Messages

1

21.1 Legacy Series / Very strange API

« on: June 29, 2021, 08:38:54 am »

Hello.

I heed to disable one of my routes by API. I run this command

curl -X POST -d '{"disabled":"1"}' -H "Content-Type: application/json" -k -u %KEY%:%SECRET% https://10.10.1.1/api/routes/routes/toggleroute/2c7375ab-2500-45a5-a952-50c34ea26b9d

and got {"result":"Disabled"}

But then I run this command again I got {"result":"Enabled"}

I run the one again and got {"result":"Disabled"}

Why? I thought I have to change command to {"disabled":"0"} for enabling. No?

2

21.1 Legacy Series / Re: OpenVPN timeout session [SOLVED]

« on: June 24, 2021, 08:03:17 am »

Yeah, You was right. I added this line into .ovpn file and it fixed a problem
reneg-sec 0

3

21.1 Legacy Series / OpenVPN timeout session

« on: June 23, 2021, 12:52:00 pm »

Hello.

I have an OpenVPN server and imported users from AD and  AD authentication and OTP. But every an hour user session is broken. Log says

openvpn[39817] user/8.22.8.11:59250 SIGUSR1[soft,ping-restart] received, client-instance restarting
openvpn[39817] user/8.22.8.11:59250 [UNDEF] Inactivity timeout (--ping-restart), restarting
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS handshake failed
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
openvpn[39817] MANAGEMENT: Client disconnected
openvpn[39817] MANAGEMENT: CMD 'quit'
openvpn[39817] MANAGEMENT: CMD 'status 2'
openvpn[39817] MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS handshake failed
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I made next:
- set Renegotiate time to 0
- insert keepalive 10 120 into an Advanced field

But there aren't any results with an user session. Every an hour session is out any way.

User connect log

openvpn[39817]MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
openvpn[39817]user/8.22.8.11:59250 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[39817]user/8.22.8.11:59250 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[39817]user/8.22.8.11:59250 Data Channel: using negotiated cipher 'AES-256-GCM'
openvpn[39817]user/8.22.8.11:59250 SENT CONTROL [user]: 'PUSH_REPLY,route 172.16.0.0 255.255.252.0,dhcp-option DOMAIN sex.com,dhcp-option DNS 172.16.1.1,dhcp-option DNS 172.16.1.1,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
openvpn[39817]user/8.22.8.11:59250 PUSH: Received control message: 'PUSH_REQUEST'
openvpn[39817]user/8.22.8.11:59250 MULTI: primary virtual IP for user/8.22.8.11:59250: 10.0.0.6
openvpn[39817]user/8.22.8.11:59250 MULTI: Learn: 10.0.0.6 -> user/8.22.8.11:59250
openvpn[39817]user/8.22.8.11:59250 MULTI_sva: pool returned IPv4=10.0.0.6, IPv6=(Not enabled)
openvpn[39817]8.22.8.11:59250 [user] Peer Connection Initiated with [AF_INET]8.22.8.11:59250
openvpn[39817]8.22.8.11:59250 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
openvpn[39817]8.22.8.11:59250 TLS: Username/Password authentication succeeded for username 'user' [CN SET]
openvpn[72783]user 'user' authenticated using 'AD2FA'
openvpn[39817]8.22.8.11:59250 peer info: IV_GUI_VER=OpenVPN_GUI_11
openvpn[39817]8.22.8.11:59250 peer info: IV_TCPNL=1
openvpn[39817]8.22.8.11:59250 peer info: IV_COMP_STUBv2=1
openvpn[39817]8.22.8.11:59250 peer info: IV_COMP_STUB=1
openvpn[39817]8.22.8.11:59250 peer info: IV_LZO=1
openvpn[39817]8.22.8.11:59250 peer info: IV_LZ4v2=1
openvpn[39817]8.22.8.11:59250 peer info: IV_LZ4=1
openvpn[39817]8.22.8.11:59250 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
openvpn[39817]8.22.8.11:59250 peer info: IV_NCP=2
openvpn[39817]8.22.8.11:59250 peer info: IV_PROTO=6
openvpn[39817]8.22.8.11:59250 peer info: IV_PLAT=win
openvpn[39817]8.22.8.11:59250 peer info: IV_VER=2.5.2
openvpn[39817]8.22.8.11:59250 TLS: Initial packet from [AF_INET]8.22.8.11:59250, sid=8cd968f4 aa698363

4

Russian - Русский / Re: Маршрутизация OpenVPN

« on: June 20, 2021, 02:02:29 pm »

В настройках OpenVPN сервера поставить чек-бокс в Inter-client communication и на клиентах настроить шлюзы в удаленные сети. Возможно, потребуется настроить еще Firewall для прохождения трафика. Надо будет смотреть лог.

5

Russian - Русский / Re: LDAP пользователи не логинятся

« on: June 20, 2021, 01:49:34 pm »

А ты права на веб пользователям выдал?

6

21.1 Legacy Series / Re: kick out from group (may be bug)

« on: June 18, 2021, 02:35:35 pm »

I have had set a checkbox here

Read properties
Synchronize groups

And I have Nothing selected for Limit groups.

ADD: Oh, I see. I added a group like AD name to the OPNsense and all work correctly. Thank you.

7

21.1 Legacy Series / kick out from group

« on: June 18, 2021, 02:21:31 pm »

I have the last version OPNsense 21.1.7_1-amd64.
I have imported an user from Active Directory and added him to a local group. This group has permissions for login to the Lobby:Password. But the user is member of this group until his GUI login. After a first login used is kicked out from the group immediately. It happened always with any AD imported users.

All users from the LocalDatabase don't have a problem like this.

8

21.1 Legacy Series / Disabled routers from shell

« on: June 10, 2021, 04:07:48 pm »

Hello.

I have some routers here System: Routes: Configuration
Can I disabled and enabled one from shell?

9

21.1 Legacy Series / Site to site OpenVPN like backup connection

« on: June 09, 2021, 09:08:22 pm »

Hello.

I have two offices and use two OPNsense instances like routers by direct connection over a dedicated access line (L2 VPN). I want to create a backup connection over Internet by OpenVPN. I created an OpenVPN Site-to-Site and created FailOver GW there is a dedicated access GW is main (Tair 1). I almost got all I want. But ff the dedicated access line is down then I need to restart an OpenVPN connect for recreate a routing table. And a connect between oficcess is restored again. How can I automatic restart or just start an OpenVPN connect by lost packets of a main GW?

10

21.1 Legacy Series / Re: OpenVPN + TOTP. How to get QR code?

« on: June 08, 2021, 03:51:15 pm »

Thank you so much for your help. Well done.

11

21.1 Legacy Series / Re: OpenVPN + TOTP. How to get QR code?

« on: June 08, 2021, 09:47:12 am »

Thank you.
But I didn't understand how it can helps me. Can you describe step by step?
What I did.
1. I created a new AD user.
2. I imported this one to Opnsens here System > Access > Users
3. I created a new group OTP and selected it here System> Settings> Administration > User OTP seed
4. I added a new user into this group
5. I tried to login by this user into Lobby and got Wrong username or password

The log file shows "user testvpn could not authenticate for WebGui. [using OPNsense\Auth\Services\WebGui + OPNsense\Auth\Local]"

What do I have to do?

12

21.1 Legacy Series / OpenVPN + TOTP. How to get QR code?

« on: June 07, 2021, 04:18:45 pm »

Hello.

I have OpenVPN server setup and TOTP authentication is enabled. But when user setups his Google Authenticator I have to make QR-code for him by myself. Is there way to get QR-code by an user himself without my action?

Thank you.

13

21.1 Legacy Series / No User Import Option when setting LDAP server

« on: June 05, 2021, 10:59:09 pm »

Hello.

ADD: So sorry. I have found solution. This topic can be deleted.