Messages - bmt

#1
Hi

Just a note to everyone, I updated 4 different Opnsense firewalls and experienced the same thing. Before the upgrade, the policy was "moderate control", and all was blocking as it should. After the upgrade, "moderate control" is highlighted as this is what it was configured to. However, the actual option sliders are all set to "allowed". I had to reselect moderate control, which enabled the sliders, and then apply.

Just an FYI, as in my case this was for schools, and they could access naughty sites they could not access before.
#2
24.1, 24.4 Legacy Series / Re: zerotier and opnsense
February 18, 2024, 09:24:59 AM
Perhaps check your system routes and see what the default route is? Clear the routes and firewall states, reboot and try again?

Make sure you don't have overlapping IPs between the ZT network and LAN.

Check your firewall rules config and make sure ZT isn't set as the gateway on your WAN rules.
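The two checks suggested above (no overlapping prefixes between the ZeroTier network and the LAN, and the default gateway not pointing into the tunnel) are mechanical enough to script. The following is an added example, not code from the poster or from OPNsense; the interface names and prefixes are constructed, with the ZT prefix deliberately colliding with the LAN.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample: prefixes configured on a firewall's interfaces.
# "ZT" is set to the same /24 as "LAN" on purpose to trigger the check.
NETWORKS = {
    "LAN": "192.168.1.0/24",
    "WAN": "203.0.113.0/29",
    "ZT": "192.168.1.0/24",
    "WG": "10.11.0.0/24",
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap.

    Two interfaces sharing address space means the kernel routes by
    longest prefix, so traffic meant for one side silently lands on the other.
    """
    nets = {name: ip_network(cidr, strict=False) for name, cidr in networks.items()}
    return [
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    ]


def gateway_owner(gateway, networks):
    """Name of the interface whose prefix contains the default gateway, or None.

    The default route should resolve to the WAN prefix; if it resolves to the
    ZT (or WG) prefix, the tunnel has been made the gateway.
    """
    gw = ip_address(gateway)
    for name, cidr in networks.items():
        if gw in ip_network(cidr, strict=False):
            return name
    return None


if __name__ == "__main__":
    print("overlapping interfaces:", find_overlaps(NETWORKS))
    print("default gateway 203.0.113.1 belongs to:", gateway_owner("203.0.113.1", NETWORKS))
    print("default gateway 10.11.0.1 belongs to:", gateway_owner("10.11.0.1", NETWORKS))
```

On a real box the input would be the prefixes from `ifconfig` and the gateway from `netstat -rn`; the functions only need the resulting strings.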
#3
Thought I'd update here as the issue came back. The config.xml config changed (by itself), and the tunnel broke again. One-way traffic issue came back. I was also unable to ping the public IP from one site to the other, so I contacted the ISP. They found a route filter that was misconfigured. Once this was resolved, everything worked perfectly, and has been for the last 2 weeks. Stock standard Wireguard config, as per the Opnsense guide, working 100% fine.
#4
I'm trying to upgrade to 24.1, but I'm getting an error - anyone seen this before, and found a way to overcome it? I don't have direct access to the box, so need to fix this remotely.

"***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12 at Sat Jan 21 04:38:19 SAST 2012
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
18314631475200:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
Waiting for another process to update repository OPNsense
Updating SunnyValley repository catalogue...
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
35076911104:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***"
#5
Hi, could you elaborate on what you did to fix this? I'm trying to establish if it's the same problem preventing me from updating as I get this error when trying:

"***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12 at Sat Jan 21 04:03:41 SAST 2012
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
998479523840:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error"
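Both update logs quoted above (this post and the one before it) report the firewall's own clock as a date in 2012, and every failure is `certificate verify failed`. A TLS client rejects any certificate whose notBefore lies after the local clock, so a clock that far in the past is enough on its own to produce exactly this output against a current CA chain. The script below is an added example, not code from the poster or from OPNsense: it parses the reported clock and the CA names out of a constructed excerpt of the log and compares them against assumed notBefore dates for the two CAs (taken as assumptions here; verify against the actual certificates). It also flags the unexpanded `${SUBSCRIPTION}` placeholder that appears literally in the repository URL.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in the shape of the update log quoted above
# (a few of the repeated lines only).
LOG = """\
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12 at Sat Jan 21 04:38:19 SAST 2012
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Certificate verification failed for /C=US/O=Google Trust Services LLC/CN=GTS Root R1
pkg: https://updates.zenarmor.com/opnsense/FreeBSD:13:amd64/23.7/${SUBSCRIPTION}/meta.txz: Authentication error
"""

# Assumed notBefore dates for the CAs named in the log (approximate values used
# as assumptions for this example; check the real certificates before relying on them).
CA_NOT_BEFORE = {
    "GlobalSign GCC R3 DV TLS CA 2020": datetime(2020, 7, 28, tzinfo=timezone.utc),
    "GTS Root R1": datetime(2016, 6, 22, tzinfo=timezone.utc),
}

CLOCK_RE = re.compile(r"^Currently running .* at (.+)$", re.MULTILINE)
CA_RE = re.compile(r"Certificate verification failed for .*?/CN=([^/\n]+)")
PLACEHOLDER_RE = re.compile(r"https?://\S*\$\{[A-Z_]+\}\S*")


def parse_clock(log):
    """Return the firewall's clock as printed by the update check, or None."""
    m = CLOCK_RE.search(log)
    if not m:
        return None
    parts = m.group(1).split()
    if len(parts) == 6:  # 'Sat Jan 21 04:38:19 SAST 2012': drop the zone name
        del parts[4]     # day-level precision is all the comparison needs
    stamp = datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def diagnose(log):
    """Classify each failing CA and report repo URLs with unexpanded placeholders."""
    clock = parse_clock(log)
    findings = []
    for ca in dict.fromkeys(CA_RE.findall(log)):  # unique names, order preserved
        not_before = CA_NOT_BEFORE.get(ca)
        if clock is not None and not_before is not None and clock < not_before:
            findings.append((ca, "clock_before_not_before"))
        else:
            findings.append((ca, "clock_ok_check_trust_store"))
    for url in PLACEHOLDER_RE.findall(log):
        findings.append((url.rstrip(":"), "unexpanded_placeholder_in_repo_url"))
    return clock, findings


if __name__ == "__main__":
    clock, findings = diagnose(LOG)
    print("reported clock:", clock)
    for subject, code in findings:
        print(f"{code}: {subject}")
```

If the first classification comes back as `clock_before_not_before`, set the time (manually or via NTP) before touching the trust store or repository configuration; a trust-store problem only becomes diagnosable once the clock is right.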
#6
Thanks everyone...

https://forum.opnsense.org/index.php?topic=36403.msg177980

This was a weird one... I had to add my local WG tunnel IP/32 into config.xml manually (both sites). Immediately the handshake was confirmed on both ends, bidirectional traffic, and tunnel is stable.

Is this a bug? I followed every guide to the letter, watched multiple video tutorials, and all my settings were 100% correct. Anyway, just glad it's working now.
#7
Thanks Monviech and spetrillo - I'll give these suggestions a try
#8
Correct, I followed this guide, among others. I've tried both go and kmod. This makes me think there's a config somewhere that's preventing bidirectional traffic.

What terminal diags can I run to show some helpful output?


Quote from: Monviech on January 05, 2024, 07:28:05 AM
Have you checked every setting in reference with the documentation?

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Are you using wireguard-kmod or wireguard-go? I had problems with wireguard-go not doing handshakes anymore. So wireguard-kmod is the choice to go imo.
#9
For the port probe - check your port forwards perhaps.

As for the pinging - I found that sometimes I need to explicitly allow icmp on the LAN interface to be able to ping devices.
#10
Thanks Steve, I changed the allowed tunnel IP from /24 to the individual /32. Didn't make a difference... Yes, I created a WG interface per site, set the dynamic gateway option and confirmed that outbound NAT is configured. I also ensured the firewall rules allow UDP port 51280 on the "WAN Address" of each site, and for now, allowed * on both the WG and WG (Group) interfaces.

Thinking about it, site 1 always had dual WAN...site 2 now has dual WAN. Not sure if there's anything I need to consider in terms of this new setup? I disabled site 2's second WAN during troubleshooting, but it made no difference.

Any other suggestions?
#11
Edit: Just a note that the s2s VPN was working perfectly on all versions before 23.7.10. The site is 800km away from me, so a little nervous to roll back to previous Opnsense version remotely.

At a total loss here...have checked every post, guide etc and can't figure out what I'm doing wrong.

Firewall rules on both sites are configured to allow connections on port 5180 and traffic from WG to LAN. There is a handshake, and this is the result.

However, I cannot ping from one site to the next.

Site 1 shows transfer rx and tx.
Site 2 shows zero transfer rx but traffic on tx. Any suggestions on what to check, or output I can share that will help?

Site1:
interface: wg2
  public key: pnRhuA2blsBbPLsaZCA3bgQcB36fJzpZTXPy5DvZVhg=
  private key: (hidden)
  listening port: 51820

peer: DjojsEKBxxxxxxxKzX6/Dk76Munatg4=
  endpoint: 102.xxx.xxx.15:51820
  allowed ips: 10.11.0.1/32, 192.168.1.0/24
  transfer: 23.41 KiB received, 16.87 KiB sent
  persistent keepalive: every 25 seconds

Site2:
interface: wg2
  public key: DjojsEKxxxxxxxxxx/Dk76Munatg4=
  private key: (hidden)
  listening port: 51820

peer: pnRhuxxxxxxxxxxfJzpZTXPy5DvZVhg=
  endpoint: 102.221.100.138:51820
  allowed ips: 10.11.0.2/32, 192.168.0.0/24
  transfer: 0 B received, 23.12 KiB sent
  persistent keepalive: every 25 seconds


Thanks
#12
If you could share the guide that helped you that would be appreciated. I'm having issues on 23.7.10 where there's a handshake between 2 sites, status shows config is good, but only 1 way traffic. Can't find a firewall rule that's causing any issues either:

Site1:
interface: wg2
  public key: DjojsEKxxxxxxxxxx/Dk76Munatg4=
  private key: (hidden)
  listening port: 51820

peer: pnRhuxxxxxxxxxxfJzpZTXPy5DvZVhg=
  endpoint: 102.221.100.138:51820
  allowed ips: 10.11.0.0/24, 192.168.0.0/24
  transfer: 0 B received, 23.12 KiB sent
  persistent keepalive: every 25 seconds

Site2:
interface: wg2
  public key: pnRhuA2blsBbPLsaZCA3bgQcB36fJzpZTXPy5DvZVhg=
  private key: (hidden)
  listening port: 51820

peer: DjojsEKBxxxxxxxKzX6/Dk76Munatg4=
  endpoint: 102.xxx.xxx.15:51820
  allowed ips: 10.11.0.0/24, 192.168.1.0/24
  transfer: 23.41 KiB received, 16.87 KiB sent
  persistent keepalive: every 25 seconds
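The status dumps in this post and the one above it show the pattern worth checking mechanically: a handshake on both ends, but one peer counting 0 bytes received while the other side keeps sending. As an added example (not code from the poster or from OPNsense), the script below parses two `wg show` outputs, confirms that each interface key appears as the other side's peer, checks that each side's listening port matches the endpoint port the remote uses, and flags one-way traffic. The sample dumps are constructed in the same shape as the posted ones, with placeholder keys and documentation-range endpoints.

```python
import re
from ipaddress import ip_network

# Constructed samples modelled on the two posted status dumps (keys and
# endpoints are placeholders, not the originals).
SITE1 = """\
interface: wg2
  public key: KEY_SITE1=
  private key: (hidden)
  listening port: 51820

peer: KEY_SITE2=
  endpoint: 203.0.113.15:51820
  allowed ips: 10.11.0.1/32, 192.168.1.0/24
  transfer: 23.41 KiB received, 16.87 KiB sent
  persistent keepalive: every 25 seconds
"""

SITE2 = """\
interface: wg2
  public key: KEY_SITE2=
  private key: (hidden)
  listening port: 51820

peer: KEY_SITE1=
  endpoint: 198.51.100.138:51820
  allowed ips: 10.11.0.2/32, 192.168.0.0/24
  transfer: 0 B received, 23.12 KiB sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
TRANSFER_RE = re.compile(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent")


def to_bytes(amount, unit):
    return int(float(amount) * UNITS[unit])


def parse_wg_show(text):
    """Parse `wg show` output into {'name', 'public_key', 'port', 'peers': [...]}."""
    iface = {"peers": []}
    cur = iface
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "interface":
            iface["name"], cur = value, iface
        elif key == "peer":
            cur = {"public_key": value}
            iface["peers"].append(cur)
        elif key == "public key":
            cur["public_key"] = value
        elif key == "listening port":
            cur["port"] = int(value)
        elif key == "endpoint":
            cur["endpoint"] = value
        elif key == "allowed ips":
            cur["allowed_ips"] = [ip_network(n.strip()) for n in value.split(",")]
        elif key == "transfer":
            m = TRANSFER_RE.match(value)
            cur["rx"], cur["tx"] = to_bytes(m[1], m[2]), to_bytes(m[3], m[4])
    return iface


def diagnose(site_a_text, site_b_text):
    """Cross-check two site-to-site dumps; return (site, code) findings."""
    a, b = parse_wg_show(site_a_text), parse_wg_show(site_b_text)
    a_peer = next((p for p in a["peers"] if p["public_key"] == b["public_key"]), None)
    b_peer = next((p for p in b["peers"] if p["public_key"] == a["public_key"]), None)
    if a_peer is None or b_peer is None:
        return [("both", "key_mismatch")]  # each side must list the other's key
    findings = []
    # The port a site listens on must equal the port the remote's endpoint targets.
    for site, local, remote_peer in (("site1", a, b_peer), ("site2", b, a_peer)):
        ep_port = int(remote_peer["endpoint"].rsplit(":", 1)[1])
        if ep_port != local["port"]:
            findings.append((site, "port_mismatch"))
    # Sending without ever receiving means the return path is dropped or misrouted.
    for site, peer in (("site1", a_peer), ("site2", b_peer)):
        if peer["rx"] == 0 and peer["tx"] > 0:
            findings.append((site, "one_way"))
    return findings


if __name__ == "__main__":
    for site, code in diagnose(SITE1, SITE2):
        print(f"{site}: {code}")
```

A `one_way` finding on a site means that site's packets are leaving but nothing comes back to it: the next things to look at are the return route on the other side (is the remote LAN in the peer's allowed IPs there, and is there a firewall rule on the WG interface permitting it) rather than the handshake, which the counters already show is fine.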
#13
Thank you for that clarity. Yes I agree that Mimecast is amazing, however, my client hasn't had the best experience (due to the previous integrator) so now that I'm taking over the environment, they've asked for alternatives. Using a combination of Suricata/Zenarmor and Mimecast will not be possible due to budget, but I may just scale down their unnecessary Mimecast adding, and take just S1 with Suricata/Zenarmor.
#14
I've never used UPnP on Opnsense, but have had similar issues with other services. It's possible there's a tcp/udp port conflict, so try that. If you can't change the port it listens on, you may need to change the port of the conflicting service.
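To find the port conflict the post suggests, the question on FreeBSD is "which process already owns this proto/port", which `sockstat -l` answers. As an added example (not code from the poster or from OPNsense), the script below parses a constructed `sockstat -l` excerpt (process names and ports invented) and reports, per protocol and port, every process bound to it, so a service that fails to start can be matched against the current owner of the port it wants.

```python
# Constructed excerpt in the column layout of FreeBSD `sockstat -l`
# (processes, PIDs and ports are invented for the example).
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     miniupnpd  1234  4  udp4   *:1900                *:*
root     miniupnpd  1234  5  tcp4   *:2189                *:*
root     unbound    2345  3  udp4   192.168.1.1:53        *:*
root     unbound    2345  4  tcp4   192.168.1.1:53        *:*
root     sshd       3456  3  tcp4   *:22                  *:*
root     other-svc  4567  6  udp4   *:1900                *:*
"""


def listeners(text):
    """Parse sockstat rows into dicts with cmd, pid, proto ('tcp'/'udp'), addr, port."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 7:
            continue
        _user, cmd, pid, _fd, proto, local, _foreign = parts[:7]
        addr, port = local.rsplit(":", 1)
        rows.append({"cmd": cmd, "pid": int(pid), "proto": proto[:3],
                     "addr": addr, "port": int(port)})
    return rows


def who_owns(rows, proto, port):
    """Sorted, de-duplicated process names bound to (proto, port)."""
    return sorted({r["cmd"] for r in rows if r["proto"] == proto and r["port"] == port})


def port_conflicts(rows):
    """(proto, port) -> process names, for ports claimed by more than one process."""
    by_key = {}
    for r in rows:
        by_key.setdefault((r["proto"], r["port"]), set()).add(r["cmd"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    rows = listeners(SOCKSTAT)
    print("udp/1900 owned by:", who_owns(rows, "udp", 1900))
    print("conflicts:", port_conflicts(rows))
```

A service that failed to bind will not appear in the listing at all, so the useful call is `who_owns` with the port that service is configured for: whatever it returns is what has to move.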
#15
Hi

The environment is a campus network with 6 sites, all connected wirelessly to the main site where the Opnsense firewall and internet breakout is.

I have a client using Mimecast S1 for email and phishing security (onsite Exchange server), but we're looking for alternatives. Does anyone have any experience using Suricata ET Pro and/or Zenarmor Business? Will it provide the same/better level of protection?

TIA