Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - mokaz

Pages: [1]

Virtual private networks / Re: WireGuard service traffic routing/force unique gateway

« on: August 24, 2024, 10:01:33 am »

Hi again all,

So after troubleshooting a notch more, it turns out that:

- source port UDP:51820 packets flying out over the overlay only occurs upon peer "disconnection" (when turning WG tunnel OFF on the client device).
- the time frame while this is occuring is always around 900 seconds, I suspect CLOSE_WAIT and TIME_WAIT sessions perhaps.

Thanks for any possible advice here.

Cheers,
m.

Virtual private networks / WireGuard service traffic routing/force unique gateway

« on: August 22, 2024, 01:45:20 pm »

Hi all,

I'll try to summarize my setup:

- wg0 instance reachable through the WAN interface + peers + config + unbound DNS etc etc (all working super duper fine)
- ovpnc1 interface where I'm routing wg clients 0.0.0.0/0 type of traffic (working super duper)

My only current concern is that this setup as somewhat of an asymmetrical routing issue, as either WAN or ovpnc1 could reach 0.0.0.0/0 -- I sometimes have witnessed some UDP:51820 source port bound packets to fly out over the overlay/ovpnc1 interface, which is unwanted. I did countermeasure that through the firewall but I'd been hunting for a cleaner solution.

Would it be possible to bound a specific and unique gateway to the WireGuard service itself? Hence always receiving and sending WireGuard tunnel service traffic over the exact same interface/gw combo at the opnsense level.

Let me know,
Regards,
m.

Web Proxy Filtering and Caching / Re: Squid 6.9 has been released

« on: May 16, 2024, 08:26:02 pm »

Hi Franco, team,

Clean fix indeed =) I've just seen the 24.1.7 announcement, thanks for all the work.
Quick question: should I revert to the "original" status / edit

Code: [Select]

/usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf to it's original status prior to apply 24.1.7 ?

Thanks,
Regards,
m.

Web Proxy Filtering and Caching / Re: Squid 6.9 has been released

« on: May 09, 2024, 10:23:22 am »

Hi Franco, team,

Tested this workaround with prior to that, re-enabling Squid 6.9 on 24.1.6.
All fine here, config parses all good.

Thanks guys!
Cheers,
m.

Web Proxy Filtering and Caching / Re: Squid 6.9 has been released

« on: May 07, 2024, 11:15:51 pm »

Quote from: franco on May 07, 2024, 01:52:22 pm

I think all later 6.x are affected. Come to think of it it may be an OpenSSL 3 incompatibility...

Hi Franco,

Yes, I've carefully read the github issue and comments and hum well, even with 6.8 it still SEGFAULT's. I'll need to read more about the latest findings; squid's legacy openssl issue.

On another frontline, I'm here running different proxies all running squid 6.8 + ssl bumping all over + a really bigger and rather complex configuration which doesn't show any of such artifacts.. Theses are running on Debian though.

Anyways, let's hope for a fix at some point as I do think that transparent proxy on opnsense is extremely sexy TBH.

Cheers,
m.

Web Proxy Filtering and Caching / Re: Squid 6.9 has been released

« on: May 03, 2024, 09:52:00 pm »

Hi Franco, all,

Thanks for the lead =) Here is what I've done to get it back to "work", which is a workaround/downgrade:

Code: [Select]

root@opnsense:/ # opnsense-revert -r 24.1.5 squid
Fetching squid.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
squid-6.8: already unlocked
Installing squid-6.8...
package squid is already installed, forced install
...

This obviously after having passed the OPNsense 24.1.6-amd64 update.

Thanks,
m

Web Proxy Filtering and Caching / Re: Squid 6.9 has been released

« on: April 26, 2024, 07:37:54 am »

Hi there,

Updated to 6.9 rendering a no start of the squid daemon. Conf is pretty slick here, transparent only.
Cloned the VM for troubleshooting, could you perhaps head me towards the squid daemon startup logs?

Code: [Select]

tail -f dmesg.today 
pid 37033 (squid), jid 0, uid 100: exited on signal 11
pid 43233 (squid), jid 0, uid 100: exited on signal 11
pid 56327 (squid), jid 0, uid 100: exited on signal 11
pid 71492 (squid), jid 0, uid 100: exited on signal 11
pid 82282 (squid), jid 0, uid 100: exited on signal 11
pid 90846 (squid), jid 0, uid 100: exited on signal 11
pid 84958 (squid), jid 0, uid 100: exited on signal 11
pid 93956 (squid), jid 0, uid 100: exited on signal 11
pid 1971 (squid), jid 0, uid 100: exited on signal 11
pid 13146 (squid), jid 0, uid 100: exited on signal 11

Thanks,
m.

