38534    0.0  0.0  12748   2364  1  S+   18:14         0:00.00 grep unbound
root@opnsense01:~ # cat /var/unbound/unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python validator iterator"
num-threads: 16
msg-cache-slabs: 32
rrset-cache-slabs: 32
infra-cache-slabs: 32
key-cache-slabs: 32
auto-trust-anchor-file: /var/unbound/root.key



# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
        forward-addr: 10.20.50.5
        forward-addr: 10.20.50.6


python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
root@opnsense01:~ #

9
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 15, 2024, 06:13:14 pm »
But it works on the primary HA partner...

Code:
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ #

Eieieiei, I am starting to lose my trust...

10
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 15, 2024, 06:09:18 pm »
And the template system looks broken as well...

Code:
root@opnsense02:~ # configctl template reload custom/Unbound
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense02:~ # configctl unbound restart
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
cat: /var/unbound/etc/custom_server_options.conf: No such file or directory
root@opnsense02:~ #

A restart of Unbound just deletes the custom config file...

11
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 15, 2024, 05:24:03 pm »
What the heck...
...first time I see the template system...
Instead of Custom options in the GUI, let's complicate the process and not allow syncing to the HA partner automatically...

Looks like a step down to me...

12
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 14, 2024, 10:10:17 am »
In case you haven't heard of Contoso yet...
https://de.wikipedia.org/wiki/Contoso
I use that to replace our own organisation's URLs...

The problem is surely the test TLD and unbound's handling of it. But I doubt that OPNsense will allow free text user customisations of it...

13
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 13, 2024, 10:10:14 pm »
So, no, it does not work.

Windows nslookup does not know how to use a different port than 53...

Using Linux it shows...
Code:
admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.254
Server:         10.20.30.254
Address:        10.20.30.254#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=54 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#54

** server can't find m.s.test: NXDOMAIN

admin@linux:~$

...an NXDOMAIN for unbound, where on bind9 and dnsmasq on the same host I get the expected reply.

14
24.1 Legacy Series / Re: Unbound: Using domain .test internally and Unbound as caching DNS
« on: April 13, 2024, 09:51:42 pm »
So I changed the config from attachment one to attachment two and started the unbound on port 54 to keep the DNSmasq running while testing...

And indeed:
Code:
PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=54 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>

...it just works!!! NOT!!!

See next post...

15
24.1 Legacy Series / SOLVED: Unbound: Using TLD test. internally and Unbound as caching DNS
« on: April 12, 2024, 05:48:38 pm »
Hi,
we use the .test domain internally configured on four Bind DNS servers.

An nslookup using one of those is successful:
Code:
PS C:\Users\admin> nslookup m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>

The OPNsense unbound uses all four Bind servers as forward servers, but the nslookup is not successful:
Code:
PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  UnKnown
Address:  10.20.30.1

*** m.s.test wurde von UnKnown nicht gefunden: Non-existent domain.
PS C:\Users\admin>

Switching back to DNSmasq it just works:
Code:
PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  private-access.muc-fw01.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>

How can I enable the .test domain for unbound?

Already tried with "Private Domains" and "Insecure Domains" on the Advanced tab - did not help...

Thanks
Rainerle
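The behaviour traced across this thread (Unbound answering NXDOMAIN for m.s.test while Bind and dnsmasq on the same forwarders resolve it, until `local-zone: "test." nodefault` was added in the custom server options) comes from Unbound's built-in local zones for special-use TLDs. The following is an added example, not code from the thread or from OPNsense; it models only the special-use TLDs Unbound ships as built-in local zones and assumes the custom options file and forwarder addresses shown in the posts above:

```python
"""Why Unbound answered NXDOMAIN for m.s.test until "nodefault" was added.

Added example, not code from the thread or from OPNsense. It models only the
special-use TLDs that Unbound serves itself by default (unbound.conf(5),
"local-zone" defaults); the RFC 1918 reverse zones it also blocks by default
are left out (assumption: subset is enough to show the .test case).
"""
import re

# Built-in zones Unbound serves itself instead of forwarding: a static zone
# returns NXDOMAIN for any name without local data, so m.s.test never reaches
# the Bind forwarders unless the zone is released with "nodefault".
DEFAULT_LOCAL_ZONES = {"localhost.", "onion.", "test.", "invalid."}

# Sample input: the custom_server_options.conf from the thread.
CUSTOM_OPTIONS = '''server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
'''

# Forwarders from the generated unbound.conf shown in the thread.
FORWARDERS = ["10.20.30.254", "10.20.30.22", "10.20.50.5", "10.20.50.6"]

LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+(\S+)', re.M)


def released_zones(config_text):
    """Default zones that the config hands back to normal resolution."""
    return {name.lower().rstrip(".") + "."
            for name, ztype in LOCAL_ZONE_RE.findall(config_text)
            if ztype == "nodefault"}


def resolution_path(qname, config_text, forwarders=FORWARDERS):
    """Return ('local', reason) or ('forward', forwarders) for a query name."""
    labels = qname.lower().rstrip(".").split(".")
    released = released_zones(config_text)
    # Check every suffix of the name, longest first, against the built-ins.
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in DEFAULT_LOCAL_ZONES and zone not in released:
            return ("local", "served by built-in local-zone %s, not forwarded" % zone)
    return ("forward", list(forwarders))


if __name__ == "__main__":
    # Before the fix (no custom options) and after it.
    print(resolution_path("m.s.test", ""))
    print(resolution_path("m.s.test", CUSTOM_OPTIONS))
    print(resolution_path("www.contoso.com", ""))
```

Note that the released zone must survive a restart, which on OPNsense means the `local-zone` line has to live in the template source under /usr/local/etc/unbound.opnsense.d, as the thread's resolution shows, not in the regenerated /var/unbound/etc copy.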


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved