Messages - netshi

#1
Hi Trebax,

What exactly did you do to fix the login? I am in the same situation. I rebuilt my OPNsense and when I restored the backup config.xml, the credentials were not working anymore. I even tried to reset the root account via the "opnsense-shell password" command but it didn't do anything. I could not log in to the web UI, SSH or the console.

I opened the .xml file and deleted the <password>hashed-password</password> line, and restored the config using this modified .xml, but I still could not log in.

Any ideas?
#2
23.1 Legacy Series / Re: No route to host
August 24, 2023, 06:45:43 PM
Weird thing. After removing the 0.0.0.0/1 via wgra, I lost connectivity to the web UI. The local user could not reach the web UI either. I could WireGuard in but cannot access the web UI like I used to. The site-to-site VPNs (WG and IPsec) are up, but I cannot reach the web UI. Today, I was able to access the web UI again on both remote access and site-to-site.

#3
23.1 Legacy Series / No route to host
August 23, 2023, 03:39:20 PM
I am having issues updating one of my OPNsense firewalls. The firewall is currently at 23.1.11. What is happening is that whenever traffic is going to the Internet, somehow the firewall is forwarding the traffic out of my WireGuard remote access (wgra) interface. It should be going out of the WAN interface. This is also true when I ran a ping.

I found a 0.0.0.0/1 via wgra under the System/Routes/Status and deleted it. However, nothing has changed.

My route table doesn't show a default route via WireGuard interface. The only default route is on the WAN interface from my ISP.

Why is OPNsense forcing itself to take the WireGuard remote access path?
#4
If it was me, yes, I would use the VPN; unfortunately, my family members are not home labbers and have no desire to keep flipping the VPN button. For some services, VPN is not the answer for my use case.
#5
My use case is that I change IP all the time because of mobile devices. Is there a way to whitelist a different way?
Here is one of the HTTP error logs from my Firefly III instance. Here I am using my mobile phone.

*1712 NAXSI_FMT: ip=180.33.22.180&server=firefly.domain.tld&uri=/api/v1/autocomplete/accounts&config=block&rid=985213e2f5sd7b1de583b1fc56f7864557d&cscore0=$policy3a02eef8b50142fda2792das7e66c008547&score0=22&zone0=HEADERS&id0=1002&var_name0=cookie&zone1=ARGS&id1=1015&var_name1=types, client: 180.33.22.180, server: firefly.domain.tld, request: "GET /api/v1/autocomplete/accounts?types=Asset%20account,Expense%20account,Loan,Debt,Mortgage&query= HTTP/2.0", host: "firefly.domain.tld"
#6
I switched from NGINX Proxy Manager to the OPNsense nginx and acme plugins.
I have enabled the learning mode of the WAF, but I am trying to figure out how to decipher the HTTP error logs so that I can create a whitelist. My assumption at this point is that whitelist creation is located in Nginx / Configuration / HTTP(S) / Naxsi WAF Rule.

Here is one of my logs:
*14984 NAXSI_FMT: ip=10.0.11.22&server=search.domain.tld&uri=/autocomplete&config=block&rid=feb5f386b80b994a5416fada8d76524e38&zone0=BODY&id0=11&var_name0=, client: 10.0.11.22, server: search.domain.tld, request: "POST /autocomplete HTTP/2.0", host: "search.domain.tld"

How do you guys create your whitelist for your specific service behind NGINX?
The sample HTTP error log is from my Whoogle container. 10.0.11.22 is my laptop. But I am not sure how I can create a whitelist based on this sample log.
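An added example (not from the posts above): a small parser for the NAXSI_FMT lines quoted in posts #5 and #6 that splits each blocked request into its zoneN/idN/var_nameN matches and emits the narrowest possible BasicRule whitelist for each one (rule id, pinned to the exact URL and, where NAXSI named it, the variable). The two sample lines are the posts' own, embedded verbatim; the trusted_clients filter and all function names are my additions, and where the resulting BasicRule lines are pasted in the OPNsense plugin is not shown here.

```python
"""Parse nginx error-log lines carrying a NAXSI_FMT block and turn each
blocked request into candidate NAXSI BasicRule whitelist entries."""
import re
from itertools import count
from typing import Optional

# The two error-log lines quoted in the posts above, embedded verbatim as sample
# input (hostnames and request ids are the posts' own placeholder values).
SAMPLE_LOG = """\
*1712 NAXSI_FMT: ip=180.33.22.180&server=firefly.domain.tld&uri=/api/v1/autocomplete/accounts&config=block&rid=985213e2f5sd7b1de583b1fc56f7864557d&cscore0=$policy3a02eef8b50142fda2792das7e66c008547&score0=22&zone0=HEADERS&id0=1002&var_name0=cookie&zone1=ARGS&id1=1015&var_name1=types, client: 180.33.22.180, server: firefly.domain.tld, request: "GET /api/v1/autocomplete/accounts?types=Asset%20account,Expense%20account,Loan,Debt,Mortgage&query= HTTP/2.0", host: "firefly.domain.tld"
*14984 NAXSI_FMT: ip=10.0.11.22&server=search.domain.tld&uri=/autocomplete&config=block&rid=feb5f386b80b994a5416fada8d76524e38&zone0=BODY&id0=11&var_name0=, client: 10.0.11.22, server: search.domain.tld, request: "POST /autocomplete HTTP/2.0", host: "search.domain.tld"
"""

_REQUEST_RE = re.compile(r'request: "([^"]*)"')


def parse_naxsi_line(line: str) -> Optional[dict]:
    """Split one NAXSI_FMT line into its fixed fields, the per-match
    zone/id/var_name triples and the per-score-name totals.
    Returns None for lines that are not NAXSI events."""
    marker = "NAXSI_FMT: "
    pos = line.find(marker)
    if pos < 0:
        return None
    # Everything up to ", client: " is the &-separated NAXSI block itself.
    fmt, _, tail = line[pos + len(marker):].partition(", client: ")
    fields = dict(kv.split("=", 1) for kv in fmt.split("&") if "=" in kv)

    matches = []
    for i in count():  # zone0/id0/var_name0, zone1/id1/var_name1, ...
        if f"zone{i}" not in fields:
            break
        matches.append({
            "zone": fields[f"zone{i}"],
            "id": fields[f"id{i}"],
            "var_name": fields.get(f"var_name{i}", ""),  # empty for zone-wide hits
        })

    scores = {}
    for i in count():  # cscore0/score0, cscore1/score1, ... (absent in learning-only hits)
        if f"cscore{i}" not in fields:
            break
        scores[fields[f"cscore{i}"]] = int(fields[f"score{i}"])

    req = _REQUEST_RE.search(tail)
    return {
        "ip": fields.get("ip", ""),
        "server": fields.get("server", ""),
        "uri": fields.get("uri", ""),
        "config": fields.get("config", ""),
        "client": tail.split(",", 1)[0].strip(),
        "request": req.group(1) if req else "",
        "matches": matches,
        "scores": scores,
    }


def whitelist_rule(uri: str, match: dict) -> str:
    """Build the narrowest BasicRule whitelist for one match: the rule id,
    restricted to the exact URL and, when NAXSI named the variable, to that
    variable within its zone ($ARGS_VAR:x, $HEADERS_VAR:x, $BODY_VAR:x).
    A match with no variable name is whitelisted for the whole zone on that URL."""
    zone, var = match["zone"], match["var_name"]
    mz = f"$URL:{uri}|${zone}_VAR:{var}" if var else f"$URL:{uri}|{zone}"
    return f'BasicRule wl:{match["id"]} "mz:{mz}";'


def analyze_log(text: str, trusted_clients: Optional[set] = None) -> list:
    """Parse every NAXSI line in `text`. Candidate whitelist rules are attached
    only for requests from clients the operator has vouched for (None = all),
    so a block triggered by an unknown source never turns into a rule."""
    entries = []
    for line in text.splitlines():
        entry = parse_naxsi_line(line)
        if entry is None:
            continue
        vouched = trusted_clients is None or entry["client"] in trusted_clients
        entry["rules"] = (
            [whitelist_rule(entry["uri"], m) for m in entry["matches"]] if vouched else []
        )
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in analyze_log(SAMPLE_LOG):
        hits = ", ".join(f'{m["id"]}@{m["zone"]}:{m["var_name"] or "-"}' for m in e["matches"])
        print(f'{e["client"]} {e["request"]} -> {hits}')
        for rule in e["rules"]:
            print("   ", rule)
```

Whitelisting an id without the $URL restriction (e.g. wl:1015 for every ARGS variable) disables that check site-wide, so keep the generated rules scoped as shown and only promote hits that came from a client you recognise.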
#7
I have three OPNsense firewalls; so far, I have upgraded mine to 23.1.1, one remote to 23.1 and the other to 22.7.11_1. Currently, the 23.1 and 22.7.11_1 ones are the only firewalls with a working OpenVPN. The main firewall with 23.1.1 is acting weird. There are two issues that I am seeing currently with OpenVPN. I am using an FQDN via Duckdns.org DDNS as my destination to connect to the OPNsense OpenVPN.

1. When I am connected to my WiFi network and run OpenVPN, the client resolves the FQDN to the 100.2.3.4 address. I double checked my DNS and it is resolving to the correct WAN IP, but OpenVPN. I have no idea where the 100.2.3.4 is coming from. After disconnecting from WiFi, the FQDN points to the correct WAN IP.
2. While disconnected from the WiFi and connected to LTE or 5G, I could not connect to the OpenVPN - see logs below.

This all started at 23.1.1. I was able to VPN in while connected to WiFi and never had issues with OpenVPN while on LTE / 5G.

This is what I have tried so far...
  - Reinstalled OpenVPN via System / Firmware / Packages.
  - Regenerated new .ovpn files
  - Switched to TCP from UDP
  - Re-uploaded the OpenVPN backup config and reloaded

Below are the logs from OPNsense:

2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_SSO=webauth,openurl
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.0-8367
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_PROTO=30
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_TCPNL=1
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_NCP=2
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_PLAT=android
2023-02-18T13:50:51 Notice openvpn_server1 88.67.93.245:32762 peer info: IV_VER=3.git::d3f8b18b:Release
2023-02-18T13:50:50 Notice openvpn_server1 88.67.93.245:32762 TLS: Initial packet from [AF_INET]88.67.93.245:32762, sid=13a3b24a da95d37c
2023-02-18T13:50:50 Notice openvpn_server1 88.67.93.245:32762 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-02-18T13:50:50 Notice openvpn_server1 88.67.93.245:32762 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-02-18T13:50:50 Notice openvpn_server1 88.67.93.245:32762 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-02-18T13:50:50 Notice openvpn_server1 88.67.93.245:32762 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: packet replay
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: bad packet ID (may be a replay): [ #6 / time = (1676728208) 2023-02-18 13:50:08 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 TLS Error: tls-crypt unwrapping failed from [AF_INET]88.67.93.245:21288
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: bad packet ID (may be a replay): [ #6 / time = (1676728208) 2023-02-18 13:50:08 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: packet replay
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: bad packet ID (may be a replay): [ #6 / time = (1676728208) 2023-02-18 13:50:08 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 TLS Error: tls-crypt unwrapping failed from [AF_INET]88.67.93.245:21288
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: bad packet ID (may be a replay): [ #6 / time = (1676728208) 2023-02-18 13:50:08 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 TLS Error: tls-crypt unwrapping failed from [AF_INET]88.67.93.245:21288
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: bad packet ID (may be a replay): [ #6 / time = (1676728208) 2023-02-18 13:50:08 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: packet replay
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 TLS Error: tls-crypt unwrapping failed from [AF_INET]88.67.93.245:21288
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: packet replay
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 tls-crypt unwrap error: bad packet ID (may be a replay): [ #6 / time = (1676728208) 2023-02-18 13:50:08 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2023-02-18T13:50:49 Error openvpn_server1 88.67.93.245:21288 TLS Error: tls-crypt unwrapping failed from [AF_INET]88.67.93.245:21288
2023-02-18T13:50:49 Notice openvpn_server1 MANAGEMENT: Client disconnected
2023-02-18T13:50:49 Notice openvpn_server1 MANAGEMENT: CMD 'quit'
2023-02-18T13:50:49 Notice openvpn_server1 MANAGEMENT: CMD 'status 2'
2023-02-18T13:50:49 Notice openvpn_server1 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
2023-02-18T13:50:49 Notice openvpn_server1 88.67.93.245:21288 TLS: Username/Password authentication succeeded for username 'ron.jeremy' [CN SET]
2023-02-18T13:50:49 Notice openvpn user 'ron.jeremy' authenticated using 'freeipa.domain.local' CSO [USER]:/var/etc/openvpn-csc/1/ron.jeremy
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_SSO=webauth,openurl
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.0-8367
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_PROTO=30
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_TCPNL=1
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_NCP=2
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_PLAT=android
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 peer info: IV_VER=3.git::d3f8b18b:Release
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 TLS: Initial packet from [AF_INET]88.67.93.245:21288, sid=26f26c45 f9b588d1
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-02-18T13:50:08 Notice openvpn_server1 88.67.93.245:21288 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

#8
I think I fixed my issue with the IPsec route-based VPN. It seems like the option for duplicating the Phase 1 is a bad idea. The behavior was that it would establish the tunnel between the two firewalls, but traffic-wise it was a ships-in-the-night situation. Deleting the duplicated Phase 1, recreating it from scratch and restarting FRR fixed my issues with IPsec.

I wish WireGuard would work again.
#9
I am going to deploy another OPNsense fw at another remote site. I planned on using WireGuard, but it has been a hassle to get it working. My sites' primary site-to-site link was WireGuard, but it has been very unstable, so I am switching to IPsec route-based.

I got the IPsec route-based tunnel up, but I could not pass any traffic or even ping between the two OPNsense firewalls (main fw and remote fw). Currently, I am staging the remote fw for deployment and it is directly connected to my security zone. So the IP of my main fw is 10.0.5.1 and the remote is 10.0.5.108. Bogons and RFC1918 blocking have been disabled on the WAN interface of the remote fw for now.

I SSH'd in to the main fw and pinged the remote fw's ipsec interface (192.168.1.6) and got this:
92 bytes from 127.0.0.1: Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 cb89   0 0000  01  01 0000 127.0.0.1  192.168.1.6


I checked the routing table in CLI and it shows this:
192.168.1.1        link#26            UHS         lo0
192.168.1.2        link#26            UH       ipsec1
192.168.1.5        link#27            UHS         lo0
192.168.1.6        192.168.1.5        UGHS        lo0

It doesn't make any sense. ipsec1 is my site-to-site to my other remote site (this one is working and has been deployed), but the second one (192.168.1.5 & 192.168.1.6) is showing as lo0. When I run a ping, the Live View shows that the interface is Loopback. I also have the Live View from the remote fw attached. At least at the remote site, it seems like it is using the correct interface, which is ipsec1. It seems like a ships-in-the-night situation here. The tunnel is up, so why can't these two firewalls pass traffic?

Please see the attached Live View screenshots.
#10
Virtual private networks / VPN and routing bug?
August 16, 2022, 12:17:56 PM
I have no idea what was going on. I could not get the WireGuard wg2.conf working at my remote site. It was working earlier, then it went down suddenly and would not come back up. I rebooted the firewall and still nothing. I SSH'd in and restarted WireGuard and it says:

wg-quick: `wg2' is not a WireGuard interface

wg2 was not visible in the Interfaces / Assignment section on the web UI. I am not exactly sure what to do with the WireGuard situation at this point.

Another issue that I have is at my main site, where I have a route-based IPsec as my site-to-site backup (WireGuard is primary). It is up, but it is not routing. I checked the route table in both the CLI and the web UI; the CLI is showing the route as reachable via the WireGuard site-to-site interface, which is currently down because of the issue I am having at my remote site. The web UI was showing that the remote site is reachable via ipsec1.

The version that I am running is 22.1.10_4-amd64 on both firewalls.

I rebooted the remote site and it seems IPsec does not start after a reboot. Thankfully wg1 was up and I was able to remote in.

I rebooted the remote site again and wg2 went up, but it won't connect to the main site. I rebooted the main site's OPNsense and WireGuard is now up. Why does it require several reboots to get WireGuard working?
Also, when WireGuard was down, why was the routing table still pointing to WireGuard to forward the traffic instead of the IPsec site-to-site? It seems like OPNsense is blackholing itself.

In addition, on the web UI, both firewalls show that the route is reachable via ipsec1, learned from BGP, but the forwarding is happening via the WireGuard link. The WireGuard BGP session is stuck in an active state. In the CLI, "netstat -r" shows that the route is reachable via WireGuard.

When I logged in to FRR and checked the routing table, it shows that the remote site is reachable via the ipsec1 (via BGP). At the remote site, using the CLI, the "netstat -r" shows that the main site is reachable via ipsec1. The remote site's FRR also shows the main site is reachable via ipsec1.

I am located at the main site and ran a traceroute from my workstation and sure enough, it took the IPsec path; however, the logs in Live View show WireGuard as the interface. The traceroute from the remote site is taking the IPsec path.

#11
I have uninstalled sensei and the lagg interface speed reported has not changed.

I think you are misunderstanding the problem. It seems like you are talking about the throughput. The problem is the lagg0 set speed. I just want to clarify that the problem is the port (interface) speed, not throughput. If the set speed is lower than what it should be, the throughput doesn't matter because I am limited to the bandwidth of the set speed. Think of it as your Internet speed. If you're paying for 300 down and 300 up from your ISP, you are not going to get 1 Gbps from it.

However, in my case, I have full control of the environment. The physical interfaces on both sides are reporting 10 Gbps, but the LAGG is not. The LAGG "should be" at 20 Gbps, not 2.85 Gbps.
#12
It is not bytes. It is bits.
https://imgur.com/a/cqpOKQG
#13
It is 2.85 Gbps.
#14
General Discussion / LAGG interface's speed is incorrect
November 24, 2021, 11:19:45 PM
I migrated my network from VyOS to OPNsense. What I was after was the Sensei part and the FQDN option for aliases. VyOS didn't have these features.

I have two 10GbE ports. It is an Intel X520-DA2. I configured the LAGG/LACP with my Mikrotik switch. I am not sure how to check the speed and duplex of an OPNsense LAGG interface, but LibreNMS is reporting the "Port Speed" of the lagg interface at 2.85Gbps. Also, when I checked the VLANs, each one shows 1.41Gbps.

The Port Speed should be 20Gbps. The physical interfaces ix0 and ix1 both show 10Gbps each. Why did the LAGG get degraded to 2.85Gbps? I ran some iperf3 tests and the highest speed I am getting is 1.15Gbps. When I removed one of the 10GbE cables, it cut the throughput in half. Basically, the LAGG is running at 1Gbps speed. I have been using VyOS since 2018. When I was on VyOS, the bond/LACP was showing as 20Gbps without any issue.

My hardware spec is this:
Supermicro A1SRI-2758F
8GB RAM
128GB SSD
Intel X520-DA2 2x 10Gbps interfaces

EDIT:
Here is the screenshot of what LibreNMS is seeing
https://imgur.com/a/cqpOKQG