OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of mcdeltat »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - mcdeltat

Pages: [1]
1
Virtual private networks / Re: Certificate Expiration Notification
« on: October 03, 2023, 06:30:51 pm »
Posting to put another name behind the request.

I run OpnSense for personal use at home to learn networking. I've been running it for about 3 years now. The lack of notifications has bitten me in the butt multiple times, every single year. I've been meaning to request it, literally every single year.

I just spent 5+ hours troubleshooting my OpenVPN setup. I knew the client (user) certificate was expired so I generated a new one. I was reading logs, troubleshooting my DDNS, all kinds of things. Then I decided just to nuke and go again. Then I realized my CA only has a 2-year expiration, so generating new client certificates was never going to work. This already happened to me twice because the default for CAs is 1 year, if I'm not mistaken. So I caught it in the first year, and now in year three. I'll be setting up notifications, monitoring, or something with Ansible.

There are so many ways the user story can be made better here. For example:
1. Use CSS to color expired certificates or CAs to draw the user to that section.
2. When generating client certificates using a self-signed CA, throw an error when the CA is expired.
3. Improve logging to say that it's expired and not just generic "TLS Peer Certificate Validation Failed" or things like that.

These would at least cut down on my 5 hour troubleshooting session and make this less painful when people do forget.

2
General Discussion / Re: PXE Boot Raspberry Pi
« on: April 27, 2022, 05:30:49 am »
Quote from: cookiemonster on April 26, 2022, 11:04:20 pm
I had to overcome this when I setup my tutorial, albeit it is not for uefi. I had to packet capture to figure it out, hopefully you won't have to and can use my note at the bottom of the tutorial.
https://forum.opnsense.org/index.php?topic=25003.0

Thanks for that. Your tutorial is one of the many tabs I had open to troubleshoot this ha. I concluded the same thing as you.
1) It seems that the RPi may not be cable of UEFI.
2) It is expecting very specific file names.

I think my next step is to try with their Raspberry Pi OS (Debian) and see if that works. Then I might go back to Ubuntu. It's for a Kubernetes cluster, so I find it very important to be able to blow these up and reinstall whenever I mess things up with my Ansible code.

3
General Discussion / PXE Boot Raspberry Pi
« on: April 25, 2022, 06:42:09 am »
I've been working through PXE booting a Raspberry Pi 4 on my network for quite a few hours now and not sure what I'm missing. Hoping to make a video tutorial at the end of all this to avoid the forums getting hit with this constantly.

Boring Details:
OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022
Intel® Core™ i5-7200U CPU @ 2.50GHz (2 cores, 4 threads) (Qotom Box)

I'm mostly following this official guide from Ubuntu https://ubuntu.com/server/docs/install/netboot-arm64

I've installed the os-tftpd package on opnSense. I downloaded the latest live server image (Jammy 22.04) from here: https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04-live-server-arm64.iso

From there I copied over the following files to my tftp server in /usr/local/tftp:
1. casper/initrd
2. casper/vmlinuz
3. grub/grub.cfg
4. grubnetaa64.efi.signed

The contents of my grub/grub.cfg file are:
Code: [Select]
set timeout=30

loadfont unicode

set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

menuentry "Install Ubuntu Server (Jammy 22.04) (Pull ISO from Web)" {
        set gfxpayload=keep
        linux /casper/vmlinuz url=https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04-live-server-arm64.iso only-ubiquity ip=dhcp ---
        initrd  /casper/initrd
}

menuentry "Try or Install Ubuntu Server" {
        set gfxpayload=keep
        linux   /casper/vmlinuz quiet ---
        initrd  /casper/initrd
}
menuentry 'Boot from next volume' {
        exit 1
}
menuentry 'UEFI Firmware Settings' {
        fwsetup
}
To test things out, I went to another machine that is on the same LAN as the target machine. I ran 'tftp 192.168.x.x' and then 'get grub/grub.cfg' to which I get 'Received 608 bytes in 0.0 seconds'. Trying the same get command on a file that doesn't exist yields "Error code 1: File not found". Perfect.

So then I jumped into the GUI and made what I expect to be the final changes, but then nothing happens. Under Services -> DHCPv4 -> LAN I have the following settings:
1. TFTP server -> Set TFTP hostname: 192.168.x.x (same as the one tested above)
2. TFTP Server -> Set Bootfile: /usr/local/tftp/grub/grub.cfg
3. Network Booting -> Enable Network Booting: Checked
4. Network Booting -> Set ARM UEFI (64-bit) filename: grub/grub.cfg
5. Network Booting -> Set root-path string: /usr/local/tftp/grub/grub.cfg


The RPi then proceeds to just cycle through the boot process. Tries the SD card, gets an IP from DHCP, gets the correct TFTP Server IP, but then states "TFTP 1: File not found."

So what am I missing? Is it because the RPi can't boot UEFI? Unsure of where to go from here since my machine on the LAN finds it just fine.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2