Messages

1

24.7 Production Series / Re: IPSec issues since 24.7.4_1

« on: September 21, 2024, 05:22:13 am »

Update: If I create my connection on the mac (without a profile) it connects. It sends exactly the same proposals as with the profile, so I don't understand why it works. Something appears to have changed in OPNsense's IPSec implementation that doesn't play nice with profiles. Even creating a standard profile with the same values as the connection created in the macOS UI fails to connect.

I want to use the profile because I specify options that are not available in the UI.

Again, any help would be appreciated. And I'm not expecting a "just do this, bro" or "tick this box" response. I guess I'm asking if anything has changed with IPSec in OPNsense since 24.7.4_1. Nothing changed on my end apart from the update.

Cheers

2

24.7 Production Series / IPSec issues since 24.7.4_1

« on: September 21, 2024, 05:05:52 am »

UPDATE: Saved and restored a config (i.e. the exact same settings the box was running prior to restoring) and now it works... Dunno what to say... Maybe something silently went wrong with the update and restoring the config fixed it? I guess there are some things Man is just not meant to know...

Hello,

I'm having issues with IPSec and macOS since the update to 24.7.4_1. Prior to the update, everything was working fine. Now, I can no longer connect from macOS. macOS is running the same version as before the 24.7.4_1 update.

I use a configuration profile (.mobileconfig) to setup my IKEv2 connection on macOS. And I'm aware there's a bug in macOS Sonoma, where it ignores the values you set in the profile for proposals and rekey time. Regardless what you configure in the profile, macOS will send the following proposals to the server:

2024-09-20T22:40:56-04:00   Informational   charon   11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

So I made sure the server supported at least one of those:

11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256

Prior to 24.7.4_1, the profile and connection worked just fine. Since 24.7.4_1, I can no longer connect. I've attached a picture of the logs. Happy to provide more logs if needed.



I also have a pfSense box that runs the same services and has IPSec setup with the same values and it connects just fine. But I don't want to go back to pfSense - I'm an OPNsense guy now :-)

Anybody else running into issues like this? Anyone have any ideas? Was IPSec changed in 24.7.4_1?

Any help would be appreciated. Thanks.

3

23.7 Legacy Series / New IPsec Connections setup for eap-tls

« on: November 29, 2023, 12:19:30 am »

Hello,

Has anyone managed to configure an IPsec tunnel using eap-tls in the new "Connections" tab? There is no tutorial for this setup in the docs, only a legacy example using the old UI. I've tried adapting the tutorial for eap-mschapv2 that exists for the Connections tab to use eap-tls but it fails to connect, always.

I'm wondering if it's supported at this time.

Thanks.

4

23.1 Legacy Series / ddclient with NameCheap is broken

« on: May 27, 2023, 12:41:31 am »

Hello,

I hate to add to the ddclient woes, but... While it used to work with NameCheap, it does not anymore. ddclient is setup correctly and runs. But it always fetches the VPN IP address even though the selected interface is WAN. This happens using Interface as the method.

Anyone else experience this? Any workarounds? NameCheap isn't available when selecting the OPNsense backend and using 'custom' doesn't work because you can't select NameCheap as a protocol...

Cheers

5

22.1 Legacy Series / Re: os-ddclient

« on: May 10, 2023, 05:19:39 am »

Hey, just something that might be helpful for those who use a dynamic dns service that isn't supported/working properly with ddclient.

I use namecheap, which is only supported using 'ddclient' as the backend. But I have a particular setup in which my "default" gateway is a gateway group comprised of three wireguard gateways. Using 'Interface' as the IP check method and selecting WAN, ddclient always detects my wireguard IP, despite WAN being selected as the interface. It would probably work just fine with a more "vanilla" setup.

Anyway, what I ended up doing and which may be helpful to others, is using dns-o-matic. It's more of a "meta" dynamic dns service in that it can update your IP at your dynamic dns service without you having to switch your dynamic dns provider. I created an account with dns-o-matic. And using dns-o-matic (and configuring ddclient to use dns-o-matic rather than namecheap) detects the correct IP and everything works properly and my IP is updated in my namecheap dashboard. It's not the ideal solution but it works.

Maybe everyone already knows this and I just stated the obvious. But I didn't know and it helped me out.

