Messages - sepius

#1
Interesting forum here. Besides some obvious "help", no further dialogue. I really would like to like OPNsense, but you have to improve. At least if someone offers help, I would suggest giving him a start. But hey.. ;)
#2
Quote from: banym on April 04, 2020, 07:50:02 PM
Well I use several OPNsense installations with current and older versions and most of them running OpenVPN.

Very important information

Quote from: banym on April 04, 2020, 07:50:02 PM
If configured correctly it does work.

Of course it does :).
Oh, wait, in complex systems and some IT systems, I have heard of bugs and things like that. But yes, most bugs sit around 50cm in front of the monitor, as we said 20 years ago in 2nd and 3rd level support. ;)


Quote from: banym on April 04, 2020, 07:50:02 PM
To get help here others need to see your configuration and log error messages to help to find the problem.
Please share screenshots of your configuration and firewall rules and log messages of OpenVPN server and client.
I'll get back to you with the screenshots. Do you mean the very short OpenVPN conf?
Firewall rules as written above: "even with an IP4 allow any to any on ALL (but the WAN) interfaces." One rule to rule them all (per interface). It was a fresh installation, just the pre-latest version, updated shortly after install.

I had one special thing: a VIP and forwarding to it. History showed me this is a more versatile setup than using external
Screenshots will take some time, as I need the VPN and so I had to switch to my old poison ;)
Will virtualize it and take screenshots.
#3
I can second this.
This is currently, besides the medieval option set (stuck in 2017), my main concern.

Related to the problem MAY be: "write UDP []: Network is unreachable (code101)"
But again, this could also just be related to the mobile uplink.

I tried to add an additional interface, but no can do. It should be a no-brainer, as connecting and Internet access work fine. But you can't reach internal services, even with an IP4 allow any to any on ALL (but the WAN) interfaces.
DNS listening on the interface is also set. Only HAProxy configured, no fancy stuff.

Connection seems fine, except "Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4:register-dns (2.5_master)".

All settings "default", client export used, nothing modified, no advanced params.

Firewall logs show nothing; also the VPN log on level 6 shows nothing unusual.

I migrated from XYsense as the last update went wrong. But seriously.. OpenVPN is a default app. I would bet it is a heavily used function. I feel I am getting from bad to worse with the OpenVPN in OPNsense and nearly regret my move. Besides, I really would want to stay with OPNsense, as it is more "sympathetic" (and not from a commercial company located in the US), but this... should just work and offer at least settings from 2018+.

Any help, where I can further look into the problem?

OPNsense: LibreSSL, latest stable version
clients: Android 10, latest OpenVPN; Linux, latest (both stable)

Funny thing, I wanted to test it on my laptop, exported the conf and... HMAC error on the Linux client; Android works this way.
Realizing all the hiccups, I wonder if OpenVPN on OPNsense is still maintained?
(sorry for the maybe cynical comment, but I invested the last days in rebuilding my setup in OPNsense and with this basic failing, I fear I wasted my time. Never thought such a thing could be so... difficult and deprecated, and I have used the senses for 8+ years)
#4
Custom fields don't overwrite existing fields, they just add new ones.
If I, for example, set "keepalive 30 180", it will be appended to the config, while the default value is still maintained some lines up, so I end up with this option two times in the conf.
Also tls-auth to tls-crypt won't work: it is one or the other.

Not being able to modify it manually is kind of counterproductive. I am willing to help myself, but I am held back.
I now would have to set up another OpenVPN server and integrate it into my network, only because I can't change 3-4 lines.

I understand that the GUI should be aligned with the conf or vice versa, but an asterisk or another notification would be enough to notify.

Why and from where is the config overwritten? (So I can maybe use this to modify the params according to secure OpenVPN 2.4 settings of 2020 instead of being frozen in 2017)

As a user I want to make use of OpenVPN 2.4 settings, so I feel state-of-the-art protected and don't waste my time setting up another host for a service I already have. This doesn't have to be done via the GUI, but if done by manual changes, these changes need to survive at least reboots.

Acceptance criteria:
- tls-crypt is used instead of tls-auth
- keepalive can be set to save mobile power
- compress lz4 can be used, to save data without being vulnerable to LZO compression attack vectors

Bonus criteria:
- NCP can be used to let the client choose the most power-friendly codec

Offer: I am willing to contribute to the OpenVPN GUI, but I don't know where to begin.
#5
Hi,
I recently switched to OPNsense, as another update from another..uhm..sense product killed my setup.
Sadly the OPNsense OpenVPN GUI is kind of.. deprecated.

No worries, I thought, and altered /var/etc/openvpn/server[n].conf myself.
Restarted the daemon and had to realize that my newly altered conf was overwritten.

I am willing to alter the server and client (export) conf myself, as it is a one-time setup. OpenVPN >2.4 has some nice features, e.g. tls-crypt instead of tls-auth since.. 2018? compress lz4 and others.
In theory: OPNsense does have the latest stable, so altering the conf should be without side effects.

How can I prevent the destruction of my manual changes?
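The two failure modes described in posts #4 and #5 above (a custom "keepalive" appended after the generated one, and tls-crypt added next to an existing tls-auth) can be caught mechanically before the daemon is restarted. The script below is an added example, not code from OPNsense or from the poster: it parses an OpenVPN server config, reports non-repeatable directives that occur more than once and directive pairs that are mutually exclusive, and merges a block of custom options so that they replace the generated defaults instead of being appended to them. The generated config and the custom-option block are constructed for the example, the key file paths are placeholders, and the set of repeatable directives as well as the comp-lzo/compress conflict pair are assumptions (tls-auth/tls-crypt being one-or-the-other is stated in the thread).

```python
"""Lint an OpenVPN server config for duplicated or conflicting directives,
and merge custom options as overrides rather than as appended lines.
Added example; sample data below is constructed, not a real OPNsense export."""
import shlex

# Directives OpenVPN allows to repeat. Assumption: small, non-exhaustive set.
REPEATABLE = {"push", "route", "route-ipv6", "remote", "iroute", "dhcp-option"}

# Mutually exclusive directive groups. tls-auth/tls-crypt is one-or-the-other;
# comp-lzo (2.3 style) vs compress (2.4 style) is an assumption for this example.
CONFLICT_GROUPS = [
    {"tls-auth", "tls-crypt"},
    {"comp-lzo", "compress"},
]

# Constructed sample of a generated server config (placeholder paths).
BASE_CONF = """\
# constructed sample of a generated server config
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
keepalive 10 60
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
"""

# Constructed custom-options block, as typed into a GUI "advanced" field.
CUSTOM_OPTS = """\
keepalive 30 180
tls-crypt /var/etc/openvpn/server1.tls-crypt
compress lz4
push "dhcp-option DNS 192.168.1.2"
"""

# What naive appending produces: defaults followed by the custom lines.
APPENDED_CONF = BASE_CONF + CUSTOM_OPTS


def parse_directives(text):
    """Return [(keyword, args, lineno)] for every non-comment, non-empty line."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route ..." as one argument
        out.append((parts[0], parts[1:], lineno))
    return out


def lint(text):
    """Report duplicated non-repeatable directives and conflicting pairs."""
    seen = {}
    for kw, _args, lineno in parse_directives(text):
        seen.setdefault(kw, []).append(lineno)
    duplicates = {kw: lines for kw, lines in seen.items()
                  if len(lines) > 1 and kw not in REPEATABLE}
    conflicts = []
    for group in CONFLICT_GROUPS:
        present = sorted(kw for kw in group if kw in seen)
        if len(present) > 1:
            conflicts.append(tuple(present))
    return {"duplicates": duplicates, "conflicts": conflicts}


def merge_custom_options(base_text, custom_text):
    """Return base_text with custom directives replacing the generated ones.

    A custom directive drops every base line with the same keyword and every
    base line from the same conflict group (tls-crypt evicts tls-auth);
    repeatable directives such as push are kept and extended."""
    custom_keys = {kw for kw, _a, _l in parse_directives(custom_text)}
    drop = set(custom_keys)
    for group in CONFLICT_GROUPS:
        if group & custom_keys:
            drop |= group
    drop -= REPEATABLE
    kept = []
    for raw in base_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;" and shlex.split(line)[0] in drop:
            continue
        kept.append(raw)
    kept.append("# custom options (override generated defaults)")
    kept.extend(line for line in custom_text.splitlines() if line.strip())
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("appended:", lint(APPENDED_CONF))
    merged = merge_custom_options(BASE_CONF, CUSTOM_OPTS)
    print("merged:", lint(merged))
    print(merged)
```

Running `lint` on the appended config reports `keepalive` on two lines and the two conflicting pairs; the merged config passes clean and keeps all three `push` lines, which is the behaviour the thread asks the GUI for.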