Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - breakaway

Pages: [1]

Virtual private networks / Re: Site to Site wireguard - service will not start.

« on: October 28, 2022, 02:21:39 am »

You're right now that I look back on it. However, if you read the rest of my post I say I can't even get the service to start. It turns out the reason the service wouldn't start was because I had /32s as my address under Allowed IPs as alluded to in the documentation https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Virtual private networks / Re: Site to Site wireguard - service will not start.

« on: October 28, 2022, 01:17:44 am »

Port is not required. If it isn't supplied, it defaults to the default wg port which is 51820.

Anyway, I got this working. I had a lot of trouble with it. Documentation is inconsistent, and it seems this randomly breaks after firmware updates. Here's an example https://forum.opnsense.org/index.php?topic=27092.msg131768#msg131768

Anyway my ultimate config that works.

The config files as located in /usr/local/etc/wireguard

SIDE A

Code: [Select]

[Interface]
PrivateKey = < REDACTED >
Address = 10.64.12.1/24
ListenPort = 51820

[Peer]
PublicKey = < REDACTED >
Endpoint = < SIDE B WAN IP >:51820
AllowedIPs = < Enter CIDRs of the networks at remote side >
PersistentKeepalive = 60

SIDE B

Code: [Select]

[Interface]
PrivateKey = < REDACTED >
Address = 10.64.12.2/24
ListenPort = 51820

[Peer]
PublicKey = < REDACTED >
Endpoint = < SIDE A WAN IP >:51820
AllowedIPs = < Enter CIDRs of the networks at remote side >
PersistentKeepalive = 60

Once I got all that working, on Side B, I found if I went to Firewall -> Rules I couldn't see "Wireguard (Group)" which I could see on Side A. I thought it was a caching issue, but it was not as the issue persisted when using incognito mode. A reboot of the opnSense fixed it.

That was a fairly painful experience. At first I used /32s in my "Address" field under the "Local" config, because the documentation implies you must do so. Maybe this documentation should be updated to make it a bit more clear exactly what is needed https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Virtual private networks / Site to Site wireguard - service will not start.

« on: October 27, 2022, 04:21:18 pm »

Hi all

I have tried using this guide https://www.youtube.com/watch?v=RoXHe5dqCM0 and also read this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html however I cannot get my site to site wireguard to even start.

Side A is running
OPNsense 22.1.10_4-amd64
os-wireguard   1.11
wireguard-go   0.0.20220316_2,1
wireguard-tools   1.0.20210914_1

Side B is running
OPNsense 22.7.6-amd64
os-wireguard   1.12
wireguard-go   0.0.20220316_6,1
wireguard-tools   1.0.20210914_1

LAN Network of Subnet behind Side A: 10.13.254.0/24
LAN Network of Subnet behind Side B: 10.12.254.0/24

Side A Settings - Local

Code: [Select]

Name: S2StoSideBLOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.1/24
Peers: SideB

Side A Settings - Endpoint

Code: [Select]

Name: S2StoSideBEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.12.254.0/24 192.168.0.1/32
Endpoint Address: <IP address of side B>
Endpoint Port: 
Keepalive: 60

Side B Settings - Local

Code: [Select]

Name: S2StoSideALOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.2/24
Peers: SideB

Side B Settings - Endpoint

Code: [Select]

Name: S2StoSideAEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.13.254.0/24 192.168.0.2/32
Endpoint Address: <IP address of side B>
Endpoint Port: 
Keepalive: 60

If I do that, I can't get the wireguard tunnel to establish. When I check "List Configuration" on side B, I see no mention of this new local/endpoint. On Side B (where this WG config is the only one), I can see the service is not even starting. If I try to manually start wireguard:

Code: [Select]

root@router:~ # service wireguard start
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2 (wg): Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet 192.168.0.1/24 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] route -q -n add -inet 192.168.0.1/32 -interface wg1
[#] rm -f /var/run/wireguard/wg1.sock

Any ideas?

Virtual private networks / Re: Bug: IPSEC VPN - PRF_AES128_XCBC isn't working any more

« on: June 08, 2022, 02:24:32 am »

Confirmed, fixed for me also.

General Discussion / Re: How do I use AES-NI acceleration for IPSEC to pfSense?

« on: June 08, 2022, 02:10:44 am »

@franco - I see, I have hit that very same bug. I obviously missed that thread and it didn't come up on the googles when I searched.

Anyway this command (along with a reboot for good measure) and I am now connected with AES_GCM_16 (128) PRF_AES128_XCBC MODP_2048

Code: [Select]

pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/misc/strongswan-kdf.pkg

General Discussion / Re: How do I use AES-NI acceleration for IPSEC to pfSense?