Cheers

6

23.1 Legacy Series / Re: Uber Slow OpenVPN

« on: April 04, 2023, 09:16:51 am »

I doubt there's anything to glean from my server configuration. So it's more about asking if anyone else has ever encountered this with OpenVPN and what they did to resolve it.

Thanks

7

23.1 Legacy Series / Uber Slow OpenVPN

« on: April 04, 2023, 06:25:29 am »

Hi,

I recently transitioned from pfSense to OPNsense and everything works extremely well - except for OpenVPN. While it does work, it's exteremely slow.

I have WireGuard and IPsec (IKEv2) tunnels running on the same box and both WG and IPsec are blazing fast. I understand that OpenVPN is single-threaded and generally slower than the other two protocols. But I believe I should be getting roughly 300 - 400 Mbps with this box. I'm barely getting 80Mbps. With WG and IPsec, I'm getting close to 900Mbps.

My OpenVPN server has pretty much a "vanilla" configuration. Essentially the same settings in pfSense get me 400Mbps, so I'm inclined to believe I should be getting roughly the same speed woth OPNsense.

I've attached a screenshot of my server config. If anyone has any ideas as to what might be bogging OpenVPN down, I'd appreciate it. If any more info is need, I'm happy to provide it.

I'm running OPNsense 23.1.5_4 on a Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz (4 cores, 4 threads).

Cheers.

8

23.1 Legacy Series / Re: Cron jobs not running on schedule

« on: March 20, 2023, 05:22:07 pm »

Thanks for looking into this @meyergru.

Turns out you're correct. Looking in System > Log Files > Backend and filtering with the term "alias", shows the job being run every minute, as it should.

I was just looking at the wrong logs. Non-issue.

Thanks again.

Cheers

9

23.1 Legacy Series / Re: Cron jobs not running on schedule

« on: March 20, 2023, 12:31:00 am »

Firewall > Log Files > General

The job runs every 6 minutes on the dot.

10

23.1 Legacy Series / Re: Cron jobs not running on schedule

« on: March 20, 2023, 12:13:36 am »

Thanks wbk, and meyergru for your responses.

@meyergru I didn't have Monit configured, so I have no email settings on my box.

Also checked in /var/cron/tabs/nobody. Cron job is listed correctly.

Has cron always acted this way in OPNsense? Feels like a bug...

11

23.1 Legacy Series / Re: Cron jobs not running on schedule

« on: March 19, 2023, 11:18:55 pm »

Hi wbk,

Thanks for the reply.

Here's the screenshot. The thing is, I understand how cron works. And my cron job should be running every minute but it runs every 6 minutes instead - that's what I don't get.

Any ideas as to why it runs every 6 minutes instead every minute?

12

23.1 Legacy Series / Re: Unbound Query Forwarding Making Me Crazy [RESOLVED]

« on: March 19, 2023, 09:27:49 pm »

This is resolved. Needed to fiddle with my gateway settings.

13

23.1 Legacy Series / Cron jobs not running on schedule

« on: March 19, 2023, 09:25:22 pm »

Hi there,

I'm trying to set up a cron job that will run every minute. In the minutes field, I've tried */1, *, and listing out all the minutes in a comma-seperated list. It simply will not run every minute. Instead, it runs at 6 minutes intervals, like clockwork.

Any idea what I'm doing wrong?

Thanks

14

23.1 Legacy Series / Unbound regex blocking

« on: March 18, 2023, 09:00:38 am »

I don't think it can be done as it stands right now. Anyone know if it's on the radar?

15

23.1 Legacy Series / Unbound Query Forwarding Making Me Crazy [RESOLVED]

« on: March 14, 2023, 10:44:02 pm »

Hi,

I'm setting up an OPNsense box and for the most part, it's going very well. I'm trying to setup Unbound Query Forwarding for just two interfaces on the box and it's not working. As soon as I enable Unbound, DNS resolution stops working (for the clients that are meant to use it). If I set the exact same DNS server in DHCP, everything just works.

Also, with Unbound enabled, the firewall is able to resolve domains from those interfaces but the clients on those interfaces cannot. I've checked my firewall rules and it's not that - an allow any to any rules gets the same result. It's also not a DNSSEC issue - same result with or without DNSSEC.

Any ideas where I should look to find the issue?