General Discussion / Re: Please Make a Donation to OPNsense

« on: March 02, 2024, 11:33:55 am »

Hi all,

Just wired 50 Euros -- thanks for OPNsense !!

cheers,
m.

General Discussion / Re: Swap physical interfaces

« on: March 01, 2024, 08:32:19 pm »

Quote from: CJ on March 01, 2024, 04:55:02 pm

If you're adding an interface then normally it's relatively easy, if somewhat annoying to swap things around.

Can you post a diagram or list showing your desired before and after states? It sounds like you've got a lot of moving parts which can add to the complexity.

Thanks a lot for your help guys. Hence, I gave this a 2nd shot and now everything has been an home run from start to finish...

Basically to explain you what/why I wanted to change this scheme -- historically I've had all the traffic of that OPNsense (was something else before/big up for OPNsense, way better...) passing through another main NGFW. That main NGFW had all the needed objects/policies enabled to reach potential services behind the OPNsense... This was to simplify the design at the time (single WAN uplink).. Although, that main NGFW is somewhat of a personal playground which means that conducting maintenance on that one would had disrupted the OPNsense box connectivity -- fact which I wanted to change because newly so, there are now peoples behind the OPNsense box, whooohooo...

Well the problem here most likely lied in between the chair and the keyboard =)

Thanks a lot for your help,
Cheers,
m.

General Discussion / Swap physical interfaces

« on: March 01, 2024, 04:42:02 pm »

Hi there Team,

I recently wanted to do the following's on my OPNsense system:

add a new physical interface
swap my WAN interface with the newly added vtnet5 adapter (was vtnet1.xxx)
update my main gateway reflecting the changes
the old WAN interface (the vLAN as well as its parent interface) would have been moved toward a different Zone (keeping an IPsec tunnel through here)

Sadly, my testings went pretty south TBH =) -- I ended up restoring a VM backup.
One of the artifact I've seen was that my old (vLAN based) gateway configuration kept coming back in the GUI/XML configuration and traffic didn't seemed to flow through the newly assigned WAN member. DHCP client had been functioning on the newly assigned interface though.

Is there anything I need to pay attention to before attempting the shift again ?

Let me know,
Cheers,
m.

Zenarmor (Sensei) / Re: Integrating Zenarmor with Wazuh - A guide to SIEM integration using Syslog

« on: February 28, 2024, 02:28:29 pm »

Hi there team,

Is this "still" supposed to work with current versions of either Wazuh or OPNsense?
I can't get this to trigger any alerts in Wazuh, syslogs are coming through though.

Let me know,
Thanks & regards,
m.

Web Proxy Filtering and Caching / Transparent Proxy for Multiple Interfaces

« on: January 30, 2024, 10:28:23 am »

Hi all,

I just wanted to share how I've setup OPNsense to provide Transparent Proxy over multiples interfaces.
The idea was to provide TP over: LAN, Internal WiFi, Guest WiFi and SSLVPN Road Warriors as well.

01 - For the SSLVPN part, you first need to assign your OpenVpn interface as an assigned interface.
02 - Enable the Web Proxy and assign all the interfaces you want your Squid Proxy daemon to listen to.
03 - Create NAT rules: Firewall --> NAT --> Port Forward / I have here created two rules (TCP:80 & TCP:443) involving all the interfaces I wanted to be Transparently Proxied/redirected (to TCP:3128 & TCP:3129 respectively).
04 - Within the Web Proxy > Forward Proxy > Access Control List -- you need to specify your Allowed Subnet within the Forward Proxy > Allowed Subnet.
05 - IF you're using Unbound DNS, you'll need to create Access Lists according to your different subnets using the Unbound DNS services.

You can see my config's within the attachments below.

Hope this helps.
Cheers,
m.

PS: can I use the attached images within my own post? couldn't figure how/if possible...

Web Proxy Filtering and Caching / OpenVPN + transparent proxy

« on: June 22, 2020, 03:56:53 pm »

Hi all,

I've been trying to make my Squid transproxy to work for OpenVPN road warriors. Till now without success.
Has any of your got such a setup working ?

I've tried many things.. One idea was a loopback for squid and do the redirect to that IP instead of the 127.0.0.1 but no chance there either. At best I'd want to have a single loopback for squid if possible.

Attached a view of my vSSLVPN interface and the corresponding port forward NAT entries.

Thanks a lot,
mokaz

Pages: [1]