1
24.7 Production Series / Re: slow download and upload behind opnsense
« on: October 11, 2024, 03:29:26 pm »
Hi. Maybe you can stop the service "Suricata - Intrusion Detection" and test the speed again.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
24.7 Production Series / Apply button always remains visible
« on: October 10, 2024, 12:51:02 pm »
Hello,
I have a question, and maybe you'll find it strange, but I have worked with several firewalls before.
When I create or change any rule in OPNsense, I click the Apply button. However, the Apply button always remains visible, which can be really confusing. Sometimes, people think they haven't clicked Apply. It is not so in Pfsense.
How to fix it, is there any settings for it?
I have a question, and maybe you'll find it strange, but I have worked with several firewalls before.
When I create or change any rule in OPNsense, I click the Apply button. However, the Apply button always remains visible, which can be really confusing. Sometimes, people think they haven't clicked Apply. It is not so in Pfsense.
How to fix it, is there any settings for it?
3
24.7 Production Series / Re: Data Ciphers are missing in OpenVPN export configuration. Is it a bug?
« on: September 24, 2024, 04:09:40 pm »
Hello Franco,
I've read that the latest OpenVPN server no longer needs to export Data Ciphers, as OpenVPN now supports cipher negotiation between the server and client. That's great news.
I also checked the OpenVPN server logs and confirmed that it uses AES-256-GCM when a client is connected, which is fine.
When I use OpenVPN Connect, there are no errors. However, when I use the OpenVPN client, it complains about missing Data Ciphers, even though the OPNsense OpenVPN log shows that AES-256-GCM is being used.
It would be much better if the issue causing the OpenVPN client to generate this message could be resolved.
I've read that the latest OpenVPN server no longer needs to export Data Ciphers, as OpenVPN now supports cipher negotiation between the server and client. That's great news.
I also checked the OpenVPN server logs and confirmed that it uses AES-256-GCM when a client is connected, which is fine.
When I use OpenVPN Connect, there are no errors. However, when I use the OpenVPN client, it complains about missing Data Ciphers, even though the OPNsense OpenVPN log shows that AES-256-GCM is being used.
It would be much better if the issue causing the OpenVPN client to generate this message could be resolved.
4
24.7 Production Series / Re: Data Ciphers are missing in OpenVPN export configuration. Is it a bug?
« on: September 24, 2024, 10:14:10 am »
Thank you for your replies.
In the client logs, I couldn't see "PUSH' line ...".
In the server logs, when the client is connected, it shows that the client uses AES-256-GCM.
However, in the Client logs, it complains that the Data Ciphers are missing. I will create a ticket.
In the client logs, I couldn't see "PUSH' line ...".
In the server logs, when the client is connected, it shows that the client uses AES-256-GCM.
Code: [Select]
openvpn_server1 xxx.xxx.xxx.xxx:55396 Data Channel: cipher 'AES-256-GCM', peer-id: 0However, in the Client logs, it complains that the Data Ciphers are missing. I will create a ticket.
Code: [Select]
Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case.
If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
5
24.7 Production Series / Re: Data Ciphers are missing in OpenVPN export configuration. Is it a bug?
« on: September 23, 2024, 09:25:17 pm »
Could you please answer my last question?
6
24.7 Production Series / Re: New dashboard does not play well with mobile device.
« on: September 23, 2024, 03:53:51 pm »
Hello. We have similar concerns regarding the new dashboard design. The current layout feels cluttered and lacks clarity, giving the impression of being designed by someone with limited experience. We believe it could benefit from a more streamlined and user-friendly approach to improve the overall user experience.
7
24.7 Production Series / Re: Data Ciphers are missing in OpenVPN export configuration. Is it a bug?
« on: September 23, 2024, 01:53:04 pm »
Hello,
It started to connect without "Data Ciphers", however I haven't changed anything.
If I use Openvpn Connect, I see that it uses AES256-GCM. No errors.
But if use OpenVPN client v2.6.12 (Community edition), it gives the following error, but it connects successfully.
Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
We are using Openvpn client (Community edition), because it has a Windows service that can start automatically on Windows start.
I would like to make sure if it really uses "Data Ciphers AES256-GCM" with OpenVPN client (Community edition)?
It started to connect without "Data Ciphers", however I haven't changed anything.
If I use Openvpn Connect, I see that it uses AES256-GCM. No errors.
But if use OpenVPN client v2.6.12 (Community edition), it gives the following error, but it connects successfully.
Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
We are using Openvpn client (Community edition), because it has a Windows service that can start automatically on Windows start.
I would like to make sure if it really uses "Data Ciphers AES256-GCM" with OpenVPN client (Community edition)?
8
24.7 Production Series / Re: Data Ciphers are missing in OpenVPN export configuration. Is it a bug?
« on: September 22, 2024, 10:16:20 am »
Thank you for your replies. I am using OpenVPN client v2.6.12. But it can't connect and complains that data ciphers are missing. If I add the data ciphers "cipher AES-256-GCM" manually in the config file, then it connects.
If "Data Ciphers" are deprecated and they are not needed to be exported, why I could setup it in Openvpn Instance server then? There is "Data Ciphers" and "Data Ciphers Fallback" in the menu.
If "Data Ciphers" are deprecated and they are not needed to be exported, why I could setup it in Openvpn Instance server then? There is "Data Ciphers" and "Data Ciphers Fallback" in the menu.
