Messages - J-Psy

#1
Hi AdSchellevis,

Thank you for your feedback. Sorry, but I'm not sure I fully understand your solution. I did indeed configure "Automatic user creation" and "Synchronize groups".

From my understanding, it seems that for the "synchronize groups" option to work, you need to create a local group matching the CN of the AD group. So I did this, and I also added these local VPN groups to the user OTP Seed field in the System -> Settings -> Configuration menu, as you mentioned.

But I don't know where to go from here... How can I generate the OTP seed for the users? I tried entering a manual key in the Google Authenticator app (instead of the QR code), but the connection is not working.

Also, I never managed to create a connection without user certificates (I wrote another post about this), so I'm not sure if this is the same issue or something wrong with the LDAP+TOTP configuration.
The one thing I find strange is that my local groups don't seem to be populated (the member count is still 0). If they were synchronized, I would think the member count would grow, so I'm afraid I did not configure it correctly.
#2
Hi,

Thanks for your reply. Yes, that's exactly it, and it behaves just like in the link you provided.

The trick mentioned in it won't do it for me, though.

The trick I found so far is to first import the users from the first access server, then unselect it in the administration settings' authentication servers so that only the second one is left, launch the import again to import the other users, and then go back to the administration settings to enable both again.

But it's a bit laborious.
#3
Hello,

I'm trying to configure the following: I want to allow users from an Active Directory to connect to the network with SSL VPN. These users should use MFA with username/password and TOTP. I also want to match these users with some AD security group so that their network access is restricted to what is defined for the group they belong to (i.e. one access for admins, allowing all networks, one access for the users only allowing SMB to the filer... that kind of stuff).

So far, I did the following:
- Added two access servers, type LDAP + TOTP, with "Extended Query": &(memberOf=DN_of_the_AD_group_used_as_filter), and the read properties and synchronize groups options checked

- Created 2 OpenVPN servers, each one using one of the 2 access servers as backend, and each one with a different IPv4 Tunnel Network. This way I can have the users connect from different subnets according to their group membership and define firewall rules adapted to their profile.

- To generate the OTP seed for the users, I need to import them on the firewall. To manage that, I went to the System -> Settings -> Administration menu and added my two authentication servers in the server list. Once I did that, the little cloud icon appeared in the Users menu to import the LDAP users. The issue is that it only retrieves the users from the first LDAP server defined in the Settings/Administration menu. This means that if I remove the first server from the list, the import shows me the users from the second server. But if I have both, it only shows the users from the first server. When I import them it works, but how can I get both servers' users imported?

Is there any reason explaining this behaviour? Maybe there is a better way to do what I want to configure. I'm new to OPNsense, so I might not be using the right methods.

Thank you for your help !
#4
Hello,

I'm struggling with the OpenVPN road warrior configuration. I've been following this how-to: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

I want to make it work using LDAP accounts with TOTP but no client certificates.

The LDAP users have been imported fine and I configured the OTP seed on them. When I add client certificates as described in the how-to, it works fine. I can connect to the OpenVPN server, and traffic is working as expected.
But as I don't want to use client certificates, I don't create them, and in this case it does not work. Obviously I updated the OpenVPN client with an updated export so that it embeds the right settings.

I tried adding the client-cert-not-required option but still have the same problem.

On the OPNSense FW I have the following logs :

2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS Error: TLS handshake failed   
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS Error: TLS object -> incoming plaintext read error   
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS_ERROR: BIO read tls_read_plaintext error   
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

And on the client side :

[Apr 27, 2022, 14:16:25] Frame=512/2048/512 mssfix-ctrl=1250
[Apr 27, 2022, 14:16:25] UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
6 [resolv-retry] [infinite]
8 [lport]

[Apr 27, 2022, 14:16:25] EVENT: RESOLVE
[Apr 27, 2022, 14:16:25] Contacting REMOTEIP:1194 via UDP
[Apr 27, 2022, 14:16:25] EVENT: WAIT
[Apr 27, 2022, 14:16:25] WinCommandAgent: transmitting bypass route to REMOTEIP
{
   "host" : "REMOTEIP",
   "ipv6" : false
}

[Apr 27, 2022, 14:16:25] Connecting to [REMOTEIP]:1194 (REMOTEIP) via UDPv4
[Apr 27, 2022, 14:16:25] EVENT: CONNECTING
[Apr 27, 2022, 14:16:25] Tunnel Options:V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
[Apr 27, 2022, 14:16:25] Creds: Username/Password
[Apr 27, 2022, 14:16:25] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_LZ4v2=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Apr 27, 2022, 14:17:05] Session invalidated: KEEPALIVE_TIMEOUT
[Apr 27, 2022, 14:17:05] Client terminated, restarting in 2000 ms...

If anyone has an idea about this... Thank you for your help!
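The server log in the post above ("peer did not return a certificate") is OpenSSL's message for a TLS handshake in which the server demanded a client certificate and the client sent none. For reference, here is an added example of the two hand-written OpenVPN configuration fragments that express "username/password only, no client certificate" in plain OpenVPN 2.4+ syntax. It is not taken from the thread or from OPNsense (which generates its own configuration from the GUI); all paths, addresses and the authentication script are placeholders, and the cipher, auth and tls-auth settings simply mirror the tunnel options visible in the client log.

```conf
# Added example; not configuration from the forum post or from OPNsense.
# Paths, addresses and the auth script are placeholders.

### Server side ###
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca /path/to/ca.crt
cert /path/to/server.crt      # the server still presents its own certificate
key /path/to/server.key
dh /path/to/dh.pem
tls-auth /path/to/ta.key 0    # client uses key direction 1 (matches "keydir 1" in the log)
cipher AES-256-CBC
auth SHA512

# Do not request a certificate from the client. In OpenVPN 2.4 this
# directive replaced the older "client-cert-not-required", which is
# deprecated there; releases that have dropped the old spelling reject it.
verify-client-cert none

# With no client certificate there is no CN to key on; use the login
# name instead for client-config-dir lookups and log lines.
username-as-common-name

# Username + password (the TOTP code is part of the password the user
# types) are checked by a deployment-specific script or plugin.
# via-env plus script-security 3 passes the password to it in the environment.
auth-user-pass-verify /path/to/auth.sh via-env
script-security 3

### Client side (exported profile) ###
# client
# dev tun
# proto udp
# remote REMOTEIP 1194
# ca ca.crt
# tls-auth ta.key 1
# cipher AES-256-CBC
# auth SHA512
# auth-user-pass          # prompt for username/password; no "cert"/"key" lines
```

A quick check on a running server is the generated configuration file: if `verify-client-cert none` (or the older `client-cert-not-required`) is absent from it, the server will ask every client for a certificate regardless of what the exported client profile contains, and a client without one will fail the handshake exactly as logged above.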