Messages

1

23.1 Legacy Series / Re: OpenVPN Clients Able to Talk To Each Other

« on: February 27, 2023, 05:20:46 pm »

Got it sorted, thanks Patrick - your example worked perfectly (for me personally!) - I didn't use the interface in the end, I just made an alias of the IP subnet's that I don't want talking to each other and it's doing the job nicely.

2

23.1 Legacy Series / Re: OpenVPN Clients Able to Talk To Each Other

« on: February 27, 2023, 05:01:44 pm »

Thanks Patrick, that's really helpful!!

Just want to check with the explicit interface for the openvpn server - do I need to give that interface an IP address as per the OpenVPN subnet? - for example 192.168.0.1/24 - or will that break the OpenVPN Server?

If I leave it without an IP address it knows it should be 192.168.0.1 - but I don't think it knows what subnet its in.

Thanks again!!

3

23.1 Legacy Series / Re: OpenVPN Clients Able to Talk To Each Other

« on: February 27, 2023, 04:12:37 pm »

So both 192.168.0.10 and 11 hosts are connected to the same tunnel - I assumed that the traffic wouldn't route between them - and would be handled by the tunnel? - not sure how I would go about adding a firewall rule stopping comm's on the same subnet? - I assumed the firewall only triggered on traffic entering the interface?

4

23.1 Legacy Series / OpenVPN Clients Able to Talk To Each Other

« on: February 27, 2023, 12:57:51 pm »

Hi All,

I've just setup a new OpenVPN server on the latest Opnsense build and i noticed that 2 clients connected to the same server are able to ping each other, even though the Inter-client communication box is not checked. - is this a bug with the latest build or am i missing something?

The IPV4 Tunnel Network is 192.168.0.0/24 and I have noticed that 2 clients, 192.168.0.10 and 0.11 are able to ping each other.

Thanks
Leacho

5

General Discussion / Hosting Unifi Controller behind HAProxy

« on: May 11, 2022, 03:18:28 pm »

Hi All,

Apologies if this isn't the right forum - please move if I've got it wrong!

Has anyone successfully hosted a Unifi controller behind HAProxy running on OpnSense? - I've got a working config at the moment acting as a web proxy, allowing me to access internal resources via external URLs and Lets Encrypt - but if I want to use it as a 'inform URL' for my access points I need to be able to forward UDP/3478 and TCP/8080 - I'm pretty sure I can't forward UDP? I would do this via normal port forwarding rules, but I have a requirement for different rules depending on the URL they are hitting.

Thanks
Leacho

6

General Discussion / Re: How to setup FreeRadius to bind to Windows AD with LDAP

« on: April 25, 2022, 02:15:17 pm »

Hi All,

I was wondering if anyone got this working - I am trying to setup an always on VPN with Windows 11 and AzureAD - I can authenticate to AzureAD using the Radius server using the 'tester' page within the OpnSense GUI - however, if I try and authenticate via an IPSEC VPN connection using EAP-RADIUS and then set windows 11 to use logged in credentials - I get the following error (as seen further up this thread):

Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [AzureAD\MyUserName/<via Auth-Type = eap>

Worth noting I am using the FreeRadius Plugin

There may very well be a better way around this to setup an always on VPN with OpnSense and Windows 11 - but this is the only way I could think of getting it working if anyone can advise on the above?

Thanks
Leacho

7

21.7 Legacy Series / Re: Route OpenVPN Server Traffic Out of Different Gateway

« on: December 31, 2021, 10:59:57 am »

Ah this is perfect @koushun - I'll give it a go this weekend. I shall report back if this works as intended!

Thanks
Leacho

8

21.7 Legacy Series / Route OpenVPN Server Traffic Out of Different Gateway

« on: December 30, 2021, 05:59:51 pm »

Hi All,

Is it possible to route OpenVPN traffic out of a different gateway other than the default one that is created when a connection is made? - etc 192.168.0.1 as the GW when connecting on a 192.168.0.x address?

I have tried assigning the OpenVPN interface and giving it an IP, but I can see how that wouldn't work with multiple servers, as you get ovpn1, 2 etc etc.

I'm trying to get NetFlow data out of OpenVPN connections, which I know isn't natively supported so I'm trying to send it through another collector, which requires routing it outside the OPNSense appliance.

Thanks
Leacho

9

21.7 Legacy Series / Re: CRL Storage Location

« on: December 15, 2021, 03:37:45 pm »

Thanks @Franco - That could work actually

Do you know if there is a way via API or other method to automate the user creation and deletion for OpenVPN out of interest?

Cheers
Leacho

10

21.7 Legacy Series / CRL Storage Location

« on: December 15, 2021, 01:04:41 pm »

Hi All,

Does anyone know where the CRL's are stored in OpnSense once written to the file system, and is it possible to manually copy a new version over when an external CRL has been updated?

I have an external CA which generates and revokes certs via a number of scripts, and I would like to update the CRL every time that the external CA does by SCP'ing a new CRL file over to my OpnSense server.

Thanks
Leacho

11

21.7 Legacy Series / ACME Client - Validation Failed

« on: December 05, 2021, 06:18:50 pm »

Hi All,

I've recently reinstalled my ACME client and removed the existing config - when I now try and request certificates, I am getting validation failed due to the HTTP-01 check using the custom port that I am using for the GUI as the lookup rather than the normal 443/SSL connection - I see the following in the logs:

Verify error:Fetching https://my.domain.com:12345/.well-known/...........

Normally I would expect the verify URL to just hit https://my.domain.com/.well-known/....

I have the HAProxy integration installed and working ok - no port forwards are set for the management port, so I'm at a loss to what is going on.

Thanks
Leacho

12

21.7 Legacy Series / User Certificate Creation via API

« on: December 05, 2021, 06:02:18 pm »

Hi All,

I was just wondering if it was possible to create user certificates automatically via an API on OPNsense 21.x.x?

I’ve got a requirement where I would like to create users and certificates remotely - whilst wanting to sign certificates using the built in CAs

If it’s not possible via API - is it possible to extract the CAs and sign certificates externally using OpenSSL as an example?

Thanks

13

21.7 Legacy Series / Re: Remove Old HAProxy Config

« on: December 04, 2021, 06:20:58 pm »

Thank you for the quick reply - all removed, and all sorted! 

14

21.7 Legacy Series / Remove Old HAProxy Config

« on: December 04, 2021, 05:44:21 pm »

Hi All,

My HAProxy config has got itself in a bit of a mess after I was playing with the ACME client and SSL certificates.

Is it possible to remove the config completely from my OpnSense install? I've tried removing the files from /usr/local/etc/haproxy and the haproxy.conf file from /usr/local/etc - but even after reinstalling the plugin, all of my existing settings are still there and thus I cannot start the service, or remove any of my old config via the GUI.

Thanks
Leacho

15

21.7 Legacy Series / Re: Unbound Custom Options

« on: December 01, 2021, 09:23:59 am »

Spot on - thank you!!