Messages - bob4os

1
23.7 Legacy Series / Re: OpenVPN Server migration from Server to Instances section
« on: August 04, 2023, 03:45:03 pm »
There is a patch for "auth" available now:
Quote
opnsense-patch 01ba189

The value in the configuration file was not mapped.

2
23.7 Legacy Series / Re: OpenVPN Server migration from Server to Instances section
« on: August 04, 2023, 03:12:18 pm »
Ok, I didn't know about "cipher" being deprecated.
The option "compress" is also deprecated (https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--compressStatus:Pendingremoval).

I created a GitHub issue https://github.com/opnsense/core/issues/6708.

As always, Franco is blazingly fast in responding  :)

3
23.7 Legacy Series / Re: OpenVPN Server migration from Server to Instances section
« on: August 04, 2023, 01:56:57 pm »
Ok, I think I found the reason why it was not connecting anymore.

I exported the client configuration file and it was missing the "auth SHA512" parameter in my case.
I added it again manually and the connection is up and running again.

I got errors in my logfiles like this:
Quote
TLS Error: cannot locate HMAC in incoming packet from ...

But the "tls-auth" static key was appended to the configuration file, so I started comparing again and the "cipher" and "auth" parameters were missing.
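
Added example, not part of the original post and not OPNsense code: a small check that compares an exported client configuration against the server's settings, catching the missing "auth" line described above and flagging the options the thread calls deprecated. The sample configuration, host name and the `SERVER_SETTINGS` values are constructed assumptions.

```python
import re

# Options this thread describes as deprecated.
DEPRECATED = {"cipher", "compress"}

def parse_openvpn_config(text):
    """Return {directive: args}; inline <tag>...</tag> blocks map to '<inline>'."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # skip key/cert material inside a block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            directives[inline] = "<inline>"
            continue
        name, _, args = line.partition(" ")
        directives[name] = args.strip()
    return directives

def audit_client(text, expected):
    """expected maps directive -> required value (None = must merely be present)."""
    cfg, findings = parse_openvpn_config(text), []
    for name, want in expected.items():
        have = cfg.get(name)
        if have is None:
            findings.append(f"missing: {name} {want or ''}".strip())
        elif want is not None and have.upper() != want.upper():
            findings.append(f"mismatch: {name} is {have}, server uses {want}")
    findings += [f"deprecated: {n}" for n in sorted(DEPRECATED & cfg.keys())]
    return findings

# Constructed sample export: tls-auth key block present, "auth" line absent.
SAMPLE_CLIENT = """client
dev tun
remote vpn.example.test 1194
compress lz4
<tls-auth>
(constructed placeholder, not key material)
</tls-auth>
"""
# Assumed server side: tls-auth computes its packet HMAC with the --auth digest.
SERVER_SETTINGS = {"auth": "SHA512", "tls-auth": None}

if __name__ == "__main__":
    print("\n".join(audit_client(SAMPLE_CLIENT, SERVER_SETTINGS)))
```

With tls-auth in use, a client that falls back to its default digest computes a different HMAC than a server set to SHA512, which is consistent with the log line quoted in the post.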

4
23.7 Legacy Series / Re: OpenVPN Server migration from Server to Instances section
« on: August 04, 2023, 01:35:20 pm »
I found no migration tool and the release notes indicate this as well.

I just copy pasted my single server configuration into the new form and it was working with my existing client configuration.

Now it does not anymore and I don't know why yet.

The static key has to be inserted into the new tab "Static Keys" in Instances.
The certificates are available as before, they just need to be selected.
Most options are available and some differ slightly in their new name.
I think "IPv4 Tunnel Network" is called "Server (IPv4)" now.
The "Topology" setting became a dropdown, where previously "net30" was default I think, now "subnet" is the default.
Some options like "Duplicate Connections" got merged into the Options multi-select field close to the end and correspond to the parameter name.

Curiously the "Certificate Depth" setting does not keep its value for me and always reverts to "Do Not Check", as well as "Enforce local group".


5
22.1 Legacy Series / Re: Checksum issues with VirtIO in QEMU/KVM environment and OPNsense 22.1
« on: January 31, 2022, 12:36:10 pm »
Quote from: franco on January 31, 2022, 10:20:41 am
Please assign vtnet0, enable and leave the rest as is. Done. :)


Cheers,
Franco

Thanks for replying - and helping

Ok, looking good now - I forgot to enable the interface.
(Those who can read are at a clear advantage.)

The interface options rxcsum and txcsum are disabled by default now (after rebooting).

I guess that's what the release notes meant with interface media settings...

6
22.1 Legacy Series / Checksum issues with VirtIO in QEMU/KVM environment and OPNsense 22.1
« on: January 30, 2022, 06:12:37 pm »
I'm running OPNsense 22.1 in a QEMU/KVM environment - pc-i440fx-3.0 architecture and have some major networking issues since updating yesterday (and once again I forgot to take a snapshot before updating).
(Ryzen 2600, 128 Gb RAM, B450 Chipset, Mellanox ConnectX-2)

All interfaces are VLAN on vtnet0.

Disabling rxcsum, rxcsum6, txcsum and txcsum6 got at least communication between VLAN up again.
Code:
ifconfig vtnet0 -rxcsum -rxcsum6 -txcsum -txcsum6
Until rebooting - is there a permanent solution to this?

Before only ICMP (ping) and UDP passed through my firewall rules.
TCP packages failed due to checksum errors (don't remember which log), connections were visible in the firewall "Live View", but nothing went through.

I think this is related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=165059 .
Have there been any changes in handling VirtIO adapters?

I have no additional "Tunables" set other than default (I reset them), "Disable hardware checksum offload",  "Disable hardware TCP segmentation offload" and "Disable hardware large receive offload" are checked, "Enable VLAN Hardware Filtering" enabled.

Right now the OpenVPN connection is pretty much unusable and I'm not on location, general performance is abysmal.

Any advice?
