Messages

1

23.7 Legacy Series / Re: OpenVPN CVE-2023-46850 & CVE-2023-46849

« on: November 13, 2023, 12:23:35 pm »

Thanks for that.
Let's wait and see how critical the vuln is. Might be from no problem up to critical...

Strictly limiting IP addresses for the VPN endpoint should at least reduce the risk.

2

23.7 Legacy Series / OpenVPN CVE-2023-46850 & CVE-2023-46849

« on: November 13, 2023, 09:49:56 am »

Hi,
there are two CVEs regarding OpenVPN.
https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst
Sadly, there is not much information around, but one of them is a memory leak, which might be unauthenticated.

Does anybody have more information, or would it be possible to quickly bump the version to 2.6.7 for the OpenVPN package?
The distros are slow with patches at the moment, which might mean this is not "Heartbleed" like, however the VPN is critical for our infrastructure, so ...

BR,
Matthias

3

General Discussion / Re: WAN (TCP) get interrupts (Rootserver, single NIC, Proxmox)

« on: May 15, 2023, 02:09:54 pm »

Nobody an idea, or any information missing?

On OPNsense side no special settings are made. And in the livelog I can not see any blocks or rules triggering then the normal / default ones.

Attached there is a shell session on the firewall showing the problem. If I set "disable Packet filtering" in the firewall every request gets a response.


Ideas are still appreciated
Thanks!

4

General Discussion / WAN (TCP) get interrupts (Rootserver, single NIC, Proxmox)

« on: May 11, 2023, 01:56:46 pm »

I have the following setup.
- Rootserver in a datacenter
- single Public IP, single NIC
- Proxmox as Hypervisor
- Opnsense running as VM

On the proxmox a DNAT is configured.

Code: [Select]

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp0s31f6
iface enp0s31f6 inet static
        address 168.119.39.103/26
        gateway 168.119.39.65
        up route add -net <<publicIP>> netmask 255.255.255.192 gw <<GATEWAY>> dev enp0s31f6
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A PREROUTING -i ens33 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.12
        post-up iptables -t nat -A PREROUTING -i ens33 -p udp -j DNAT --to 10.10.10.12


auto vmbr1
iface vmbr1 inet static
        address 192.168.100.253/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr99
iface vmbr99 inet static
        address 10.10.10.10/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE


On the OPNsense for the WAN vmbr99 is used and for LAN vmbr1.

On the LAN side several VMs are hosted and configured via DHCP.

No additional firewall rules (with block) configured.

My problem is, that TCP connections are not stable and get interruptions.
If i make several curls to an hostname or IP (DNS is working), every 3rd or so it timeouts (75s). Seems that there is no pattern.
Things I allready found out:
- Ping (ICMP) is stable
- Behaviour is the same directly on a shell on the firewall
- If I disable the FW in the settings, connections get stable
- adding a firewall rule allowing everything in and out does not change the behaviour.

--> Therefore I assume that it is something with NAT and specially with the double NAT?
At the moment I am a little bit lost where to look at. Any ideas?