Messages - svenny

#1
Hi all, I have created 2 different certificate authorities: one for site to site VPN (Site_2_Site_VPN_CA) and one for Road Warrior VPN (Road_Warrior_VPN_CA). The first created authority is the one for site to site VPN. Both VPNs are managed with VPN:OpenVPN:Instances.

Now, if I use a server certificate signed by Road_Warrior_VPN_CA for the Road Warrior VPN and create a user with a certificate also signed by the same CA (Road_Warrior_VPN_CA), I receive the following error when I'm trying to connect the user:

2025-01-23 17:19:16 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2025-01-23 17:19:16 UDP link local (bound): [AF_INET][undef]:0
2025-01-23 17:19:16 UDP link remote: [AF_INET]x.x.x.x:1194
2025-01-23 17:19:16 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-01-23 17:19:16 VERIFY ERROR: could not extract CN from X509 subject string ('C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx') -- note that the username length is limited to 64 characters
2025-01-23 17:19:16 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2025-01-23 17:19:16 TLS_ERROR: BIO read tls_read_plaintext error
2025-01-23 17:19:16 TLS Error: TLS object -> incoming plaintext read error
2025-01-23 17:19:16 TLS Error: TLS handshake failed
2025-01-23 17:19:16 SIGUSR1[soft,tls-error] received, process restarting

But if I use a server certificate signed by the first CA (Site_2_Site_VPN_CA) and a user with a client certificate also signed by Site_2_Site_VPN_CA, the VPN connects without problems.

I'm using the following version:
 
OPNsense 24.10.1-amd64 - Business Edition
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

Thank you in advance.

Regards.
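The log line in this post says exactly what OpenVPN could not find: the quoted subject string has no CN attribute, so there is no username to derive from it. The following script is an added example, not something posted by svenny or shipped with OPNsense or OpenVPN. It parses a subject string in the form OpenVPN prints it in the log (or as `openssl x509 -noout -subject` prints it, with the `subject=` prefix and spaces around `=`) and reports whether the certificate would pass OpenVPN's CN requirements, including the 64-character username limit the log mentions. The `GOOD_SUBJECT` value is constructed for the demonstration.

```python
"""
Pre-flight check for OpenVPN client certificates: does the subject carry a
CN, and is it short enough for OpenVPN to use as the username?

Added example, not from the forum post. It works on the one-line subject
string as OpenVPN logs it ('C=xx, ST=xx, ...') or as OpenSSL prints it
('subject=C = xx, ST = xx, ...').
"""
import re

# OpenVPN's limit on the username derived from the CN (quoted in the log line)
MAX_USERNAME_LEN = 64


def parse_subject(subject: str) -> dict:
    """Parse a one-line X509 subject into a dict of attribute -> value.

    Splitting happens only on a comma that is followed by something that looks
    like an attribute name ('KEY=' or 'KEY = '), so a comma inside a value
    (e.g. in O=) does not break the parse.
    """
    subject = re.sub(r"^subject=\s*", "", subject.strip())
    fields = {}
    for part in re.split(r",\s*(?=[A-Za-z]+\s*=)", subject):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_subject(subject: str) -> list:
    """Return a list of problems; an empty list means OpenVPN can use the cert."""
    fields = parse_subject(subject)
    problems = []
    cn = fields.get("CN")
    if not cn:
        problems.append("no CN in subject; OpenVPN cannot derive a username")
    elif len(cn) > MAX_USERNAME_LEN:
        problems.append(f"CN is {len(cn)} chars, longer than {MAX_USERNAME_LEN}")
    return problems


# Subject exactly as it appeared in the OpenVPN log quoted in the post
BAD_SUBJECT = "C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx"
# Constructed subject with a CN, the shape a working client cert would have
GOOD_SUBJECT = "C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=alice, emailAddress=xx@xx.xx"

if __name__ == "__main__":
    for s in (BAD_SUBJECT, GOOD_SUBJECT):
        print(s, "->", check_subject(s) or "OK")
```

Run it on the subject of any certificate issued by the second CA before handing it to a user: a certificate whose subject has no CN will be rejected by OpenVPN regardless of which CA signed it, which matches the difference between the two CAs described in the post only if the certificate templates used with them differ in whether a Common Name was filled in.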
#2
Hi all, I've configured a site to site VPN (TAP mode) between 2 OPNsense appliances and I've noticed that on the client side of the VPN in System:Gateways:Configuration now there are 2 more gateways related to the VPN, one for IPv4 and one for IPv6.

Is it normal? I've disabled these 2 gateways, but I'm not able to delete them.

The VPN is bridged with a LAN interface and is working without problems.

This is some information about my installation on both OPNsense appliances:

OPNsense 24.10.1-amd64 (Business Edition)
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

Many thanks in advance for your reply.

Cheers.
#3
Hi, I've followed this tutorial to obtain a site to site VPN (OpenVPN):

Setup SSL VPN site to site tunnel

At some point in the tutorial I've found this:

Quote: Copy the public part of the certificate authority to the firewall at Site A (use the download button and copy the contents into a new CA on this host)

If I do as suggested, the VPN cannot be established and I receive an error saying the check of the CA is failing.

So I've tried importing the public part of the certificate authority along with the private part and then it worked.

May I have any problem with this kind of configuration? Is the tutorial correct?

Many thanks in advance for your replies.

Cheers


#4
Hi all, I'm trying to realize a site to site VPN through OpenVPN. I'm following this link:

Setup SSL VPN site to site tunnel

At some point in the page it states the following:

Quote: Leaf Certificate - Type Server - Site B: Set the Common Name to the FQDN of this machine.

Is it mandatory to insert a real DNS name as the FQDN or is it possible to use a public static IP address?

Many thanks in advance.

Cheers
#5
General Discussion / netstat-nat for OPNsense
November 30, 2022, 12:10:27 PM
Hi all,

is there something similar to the Linux netstat-nat command in OPNsense? It would be very handy for me.

Thank you in advance.

Cheers.
#6
Perfect! Many thanks Franco.

Cheers
#7
I don't know why, but the following firewall rule was preventing other rules from loading:


pass in quick on pppoe2 route-to ( pppoe2 <provider_gateway_ip> ) reply-to ( pppoe2 <provider_gateway_ip> ) inet proto icmp from $My_static_IP to {(pppoe2)} keep state label "0107958196d99255f51b8d5dc140fd65"


This firewall rules was intended to permit ping to the gateway IP from outside.

I was able to find the problem with the following command:


root@OPNsense:~ # pfctl -n -f /tmp/rules.debug
/tmp/rules.debug:171: syntax error


After removing this rule from the firewall the rules for "Outbound NAT" of the PPPoE gateway have been restored correctly.

Cheers
#8
I would like to add these instructions to pf.conf manually, but I'm not able to find this file:


nat on pppoe2 inet from (em0:network) to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from (lo0:network) to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from 127.0.0.0/8 to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from 10.10.0.0/24 to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from (em0:network) to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from (lo0:network) to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from 127.0.0.0/8 to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from 10.10.0.0/24 to any -> (pppoe2:0) port 1024:65535


Don't know why they're not loaded automatically. The difference between this and the other gateway, for which these rules are loaded, is that this link is a PPPoE one...

Thank you for your help.

Cheers
#9
Hi all,

after upgrading to 22.1.5 I'm no longer able to surf the web from LAN. The problem seems to be the lack of Outbound NAT rules for WAN interfaces (I'm using Multi-WAN, but for single WAN the problem is the same).

In the page "Firewall: NAT: Outbound" (I'm using "Automatic outbound NAT") I can see all the rules, but the output of the command "pfctl -sn" shows none of them. In another OPNsense installation, where I did not upgrade to 22.1.5, I can see these rules by launching the same command ("pfctl -sn") from the shell.

Is there a way to add these rules manually from the command line, so I can state that this is the problem?

Many thanks in advance.

Cheers
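Posts #9 and #8 are about the same check: comparing what `pfctl -sn` actually shows with the outbound NAT rules that should exist for each internal network on the PPPoE interface. The script below is an added example, not from the forum thread or OPNsense itself. It parses `nat on ...` lines in the syntax quoted in post #8 and lists the source networks that have no general outbound NAT rule on a given interface; the isakmp `static-port` rule on its own does not count as coverage, since it only translates UDP 500. The rule text is the one quoted in post #8; the list of expected networks is constructed for the demonstration.

```python
"""
Audit the NAT rules pf has loaded ('pfctl -sn' output) against the internal
networks that should be translated on a WAN interface.

Added example, not from the forum post. Feed it the real output with
    pfctl -sn | python3 nat_audit.py
or run it as-is on the rules quoted in the post.
"""
import re
import sys

# Outbound NAT rules exactly as quoted in post #8 (pf.conf / pfctl -sn syntax)
LOADED_RULES = """\
nat on pppoe2 inet from (em0:network) to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from (lo0:network) to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from 127.0.0.0/8 to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from 10.10.0.0/24 to any port = isakmp -> (pppoe2:0) static-port
nat on pppoe2 inet from (em0:network) to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from (lo0:network) to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from 127.0.0.0/8 to any -> (pppoe2:0) port 1024:65535
nat on pppoe2 inet from 10.10.0.0/24 to any -> (pppoe2:0) port 1024:65535
"""

# Constructed list of networks that should be translated on the PPPoE link
EXPECTED_SOURCES = ["(em0:network)", "10.10.0.0/24", "192.168.50.0/24"]

NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any"
    r"(?P<isakmp> port = isakmp)? -> \((?P<target>[^)]+)\)"
)


def parse_nat_rules(text: str) -> list:
    """Return one dict per 'nat on' rule; lines in any other form are ignored."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({
                "iface": m["iface"],
                "src": m["src"],
                "target": m["target"],
                "isakmp": m["isakmp"] is not None,
            })
    return rules


def missing_outbound_nat(text: str, iface: str, sources: list) -> list:
    """Sources with no general (non-isakmp) outbound NAT rule on iface.

    The 'port = isakmp ... static-port' rule alone is not enough: it covers
    UDP 500 only, so ordinary LAN traffic would still leave untranslated.
    """
    covered = {r["src"] for r in parse_nat_rules(text)
               if r["iface"] == iface and not r["isakmp"]}
    return [s for s in sources if s not in covered]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else LOADED_RULES
    gaps = missing_outbound_nat(text, "pppoe2", EXPECTED_SOURCES)
    if gaps:
        print("no outbound NAT on pppoe2 for:", ", ".join(gaps))
    else:
        print("all expected sources have outbound NAT on pppoe2")
```

An empty `pfctl -sn` output, which is what post #9 describes, makes every expected source show up as missing; that is the quickest way to confirm that the symptom is the absence of the loaded rules rather than, say, a routing problem.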


#10
General Discussion / Re: WAN Balancing Not working
December 14, 2021, 06:54:40 PM
Hi, I had the same issue and disabling "Firewall->Settings->Advanced->Multi-WAN->Sticky connections" solved the problem. No issues with HTTPS sites.

Cheers,
Svenny
#11
Your USB dongle could have 2 modes of switching depending on the firmware version: one is stick mode and the other is Hilink mode. With the first mode you have got a modem, with the second mode you have got a virtual ethernet device.

The following link describes it better:

https://jtanx.github.io/2018/12/28/huawei-e8372h-a5-v11-notes/

Cheers,
Svenny
#12
Thanks for your advice. I disabled "Sticky connections" and now I have load balancing working. Some speedtests show double my bandwidth while others show only one link, but I think it depends on the speedtest page.

I had some problems with VoIP, so I forced it on a specific gateway and now it works well.

I'm wondering if I could have problems with OpenVPN disabling "Sticky connections" in global settings... It seems to be working nicely till now.

Cheers,
Svenny
#13
Forgot to say that the gateways work perfectly using policy based routing.

Cheers,
Svenny
#14
Hi all,

I am experiencing connection problems trying to get load balancing between 2 gateways: one PPPoE and one RFC1918.

These are my gateways:

Name              Interface  Protocol  Priority        Gateway      Monitor IP
PPPOEGW (active)  PPPINT     IPv4      253 (upstream)  1.2.3.4      1.1.1.1
RFC1918GW         RFCINT     IPv4      255 (upstream)  192.168.8.1  8.8.8.8

This is my group of gateways:

Group Name: WANGWGROUP

Gateway    Tier
PPPOEGW    1
RFC1918GW  1

Trigger Level: Member down

Sticky connections are enabled under "Firewall->Settings->Advanced" and I've got the rule for DNS on LAN tab as the first rule.

In "System->Settings->General" I have got this:

DNS Server
1.1.1.1 PPPOEGW
8.8.8.8 RFC1918GW

and this:

Gateway switching    Allow default gateway switching  (enabled)

Then I have set the Gateway field to WANGWGROUP for the rule "Default allow LAN to any rule".

Now when I navigate the web I'm experiencing strange issues: sometimes it works, sometimes it times out...

Is there anything I'm missing with this setup? How could I troubleshoot this problem?

Versions:

OPNsense 21.7.5-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021

Thank you in advance.

Cheers,
Svenny

#15
General Discussion / Re: Automatically generated rules
November 11, 2021, 04:39:09 PM
Really simple answer: the DHCP was not enabled on VLAN20!

Cheers,
Svenny