« on: June 04, 2022, 07:01:04 am »

Also thought I'd add my "hardware - This OpnSense is running as a qemu VM on proxmox.

Also I did some testing for ipsec performance by copying a file from the remote side of the tunnel to my side (smb file transfer). The remote side has 500 mbps upload.

I found I couldn't get more than 4 MB/sec (~30 mbps). I tried adjusting the encryption to AES (128 bits) + SHA256 + DH Group 14 (for both P1 and P2) and found absolutely no change either - same sort of speed.

I've verified that aes-ni is available by checking dmesg as well.

I also did a speed test to internet - I have a 300 mbps down and 100 mbps up connection. That works perfectly, download comes out at 330 mbps, upload at 90 mbps.

Obviously something is wrong here. The Ubiquiti ERL (edge router lite) would do easily 100 mbps smb file transfer on ipsec until CPU bottlenecking.

General Discussion / How do I use AES-NI acceleration for IPSEC to pfSense?

« on: June 04, 2022, 06:27:18 am »

Long time pfSense user, I have many pfsense systems I look after but I am looking to make a switch.

I now have OPNsense 22.1.8_1-amd64 running in my lab. I am trying to connect IPSEC to a pfSense running 2.6.0 (latest) by using AES-NI acceleration.

I tried setting the same settings on both sides:
OpnSense:
Phase 1
-> Encryption algorithm 128 bit AES-GCM with 128 bit icv
-> Hash algorithm AES-XCBC
-> DH Group: 14

pfSense:
Phase 1
-> Algorithm: AES128-GCM
-> Key Length: 128 bit
-> Hash: AES-XCBC
-> DH Group: 14

But if I apply this, the IPSEC phase 1 won't connect. pfSense side shows timeout, and OpnSense side shows "key derivation failed".

If I set the "Hash" to SHA i.e. SHA512 on both sides (P1 & P2) it will connect. Why won't it connect with AES-XCBC on both sides?

Some log output below. Any ideas?

Code: [Select]

2022-06-04T16:08:22	Informational	charon	09[NET] <108> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)	 
2022-06-04T16:08:22	Informational	charon	09[ENC] <108> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]	 
2022-06-04T16:08:22	Informational	charon	09[IKE] <108> key derivation failed	 
2022-06-04T16:08:22	Informational	charon	09[IKE] <108> KDF_PRF with PRF_UNDEFINED not supported	 
2022-06-04T16:08:22	Informational	charon	09[CFG] <108> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048	 
2022-06-04T16:08:22	Informational	charon	09[IKE] <108> 126.33.25.61 is initiating an IKE_SA	 
2022-06-04T16:08:22	Informational	charon	09[ENC] <108> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]	 
2022-06-04T16:08:22	Informational	charon	09[NET] <108> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)	 
2022-06-04T16:08:18	Informational	charon	09[CFG] ignoring acquire for reqid 1, connection attempt pending	 
2022-06-04T16:08:18	Informational	charon	09[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}	 
2022-06-04T16:08:18	Informational	charon	09[NET] <107> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)	 
2022-06-04T16:08:18	Informational	charon	09[ENC] <107> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]	 
2022-06-04T16:08:18	Informational	charon	09[IKE] <107> key derivation failed	 
2022-06-04T16:08:18	Informational	charon	09[IKE] <107> KDF_PRF with PRF_UNDEFINED not supported	 
2022-06-04T16:08:18	Informational	charon	09[CFG] <107> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048	 
2022-06-04T16:08:18	Informational	charon	09[IKE] <107> 126.33.25.61 is initiating an IKE_SA	 
2022-06-04T16:08:18	Informational	charon	09[ENC] <107> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]	 
2022-06-04T16:08:18	Informational	charon	09[NET] <107> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)	 
2022-06-04T16:08:16	Informational	charon	09[NET] <106> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)	 
2022-06-04T16:08:16	Informational	charon	09[ENC] <106> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]	 
2022-06-04T16:08:16	Informational	charon	09[IKE] <106> key derivation failed	 
2022-06-04T16:08:16	Informational	charon	09[IKE] <106> KDF_PRF with PRF_UNDEFINED not supported	 
2022-06-04T16:08:16	Informational	charon	09[CFG] <106> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048	 
2022-06-04T16:08:16	Informational	charon	09[IKE] <106> 126.33.25.61 is initiating an IKE_SA	 
2022-06-04T16:08:16	Informational	charon	09[ENC] <106> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]	 
2022-06-04T16:08:16	Informational	charon	09[NET] <106> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)	 
2022-06-04T16:08:15	Informational	charon	13[CFG] ignoring acquire for reqid 1, connection attempt pending	 
2022-06-04T16:08:15	Informational	charon	13[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}	 
2022-06-04T16:08:14	Informational	charon	13[NET] <105> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)	 
2022-06-04T16:08:14	Informational	charon	13[ENC] <105> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]	 
2022-06-04T16:08:14	Informational	charon	13[IKE] <105> key derivation failed	 
2022-06-04T16:08:14	Informational	charon	13[IKE] <105> KDF_PRF with PRF_UNDEFINED not supported	 
2022-06-04T16:08:14	Informational	charon	13[CFG] <105> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048	 
2022-06-04T16:08:14	Informational	charon	13[IKE] <105> 126.33.25.61 is initiating an IKE_SA	 
2022-06-04T16:08:14	Informational	charon	13[ENC] <105> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]	 
2022-06-04T16:08:14	Informational	charon	13[NET] <105> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)	 
2022-06-04T16:08:12	Informational	charon	13[CFG] ignoring acquire for reqid 1, connection attempt pending	 
2022-06-04T16:08:12	Informational	charon	13[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}	 
2022-06-04T16:08:12	Informational	charon	13[NET] <104> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)	 
2022-06-04T16:08:12	Informational	charon	13[ENC] <104> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]	 
2022-06-04T16:08:12	Informational	charon	13[IKE] <104> key derivation failed	 
2022-06-04T16:08:12	Informational	charon	13[IKE] <104> KDF_PRF with PRF_UNDEFINED not supported	 
2022-06-04T16:08:12	Informational	charon	13[CFG] <104> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048	 
2022-06-04T16:08:12	Informational	charon	13[IKE] <104> 126.33.25.61 is initiating an IKE_SA	 
2022-06-04T16:08:12	Informational	charon	13[ENC] <104> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]	 
2022-06-04T16:08:12	Informational	charon	13[NET] <104> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)	 
2022-06-04T16:08:11	Informational	charon	09[CFG] ignoring acquire for reqid 1, connection attempt pending	 
2022-06-04T16:08:11	Informational	charon	09[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}	 
2022-06-04T16:08:10	Informational	charon	09[NET] <103> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)	 
2022-06-04T16:08:10	Informational	charon	09[ENC] <103> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: July 20, 2020, 03:21:38 am »

