Messages - cookiemonster

#1
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 06, 2025, 10:45:03 PM
Quote from: Q-Feeds on October 06, 2025, 10:41:47 PM
Quote from: cookiemonster on October 06, 2025, 10:34:43 PM
I'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.

The more, the merrier! :) Details are in your inbox.
Got them. Thanks!
#2
25.7 Series / Re: Looking for testers Q-Feeds plugin
October 06, 2025, 10:34:43 PM
I'm interested in giving it a go if there's space for another tester.
I'm currently using Zenarmor on a trunk with two VLANs, and Crowdsec for my internet-facing haproxy, and it has been working quite well.
#3
Isn't your laptop the one initiating the traffic OUT from your LAN? In which case you would want the rule on the interface LAN, direction IN.
#4
I've never until now seen VLANs for TT for contemporary FTTP services. I knew some business ones did.
Are you receiving a residential or business service? Is it FTTP or, if not, what is it?
Edit: Rethinking what might also be needed to help.
If you have successfully set up your Vigor to be your main router, then presumably you want to have OPN as a router behind another router. Seems plausible for a homelab. If so, this might help: https://homenetworkguy.com/how-to/use-opnsense-router-behind-another-router/
#5
I did have it on an OPN re-install. Few machines, so it was simple to re-register.
The best I can think of is to suggest asking in their channels referenced here: https://docs.crowdsec.net/u/getting_started/health_check
That said, and without wanting to lead you astray, from my limited understanding of https://doc.crowdsec.net/docs/next/local_api/intro , it needs them re-registering for it to be clean, but for what you want (which I think is reasonable) maybe I can help you compare. My setup is currently working. I suspect (do not actually know) that it is not only the config that is needed but a collection of files in the /usr/local/etc/crowdsec/ directory. Maybe you can get away with the same local_api_credentials.yaml if all else is identical. Worth a comparison, I think.
#6
But do you have a managed switch to tag the traffic of this VLAN, and have setup your interface in OPN to act as the trunk from it?
If not, you don't have a VLAN but perhaps a separate network on a separate interface in OPN? I'm a bit unclear.
#7
Nope. Is the client IP making the query not available, to trace it?
#8
Understood. Thank you Cedrik.
#9
Problem is, Cedrik, that I also need to be able to connect to the home network from time to time when using work devices. OpenVPN is not allowed but IPsec is. Not my policies.
I appreciate the input, I do. However I fail to understand why core functionality seems to not work despite following the documentation, and suggestions are to not use it.
#10
Thanks. It is a static "site", bimbar, but technically it is a road warrior setup. It is for my son to be able to connect to home now that he has moved out, so that he can back up to the home NAS.
For that I want to issue him certs he can then use on an Apple Mac but also on his iPhone from time to time. There are other reasons I want to have this setup, even if I have a WireGuard setup working fine.
So I am mis-classifying it as S2S. It is road warrior.
Pesky certificates are seemingly not being accepted/found by OPN despite being set up as per documentation.

Any thoughts on what else to check, I'll be grateful.
#11
Ok that's fair if you don't use it. Thanks for the inputs you've made to this thread.
#12
Quote from: Patrick M. Hausen on August 28, 2025, 07:03:55 PM
The symlinks are hash values of the content of the installed certificates. Each symlink should point to a valid file. There is a hash script to update/produce these, but of course in an appliance context all of this should "just work" without any orphaned ones.

For reference: https://docs.openssl.org/3.5/man1/openssl-rehash/#description
That is also very good information, thank you Patrick. I definitely have symlinks to non-existent ones. No idea why. I haven't had any error messages when creating the CA and the other certs.
I'll have a read to see if I should rehash them.
#13
Quote from: Monviech (Cedrik) on August 28, 2025, 06:55:54 PM
I have never done the esp-tls setup.

From what I understand from a high level view, you need 3 certificates:

Self signed root
root signed leaf (server use)
root signed leaf (client use)

Best no lets encrypt anywhere.

The server and the client both need the signed root.

The server needs the server certificate. The client /must/ use an FQDN to contact the VPN server, and the FQDN must be in the server certificate, as SAN (subject alternative name), otherwise no match.

The client needs the client certificate. The EAP username configured in the OPNsense must match the common name in the client certificate, otherwise no match.

In the remote and local authentication these certificates have to be set.

I'm not 100% sure here, but that's what I imagine.

Exactly what I have Cedrik, and have done various times to ensure I weed out any mistakes but I keep failing.
The only element I'd like to validate is this one, where I feel I have a misconfiguration OR OPN is not matching a cert where it should:
Quote
The client needs the client certificate. The EAP username configured in the OPNsense must match the common name in the client certificate, otherwise no match.
Where is that done? The remote section in the docs has no users to use.
[attachment not available]
I have been using the client cert (.p12 bundle of cert and private key, password protected), with the client also of course having the public cert of the CA installed and made trusted. This client (leaf) cert, with its CN and DNS SAN, is also signed by the CA on OPN. But you can still see that the IPsec failure log says "certificate unknown":

2025-08-27T23:24:39 Informational charon 14[MGR] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> checkin and destroy IKE_SA 1c9aaddd-79af-41d2-9b2b-db85ae839384[33]
2025-08-27T23:24:39 Informational charon 03[NET] sending packet: from 92.26.121.196[4500] to 192.168.5.235[4500]
2025-08-27T23:24:39 Informational charon 14[NET] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> sending packet: from 92.26.121.196[4500] to 192.168.5.235[4500] (80 bytes)
2025-08-27T23:24:39 Informational charon 14[ENC] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> generating IKE_AUTH response 5 [ EAP/FAIL ]
2025-08-27T23:24:39 Informational charon 14[IKE] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> EAP method EAP_TLS failed for peer penguin-vpn1
2025-08-27T23:24:39 Informational charon 14[TLS] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> received fatal TLS alert 'certificate unknown'
2025-08-27T23:24:39 Informational charon 14[ENC] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
2025-08-27T23:24:39 Informational charon 14[NET] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> received packet: from 192.168.5.235[4500] to 92.26.121.196[4500] (96 bytes)
2025-08-27T23:24:39 Informational charon 14[MGR] IKE_SA 1c9aaddd-79af-41d2-9b2b-db85ae839384[33] successfully checked out
2025-08-27T23:24:39 Informational charon 14[MGR] checkout IKEv2 SA by message with SPIs 65ce1e4934bf1455_i c22f661e67a203da_r
2025-08-27T23:24:39 Informational charon 02[NET] waiting for data on sockets
2025-08-27T23:24:39 Informational charon 02[NET] received packet: from 192.168.5.235[4500] to 92.26.121.196[4500]
2025-08-27T23:24:39 Informational charon 03[NET] sending packet: from 92.26.121.196[4500] to 192.168.5.235[4500]
2025-08-27T23:24:39 Informational charon 14[MGR] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> checkin of IKE_SA successful
2025-08-27T23:24:39 Informational charon 14[MGR] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> checkin IKEv2 SA 1c9aaddd-79af-41d2-9b2b-db85ae839384[33] with SPIs 65ce1e4934bf1455_i c22f661e67a203da_r
2025-08-27T23:24:39 Informational charon 14[NET] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> sending packet: from 92.26.121.196[4500] to 192.168.5.235[4500] (832 bytes)
2025-08-27T23:24:39 Informational charon 14[ENC] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
2025-08-27T23:24:39 Informational charon 14[ENC] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> parsed IKE_AUTH request 4 [ EAP/RES/TLS ]
2025-08-27T23:24:39 Informational charon 14[NET] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> received packet: from 192.168.5.235[4500] to 92.26.121.196[4500] (80 bytes)
2025-08-27T23:24:39 Informational charon 14[MGR] IKE_SA 1c9aaddd-79af-41d2-9b2b-db85ae839384[33] successfully checked out
2025-08-27T23:24:39 Informational charon 14[MGR] checkout IKEv2 SA by message with SPIs 65ce1e4934bf1455_i c22f661e67a203da_r
2025-08-27T23:24:39 Informational charon 02[NET] waiting for data on sockets
2025-08-27T23:24:39 Informational charon 02[NET] received packet: from 192.168.5.235[4500] to 92.26.121.196[4500]
2025-08-27T23:24:39 Informational charon 03[NET] sending packet: from 92.26.121.196[4500] to 192.168.5.235[4500]
2025-08-27T23:24:39 Informational charon 14[MGR] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> checkin of IKE_SA successful
2025-08-27T23:24:39 Informational charon 14[MGR] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> checkin IKEv2 SA 1c9aaddd-79af-41d2-9b2b-db85ae839384[33] with SPIs 65ce1e4934bf1455_i c22f661e67a203da_r
2025-08-27T23:24:39 Informational charon 14[NET] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> sending packet: from 92.26.121.196[4500] to 192.168.5.235[4500] (1104 bytes)
2025-08-27T23:24:39 Informational charon 14[ENC] <1c9aaddd-79af-41d2-9b2b-db85ae839384|33> generating IKE_AUTH response 3 [ EAP/REQ/TLS ]
And that is the CN on the cert
[attachment not available]

So, is there another place I must put the user on ?
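The three-certificate layout Cedrik describes, and the two matches the log above comes down to (FQDN present as a DNS SAN in the server cert, client CN equal to the EAP identity), as an added example that is not from this thread or from OPNsense. It builds a throwaway PKI with openssl and then runs the two checks; "Home IKEv2 CA" and vpn.example.home are made-up names, penguin-vpn1 is the peer identity from the charon log, and OpenSSL 1.1.1 or newer is assumed for -ext.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): build the EAP-TLS PKI
# (self-signed root, server leaf, client leaf) and check what strongSwan matches.
# Assumptions: openssl >= 1.1.1 on PATH; names below are illustrative only.

# Create ca.crt, server.crt, client.crt (and keys) in DIR.
# Usage: make_eap_tls_pki DIR [FQDN] [EAP_IDENTITY]
make_eap_tls_pki() {
    dir=$1; fqdn=${2:-vpn.example.home}; identity=${3:-penguin-vpn1}
    mkdir -p "$dir" || return 1

    # 1. Root CA: CSR, then self-sign with explicit CA extensions (no reliance on
    #    the openssl.cnf defaults, so the result is the same on 1.1.1 and 3.x).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Home IKEv2 CA" || return 1
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" || return 1

    # 2. Server leaf: the FQDN the client dials must appear as a DNS SAN;
    #    a matching CN alone is not enough for the TLS name check.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$fqdn" || return 1
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" || return 1

    # 3. Client leaf: the CN is what must equal the EAP identity the client sends.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=$identity" || return 1
    openssl x509 -req -sha256 -days 825 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" || return 1
}

# Return 0 if CERT carries FQDN as a DNS subjectAltName entry.
# Usage: cert_has_san_dns CERT FQDN
cert_has_san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# Return 0 if the CN of CERT equals IDENTITY (the EAP username to configure).
# Usage: cert_matches_eap_identity CERT IDENTITY
cert_matches_eap_identity() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Stand-alone: sh eap_tls_demo.sh ./pki
if [ $# -gt 0 ]; then
    make_eap_tls_pki "$1" >/dev/null 2>&1 || { echo "openssl failed"; exit 1; }
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt"
    cert_has_san_dns "$1/server.crt" vpn.example.home && echo "server cert: DNS SAN matches"
    cert_matches_eap_identity "$1/client.crt" penguin-vpn1 && echo "client cert: CN matches EAP identity"
fi
```

Both checks are the ones to run against the certificates actually installed before touching the IPsec configuration: if cert_has_san_dns fails for the server cert, the client rejects the server; if cert_matches_eap_identity fails for the client cert and the configured EAP username, the server rejects the client.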
#14
I might be on the wrong path but see this. Some certs are soft linked in /usr/local/etc/swanctl/x509ca/ . I assume this is the place for CAs only.

penguin@OPNsense:~ $ ls -alh /usr/local/etc/swanctl/x509ca/
total 55
drwxr-xr-x   2 root wheel   22B Aug 27 22:35 .
drwxr-xr-x  16 root wheel   19B Jul  5 01:03 ..
-rw-r-----   1 root wheel  1.5K Aug 27 22:35 3285fdb3.0.crt
-rw-r-----   1 root wheel  1.5K Aug 27 22:35 462422cf.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 60b6690d48092.crt -> 7de19d92.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 6194f84831c68.crt -> 8d33f237.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 630e092f49140.crt -> 8a6584a6.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 66a5b16a759dd.crt -> 9aad238c.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 66f4cb6e54cc7.crt -> 462422cf.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 689a1e7ea53e7.crt -> 3e741b88.0.crt
lrwxr-x---   1 root wheel   14B Aug 12 16:55 689a6ba3882ea.crt -> 781cea7a.0.crt
lrwxr-x---   1 root wheel   14B Aug 21 16:05 68a72f50dfe82.crt -> 52ac0765.0.crt
lrwxr-x---   1 root wheel   14B Aug 21 23:52 68a79cfebefc4.crt -> 3285fdb3.0.crt
lrwxr-x---   1 root wheel   14B Aug 22 16:51 68a8904b6b0bd.crt -> f66f9cdd.0.crt
lrwxr-x---   1 root wheel   14B Aug 26 17:28 68ada38035eb5.crt -> f66f9cdd.0.crt
lrwxr-x---   1 root wheel   14B Aug 27 11:26 68aed70399f58.crt -> e755faf7.0.crt
lrwxr-x---   1 root wheel   14B Aug 27 22:35 68af7828b4e69.crt -> 3285fdb3.0.crt
-rw-r-----   1 root wheel  1.2K Aug 27 22:35 7de19d92.0.crt
-rw-r-----   1 root wheel  1.4K Aug 27 22:35 8a6584a6.0.crt
-rw-r-----   1 root wheel  1.8K Aug 27 22:35 8d33f237.0.crt
-rw-r-----   1 root wheel  1.5K Aug 27 22:35 9aad238c.0.crt
-rw-r-----   1 root wheel  2.2K Aug 27 22:35 e755faf7.0.crt

But then if for instance I try to look in one with a link to a file that does not exist, of course it fails.

penguin@OPNsense:~ $ pki --print --in /usr/local/etc/swanctl/x509ca/462422cf.0.crt
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
  subject:  "C=US, O=Let's Encrypt, CN=E5"
  issuer:   "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
  validity:  not before Mar 13 00:00:00 2024, ok
             not after  Mar 12 23:59:59 2027, ok (expires in 561 days)
  serial:    83:8f:6c:63:ce:b1:39:8c:62:06:62:83:15:c9:fd:de
  flags:     CA CRLSign serverAuth clientAuth
  CRL URIs:  http://x1.c.lencr.org/
  pathlen:   0
  certificatePolicies:
             2.23.140.1.2.1
  authkeyId: 79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e
  subjkeyId: 9f:2b:5f:cf:3c:21:4f:9d:04:b7:ed:2b:2c:c4:c6:70:8b:d2:d7:0d
  pubkey:    ECDSA 384 bits
  keyid:     e5:43:55:33:26:ce:0c:be:eb:cc:d6:37:1a:b5:c6:a2:8a:c0:89:07
  subjkey:   99:cd:29:c3:a1:58:26:af:7a:7a:4c:84:5a:8f:73:88:60:b0:df:de

penguin@OPNsense:~ $ pki --print --in /usr/local/etc/swanctl/x509ca/3e741b88.0.crt
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
  opening '/usr/local/etc/swanctl/x509ca/3e741b88.0.crt' failed: No such file or directory
building CRED_CERTIFICATE - X509 failed, tried 4 builders
parsing input failed

So why are there seemingly incorrect symlinks, and is that an explanation for not finding the client cert? I don't know either, but it looks strange.
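An audit of a hashed certificate directory like the one listed above, as an added example that is not from this thread or from OPNsense. It covers both things raised in posts #12 and #14: symlinks whose target file is gone (the 3e741b88.0.crt case), and hash-named files whose name prefix does not match the subject hash of the certificate inside, which is the naming openssl rehash produces. The directory path and the <hash>.<n>.crt pattern are taken from the listing; that the prefix is the subject hash is an assumption, not something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): audit a hashed
# certificate directory such as /usr/local/etc/swanctl/x509ca/ for
#   1. symlinks pointing at files that no longer exist, and
#   2. regular <8-hex>.<n>.crt files whose prefix differs from
#      `openssl x509 -hash` of their content (assumed rehash-style naming).
# Usage: sh audit_x509_dir.sh /usr/local/etc/swanctl/x509ca

# Print every symlink directly inside DIR whose target does not exist.
dangling_links() {
    dir=$1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue          # skip non-symlinks (and unmatched glob)
        [ -e "$f" ] || printf '%s\n' "$f" # -e follows the link; false if target is gone
    done
}

# Print hash-named regular files whose name prefix is not the subject hash
# of the certificate they contain. Returns 2 if openssl is not available.
hash_name_mismatches() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 2
    for f in "$dir"/*.crt; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # regular files only
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*.crt) ;;
            *) continue ;;                          # not a <hash>.<n>.crt name
        esac
        want=${name%%.*}
        if ! have=$(openssl x509 -noout -hash -in "$f" 2>/dev/null); then
            printf '%s (not a parseable certificate)\n' "$f"
            continue
        fi
        [ "$have" = "$want" ] || printf '%s (content subject hash is %s)\n' "$f" "$have"
    done
}

# Run both checks; return 1 if anything was reported.
audit_x509_dir() {
    dir=$1
    out=$(dangling_links "$dir"; hash_name_mismatches "$dir")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if [ $# -gt 0 ]; then
    audit_x509_dir "$1" && echo "no dangling symlinks or hash/name mismatches in $1"
fi
```

Run it as root or with read access to the directory (the files above are mode 640). A clean run prints nothing but the final line; anything else is a candidate for re-saving the certificate in the GUI or re-running the hash script Patrick mentioned, after which the dangling links should disappear.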
#15
No, no, I found them now. They're in /usr/local/etc/swanctl/
Name mismatch I need to drill into. I have a username (that does not exist on the OPN db) declared in the client cert that is not the same as anything else. What do you mean, please?