Messages

1

Virtual private networks / Re: "can't assign requested address" – opnSense on AWS

« on: October 24, 2024, 01:56:37 am »

Oh, I solved it. The local IP in OPNsense needs to be the private IP address and not the public Elastic IP. This is because the EIP is natted onto the EC2 instance and is not directly associated with any of the attached network interfaces.

When the traffic goes out from OPNsense, the other end of the connection only sees the EIP address, so it all works as expected.

2

Virtual private networks / Re: "can't assign requested address" – opnSense on AWS

« on: October 24, 2024, 01:29:02 am »

I am facing the exact same issue on AWS while trying to get IPsec working:

Code: [Select]

2024-10-24T00:09:04 Informational charon 04[NET1] error writing to socket: Can't assign requested address

Did you ever solve this?

The same IPsec configuration works fine on a hardware appliance in my office.

3

General Discussion / Re: Backup: Nextcloud configuration

« on: May 12, 2021, 01:22:20 am »

I went through the process of creating a CA and cert for Nextcloud in OPNsense and installing it on my Nextcloud instance. Still did not work. The reason is that the HTTPS communication is handed off to curl, so it is necessary to do the following:

Code: [Select]

vi /usr/local/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
add the following lines to the curl_setopt_array:

Code: [Select]

CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_SSL_VERIFYPEER => false,
This is how the array looks now:

Code: [Select]

curl_setopt_array($curl, array(
    CURLOPT_URL => $url,
    CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
    CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
    CURLOPT_VERBOSE => 0,           // same here
    CURLOPT_MAXREDIRS => 0,         // no redirects
    CURLOPT_TIMEOUT => 60,          // maximum time: 1 min
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_USERPWD => $username . ":" . $password,
    CURLOPT_SSL_VERIFYHOST => false,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_HTTPHEADER => $headers
));
After doing this, I was able to backup my config to my Nextcloud instance without error.

It would be nice if this was driven by a 'Skip SSL verification' checkbox in the UI, which would require the following changes in the PHP code:

Code: [Select]

public function curl_request(
        $url,
        $username,
        $password,
        $method,
        $error_message,
        $postdata = null,
        $headers = array("User-Agent: OPNsense Firewall"),
        $verify_ssl = true # additional parameter
    ) {
        $curl = curl_init();
        curl_setopt_array($curl, array(
            CURLOPT_URL => $url,
            CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
            CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
            CURLOPT_VERBOSE => 0,           // same here
            CURLOPT_MAXREDIRS => 0,         // no redirects
            CURLOPT_TIMEOUT => 60,          // maximum time: 1 min
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_USERPWD => $username . ":" . $password,
            CURLOPT_SSL_VERIFYHOST => $verify_ssl, // verify ssl unless explicitly asked not to
            CURLOPT_SSL_VERIFYPEER => $verify_ssl, // same here
            CURLOPT_HTTPHEADER => $headers
        ));

        // Code continues as before...   
    }

Alternatively, it is possible to tell curl which CA certificate to trust:

Code: [Select]

curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/cacert.pem');
That way, verification can be kept on, but a custom CA cert can be used.

One of these methods will be required when using a Nextcloud instance in an isolated network where Let's Encrypt won't work (because it requires a publicly-resolvable DNS record) and self-signed or private CA certs will not work out of the box.

4

21.1 Legacy Series / Re: Private domains with Unbound DNS

« on: May 06, 2021, 09:13:56 pm »

I still don't know why the 'Apply' button temporarily fixes things, but I realised that I was only having problems with host overrides for IPs that were already in the system due to their being dished out via DHCP...

Creating overrides for other IPs works fine in all cases

5

21.1 Legacy Series / Private domains with Unbound DNS

« on: May 06, 2021, 05:46:03 pm »

Hi,

I am observing some strange behaviour with Unbound DNS: I have added a domain override for a domain I am using solely within my local network, let's call it h.example.com. What I want is for queries for any subdomain records to be answered only by Unbound DNS, and not forwarded out to the Internet, as any responses coming back from outside will be incorrect.

The domain override for h.example.com goes to 192.168.1.1, which is the appliance LAN IP.

My DHCP hosts are correctly resolvable, but I am seeing mixed behaviour for host overrides: some resolve 100% of the time and others fail 100% of the time.

One thing that solves the resolution for all hosts is to go to the Miscellaneous page and enter my private domain in the 'Private Domains' field, then click 'Apply'. Once I do this, all my host overrides resolve correctly to addresses within my LAN.

But... if I then restart Unbound DNS, resolution for some of these overrides immediately begins to fail, until I go back to that Miscellaneous page and click 'Apply', even without making any changes.

I have also followed this tutorial on how to put an additional config file in the file system that contains my private domain, and I have verified that the config gets templated as expected, however this does not solve the problem.

Even clicking Apply on the Miscellaneous page, with no entries in Private Domains also fixes the issue. This may be because I have the config file in the system, not sure about that one.

My question now is, what does that 'Apply' button do, why it is able to fix these resolution issues, when everything else fails?