Messages

1

Web Proxy Filtering and Caching / Large squid and i-cap access logs

« on: September 16, 2024, 10:55:17 pm »

Opnsense is in the latest version (24.7.4) and today I run into issue of completely filled disc.
After running following command I could have seen:

Code: [Select]

root@OPNsense:/ # du -mah | sort -rh | head -n 10
 37G .
 28G ./var
 25G ./var/log
 16G ./var/log/squid
9.5G ./var/log/squid/access.log
8.0G ./usr
7.8G ./var/log/c-icap/access.log
7.8G ./var/log/c-icap
7.4G ./usr/local
7.0G ./var/log/squid/store.log


So, squid and i-cap access logs were enormous; I had to manually delete them and restart services. I use squid + I-cap + clamav to scan web data.


What could cause creation of such a big access logs?

2

24.7 Production Series / Re: puzzled by the ISC/KEA DHCP direction

« on: July 29, 2024, 04:36:20 pm »

 I'm puzzled too - I don't understand implementing KEA when it doesn't match functionalities in ISC. Issues in 24.7 with OpenVPN UDP server (at least in my case) plus removing functionality in ISC dhcp in 24.7 made me reverting upgrade back. to version 24.1.10...

3

24.7 Production Series / Re: Openvpn Server interface: dco_set_ifmode: failed

« on: July 25, 2024, 11:00:02 pm »

One more thing.
Openvpn TCP server (legacy) was fully running.
But UDP server (legacy) was running but there was no connectivity. I mean netcat was showing replies from hosts on various ports but nothing could go through browser.
I gave up and restored 24.1.10...

4

24.7 Production Series / Re: Openvpn Server interface: dco_set_ifmode: failed

« on: July 25, 2024, 08:16:35 pm »

Thanks, but what keeps stopping me from migration is missing TLS authentication (TLS Shared Key) in instances config.
Will it be added there?

5

24.7 Production Series / Re: Openvpn Server interface: dco_set_ifmode: failed

« on: July 25, 2024, 07:56:40 pm »

Not going to be in legacy client/server, sorry.

Thus I need to migrate to "instances"?

6

24.7 Production Series / Re: Openvpn Server interface: dco_set_ifmode: failed

« on: July 25, 2024, 07:49:35 pm »

disable-dco

Yes, that restored UDP server...
But how to change config to use DCO?

7

24.7 Production Series / Openvpn Server interface: dco_set_ifmode: failed

« on: July 25, 2024, 07:12:43 pm »

After upgrading to 24.7 (for test purposes  ) openvpn UDP server (legacy) doesn't work anymore and throws following errors:

Code: [Select]

2024-07-25T19:06:21 Warning openvpn_server9 dco_set_ifmode: failed to set ifmode=00008002: Invalid argument (errno=22)
2024-07-25T19:06:21 Warning openvpn_server9 Failed to create interface ovpns9 (SIOCSIFNAME): File exists (errno=17)

Ho to fix it?

8

24.1 Legacy Series / ipv6 - tunnelbroker - connectivity issues

« on: February 29, 2024, 12:31:55 pm »

I have setup, in a few of my vlans, some time ago ipv6 through tunnelbroker.
It's been working fine until now. Still I can ping WAN hosts, unbound resolves AAAA queries:

% dig google.com AAAA       

; <<>> DiG 9.10.6 <<>> google.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4210
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.         IN   AAAA

;; ANSWER SECTION:
google.com.      40   IN   AAAA   2a00:1450:401b:804::200e

;; Query time: 2 msec
;; SERVER: X001:XXX:XXXX:4::1#53(X001:XXX:XXXX:4::1)
;; WHEN: Thu Feb 29 12:00:35 CET 2024
;; MSG SIZE  rcvd: 67

But any tests I do via browsers (Safari, Chrome), fail miserably. For example, https://test-ipv6.com/, says there's no ipv6 address discovered.
With exception of my OpenvPN road warrior connection. When I connect via VPN, all is ok. 
FW has of course ipv6 enabled and respective vlan also has rule allowing all "IN" ip4+ip6 traffic - as same as group openvpn interface. How to troubleshoot it???


EDIT:
It seems like I can think better when I write post :-). I had/have caching (squid, icap) enabled on couple of vlans. And this was filtering out my ipv6. Is it possible to configure caching for ipv6?

