Messages - road hazard

#1
Thanks for the reply! I thought it sounded too good to be true. :(

I'll give those other products you mentioned a read over.

Thank you
#2
When I was using Untangle, to get -FULL- visibility into all network traffic to/from my machines, I vaguely remember having to import a cert into each computer and it was just a manual, ugly, pain in the butt and never fully worked well and broke a lot of things so I eventually gave up on it.

With ZenA 1.17, would all that be a thing of the past and I'll be able to inspect everything without visiting each machine to install a cert and no fear of breaking apps? My kids are of the age where I want to have more visibility into what they're doing on the internet and I'm wondering if now is a time to give ZA 1.17 a try?

#3
I was poking around in the Zenarmor web reporting tool and this error popped up:

critical: engine configuration error: cannot read any worker configuration from workers.map

I was able to dismiss it and things SEEM ok? Any ideas?

BTW, I was in there testing out blocking pornographic sites and it did work but looking through the logs, I didn't see anywhere that told me the exact URL that was blocked. It would be nice to see this info because of the site possibly being mis-classified and if I know the URL, I could whitelist it.

Thanks
#4
In Untangle, there was a spot you could go to and manually enter names for devices on your network. Looking at my DHCP leases: (see attached picture) ..... there are lots of blank hostnames.

Is it possible (without using the static DHCP feature), to go in and add some text to each of those devices that are missing the hostname so I know what they are?

UTC log file question..... in some of the logs, they have a UTC timestamp. Is there any way to remove UTC stamps and have -EVERY- log file use my current time zone's timestamp?
#5
I have a SiliconDust HDHomeRun TV tuner. It's currently at IP address 172.16.50.138. If I look at DHCP leases in the dashboard, it shows my tuner as active but offline (see attached picture).

I can ping it and watch TV with it so why does OPNsense think it's offline?

UPDATE: Never mind. I power cycled it and it's showing as online now. Guess if it hasn't talked to the OPNsense box in a while it's considered 'offline'.
#6
I'm testing out OPNsense again and that link fixed my problem for my kids' Nintendo Switch, thanks buzz!

#7
Ok... thanks for pointing that out (makes sense now) but here's what I still don't understand.

The first NAT>Port Forward rule I created was for Plex and the 'filter rule association' was set for 'pass' and an associated rule wasn't created in Firewall>Rules>WAN. (Expected behavior.)

When I duplicated that rule and changed the name to 'Emby' and switched the port #, I don't recall what I picked for 'filter rule association'.

When I edited the original Plex rule, I had the following options for the filter section:
none, pass and Emby rule (Odd that it had 'Emby rule' as an option?!)

I deleted the Emby rule from the NAT>Port Forward section and that auto-deleted the Firewall>Rules>WAN rule and this time around, I didn't duplicate the Plex rule but created a new one for Emby.

Something weird though.... for both rules, I only have the options of 'none' or 'pass' for the associated rule section. I don't see an 'Add associated filter rule' option. That a problem?

As it is, Plex and Emby appear to be working perfectly fine without associated rules in the Firewall>Rules>WAN section. Should I leave things alone or create associated rules in there for each?
#8
In the Firewall>NAT section, I created a rule to allow Plex to work. Inbound 32400 and everything is working just fine.

Then, I duplicated that rule and created one for Emby in the same section. Again, no problem.

The weird thing (to me at least and probably due to my lack of understanding and general newbie'ness) is.... I spotted the Emby rule in the Firewall>Rules>WAN section. I didn't create an Emby rule in that section and it looks like OPNsense populated it there by itself?

BTW, how can I embed my pictures into the post vs. having them as attachments? (If I can figure that out, I'll edit my post. :) Or does embedding only work when you link to pictures hosted off-site?

#9
All fixed. :) Another user on here, Ramsense, sent me this guide: https://homenetworkguy.com/how-to/configure-openvpn-opnsense/ and following that (even though it was created on an older version of OPNsense and had a few, minor deviations) I was able to FINALLY get a valid .ovpn file that included the ca, key and cert!

The big difference from my point of view is I didn't use the OpenVPN wizard and did it manually and it's working perfectly now. But if you have the time, I'd be curious what your tests reveal..... wondering if the wizard is indeed busted and not doing something correctly on a fresh install?!
#10
It creates the .ovpn file but it's invalid. (Missing the cert, key and ca sections.)

BUT, good news though. I was talking to another user on here about getting a referral code for Zenarmor and explained my problems getting OpenVPN working and he linked me to this guide: https://homenetworkguy.com/how-to/configure-openvpn-opnsense/ and.......... I was able to create a valid .ovpn file following those steps. :) Super happy now!

One thing I did not do this time around was use the wizard to create the OpenVPN server. Maybe there's a bug in that code?
#11
I made this post https://forum.opnsense.org/index.php?topic=32152.0 over in the VPN forum and for the life of me, I cannot get an .ovpn file generated that has the CA data in there. I want to use the OpenVPN Client and not Viscosity.

I re-read the documentation on setting up the OpenVPN server and deleted everything and started fresh but I always end up with a .ovpn file that lacks the CA info. Heck, it even lacks the key and cert info.

I had an Asus router before and setting up OpenVPN on that thing was a breeze. Clicked a few buttons and minutes later, I had a properly formatted .ovpn file that imported into the OpenVPN client and away it went. I was comparing the Asus generated .ovpn file to the one created in OPNsense and I don't see any of those 3 sections I mentioned above (ca, key, cert) in the OPNsense .ovpn file.

I put the Asus in access point mode and want to use OPNsense but something is messed up. Either I totally suck at following directions, the OPNsense documentation is wrong or there's a bug somewhere with 23.1. :)

BTW, this is a fresh install of 23.1.

Does OPNsense offer fee based tech support for one-off issues? I just need somebody on a TeamViewer session for like 5 minutes to walk me through this. Anything cheaper than the $300/year option? Like $50 per incident? I'm just a single user at my house and want to use OpenVPN to get into my network when I'm on the road.
#12
Thanks for sticking with me but I tried your guide and I re-did the OPNsense guide and same exact end result. My .ovpn file looks like this every time:

dev tun
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote x.x.x.x xxxxx tcp
lport 0
verify-x509-name "C=US, ST=Ohio, L=XXXXX, O=HomeVPN, emailAddress=nobody@cares.org, CN=HomeVPN Server Certificate" subject
remote-cert-tls server
auth-user-pass
pkcs12 VPN_access_HomeVPN_Server_Certificate.p12
tls-auth VPN_access_HomeVPN_Server_Certificate-tls.key 1
Since your resulting .ovpn file has all the CA stuff in it, I'm curious if we're doing an apples to apples comparison? Are you using a fresh install of 23.1 like I am or did you upgrade to it or are you still on an older version of OPNsense?
#13
Quote from: bartjsmit on January 29, 2023, 10:13:35 AM
Both client and server need to agree on a certificate chain. Have you imported the root CA cert and any intermediate cert(s)?

The most portable way is to add them to the ovpn file inside <ca> ... </ca>

Bart...

I followed the instructions in the OPNsense documentation and it isn't working. If I need to manually add something to that ovpn file, this tells me the documentation is wrong or how OPNsense is generating the .ovpn file is broken and I should report this as a bug.

In the meantime, please forgive my ignorance but, can you give me some step-by-step commands on adding the cert inside the file? I have no idea what needs to be pasted in there. :(

With my ASUS router, setting up OpenVPN was dead simple. The resulting .ovpn file it generated was correctly imported into my OpenVPN connect client and away I went. With OPNsense, something appears to be broken.
#14
When I had my ASUS router up and running, I enabled OpenVPN in it, set everything up and exported the .ovpn and imported it into the OpenVPN Connect Client (v3.x) and everything worked perfectly.

I put the ASUS router in AP mode and put it behind a fresh install of OPNsense (23.1) and am trying to set up OpenVPN. I followed the guide on setting it up (not using MFA or anything fancy....just username/pass) and I'd like to use the OpenVPN client and not Viscosity.

I can import the .ovpn file into the OpenVPN client but when I try to connect, I get a 'missing external certificate' error. If I click 'continue', I get the following error: SSL_context_error: OpenSSLContext: CA not defined

I found some fixes from a year or two ago but the parts in the .ovpn file that are usually referenced don't exist in the file that OPNsense 23.1 creates.

Next up, I found somebody talking about using the OpenVPN GUI version (aka, community edition). I installed that and imported my .ovpn file and I'm getting this error: (from the client)
2023-01-28 23:47:18 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-01-28 23:47:18 Cannot pre-load keyfile (VPN_Server_SSLVPN_Server_Certificate-tls.key)
2023-01-28 23:47:18 Exiting due to fatal error
Any ideas? (Besides using Viscosity :) )
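One way to do what Bart's quoted reply suggests for the profile shown in posts #12 through #14 (an exported .ovpn that references a .p12 and a tls-auth key file instead of carrying them inline, which is what produces the "CA not defined" and "Cannot pre-load keyfile" errors): an added Python example, not from the posts or from OPNsense, that rewrites the exported profile into a single self-contained one. The host name, the PEM strings and the .p12 file name used here are constructed placeholders.

```python
# Constructed stand-in for the OPNsense-exported profile quoted in the posts above.
# Host, port and certificate names are placeholders, not real values.
EXPORTED_OVPN = """dev tun
proto tcp-client
cipher AES-256-CBC
auth SHA512
client
remote vpn.example.invalid 1194 tcp
remote-cert-tls server
auth-user-pass
pkcs12 VPN_access_HomeVPN_Server_Certificate.p12
tls-auth VPN_access_HomeVPN_Server_Certificate-tls.key 1
"""

# PEM material is extracted from the exported .p12 beforehand, for example:
#   openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.pem
#   openssl pkcs12 -in client.p12 -clcerts -nokeys -out cert.pem
#   openssl pkcs12 -in client.p12 -nocerts -nodes -out key.pem
# The strings below are constructed placeholders carrying only the PEM framing.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed CA...\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed client cert...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed client key...\n-----END PRIVATE KEY-----\n"
TA_KEY = "-----BEGIN OpenVPN Static key V1-----\n0123...constructed ta key...\n-----END OpenVPN Static key V1-----\n"


def inline_profile(profile, ca_pem, cert_pem, key_pem, ta_key):
    """Rewrite a file-referencing .ovpn into one self-contained profile."""
    out, legacy_cipher, direction = [], None, None
    for line in profile.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("pkcs12", "ca", "cert", "key"):
            continue                      # drop blanks and external file references
        if tok[0] == "tls-auth":
            direction = tok[2] if len(tok) > 2 else None  # trailing "1" = client key direction
            continue
        if tok[0] == "cipher":
            legacy_cipher = tok[1]        # remembered for the data-ciphers list below
        out.append(line)
    if legacy_cipher and not any(l.startswith("data-ciphers") for l in out):
        # OpenVPN 2.5+ negotiates from data-ciphers; keep the legacy cipher negotiable.
        out.append(f"data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:{legacy_cipher}")
    if direction is not None:
        out.append(f"key-direction {direction}")  # replaces tls-auth's trailing argument
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem), ("tls-auth", ta_key)):
        out.append(f"<{tag}>\n{pem.strip()}\n</{tag}>")
    return "\n".join(out) + "\n"
```

The resulting profile can be imported into either OpenVPN Connect or the community-edition GUI on its own, since nothing in it points at a file that has to sit next to it.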

#15
Getting ready to take the plunge back into OPNsense. Anyone have a referral code for Zenarmor?

If we're not allowed to ask for those, sorry. :(