9
24.7 Production Series / Re: Data Ciphers are not added in export configuration
« on: September 22, 2024, 08:52:36 am »
Is it a bug or I am doing something wrong?
10
24.7 Production Series / Re: Data Ciphers are not added in export configuration
« on: September 21, 2024, 08:50:41 am »
Nobody has this problem?
11
24.7 Production Series / Data Ciphers are missing in OpenVPN export configuration. Is it a bug?
« on: September 19, 2024, 04:17:19 pm »
Hello,
We are using the latest version of OPNsense. I have setup OpenVPN instance. I export the config, but Data Ciphers are not added into the configuration. Could you please let me know, if it is a bug, or I am doing something wrong?
The config of the VPN file:
dev tun
persist-tun
persist-key
proto tcp-client
auth SHA256
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1149 tcp
lport 0
verify-x509-name "C=DE, ST=HESSEN, L=xxx, O=xxx, emailAddress=xxx, CN=WS-OPENVPN-CERTIFICATE" subject
remote-cert-tls server
We are using the latest version of OPNsense. I have setup OpenVPN instance. I export the config, but Data Ciphers are not added into the configuration. Could you please let me know, if it is a bug, or I am doing something wrong?
The config of the VPN file:
dev tun
persist-tun
persist-key
proto tcp-client
auth SHA256
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1149 tcp
lport 0
verify-x509-name "C=DE, ST=HESSEN, L=xxx, O=xxx, emailAddress=xxx, CN=WS-OPENVPN-CERTIFICATE" subject
remote-cert-tls server
12
General Discussion / Need help on One to One NAT configuration
« on: July 12, 2024, 10:24:48 am »
Hello,
I need your help on the following case.
We have IPsec VPN connections with our customers and our internal network.
Internal Network: 172.16.210.0/24
Recently we have prepared a new device on DMZ network.
DMZ network: 172.16.220.0/24
Linux OS machine: 172.16.220.1
The customer should communicate with a device on DMZ network through IPSec VPN. Since there a over 50 IPsec VPN connections, we can't add Phase 2 into the current VPN connection.
I have created a Virtual IP: 172.16.210.100/32
That's why we decided to use One to One NAT in IPsec Interface, that should work in this way: 172.16.210.100 <---> 172.16.220.1
I have created a Firewall rules in IPsec and DMZ interfaces to allow traffic.
If I telnet the port of the device located in DMZ, it doesn't pass through. The device has Linux OS and it shows that it has received a packet SYN_RECV.
root@mail:~# netstat -tulpan | grep :587
tcp6 0 0 :::587 :::* LISTEN 974/hbbr
tcp6 0 0 172.16.220.1:587 10.154.181.41:64203 SYN_RECV -
That's why I think. the Linux machine can't send SYN ACK to the customer IP address.
Most probably it still tries to reply from 172.16.220.1. But it should go through 172.16.210.100.
it should be:
DMZ 172.16.220.1 --> Virtual IP 172.16.210.100 --> customer network
customer network --> Virtual IP 172.16.210.100 --> DMZ 172.16.220.1
Could you please give me a hint where I have made a mistake?
I need your help on the following case.
We have IPsec VPN connections with our customers and our internal network.
Internal Network: 172.16.210.0/24
Recently we have prepared a new device on DMZ network.
DMZ network: 172.16.220.0/24
Linux OS machine: 172.16.220.1
The customer should communicate with a device on DMZ network through IPSec VPN. Since there a over 50 IPsec VPN connections, we can't add Phase 2 into the current VPN connection.
I have created a Virtual IP: 172.16.210.100/32
That's why we decided to use One to One NAT in IPsec Interface, that should work in this way: 172.16.210.100 <---> 172.16.220.1
I have created a Firewall rules in IPsec and DMZ interfaces to allow traffic.
If I telnet the port of the device located in DMZ, it doesn't pass through. The device has Linux OS and it shows that it has received a packet SYN_RECV.
root@mail:~# netstat -tulpan | grep :587
tcp6 0 0 :::587 :::* LISTEN 974/hbbr
tcp6 0 0 172.16.220.1:587 10.154.181.41:64203 SYN_RECV -
That's why I think. the Linux machine can't send SYN ACK to the customer IP address.
Most probably it still tries to reply from 172.16.220.1. But it should go through 172.16.210.100.
it should be:
DMZ 172.16.220.1 --> Virtual IP 172.16.210.100 --> customer network
customer network --> Virtual IP 172.16.210.100 --> DMZ 172.16.220.1
Could you please give me a hint where I have made a mistake?
13
General Discussion / Re: Openvpn asks for login & password often
« on: February 26, 2024, 02:12:28 pm »
It asks almost in 15 minutes, then connects by itself.
14
General Discussion / Re: Openvpn asks for login & password often
« on: February 22, 2024, 02:31:56 pm »
yes, these lines exist in the config file.
15
General Discussion / Openvpn asks for login & password often
« on: February 22, 2024, 11:04:01 am »
Hello. I am using the Opnvpn server in Opnsense. The Opnsense version and Openvpn Windows client are in the latest version. Openvpn works fine, but it asks for login & password often, however the credentials are already saved. Internet connection is stable. Does someone have this problem? Is it related to Opnvpn configuration in Opnsense or something should change in vpn config file? Thanks.