Messages

1

24.1 Legacy Series / Re: 24.1.1 upgrade system capped out

« on: February 19, 2024, 05:00:51 pm »

On console it shows libcrypt.so.12 missing and goes to single user mode.

At this stage did a fresh install / restore and of course back online. Was really hoping to figure it out, felt like this should be fixable since the device was fully operational and I still have a few updates in case another device gets hit with the same issue.
Will just plan to reinstall / restore.

thank you

2

24.1 Legacy Series / Re: 24.1.1 upgrade system capped out

« on: February 17, 2024, 05:48:56 pm »

Physical device - Protectli i5 6 ports and all ports being used.

The root password is not accepted on the console. The setting to disable login on the console via the web worked and I was able to reset the password for the management user to ssh but sudoers settings had no effect.

Did a reset the root password from console and could get logged in. Every time i would make any change via web the ssh passwords would stop working for all users.

Before digging into the device and the logs I decided to just see what would happen running an update again from the console, that said the same release updated to is available I guess because the OPNsense version shows as "-" in the web console. After the update the device no longer boots.

3

24.1 Legacy Series / Re: 24.1.1 upgrade system capped out

« on: February 17, 2024, 02:34:57 am »

Thanks, unfortunately does not appear to be my issue.

Cant seem to get on console or via SSH no matter what settings only web works. New user also does not work part of admin. Looks like this happens my devices with ZT installed.

4

24.1 Legacy Series / Re: 24.1.1 upgrade system capped out

« on: February 15, 2024, 09:31:53 pm »

What would cause ssh/ physical console login for root not work? I was able to connect via SSH before the upgrade.

I would like to take a look before I plan to drive 4 hours to update another device because of this.
The only error I see in the console is that Zerotier plugin is missing, I am unable to resolve or install, in fact the device is not able to check for updates.

The firewall still functions normal, no settings seem to take effect that I make via the web. Even adding another user set the password no erros can't login with that user ssh web or console.

This is a vanilla install with just added zerotier and SNMP.

5

24.1 Legacy Series / 24.1.1 upgrade system capped out

« on: February 13, 2024, 12:17:53 am »

Hello, upgraded to the latest release and now the firewall is unmanageable and unusable.

Via web management console the system lists "-" for the OPNsense version. The device is sitting at 13% CPU usage constant and a load average of over 1.

Unable to SSH and unable to login via console the root password is not accepted but works for web.

Is my only option to reinstall / restore?
What pain I at least have access to this device but have a few remote so looks canning all updated for time being.

6

Virtual private networks / Re: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)

« on: June 06, 2021, 05:50:34 pm »

Hi Franco,

I can't really say if killing the process would correct the issue because I deleted the openvpn server to reconfigure as stopping / starting or rebooting did not correct the issue. After reconfiguration I was getting the error in the subject. I deleted the config again so no servers were present in the console and was still able to connect with a local account.
When I looked at processes it would show openvpn --server1 (if I remember correctly) even though the openvpn server was deleted. Looking at the the processes in run I noticed the pid. Deleting the pid and killing the process I could configure a new openvpn server to use tun1 again.

This is not an occasional occurrence, but as soon as a few users attempt to connect this happens. As mentioned before we thought this was an issue with the VM we had deployed, but the same is happening on a dedicated device.
It appears the issues start after this error: WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255, but can't say for sure.

7

Virtual private networks / Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)

« on: June 04, 2021, 01:54:27 am »

I have posted a few times about issues we are seeing with using Openvpn when using radius authentication and it seems there is a major issue.

Again we are unable to restart openvpn I can delete it, recreate it, reboot the device nothing helps. This is the same issue we had with running it as a VM thinking it was isolated to that. Well now a device we purchased that shipped with Opnsense is doing the same thing.

In this state it still accepts connections that can authenticate locally, but looking at the connection status I see this: "[error]   Unable to contact daemon   Service not running?"  You can't tell who is still connected. Disabling OpenVPN still allows connections.

I think this is a pretty major concern that a few users unable to connect for whatever reason can get the service into this state, especially since it shows the service is down and it still allows connections even after a reboot.

