Messages - WolfpactVI

1
24.7 Production Series / Re: Help with creating server certificate for OpenVPN
« on: August 06, 2024, 07:26:08 pm »
Quote from: bartjsmit on August 06, 2024, 03:14:05 pm
It is the FQDN from the client perspective, i.e. your Cloudflare DDNS name.

Interesting, because I know I have setups still on previous versions of Opnsense where it just says "internal-ca" for the CN and (seems to be) working just fine.  But I'll definitely try putting my domain address in there and see what happens.  Thanks again!
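To make the CN/FQDN point from the reply above concrete, here is an added example (not OPNsense code, not from the thread) of the name check an OpenVPN client's TLS library performs when it verifies the server certificate against the hostname it dialled. It assumes constructed names such as vpn.example.com; the matching rule is the RFC 6125 one (subjectAltName dNSName entries first, Common Name only as a fallback when the certificate carries no SANs, a single `*` only as the whole leftmost label). It shows why a certificate whose only name is "internal-ca" can never match a client that connects to a DDNS hostname, and why a SAN with the right name makes the CN irrelevant.

```python
"""Does a certificate's name cover the hostname a VPN client dials?

Added example: RFC 6125 style hostname matching, not OPNsense's own code.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    common_name: str                                   # subject CN as typed in the CSR form
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _normalise(name: str) -> str:
    """Case-insensitive compare; a trailing dot is not significant."""
    return name.strip().lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or '*' as the entire leftmost label matching exactly one label."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False                     # '*' anywhere but the whole leftmost label is not a wildcard
    suffix = pattern[2:]
    if "*" in suffix or "." not in suffix:
        return False                     # reject a second '*' and '*.com'-style wildcards
    first, sep, rest = hostname.partition(".")
    return bool(first) and sep == "." and rest == suffix


def hostname_is_covered(cert: CertNames, hostname: str) -> bool:
    """SAN entries win when present; the CN is consulted only when there are none."""
    if cert.san_dns:
        return any(name_matches(p, hostname) for p in cert.san_dns)
    return name_matches(cert.common_name, hostname)


def explain(cert: CertNames, hostname: str) -> str:
    """Human-readable verdict, the kind of line a verify log would show."""
    source = "SAN" if cert.san_dns else "CN (no SAN present)"
    verdict = "matches" if hostname_is_covered(cert, hostname) else "does NOT match"
    return f"{hostname}: {verdict} via {source}"


if __name__ == "__main__":
    # Constructed certificates: the 'internal-ca' style CN versus a proper FQDN.
    client_dials = "vpn.example.com"            # constructed DDNS hostname
    for cert in (
        CertNames("internal-ca"),
        CertNames("vpn.example.com"),
        CertNames("internal-ca", ["vpn.example.com"]),
        CertNames("*.example.com"),
    ):
        print(cert, "->", explain(cert, client_dials))
```

The fallback to CN is the behaviour older clients relied on; newer TLS stacks increasingly ignore the CN altogether, so putting the FQDN in a SAN as well is the robust choice.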

2
24.7 Production Series / Re: Help with creating server certificate for OpenVPN
« on: August 06, 2024, 01:45:51 pm »
Quote
The place to choose your newly-created CA is under Key->Issuer. Not sure if this is a change in 24.7 (I don't have anything older to compare to right now), but it's a doc bug (now) anyway....

Thanks for the clarification!  I guess the docs haven't been updated to match the new interface layout yet?

3
24.7 Production Series / Re: Help with creating server certificate for OpenVPN
« on: August 06, 2024, 01:43:58 pm »
Quote from: bartjsmit on August 06, 2024, 07:42:05 am
You don't need to create a cert for the CA, it comes with one. You need to request a cert for your server (i.e. the firewall) and later on for your clients (the VPN users)

- create a CSR with the CN which will match your DNS FQDN
- sign it with OpenVPN_CA
- configure OpenVPN to use it

Bart...

Thanks for the clarification on server (firewall) vs CA.  I was wondering about the FQDN too.  In previous (working) iterations, I noticed that under Common Name it just said "internal-ca" and I saw some places in the interwebs saying to use that.  When you say to use a Common Name that will match my DNS FQDN, do you mean put in "subdomain.mywebsite.com"?  Because the instructions said to use the FQDN of this machine, which as far as I know my firewall doesn't have.

4
24.7 Production Series / Help with creating server certificate for OpenVPN
« on: August 06, 2024, 02:24:34 am »
Hello all,

Wondering if you could help with a little problem I'm having.  It'll probably end up being some stupid oversight on my part, but I'm prepared to be humbled.  I recently upgraded to 24.7, imported all my settings, but my OpenVPN connection no longer worked.  The clients on remote PCs just hung and then timed out.  I'm using DDNS to Cloudflare on one of my subdomains.  That seems to be fine.  I can ping the subdomain and my home IP from my ISP remotely.  Not sure what broke, but thought maybe it had something to do with the certificates.  So I decided to try starting from scratch using the new "instance" version of OpenVPN.

I was following the instructions in the documentation here https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html .  Step 1, create certificate authority.  No problem, created one called OpenVPN_CA.  Step 2, generate a certificate for the CA.  Here's where I'm getting confused.  The second bullet point says "Choose the just created authority in Certificate authority".  However, on the certificate creation window there is no field called "Certificate Authority" from which to select the newly created OpenVPN_CA.  See attached screenshot.  What am I missing here?

Thanks!

5
General Discussion / Re: Trouble with Wifi access points
« on: June 11, 2024, 08:28:17 pm »
Well, I've got a weird update.  Everything works now!  After wondering yet again whether it was really Comcast screwing everything up, I logged into our Comcast Business account and verified one more time that SecurityEdge still showed "not set up".  All good.  But this time, I decided to go a step further and clicked on Set Up, did the first setup step, but then went back without finishing.  Now on the Internet settings page, lo and behold, SecurityEdge was now turned on, with a message that setup was not finished.  So I clicked the toggle and turned it off.  And DHCP DNS worked!  Whether from a phone connected to Wifi or a desktop PC using DHCP connected via ethernet.  And Opnsense system updates work too!  Near as I can figure, SecurityEdge was actually turned on, even though it said it was not, and was never set up.  From many other posts, it seems SecurityEdge causes all sorts of grief when trying to run one's own firewall.  Who would have thought that when it showed as off it was actually on. 

So sorry to waste your time with all of that.  I do appreciate you sticking with me.  I did learn a LOT about my firewall.  Fingers crossed that this is the end of this particular issue!

P.S. - I discovered one thing left still checked from all of my monkeying with this.  On Services: Unbound DNS: DNS over TLS (which I was looking into in case I could not get around Comcast...but SecurityEdge was "off".... ::) ), the box Use System Nameservers was checked, and there was a little warning underneath saying there were no system nameservers configured (which was true).  So I unchecked that.  But in testing, it seems to make no difference whether it was checked or not.

6
General Discussion / Re: Trouble with Wifi access points
« on: June 10, 2024, 11:57:50 pm »
Heh, I did read through that article.  I just went through it again with a fine-tooth comb.  Nothing stood out to me with regard to anything checked or unchecked, set or unset, that might be causing this.

Yes, any client with an external DNS address directly configured works fine.  It's when clients try and use the LAN IP as the DNS that issues come up.  Also, system queries are failing (at least, when using the "Check For Updates" as a test - with DNS address erased from everywhere, no update server can be found - when 1.1.1.1 entered under System:Settings:General, the update server can be reached again).

I'll upload screenshots of everything tomorrow.

7
General Discussion / Re: Trouble with Wifi access points
« on: June 10, 2024, 09:21:41 pm »
Sorry for the delay.  Busy weekend.

resolv.conf has only the following in it:

domain localdomain
nameserver 127.0.0.1
search localdomain

Packet capture had the following pair for google.com from igb0 (LAN) when the PC is switched to DHCP (and identical responses for any other website attempted to visit).  .2 = Opnsense LAN, .175 = desktop PC:

492   7.344390   192.168.10.175   192.168.10.2   DNS   74   Standard query 0xc9a5 A www.google.com
494   7.345286   192.168.10.2   192.168.10.175   DNS   74   Standard query response 0xc9a5 Server failure A www.google.com

On the WAN side (em0) packet capture, there are no DNS entries from any local device, just a bunch of DNS entries back and forth between the WAN address and outside DNS like Cloudflare (1.1.1.1) or Comcast (75.75.5.75).   Which is to be expected, I guess.  Any device on the network with a static LAN IP is set to use our server as DNS first (which is then set to use Cloudflare) or Cloudflare second if the server's down.  Weird aside, the server is supposed to be using 1.1.1.1 for DNS too, but the timestamps indicate it seems to be the only device querying 75.75.75.75.  Not sure why, I can't seem to find any evidence of 75.75.75.75 in any settings on the server.  But I did inherit this setup, so I'm sure there are oddities left over from the previous setter-upper.

Also, there were no entries on the WAN side in the packet capture at the 7.34 second mark to match the entries on the LAN side above.

It's like once on DHCP, a device's DNS queries are getting as far as Unbound on the Opnsense box and then just getting blocked or disappearing.  Thanks again for sticking with me on this.  I hardly ever post in forums any more because 99.9% of my issues have already been posted about and solved.  But this one really has me stumped.
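The diagnosis in this post, a SERVFAIL answered from the LAN side with no matching upstream query on the WAN side, can be automated over capture summaries in the format pasted above. The following is an added example (not code from the thread or from OPNsense): it parses Wireshark-style DNS summary lines, pairs each LAN query with its response by transaction ID, names the response code, and reports whether the resolver ever forwarded the question upstream while the query was outstanding. The capture lines, the WAN address 203.0.113.5 and the names other than www.google.com are constructed for the example.

```python
"""Correlate LAN-side DNS queries with WAN-side upstream queries.

Added example over Wireshark-style summary lines; constructed sample data.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query(?P<resp> response)?\s+(?P<txid>0x[0-9a-fA-F]+)\s+(?P<info>.*)$"
)
# Wireshark prints the rcode as words before the question on failed responses.
RCODE_WORDS = {"Server failure": "SERVFAIL", "No such name": "NXDOMAIN", "Refused": "REFUSED"}


@dataclass
class DnsPkt:
    time: float
    src: str
    dst: str
    is_response: bool
    txid: str
    rcode: str      # NOERROR for queries and for successful responses
    qname: str


def parse_line(line: str):
    """Return a DnsPkt for a DNS summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    info, rcode = m.group("info"), "NOERROR"
    if m.group("resp"):
        for words, code in RCODE_WORDS.items():
            if info.startswith(words):
                rcode, info = code, info[len(words):].strip()
                break
    parts = info.split()                 # "A www.google.com [A 1.2.3.4 ...]"
    qname = parts[1] if len(parts) >= 2 else ""
    return DnsPkt(float(m.group("t")), m.group("src"), m.group("dst"),
                  bool(m.group("resp")), m.group("txid").lower(), rcode,
                  qname.rstrip(".").lower())


def analyze(lan_lines, wan_lines, slack: float = 1.0):
    """For every LAN query: its response code and whether the WAN side saw
    a query for the same name while it was outstanding (plus `slack` seconds)."""
    lan = [p for p in map(parse_line, lan_lines) if p]
    wan = [p for p in map(parse_line, wan_lines) if p]
    findings = []
    for q in lan:
        if q.is_response:
            continue
        resp = next((r for r in lan if r.is_response and r.txid == q.txid
                     and r.src == q.dst and r.dst == q.src and r.time >= q.time), None)
        end = (resp.time if resp else q.time) + slack
        forwarded = any(not w.is_response and w.qname == q.qname
                        and q.time <= w.time <= end for w in wan)
        findings.append({"txid": q.txid, "client": q.src, "qname": q.qname,
                         "rcode": resp.rcode if resp else "NO-RESPONSE",
                         "forwarded_upstream": forwarded})
    return findings


# Constructed captures: the first LAN pair mirrors the post, the second shows a
# healthy lookup whose upstream query is visible on the WAN interface.
LAN_CAPTURE = [
    "492   7.344390   192.168.10.175   192.168.10.2   DNS   74   Standard query 0xc9a5 A www.google.com",
    "494   7.345286   192.168.10.2   192.168.10.175   DNS   74   Standard query response 0xc9a5 Server failure A www.google.com",
    "610   12.000000   192.168.10.175   192.168.10.2   DNS   74   Standard query 0x1b2c A www.example.org",
    "615   12.021000   192.168.10.2   192.168.10.175   DNS   90   Standard query response 0x1b2c A www.example.org A 203.0.113.80",
]
WAN_CAPTURE = [
    "301   4.100000   203.0.113.5   1.1.1.1   DNS   70   Standard query 0x7a10 A pkg.example.org",
    "302   4.120000   1.1.1.1   203.0.113.5   DNS   86   Standard query response 0x7a10 A pkg.example.org A 203.0.113.90",
    "611   12.001000   203.0.113.5   1.1.1.1   DNS   74   Standard query 0x3f44 A www.example.org",
    "614   12.020000   1.1.1.1   203.0.113.5   DNS   90   Standard query response 0x3f44 A www.example.org A 203.0.113.80",
]


def diagnose():
    return analyze(LAN_CAPTURE, WAN_CAPTURE)


if __name__ == "__main__":
    for f in diagnose():
        verdict = "resolver failed locally" if f["rcode"] != "NOERROR" and not f["forwarded_upstream"] else "ok"
        print(f, "->", verdict)
```

A SERVFAIL with `forwarded_upstream` false points at the resolver itself (configuration, DNSSEC validation, or a blocked outbound path) rather than at the upstream server, which is exactly the distinction the two captures in this post draw.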

8
General Discussion / Re: Trouble with Wifi access points
« on: June 07, 2024, 06:36:53 pm »
Logging was already on.  When switching the test PC to DHCP, a green log "allow access to the DHCP server" showed up, along with the "anti lockout rule" allowing access to the WebUI.  That was it.  A bunch of 127.0.0.1 entries from and to different ports (including port 53 of unbound) when attempting to check for updates.  I thought maybe it would show 127.0.0.1 trying to reach the WAN or the update server address when checking for updates, but it's always 127.0.0.1:port to 127.0.0.1:some other port.  Don't know if that matters any.  Would it be worth picking some other port for Unbound just to try?

If you have a link for a packet capture tutorial, or feel like explaining it yourself, I'd be grateful.

9
General Discussion / Re: Trouble with Wifi access points
« on: June 07, 2024, 05:31:24 pm »
OK, I will turn on logging of default rules.  Is there a specific one I should be looking at?

I have a laptop with Mint installed on it that I could use for packet capture.

Thanks for hanging in with me through this!  I really appreciate it.

10
General Discussion / Re: Trouble with Wifi access points
« on: June 06, 2024, 03:11:39 pm »
@cookiemonster, amazing guess on the network setup without my having explicitly laid it out for you.  <smacks face>  Yes, that is exactly correct.  I have verified multiple times that no AP is doing DHCP.

As a further test, on my own desktop PC (plugged into the switch) I changed it entirely over to DHCP.  As soon as I do that, no internet access.  It correctly chooses the Opnsense box for both gateway and DNS.  If I manually change just the DNS on the desktop PC to 1.1.1.1 or 8.8.8.8, immediately it has internet access again.

11
General Discussion / Re: Trouble with Wifi access points
« on: June 05, 2024, 09:25:27 pm »
Second screenshot.

12
General Discussion / Re: Trouble with Wifi access points
« on: June 05, 2024, 09:25:03 pm »
Here are two screenshots.  You can see the PC (.175) trying to reach YouTube and Google, and Opnsense itself trying to reach the update servers.

13
General Discussion / Re: Trouble with Wifi access points
« on: June 05, 2024, 05:51:07 pm »
Under System: Settings: General:  all DNS entries are blank, all "Use Gateway" dropdown menus are set to none.  Under "DNS server options", everything is unchecked.

Under Services: ISC DHCPv4: [LAN], "Enable DHCP server on the LAN interface" is checked, and the Range is set from .125 to .200.  Otherwise everything is blank or unchecked including DNS.

Under Services: Unbound DNS: General:  Enable Unbound is checked, port is left at default of 53, three boxes are checked (which were not initially, but I added a few days ago to try and solve the DHCP DNS issue):   Enable DNSSEC Support, Register ISC DHCP4 Leases, Register ISC DHCP Static Mappings.

After the current config listed above, I did reboot the box, which did not seem to change anything.

For lack of knowing a better way, I did try scanning my network with AngryIP the other day just to see if something else was using port 53, but nothing showed using it at all.

I will try restarting Unbound service and enabling the logging you suggested.

I did notice under Services: Unbound DNS: Advanced that "Aggressive NSEC" was checked, though I did not check that, so I don't know if that is a default setting.

14
General Discussion / Re: Trouble with Wifi access points
« on: June 04, 2024, 09:28:55 pm »
@cookiemonster, thanks for the suggestions.  When I had read through this article, https://homenetworkguy.com/how-to/confused-about-dns-configuration-in-opnsense/, what I thought it was saying, along with some other posts in this forum, was that even if DNS IPs were put in those two locations, it didn't matter because Unbound would ignore them.  Seems I had it exactly backwards.

So a couple of things.  When I switched a PC over to "obtain everything automatically", I did see the "allow access to DHCP server" in the log live view.  Unbound's log did not show anything related to that PC, and no errors or warnings, just Informational and Notice items.  Closest I could find was an occasional "daemonize unbound dhcpd watcher".  However, under Reporting:Unbound DNS:Reporting tab, everything is red with a return code of SERVFAIL and a resolve time of 0ms.  Bunch of entries there from the PC trying to reach different websites, and a bunch of stuff from Opnsense itself trying to check for updates (which incidentally no longer works after I removed all of the DNS IPs).

What should I try next?  Also, do you need screenshots of anything?

15
General Discussion / Re: Trouble with Wifi access points
« on: June 03, 2024, 09:07:20 pm »
Well, I've narrowed down the problem.  When I switch one of the PCs to use DHCP, it immediately loses internet.  If I manually put in Google's DNS or Cloudflare's DNS in the ethernet adapter settings, it gets internet again.  Seems everything going through Opnsense's DHCP is not getting DNS.  Everything on the Opnsense box is still default.  Unbound DNS is on.  In testing things, it seems to make no difference whether I put in 1.1.1.1 under the LAN DHCP settings or not, or under System:Settings:General or not.  I'm not super familiar with Unbound.  Is there somewhere I should be putting in a DNS like 1.1.1.1 in Unbound's settings, or does Unbound use its own DNS IP address?  Or maybe Unbound is trying to use a DNS from upstream on Comcast's box, which is now turned off?  What is a good method to test if Unbound is working OK?
