Messages - jmcgon

#1
This is the only place I can find to set to local database + OTP, and it is set.  Unless I am missing something else.

#2
opnsense 23.1.11
I have OpenVPN set up with server mode set to Remote Access (SSL/TLS + User Auth).  According to the instructions I have, this should require users accessing via VPN to enter their user name and then their local password + OTP.  When a person provides these credentials it does work.  However, a person can also access via VPN by just providing user name and password.  OTP is not required, but it will use it.

In the log files I see the following errors, repeatedly.

2024-09-18T03:56:30   Error   openvpn_server1   ipaddress:59919 TLS Error: TLS handshake failed   
2024-09-18T03:56:30   Error   openvpn_server1   ipaddress:59919 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

When I search for the above error I see references to firewalls blocking the establishment of communication, but in my case this error doesn't seem to apply, since the VPN connection is made and functions.  So the TLS handshake error doesn't seem to lend evidence on why the OTP is accepted but not required.

I'm confused...  ???

All suggestions and help appreciated.
#3
I have set up TOTP for the VPN connection and it is working.  I have tested it using the tester function (cool feature) and using a VPN client.  That is all good.  But in my testing I figured out that I can access the VPN using either local account + OTP or just the local account.  This surprised me, since I double checked and see that local + OTP is selected for the OpenVPN connection.  In fact, as I previously stated, the local account works as well.

So back to research, reading forum posts, reading documents, searching other sites. 

Now it seems that on an opnsense device (this install is on a Protectli FW4B) one either has the local account login enabled (by default) or disabled.  It cannot be an AND; it is an OR.

I thought that I could use local account + OTP for VPN and then local only for GUI and management.  Am I wrong? Is it either local account only OR local + OTP (or some other method such as LDAP, AD or RADIUS)?

Can I not set up a group for VPN access and have just that group use the local + OTP? 

Other questions:

Assuming that it is one or the other authentication option,

Then will root need an OTP to use the GUI?  Or any other admin?

SSH is therefore essential if it is OR?  (Why is SSH disabled by default?)

A backup version stored securely is even more essential in case OTP gets corrupted by an update or power surge or the electron devils scrambling a bit or two.

Any suggestions or knowledge or guidance would be appreciated.


#4
Virtual private networks / Re: OTP
September 16, 2022, 02:17:34 AM
I don't know what changed, but I thought that I had tried each setting (w/o reversing and w/ reversing) and couldn't get it to work using the tester function.  Now it just works.  Must have been user (me  :-\) error.

I think the greatest challenge is configuring anything for the first time.  Skills do transfer, but knowledge of the particulars for any OS is the gotcha part.
#5
The new rule that the wizard added, which allowed VPN traffic to flow into the LAN, has the following parameters.

Inbound rule

IPv6+6

any source network

any source port

any Destination network

any Destination port

Gateway default

no schedule

That's it.  Just to clarify, I used the wizard to set up a new instance of OpenVPN, which at the end creates the firewall rule needed for the OpenVPN interface.  But I used the credentials from my first install using the road warrior doc ( https://docs.opnsense.org/manual/how-tos/sslvpn_client.html ).  All I needed was an OpenVPN firewall rule.  Hope this helps someone else.

#6
After researching and reading other posts I decided to add a new VPN instance using the wizard.  For anyone who is a newbie like me: next to the + sign to add a server is a small icon, which I believe is a magic wand.  That launches the wizard.  The key for me was an OpenVPN firewall rule.  I had no rules; the road warrior doc either doesn't mention it or I missed it.  Anyway, the wizard creates a simple OpenVPN firewall rule and that was enough to make the old (first instance) function.  I will post the firewall rule soon, once I VPN into the router.

Now I just need to get the OTP working and I will be an even happier IT person...
#7
Virtual private networks / Re: OTP
September 16, 2022, 01:10:11 AM
Yes, I have tried it both ways.  I have removed the service and added it back with mainly default settings.  I tested with only the local password w/o OTP and it works, then switched the option to the OTP server and added the token at the end; it still fails.  Strange.

Could it be the 22.7.4 update?
#8
opnsense 2.7.4 running on Protectli Vault FW4b.

Followed the Road Warrior doc and have successfully connected using the Viscosity VPN client.  But now I can't seem to figure out how to access LAN resources.  I want to be able to connect to a file server for file access and management, and I want to be able to access the Protectli Vault for management.

I thought that all the IP traffic from the remote client would be directed through the VPN connection, but the reality is different.  Traffic still traverses to the ISP outside the SSL VPN tunnel.  What did I miss?  How do I make the remote client machine only use the VPN when it is connected?

In reality I am only connected to the WAN interface.  In the setup I remember setting the LAN the clients are accessing in the configuration, but I don't see that 192.168.x.x address?

Viscosity shows the client IP as 10.10.x.x as set up for the tunnel and the server IP as the IP of the WAN interface.

In case anyone notices, the OTP issue is still unresolved. :-[



#9
Virtual private networks / OTP
September 14, 2022, 12:44:14 AM
Opnsense 22.7.4: OpenVPN is working if I use the local database.  Once I create the OTP server and set the parameters (name, local + time-based OTP, token length 6, time period 60, grace period 60, and reverse (password then token)) it doesn't work.  I use the tester function in the Access submenu, but it fails on local + OTP.

I am using Google Authenticator. I tried deleting the authenticator account and creating a new QR code, but can't authenticate.  The issue seems to be the OTP, but I can't figure out why.

Any suggestions?
#10
Or should the rule

Nat on igb0 inet from (igb1:network) to any -> (igb0:0) port 1024:65535

work if my igb1 is the 192.168.x.x subnet I need to be NATed to WAN, which is igb0?
#11
I see the 10.10.0.0 to any port. I have a 192.168.x.x. How do I NAT that subnet to the IP of the WAN?
#12
I don't have an internet connection.  That is why I want to check NAT at the interface.  Thank you for the reply.
#13
I need to be sure my WAN interface is performing NAT correctly.  I have not found a way to do this.  I am using the default setup (only automatic rules to NAT).  My WAN is connected to an ISP.  I don't have a true hub to use Wireshark or similar to capture packets on my outbound interface.  Is there a way for my Protectli Vault running opnsense 22.7.2 to accomplish this?  Is there a log file (I couldn't find it) that will show the NAT occurring?
#14
More info:

A computer connected to the LAN via a switch, which is connected to igb1 of the Protectli Vault, can ping igb1 and igb0 (WAN) but not the WAN gateway.

Pinging from the CLI of the opnsense serial connection, I can ping the computer but cannot ping igb0 nor igb1.

#15
Opnsense 22.7.2.  LAN is working. WAN is not. I am waiting for tier 2 of ISP support to call back.  :(

I come from a Cisco background. I cannot ping the ISP gateway I am told my interface is connected to. Tier 1 says all is good.
So I'm thinking it's me and my lack of experience with opnsense.

I can't tell if LAN private IPs are being translated or not. How can I tell that?

Do I need to set up a NAT rule?  Tried, but it didn't work.

Any suggestions would be appreciated.