2021-06-03T18:47:22   openvpn[11088]   Exiting due to fatal error   
2021-06-03T18:47:22   openvpn[11088]   Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)   
2021-06-03T18:47:22   openvpn[11088]   TUN/TAP device ovpns1 exists previously, keep at program end
 
Looks like there is a process pid left behind once deleted and then kill the process with config for server1 in my case allowed the newly configured openvpn server to start.

8

Virtual private networks / Re: OpenVPN issues

« on: May 27, 2021, 12:59:34 am »

I was using a VM, but have since purchased a device that shipped with OPNsense and connected it directly to the internet. I also did not restore the config and manually configured the device, but I have the same result.
I can be connected for days, as soon as another user try to connect, it disconnects and try to reconnect (not always however, I would say 60% of the time.)

I can connect from multiple devices and it seems to work fine, but as soon as a different user tries to connect is when the issue occur. Many times it takes 5+ attempts to reconnect after that happens. 

Radius authentication is being used that also requires a MFA prompt so connections cannot reestablish automatically.

This is the client config: (not sure if you wanted the server config, I don't know how to export that from command line)

client
dev tun
reneg-sec 0
proto udp
remote <*.*.*.*> 1194
nobind
persist-key
persist-tun
ca MyCA.crt
cert User.crt
key User.key
remote-cert-tls server
cipher AES-256-GCM
auth SHA224
auth-user-pass
auth-nocache
verb 3
reneg-sec 0

9

Virtual private networks / Re: OpenVPN issues

« on: May 23, 2021, 04:40:35 pm »

It is being used for a small company.
I did use the same cert for all the users and allow duplicate connections, but even changing one user to their own cert still have the same issues. I am sending all the logs to a syslog server and it there is no indication of any issues other than the VPN server saying the client connection timed out and it then kicks the user off. After that happens it can take a number of tries to actually get connected where traffic is passed. It is using radius authentication with 2FA.
I will have to look at a commercial offering to test.

10

Virtual private networks / OpenVPN issues

« on: May 21, 2021, 06:01:56 pm »

I am having a tough time with OpenVPN.

I posted about issues before with no response so I assume I am the only one with these issues.

When I posted before I was using a VM for Opnsense behind a NAT using a single interface. Since then I purchased a device from Protectli and now have an interface directly on the internet and still experience strange behavior.

As soon as users connect other connected will get disconnected and then they are not able to reconnect, or it will get connected but then not pass any traffic and then be disconnected after 1 min and then its a struggle to get reconnected with multiple attempts.
I had one machine connected for 5 days and also continued to connect / disconnect with my laptop periodically without any issues.
I asked one user to switch to this VPN again and boom I got disconnected and then unable to get reconnected, well I get connected buy the no traffic is passed and after a min it disconnected me and then I have to try again and again as mentioned.
 
It really does not seem right that another user trying to connect can disconnect other connected users.   

What could be causing this behavior? 

11

Virtual private networks / Strange OpenVPN behavior

« on: May 07, 2021, 12:27:50 am »

OPNsense 21.1.5

I have been struggling with strange OpenVPN behavior

1. The service will stop responding, but I can still see the port is available doing a nmap scan.
Client will get TLS handshake failure and I don't see anything being logged server side.
Restarting the service or rebooting does not help.
The only way to get it to respond again is to delete the openvpn service entirely and then recreate it, but I have to use a different tunnel address range. Using the same tunnel address again will cause the same result where it does not respond to client requests.


2. After a 1/2 day - 1 day connections will be dropped all at the same time and the server logs indicate this is due to client inactivity. This will start to become more frequent until I am back to the what's described above.


3. If I recreate the service and forget to set one setting for example forget to set renegotiate to zero, going in after again and changing it, it does not seem to take effect; restating or rebooting it still now disconnects the clients after 3600 seconds which prompts a MFA request to authenticate.


I have used OPNsense in the past successful as an openvpn server, but never as a primary openvpn server for users community but only 12 users uses this server.

Few things I do want to note:

1. I am using the same cert for all the users and allowing duplicate connections. Since a password and MFA approval is required, I don't see the need for cert management as this is a break-fix customer.

2. NAT to external.
I would like to add that even trying to connect to the internal interface inside the network, I still see the same TLS handshake failures until I delete the openvpn service and recreate it.

3. Its a virtual appliance


Any ideas here would be appreciated.