Hi @rene_

EDIT: It appears this was a layer 8 issue After taking a couple minutes to boot up, I got an IP after plugging in my laptop to the ethernet port of the Pi. Thanks @rene_ for all your work on this!

I have finally managed to get a Raspberry Pi 3B+ (lots of supply issue due to corona virus). But unfortunately I don't have much success.

Downloaded the image OPNsense-201911290406-OpenSSL-arm-aarch64-RPI3.img.gz, unzipped it and wrote it to the sdcard from my mac using this command

Code: [Select]

dd if=OPNsense-201911250722-OpenSSL-arm-aarch64-RPI3.img of=/dev/disk2 bs=1m conv=sync
After doing this, I put the SDcard into my Pi3B+ but I get solid red light, no image on screen and no IP address if I plug my laptop into the network port. I have also tried Build 201911290406 (the latest one), with the same results. I've also tried several different SDCards too (Samsung Evo Plus 32GB).

Any ideas?

EDIT: It appears this was a layer 8 issue After taking a couple minutes to boot up, I got an IP after plugging in my laptop to the ethernet port of the Pi. Thanks @rene_ for all your work on this!

Hardware and Performance / Re: OPNsense 20.1 on RaspberryPI 3

« on: March 21, 2020, 04:20:43 am »

Has anyone gotten this working with a Pi 4 w/ 2GB RAM?

I wrote rene's image

Code: [Select]

OPNsense-201911290406-OpenSSL-arm-aarch64-RPI3.img.gz to a SD card but my Pi 4 will not boot. Just shows a solid red light.

Hardware and Performance / Re: [Working] OPNsense Ported into ARM Devices

« on: March 17, 2020, 12:26:06 pm »

Quote from: franco on June 03, 2019, 04:03:20 pm

Long story short, the image for RPI-2 is here https://pkg.opnsense.org/FreeBSD:11:armv6/19.1/OPNsense-19.1-test-OpenSSL-arm-armv6-RPI2.img.bz2

Just tried writing this image to a sdcard and booting my raspberry pi 2 (Which I Just dusted off for this purpose) but I can't seem to get this thing to boot up.

I also tried a different SD card incase my first one was faulty. My Pi2 just shows a red light on boot and won't go any further. I know the pi works since I tried the debian image on it and that works.

Any ideas what that could cause that?

Also, I tried building my own by using the instructions shown here https://nekoprog.github.io/pieSense/ But obviously something went wrong and no image was produced unfortunately. I'm a bit lost as to where to go from here.

Pages: [1]