Messages - leacho73

#1
Got it sorted, thanks Patrick - your example worked perfectly (for me personally!) - I didn't use the interface in the end, I just made an alias of the IP subnets that I don't want talking to each other and it's doing the job nicely.
#2
Thanks Patrick, that's really helpful!!

Just want to check with the explicit interface for the openvpn server - do I need to give that interface an IP address as per the OpenVPN subnet? - for example 192.168.0.1/24 - or will that break the OpenVPN Server?

If I leave it without an IP address it knows it should be 192.168.0.1 - but I don't think it knows what subnet it's in.

Thanks again!!
#3
So both 192.168.0.10 and .11 hosts are connected to the same tunnel - I assumed that the traffic wouldn't route between them - and would be handled by the tunnel? - not sure how I would go about adding a firewall rule stopping comms on the same subnet? - I assumed the firewall only triggered on traffic entering the interface?
#4
Hi All,

I've just set up a new OpenVPN server on the latest OPNsense build and I noticed that 2 clients connected to the same server are able to ping each other, even though the Inter-client communication box is not checked. - is this a bug with the latest build or am I missing something?

The IPv4 Tunnel Network is 192.168.0.0/24 and I have noticed that 2 clients, 192.168.0.10 and .11, are able to ping each other.

Thanks
Leacho
#5
Hi All,

Apologies if this isn't the right forum - please move if I've got it wrong!

Has anyone successfully hosted a Unifi controller behind HAProxy running on OPNsense? - I've got a working config at the moment acting as a web proxy, allowing me to access internal resources via external URLs and Let's Encrypt - but if I want to use it as an 'inform URL' for my access points I need to be able to forward UDP/3478 and TCP/8080 - I'm pretty sure I can't forward UDP? I would do this via normal port forwarding rules, but I have a requirement for different rules depending on the URL they are hitting.

Thanks
Leacho
#6
Hi All,

I was wondering if anyone got this working - I am trying to set up an always-on VPN with Windows 11 and AzureAD - I can authenticate to AzureAD using the RADIUS server using the 'tester' page within the OPNsense GUI - however, if I try and authenticate via an IPsec VPN connection using EAP-RADIUS and then set Windows 11 to use logged-in credentials - I get the following error (as seen further up this thread):

Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication): [AzureAD\MyUserName/<via Auth-Type = eap>

Worth noting I am using the FreeRADIUS plugin.

There may very well be a better way around this to set up an always-on VPN with OPNsense and Windows 11 - but this is the only way I could think of getting it working, if anyone can advise on the above?

Thanks
Leacho
#7
Ah this is perfect @koushun - I'll give it a go this weekend. I shall report back if this works as intended!

Thanks
Leacho
#8
Hi All,

Is it possible to route OpenVPN traffic out of a different gateway other than the default one that is created when a connection is made? - e.g. 192.168.0.1 as the GW when connecting on a 192.168.0.x address?

I have tried assigning the OpenVPN interface and giving it an IP, but I can see how that wouldn't work with multiple servers, as you get ovpn1, 2 etc etc.

I'm trying to get NetFlow data out of OpenVPN connections, which I know isn't natively supported, so I'm trying to send it through another collector, which requires routing it outside the OPNsense appliance.

Thanks
Leacho
#9
21.7 Legacy Series / Re: CRL Storage Location
December 15, 2021, 03:37:45 PM
Thanks @Franco - That could work actually

Do you know if there is a way via API or other method to automate the user creation and deletion for OpenVPN out of interest?

Cheers
Leacho
#10
21.7 Legacy Series / CRL Storage Location
December 15, 2021, 01:04:41 PM
Hi All,

Does anyone know where the CRLs are stored in OPNsense once written to the file system, and is it possible to manually copy a new version over when an external CRL has been updated?

I have an external CA which generates and revokes certs via a number of scripts, and I would like to update the CRL every time that the external CA does by SCP'ing a new CRL file over to my OPNsense server.

Thanks
Leacho
#11
21.7 Legacy Series / ACME Client - Validation Failed
December 05, 2021, 06:18:50 PM
Hi All,

I've recently reinstalled my ACME client and removed the existing config - when I now try and request certificates, I am getting validation failed due to the HTTP-01 check using the custom port that I am using for the GUI as the lookup rather than the normal 443/SSL connection - I see the following in the logs:

Verify error:Fetching https://my.domain.com:12345/.well-known/...........

Normally I would expect the verify URL to just hit https://my.domain.com/.well-known/....

I have the HAProxy integration installed and working ok - no port forwards are set for the management port, so I'm at a loss to what is going on.

Thanks
Leacho

#12
21.7 Legacy Series / User Certificate Creation via API
December 05, 2021, 06:02:18 PM
Hi All,

I was just wondering if it was possible to create user certificates automatically via an API on OPNsense 21.x.x?

I've got a requirement where I would like to create users and certificates remotely - whilst wanting to sign certificates using the built-in CAs.

If it's not possible via API - is it possible to extract the CAs and sign certificates externally using OpenSSL as an example?

Thanks
#13
21.7 Legacy Series / Re: Remove Old HAProxy Config
December 04, 2021, 06:20:58 PM
Thank you for the quick reply - all removed, and all sorted! 8)
#14
21.7 Legacy Series / Remove Old HAProxy Config
December 04, 2021, 05:44:21 PM
Hi All,

My HAProxy config has got itself in a bit of a mess after I was playing with the ACME client and SSL certificates.

Is it possible to remove the config completely from my OPNsense install? I've tried removing the files from /usr/local/etc/haproxy and the haproxy.conf file from /usr/local/etc - but even after reinstalling the plugin, all of my existing settings are still there, and thus I cannot start the service or remove any of my old config via the GUI.

Thanks
Leacho
#15
21.7 Legacy Series / Re: Unbound Custom Options
December 01, 2021, 09:23:59 AM
Spot on - thank you!! :)