Messages - tony124

1
Virtual private networks / Re: WireGuard: description for endpoints possible?
« on: March 11, 2021, 03:35:19 pm »
I am not sure where to submit the feature request: to

https://github.com/opnsense/plugins

or to

https://github.com/opnsense/core

?

2
Virtual private networks / WireGuard: description for endpoints possible?
« on: March 10, 2021, 01:37:55 pm »
I wonder if someone can give me a hint on this problem:

- I have added a few dozens of WG endpoints;
- each of them is for a single user;
- the user ids (which I already have and cannot easily change) contain characters like -, _, .
- an endpoint name can only contain letters and digits
- I give each user a unique number, e.g. user-A => wg100, user-B => wg101, etc.
- it works, but from the UI I cannot tell which endpoint corresponds to which user

So I wonder if it is possible to add a description field to each endpoint.

Another approach is to remove chars which are not letters/digits from the user ids, and then use that stripped user id as the name for the endpoint. So I would end up with names like wg0userA, wg0userB etc. There is a danger that after stripping non-letter/digit chars, there might be some name collision which is hard to control.
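The stripping approach and its collision risk from the post above, worked through as an added example (not code from the forum or the OPNsense project): user ids are reduced to letters and digits, ids that become identical after stripping are detected, and those fall back to the numbered wg100, wg101... scheme. The sample user ids are constructed, and treating names that differ only in case as a collision is an assumption chosen to be conservative.

```python
import re
from collections import defaultdict

# Constructed sample user ids, not taken from the post.
USER_IDS = ["user-A", "user_a", "user.B", "tony.124", "-_-"]


def strip_name(user_id):
    """Keep only letters and digits, the only characters an endpoint name accepts."""
    return re.sub(r"[^A-Za-z0-9]", "", user_id)


def assign_endpoint_names(user_ids, prefix="wg0", fallback_start=100):
    """Map each user id to a unique, letters-and-digits-only endpoint name.

    Preferred name: prefix + stripped user id (e.g. user.B -> wg0userB).
    If two ids collide after stripping (compared case-insensitively, an
    assumption), or the stripped id is empty, the id gets a numbered name
    wg100, wg101, ... in input order instead.
    Returns (names, collisions): names maps user id -> endpoint name,
    collisions maps stripped key -> list of user ids that collided on it.
    """
    stripped = {uid: strip_name(uid) for uid in user_ids}
    groups = defaultdict(list)
    for uid in user_ids:
        groups[stripped[uid].lower()].append(uid)

    names, collisions = {}, {}
    counter = fallback_start
    for uid in user_ids:
        key = stripped[uid].lower()
        if stripped[uid] and len(groups[key]) == 1:
            names[uid] = prefix + stripped[uid]
        else:
            # Fallback names are wg1xx, so they cannot clash with wg0... names.
            names[uid] = f"wg{counter}"
            counter += 1
            if len(groups[key]) > 1:
                collisions[key] = groups[key]

    # Sanity check: every name unique and valid for the endpoint name field.
    assert len(set(names.values())) == len(user_ids)
    assert all(n.isalnum() for n in names.values())
    return names, collisions


if __name__ == "__main__":
    names, collisions = assign_endpoint_names(USER_IDS)
    for uid, name in names.items():
        print(f"{uid:10} -> {name}")
    print("collisions:", collisions)
```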



3
Virtual private networks / Re: WireGuard: how to add endpoints using command-line?
« on: March 08, 2021, 02:00:05 pm »
Quote from: mimugmail on March 08, 2021, 01:16:26 pm
You can open /conf/config.xml and insert the xml part manually without a restore.
The API for Wireguard is already here, you just need to read the docs how to use it.

Thanks for the hint. So it seems that I can edit /conf/config.xml as needed, make sure that it's valid and then run
/usr/local/etc/rc.d/wireguard restart ?

4
Virtual private networks / Re: WireGuard: how to add endpoints using command-line?
« on: March 08, 2021, 10:43:32 am »
Quote from: pmhausen on March 08, 2021, 08:28:28 am
You could add 2 or 3, then export the configuration, then try to understand the structure of the exported XML and edit that for re-import ...

Yes, that would be a workaround, thanks for the hint. I'd prefer to do a partial restore for WireGuard only, but it seems a partial restore for WireGuard is not possible yet.

The xml fragment for a wg client seems fairly simple, so I am thinking of doing the following:

(1) export the entire config
(2) delete all existing wg endpoints
(3) add all desired wg endpoints
(4) re-import the entire config

When I add/remove an endpoint I can simply repeat the above procedure and have my wg server config correct. Does it seem reasonable/doable?

5
Virtual private networks / Re: WireGuard: how to add endpoints using command-line?
« on: March 08, 2021, 10:35:26 am »
Quote from: mimugmail on March 08, 2021, 06:22:00 am
No, you could write a script calling the needed API calls, but there is none available yet

So I guess my best bet is to wait till the API is available? Do you know when it might be supported (if at all)?

6
Virtual private networks / WireGuard: how to add endpoints using command-line?
« on: March 07, 2021, 10:08:37 pm »
Hello,

I am new to WireGuard. I have followed the official docs and could connect 1 client to WireGuard on my opnsense server. Now I would like to add a few dozens of endpoints for my users -- each user gets his/her own wg config. Can I do that via command line? Can I simply edit /usr/local/etc/wireguard/wg0.conf and then issue /usr/local/etc/rc.d/wireguard restart?

7
20.1 Legacy Series / Re: Added a static route to another host in LAN, traffic gets blocked by firewall
« on: August 10, 2020, 03:46:53 pm »
If someone had the same problem as I did, the solution is:

Firewall-Settings/Advanced/Static route filtering   

check "Bypass firewall rules for traffic on the same interface"

8
20.1 Legacy Series / Re: Added a static route to another host in LAN, traffic gets blocked by firewall
« on: August 07, 2020, 10:38:41 pm »
Quote
"w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule""
w/dest or from?

dest = 192.168.40.0/24, which is another private net but not the same as net on LAN (= 192.168.30.0/24)

Quote
"Default allow LAN to any rule" refers to traffic from LAN subnet, not anything arriving on LAN interface.
Add firewall LAN rule to allow traffic from 192.168.40/24 subnet to LAN subnet.

Yes, I also added a rule on iface LAN to allow everything from LAN iface but it didn't seem to get triggered. Same for the floating rule which allows all traffic in/out on iface LAN.

Traffic from LAN to WAN triggers the rule "Default allow LAN to any rule", but traffic to net 192.168.40.0/24 (which is LAN to LAN) doesn't seem to trigger that rule. Nor the 2 rules I added.

Perhaps the static route I added 192.168.40.0/24 -> int_router causes something so that the rules no longer apply to packets to net 192.168.40.0/24 .


9
20.1 Legacy Series / Added a static route to another host in LAN, traffic gets blocked by firewall
« on: August 07, 2020, 05:26:01 pm »
Hello,

I have a very simple OPNsense setup with 1 iface WAN and 1 iface LAN 192.168.30.1/24. I have done just minimal configuration to get it work (= setting IPs, networks, DNS).

Now I am trying to achieve this: I would like to reroute packets to net 192.168.40.0/24 to another host in LAN, IP = 192.168.30.5

I did the following:
- add a gateway int_router = 192.168.30.5, iface LAN
- add a route 192.168.40.0/24 -> int_router

However I get stuck at this point: packets w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule".

It seems there is already a default rule on LAN iface: "Default allow LAN to any rule", but this rule doesn't work as expected.

I also tried to add a floating rule which allows traffic on LAN iface, both in/out direction, but it doesn't work either.


Any hint what I can try?

Regards,
Tony

10
20.1 Legacy Series / Is it possible to use OpenVPN with my own PKI?
« on: June 15, 2020, 10:30:21 pm »
I am trying to set up OpenVPN using the certificates generated by my own PKI. I did the following:

- setup OpenVPN following the official docs to make sure it works using OPNsense own root CA

- use my root CA to create an intermediate CA (on another host)

- use the intermediate CA to generate certificates (1 for server + 1 for client) for OpenVPN

- copy the certs to OPNsense and import them using https://github.com/pluspol-interactive/opnsense-import-certificate

- create a user in OPNsense

- link the client cert to the user

- openvpn > Client export to get the client files. But I get stuck here: the user I created doesn't show in the list to be exported.

Perhaps I don't need the client cert on OPNsense, however I wanted to export the client from OPNsense to ensure the config is correct.

What am I missing here? Any hint/tip would be much appreciated.

11
20.1 Legacy Series / Load-balancing outgoing OpenVPN traffic -- is it possible?
« on: April 14, 2020, 10:00:41 pm »
Hi,

I am new to OPNsense and I hope this is the right place to post my question:

I have an OPNsense instance with multi-wan and OpenVPN. I have followed the excellent docs at https://docs.opnsense.org/manual/how-tos/multiwan.html and things seem to work fine, except this issue: the outgoing traffic always goes through the default gateway, which is picked by OPNsense randomly (?) at boot time.

I have already added the gateway group to Firewall > Rules > openvpn iface as the gateway for traffic coming into the openvpn iface. According to the docs it seems that it should work but probably I am still missing some steps. I wonder if you could give me a hint how to proceed further:

(1) Is load-balancing outgoing OpenVPN traffic supported by OPNsense (I think it is, just double checking)
(2) What I could do to debug the problem? I am familiar with linux cli but I am willing to learn freebsd commands if needed.

Thanks in advance for any hint.

Edit: the relevant policy based routing part looks as follows (output from pfctl, with IPs slightly changed). Yes pppoe1 and pppoe2 have the same gateway, it's not a mistake.
Code:
pass in quick on openvpn route-to { (pppoe2 10.20.30.1), (pppoe1 10.20.30.1), (em1 123.123.123.123 } round-robin sticky-address inet from (openvpn:network) to any flags S/SA keep state label "8ba5d5e9091ff2cd49e87a66cc467e3b"
