Messages - jaskerx

#1
How about I add it to this one?

https://github.com/opnsense/core/issues/6703

These options would be client specific overrides right?
#2
Checked the OpenVPN 2.6 reference manual: the prng options have been deprecated and the SSL library's PRNG is now used instead, so I imagine that's why that notice is there.

Setting script-security to 3 is listed as potentially unsafe; is it set that way so that these two scripts can run?

up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown


My VPN has the following options in their .ovpn files:

nobind
resolv-retry infinite
explicit-exit-notify 5
push-peer-info
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC


Most of these are redundant and I wouldn't really bother adding them; these, though:

auth-nocache
mlock
remote-cert-tls server


The first two are just a little hardening, and the last is the reason I'm getting the warning in the first place. I also think it's a good idea for the client to make sure the server's cert is correct.

If I edit the .conf files in /var/etc/openvpn, as soon as I change something in the WebGUI for OpenVPN and hit save, it's going to remove those changes?

Do I have to file an issue to get some of these options added to the WebGUI?
#3
Virtual private networks / OpenVPN Advanced Options
March 07, 2024, 04:18:35 AM
Moved my clients from legacy to instances and I'm getting warnings in my log because I haven't set some advanced options:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

This is solved by adding remote-cert-tls server.

NOTICE: --prng option ignored (SSL library PRNG is used)

Was using prng sha256 64.

NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Not too sure what's causing this one, as I never got it before.

I was under the impression I could just add these via client server overrides; is there any way to add them to the client using the command line?
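The three messages quoted in this post, and the options the follow-up post (#2 above) proposes in response (remote-cert-tls server, auth-nocache, mlock, and the question about script-security 3 versus the up/down hooks), can be checked mechanically before a config is loaded. The script below is an added example and is not OPNsense or OpenVPN project code. Both config files in it are constructed for the example (the hook paths mirror the ones in the thread), and the list of directives it accepts as satisfying the server-certificate warning (remote-cert-tls, verify-x509-name, remote-cert-eku, remote-cert-ku, tls-verify, peer-fingerprint) is my assumption and goes beyond the single directive the post uses.

```shell
#!/bin/sh
# Added example, not OPNsense or OpenVPN code: audit an OpenVPN client config
# for the warnings quoted in the thread plus the proposed hardening options.
# SAMPLE_CONF and HARDENED_CONF are constructed for this example.

SAMPLE_CONF=$(cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
resolv-retry infinite
prng sha256 64
script-security 3
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
data-ciphers CHACHA20-POLY1305:AES-256-GCM
EOF
)

# The same config with the changes discussed in the thread applied.
HARDENED_CONF=$(cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
resolv-retry infinite
remote-cert-tls server
auth-nocache
mlock
script-security 2
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
data-ciphers CHACHA20-POLY1305:AES-256-GCM
EOF
)

# has_option CONF NAME [VALUE]: true when NAME (optionally followed by VALUE)
# appears as a directive at the start of a line.
has_option() {
    _conf=$1; _name=$2; _val=$3
    if [ -n "$_val" ]; then
        printf '%s\n' "$_conf" | grep -Eq "^[[:space:]]*$_name[[:space:]]+$_val([[:space:]]|\$)"
    else
        printf '%s\n' "$_conf" | grep -Eq "^[[:space:]]*$_name([[:space:]]|\$)"
    fi
}

# option_arg CONF NAME: print the first argument of the directive, if any.
option_arg() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# audit_conf CONF: print one line per finding; the return value is the number
# of findings (0 = clean). NOTE lines are informational and not counted.
audit_conf() {
    _conf=$1; _findings=0

    # 1. "No server certificate verification method has been enabled":
    #    none of the directives that check the server identity is present.
    #    (Assumption: this list; the thread only uses remote-cert-tls.)
    _verified=0
    for _d in remote-cert-tls verify-x509-name remote-cert-eku remote-cert-ku tls-verify peer-fingerprint; do
        has_option "$_conf" "$_d" && _verified=1
    done
    if [ "$_verified" -eq 0 ]; then
        echo "MISSING: no server verification directive (add: remote-cert-tls server)"
        _findings=$((_findings + 1))
    fi

    # 2. "--prng option ignored": OpenVPN 2.6 uses the SSL library's PRNG.
    if has_option "$_conf" prng; then
        echo "DEPRECATED: prng $(option_arg "$_conf" prng) is ignored by OpenVPN 2.6"
        _findings=$((_findings + 1))
    fi

    # 3. script-security: level 2 is what the up/down hooks need to run at all;
    #    level 3 additionally passes passwords to scripts via environment
    #    variables, which the manual marks as potentially unsafe.
    _level=$(option_arg "$_conf" script-security)
    if [ "${_level:-1}" -ge 2 ] && { has_option "$_conf" up || has_option "$_conf" down; }; then
        echo "NOTE: script-security ${_level} with up/down hooks: user-defined scripts will run"
    fi
    if [ "${_level:-1}" -ge 3 ]; then
        echo "UNSAFE: script-security 3 exposes passwords to scripts; 2 is enough for up/down"
        _findings=$((_findings + 1))
    fi

    # 4. Hardening options the follow-up post proposes.
    has_option "$_conf" auth-nocache || { echo "HARDENING: auth-nocache not set"; _findings=$((_findings + 1)); }
    has_option "$_conf" mlock || { echo "HARDENING: mlock not set"; _findings=$((_findings + 1)); }

    return $_findings
}

# report CONF: run the audit and print the count (safe under set -e).
report() {
    audit_conf "$1" && _n=0 || _n=$?
    echo "findings: $_n"
}

report "$SAMPLE_CONF"
echo "--- hardened ---"
report "$HARDENED_CONF"
```

To run it against a generated config on the box, call `report "$(cat /var/etc/openvpn/client1.conf)"` (the file name is hypothetical). On the constructed sample it reports five findings and the hardened version none; the NOTE still prints for the hardened config because the OPNsense hooks are intentionally present.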
#4
23.7 Legacy Series / Re: 23.7.7 No WAN IP On Reboot
October 30, 2023, 04:11:43 PM
OMG, I'm so dumb... Years ago when I wired up the internet in the house I used a power brick with Ethernet surge protection, and I was still running through that. Now that I run from the modem straight to the router the problem is gone, and the port is even negotiating at 1000baseT (not that it's using it). Still, I wonder why it wasn't an issue when I installed OPNsense? Sorry to waste everyone's time; going to go jump in a lake now!
#5
23.7 Legacy Series / Re: 23.7.7 No WAN IP On Reboot
October 29, 2023, 09:06:22 PM
It's only a 50 Mbit connection; that's what the port always auto-negotiates at, even under pfSense. I will give that a try, but I doubt it will make any difference.

EDIT: Guess I should add that the NIC is an Intel I350-T4; WAN is igb0 and LAN is igb1. WAN is connected to a DSL modem in bridge mode.
#6
23.7 Legacy Series / 23.7.7 No WAN IP On Reboot
October 29, 2023, 08:44:08 PM
Installed OPNsense 23.7.4 and set it up from scratch. It was working perfectly and I have since updated to 23.7.5 and 23.7.6 without issue, but now with 23.7.7 and having to reboot I have no WAN IP. I am able to work around this in two ways: I can either just go to the WAN interface and hit save, or I can go to Interface Overview and hit reload under DHCP on the WAN; both are inconvenient as they require my manual intervention. Looking around the various forums on the net I find that this is a common issue; in fact, while I was running pfSense I reloaded my config and ran into this same problem, but was able to work around it by setting my speed and duplex on the WAN to 100baseTX full-duplex. That same solution does not seem to work here.

My config is somewhat advanced, as I have three OpenVPN connections set up in a gateway group, all with priority 255, while WAN_DHCP has 100. When I boot without a WAN IP, the gateway section says that WAN_DHCP is defunct and VPN3 is active. I do not have default gateway switching enabled, and setting WAN_DHCP as the upstream gateway does not work either. I have tried adding 8.8.8.8 as the monitor IP on the default IPv4 gateway, which also didn't work.

I also have this in my logs:

/usr/local/etc/rc.bootup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igb0.pid' 'igb0'' returned exit code '1', the output was 'igb0: no link .............. giving up'

ifconfig igb0

igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WAN (wan)
options=4e0002b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
ether MAC ADDRESS
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#6             UH        lo0
192.168.10.0/24    link#2             U         igb1
192.168.10.1       link#2             UHS       lo0
192.168.20.0/24    link#10            U         vlan02
192.168.20.1       link#10            UHS       lo0
192.168.30.0/24    link#11            U         vlan03
192.168.30.1       link#11            UHS       lo0
192.168.40.0/24    link#12            U         vlan04
192.168.40.1       link#12            UHS       lo0
192.168.100.0/24   link#9             U         vlan010
192.168.100.1      link#9             UHS       lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#6             UHS       lo0
fe80::%lo0/64      link#6             U         lo0
fe80::1%lo0        link#6             UHS       lo0


I'm starting to wonder if this could be an issue with the DSL modem itself. I have been told at one point to try inserting a switch between the modem and the router, but I don't have a spare, so I have not been able to try this.

Looking through GitHub, all the other similar issues have been merged into https://github.com/opnsense/core/issues/2517. Nothing there has led to any solutions, so I'm wondering if anyone here might be able to offer assistance. Please let me know what other logs you might need.