Messages - jasgg

#1
Quote from: kebek on August 28, 2022, 10:03:59 PM
# Backend: filemanager_backend (File Browser)
backend filemanager_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: ipIsInLocalNetwork_condition
    acl acl_630bb0033adfc2.41301877 src 10.1.1.0/8

    # ACTION: ipIsInLocalNetwork_rule
    http-request deny if !acl_630bb0033adfc2.41301877
    http-reuse safe
    server filemanager_server 10.1.1.10:8000

Another solution where you don't have to deal with booleans

Hello, I'm trying to replicate this configuration for the ACL at the BE, but I can't find where. I'm now using the 25.1.3 version of OPNsense.

I can only do it using a condition and then mapping it to the rule for the BE, but this way, it appears on the FE rule ACL.

Thanks in advance.
JG
I think this has the same effect, but I'm trying to simplify the configs while I'm moving my HAProxy from a Docker container to the OPNsense.
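The quoted backend denies every request whose source does not match the `src` ACL, so the allowlist prefix decides who can reach the file manager at all. The following is an added example (not from kebek's post or from OPNsense/HAProxy code) that parses `acl ... src` and `http-request deny if` lines from a constructed copy of that backend, flags prefixes whose network address has host bits set (HAProxy applies the mask, so `10.1.1.0/8` matches all of `10.0.0.0/8`, which is wider than the `10.1.1.x` name suggests), and evaluates the deny decision for sample client addresses. It is a Python stand-in for HAProxy's own evaluation and covers only `src` ACLs and single-condition deny rules.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the quoted backend (not a live config).
BACKEND_CONFIG = """\
backend filemanager_backend
    mode http
    acl acl_630bb0033adfc2.41301877 src 10.1.1.0/8
    http-request deny if !acl_630bb0033adfc2.41301877
    server filemanager_server 10.1.1.10:8000
"""

ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")
DENY_RE = re.compile(r"^\s*http-request\s+deny\s+if\s+(!?)(\S+)")


def parse_src_acls(config):
    """Return {acl_name: [pattern, ...]} for every 'acl NAME src ...' line.

    HAProxy allows several space-separated patterns after 'src'; all are kept.
    """
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).extend(m.group(2).split())
    return acls


def parse_deny_rules(config):
    """Return [(negated, acl_name), ...] for single-condition deny rules."""
    rules = []
    for line in config.splitlines():
        m = DENY_RE.match(line)
        if m:
            rules.append((m.group(1) == "!", m.group(2)))
    return rules


def check_pattern(pattern):
    """Return (effective_network, warning_or_None) for one src pattern.

    strict=True rejects a prefix whose host bits are set; strict=False gives the
    masked network HAProxy will actually match against.
    """
    effective = ipaddress.ip_network(pattern, strict=False)
    try:
        ipaddress.ip_network(pattern, strict=True)
        return effective, None
    except ValueError:
        return effective, f"{pattern} has host bits set; HAProxy matches it as {effective}"


def audit(config):
    """List warnings for every src pattern that does not say what it seems to say."""
    warnings = []
    for name, patterns in parse_src_acls(config).items():
        for p in patterns:
            _, warning = check_pattern(p)
            if warning:
                warnings.append(f"{name}: {warning}")
    return warnings


def is_denied(config, client_ip):
    """Evaluate the deny rules for a client address; the first firing rule wins."""
    acls = parse_src_acls(config)
    ip = ipaddress.ip_address(client_ip)
    for negated, name in parse_deny_rules(config):
        nets = [ipaddress.ip_network(p, strict=False) for p in acls.get(name, [])]
        matched = any(ip in n for n in nets)
        # A rule fires when its condition is true: acl matched, or not matched if negated.
        if matched != negated:
            return True
    return False


if __name__ == "__main__":
    for w in audit(BACKEND_CONFIG):
        print("WARNING:", w)
    for client in ("10.1.1.25", "10.200.0.1", "192.168.1.5"):
        print(client, "denied" if is_denied(BACKEND_CONFIG, client) else "allowed")
```

The point of the audit step is that `10.200.0.1` is allowed by this backend even though the ACL is named after the local network; if only `10.1.1.0/24` should reach the file manager, the prefix length is what has to change, not the deny rule.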
#2
Hi, I ran into this issue, and in my tests I was able to 'link' both user and cert by using the button '*'; on the users list, it says 'Search certificates by username'.
It will show an empty list; create the cert, notice the button, and have the 'common name' for the user.

Then do as usual, and export the OVPN profile.

JG
#3
Quote from: franco on February 06, 2025, 07:41:25 AM
The import browser was merely a tool to list DN/CN.. All you need to do to "import" is match the CN on the LDAP as a user name? That's all there is to LDAP imports. The magic happens in the authenticator, not the user.


Cheers,
Franco

Trying to create the below user based on the AD info:

dn => CN=Jorge Gomes,OU=users,OU=office365,OU=Sede,DC=sample,DC=xpto

On the input field for the username, if I put 'Jorge Gomes' it says that it 'must contain alphanumeric characters or a valid email', so it's not accepting the CN for the user; the samaccountname => jgomes.

You had a good solution with the import utility, but you made this more complex for most of us ...

So, how should I create a user on the OPNSense?

Thanks.
JG

--- Tested the following ---

On the GUI, I created the user with the following data:
username: jgomes
pwd: ticked the scrambled box
full name: Jorge Gomes

On the users list, I clicked 'search certificates by the username', which gave me an empty result, but I clicked the '+' and that opened a box to create the certificate for the user, with the common name as the user name, and after saving it, it was then mapped to the user.

After going to VPN - Client Export and exporting the OVPN config, I imported it on my client and logged in with the username and PW from the AD user; remember that I created the user with a 'scrambled' password, and it logged in.
So I guess it's working ...

Can you validate these quick steps?
Thanks in advance.

#4
Quote from: Schubert on March 10, 2025, 06:40:50 PM
Hi @all,

we operate a site network with about 30 opnsense devices and about 300 OpenVPN users. We regret the lack of an LDAP importer – that worked well for us (including manual addition of an OTP).

I have the following questions:

(1) with the new process, is it intended that the user account (without OTP) is synchronised from the LDAP server to the opnsense at the moment the user logs on to the manage GUI of the relevant opnsense?

If so, are there any example configurations for this? Our tests have not been successful so far - unless the user was previously created locally on the Opnsense (GUI).
But that is not practical for 300 users. If each user only had to log in to the portal once, that would not be a problem and would be a good solution.


(2) is there a way to import LDAP accounts to the opnsense outside of API scripts? Is this option planned for the future?

Well, this was a slap on my face ...
I also wish to know the solution for the above question, since I have a very large number of AD users (100+) in sync with one of the OPNsense boxes.

Thanks in advance.
JG
#5
25.1, 25.4 Series / Re: Cannot Import LDAP Users
March 10, 2025, 08:17:00 PM
Issue:
Hi all, today I upgraded one of my OPS to 25.1.1 and the LDAP users sync and creation of user certificates are no longer available.
I can validate the already created users but can't sync the new AD users either. There is no cloud button or anything to start the sync. Also, if I enter an already created user, I cannot issue a certificate for OpenVPN in the user edit settings GUI.

What changed?

All the other users created before the upgrade can use the OVPN and login.

Question or clarification:

1. Has the SYNC button disappeared? If so, is there any other way of syncing the AD LDAP users?
2. How do I create the user certificate to be used by OpenVPN? By using 'system-trust-certificates' and creating the user cert in there?


Thanks in advance for the help and support.
JG
#6
Hi, I'm trying to figure out how to get this working, since you don't provide much info on how to deploy it.

Yes, you provide a way of installing it but nothing more, such as:
- which distros can be used?
- Which is the best approach: a bare-metal system, or can it be deployed on a running system with Docker, for instance?

Can you be more informative about this?

Appreciated.

JG
#7
Quote from: Patrick M. Hausen on October 03, 2024, 11:31:44 PM
You would need to come up with a script that produces OPNsense standard XML. No direct import function, sorry.

Thanks for the reply.
JG
#8
Hello all,
Is it possible to import a config file from an HAProxy server running on Alpine to OPNsense?

I have pretty much around 45 backends ...

Much appreciated.
JG
#9
Hello all,

I'm setting up several OPNsense boxes for several clients to replace existing ones from other vendors.

So, I have a box for testing and I've set up OpenVPN using the new instances method, but this is causing all the VPN clients to keep restarting; my best guess is that it's because of a lack of connectivity on the VPN tunnel, as only the traffic for the remote LAN is passed.
I couldn't find any settings to allow/disallow this in the configuration GUI, and 'Google' points in so many directions that I decided to ask here.

I have configured a 'legacy' server on the side of the instances, and that one does not disconnect the clients.

Where shall I start digging?
What shall I change in the .conf files, if that is the case, since this probably gets overwritten on updates/upgrades?

The idea is to have a POC box with the latest possible technologies for firewalling.

Thanks in advance.

JG
#10
Hello all, I can't find any valid how-to for setting this up on OPNsense.

I need to set up a domain wildcard on the OPN, is that possible?
I've tried several possibilities, but all I can get is a response saying that it's an 'Invalid Domain'.

The API TOKEN is correctly set up; of that I'm sure.
The account has 2 domains in it, but the token points to the correct setting, allowing 'Edit' on all of them.

Can anyone point me in a good direction?
Trying to move away from pfSense, but without this I can't proceed.

Thanks and regards.
JG

Edit: After several hours, it managed to accept the cert creation ... not sure how, since the settings are the same ...