9

Virtual private networks / [SOLVED]Re: OPNsense 24.1 - OpenVPN TLS handshake failed

« on: February 29, 2024, 11:55:13 am »

So, reason for issue in 24.1 were these options:

Code: [Select]

user openvpn
group openvpnMore likely this particular user/group

# id openvpn
uid=301(openvpn) gid=301(openvpn) groups=301(openvpn)

can't run:

tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '9'"

despite script is allowed to be executed by everybody:

-rwxr-xr-x  1 root  wheel  4522 Feb 21 12:49 ovpn_event.py

10

Virtual private networks / Re: OpenVPN server instance - no ipv4 access to WAN

« on: February 28, 2024, 05:02:28 pm »

I just tried to recreate the OpenVPN server using legacy config (I am on 24.1.2_1). To be honest, I feel they are quite similar:
1. both automatically create interface (both un-assigned though)
2. ipv6 (youtube) doesn't go through VPN for either (i think)
3. both leak ipv6 address (confirmed from https://ipleak.net/)
4. had to manually specify client DNS (to use Unbound) for both configs
5. had Unbound set to bind to ALL for both, and no need to do anything else

The only two diffs I see:
a. Unbound bind interfaces drop-down menu doesn't show VPN for new config. However this doesn't seem to matter as I set to bind to ALL so it just works (as long as I did 4 above)
b. SNAT is automatically generated for VPN interface for legacy config. Had to manually add it for new.

To your other question, I don't see a way to manually add OpenVPN options in new config either. However even in the legacy config, that option seems deprecated already - "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting."

I've just installed fresh Opnsense in new VM - and it's exactly like you said above (in bold) and like is in my main and multiple updated instance...
So, it is really big, backward step in OpenVPN functionality...

11

Virtual private networks / Re: OpenVPN server instance - no ipv4 access to WAN

« on: February 28, 2024, 02:17:55 pm »

Despite I haven't done any manual changes or installed 3rd party repo/software (with exception of Zenarmor), I think there's some error in my instance config.
I've just done reinstall with config restore - but still is the same: legacy servers have stopped working properly in 24.1 SNAT requires manual intervention.

It tempts me to start from scratch, but I'm afraid of amount of work and time required to get everything else up and working...

12

Virtual private networks / Re: OpenVPN server instance - no ipv4 access to WAN

« on: February 27, 2024, 11:36:58 am »

I had to manually create the exact same FW rule, and also this outbound NAT rule so that my road warrior client can access WAN (ipv4)

Thanks! Seems like it works with addition of SNAT including WAN address.
So, now questions are:
Why instance server works so differently from legacy config?
Is as per design or some sort of bug?
Why ipv6 works without SNAT rule?
I can't find documentation for instance OpenVPN, except this: https://docs.opnsense.org/manual/vpnet.html#openvpn-ssl-vpn
Have you seen one?


EDIT:
Is there any way to add manually other (missing in GUI) OpenVPN options to instance config? Not so many are available in GUI...


EDIT2:
Since I can't set in server instance:

Code: [Select]

tun-mtu-extra 32;
mssfix 1450;
fast-io;Connection over server instance is 7 times slower that connection over legacy config...


EDIT3:
After having done update done from 23.7.12 to 24.2 I noticed: Instance config doesn't create automatically interface - unbound DNS can't of course be configured to bind to it. After I manually created interface - it works.
But it looks like really 10 steps backwards!

13

Virtual private networks / OpenVPN server instance - no ipv4 access to WAN

« on: February 26, 2024, 04:00:31 pm »

As legacy config of VPN servers will be / is EOL, I would like to migrate to instance config my road warrior setup.
I used all available settings in Openvpn server instance to migrate settings from legacy config; but despite having set redirect gateway (default, block local and ipv6 default) I can connect only ipv4 to LAN hosts and nothing in WAN. ipv6 works.
Do I need to setup additional FW rule to what was done for legacy config under OpenVPN instance:

Code: [Select]

Allow IPv4+6 * OpenVPN net * * * * *  Default allow Openvpn to any rule


EDIT:
After enabling logging in above rule, I can see that request are being sent. So, is something wrong with SNAT or created instance interface? But having created outbound NAT rule doesn't help, thus issues with tun interface?

14

Virtual private networks / Re: Redirect Gateway not working with new Instances

« on: February 25, 2024, 01:12:35 pm »

Solution: Added outbound nat for the OpenVPN net (I use Manual outbound NAT rule generation). Redirect gateway is set to default.

I'm facing the same issue: after connecting to instance Server I'm able to reach only hosts in LAN and not in WAN.
Creating SNAT for Openvpn interface doesn't help. Could you please be more specific??


Legacy config works as it should - OK.

15

Virtual private networks / Re: OPNsense 24.1 - OpenVPN TLS handshake failed

« on: February 25, 2024, 12:14:50 am »

So, using the same certificates and crypt, and all available settings in Openvpn server instance let me to connect to server. 
But despite I have set redirect gateway (default, block local and ipv6 default) I can connect only to LAN hosts and nothing in WAN.
What's wrong in OpenVPN in 24 series?
Everything worked great in Opnsense 23...