Messages

1

Virtual private networks / Re: OpenVPN Advanced Options

« on: March 08, 2024, 02:48:09 pm »

How about I add it to this one?

https://github.com/opnsense/core/issues/6703

These options would be client specific overrides right?

2

Virtual private networks / Re: OpenVPN Advanced Options

« on: March 08, 2024, 12:37:52 am »

Checked the OpenVPN 2.6 Reference manual and the prng options have been deprecated and now just use the SSL prng library so I imagine that's why that notice is there.

Setting script security to 3 is listed as potentially unsafe, is it set that way so that these two scripts can run?

Code: [Select]

up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
My VPN has the following options in their .ovpn files:

Code: [Select]

nobind
resolv-retry infinite
explicit-exit-notify 5
push-peer-info
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
Most of these are redundant and I wouldn't really bother adding them, these though:

Code: [Select]

auth-nocache
mlock
remote-cert-tls server
The first two are just a little hardening and the last is the reason I'm getting the warning in the first place. I also think it's a good idea for the client to make sure the servers cert is correct.

If I edit the .conf files in /var/etc/openvpn, as soon as I change something in the WebGUI for OpenVPN and hit save it's going to remove those changes?

Do I have to file an issue to get some of these options added to the WebGUI?

3

Virtual private networks / OpenVPN Advanced Options

« on: March 07, 2024, 04:18:35 am »

Moved my clients from legacy to instances and I'm getting warnings in my log because I haven't set some advanced options:

Code: [Select]

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
This is solved by adding remote-cert-tls server.

Code: [Select]

NOTICE: --prng option ignored (SSL library PRNG is used)
Was using prng sha256 64.

Code: [Select]

NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Not too sure what causing this one as I never got it before.

Was under the impression I could just add these via client server overrides, is there anyway to add them to the client using the command line?

4

23.7 Legacy Series / Re: 23.7.7 No WAN IP On Reboot

« on: October 30, 2023, 04:11:43 pm »

OMG I'm so dumb...years ago when I wired up the internet in the house I used a power brick with Ethernet surge protection and was running through that still. Now that I run from the modem straight to the router the problem is gone, and the port is even negotiating at 1000baseT (not that it's using it). Still I wonder why it wasn't an issue when I installed OPNsense? Sorry to waste every ones time, going to go jump in a lake now! 

5

23.7 Legacy Series / Re: 23.7.7 No WAN IP On Reboot

« on: October 29, 2023, 09:06:22 pm »

It's only a 50 Mbit connection that's what the port always auto-negotiates at even under pfSense. I will give that a try but I doubt it will make any difference.

EDIT: Guess I should add that the NIC is an Intel I350-T4, WAN is igb0 and LAN is igb1. WAN is connected to DSL modem in bridge mode.

6

23.7 Legacy Series / 23.7.7 No WAN IP On Reboot

« on: October 29, 2023, 08:44:08 pm »

Installed OPNsense 23.7.4 and set it up from scratch it was working perfectly and have since updated to 23.7.5 and 23.7.6 without issue but now with 23.7.7 and having to reboot I have no WAN IP. I am able to work around this two ways I can either just go to the WAN interface and hit save or I can go to Interface Overview and hit reload under DHCP on the WAN, both are inconvenient as they require my manual intervention. Looking around the various forums on the net I find that this is a common issue in fact while I was running pfSense I reloaded my config and ran into this same problem but was able to work around it by setting my speed and duplex on the WAN to 100baseTX-full duplex. That same solution does not seem to work here.

My config is somewhat advanced as I have three OpenVPN connections set up into a gateway group all with priority 255 while the WAN_DHCP has 100. When I boot not having an WAN IP the gateway section says that WAN_DHCP is defunct and VPN3 is active. I do not have default gateway switching enabled and setting WAN_DHCP as upstream gateway does not work either. Have tried adding 8.8.8.8 as monitor IP to default ipv4 gateway which also didn't work.

I also have this in my logs:

Code: [Select]


/usr/local/etc/rc.bootup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igb0.pid' 'igb0'' returned exit code '1', the output was 'igb0: no link .............. giving up'



Code: [Select]


ifconfig igb0

igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WAN (wan)
options=4e0002b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
ether MAC ADDRESS
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>



Code: [Select]


netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1             link#6             UH          lo0
192.168.10.0/24    link#2             U          igb1
192.168.10.1       link#2             UHS         lo0
192.168.20.0/24    link#10            U        vlan02
192.168.20.1       link#10            UHS         lo0
192.168.30.0/24    link#11            U        vlan03
192.168.30.1       link#11            UHS         lo0
192.168.40.0/24    link#12            U        vlan04
192.168.40.1       link#12            UHS         lo0
192.168.100.0/24   link#9             U       vlan010
192.168.100.1      link#9             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::1                                       link#6                        UHS         lo0
fe80::%lo0/64                     link#6                        U              lo0
fe80::1%lo0                        link#6                        UHS         lo0


Starting to wonder if this could be an issue with the DSL modem itself? I have been told at one point to try to insert a switch between the modem and the router but I don't have an extra so have not been able to try this.

Looking through Github all the other similar issues have been merged into https://github.com/opnsense/core/issues/2517 here. Nothing there has led to any solutions so I wondering if anyone here might be able to offer assistance. Please let me know what other logs you might need.