Messages

1

Virtual private networks / Nat traffic to an address that can communicate through a tunnel

« on: February 23, 2024, 02:57:44 pm »

I've recently switched over to OPNsense and loving it. I've come from many years of doing things in the Vyatta (and forks of - VyOS & Ubquiti) for my firewalls/routers. With that being said previously I had a tunnel (ipsec) that had my 10.212.5.0/24 network in route through the tunnel on my side. I would nat from another interface on a different vlan (10.212.3.0/24) and nat all that traffic to a virtual interface on that layer 3 (10.212.5.2) then which once natted it would then go through the tunnel to the other side.

I've made a number of attempts to do this in OPNsense but I feel like I'm fundamentally missing a key concept here so I'm seeking help! Here's my original rule:

VyattaOS Style Configuration

Code: [Select]

        rule 5003 {
            description "ipsec proxy tunnel"
            destination {
                address 10.218.5.0/24
            }
            log disable
            outbound-interface eth0
            outside-address {
                address 10.212.5.2
            }
            protocol all
            source {
                address 10.212.3.0/24
            }
            type source
        }

2

23.7 Legacy Series / Re: OpenVPN Site-to-Site with Ubiquiti EdgeRouter not working

« on: January 25, 2024, 08:50:31 pm »

I decided to write up a blog article on this topic since it has a lot of moving parts. Here take a look, let me know if this all makes sense to you. It makes sense to me but I wanted to confirm on your end.

https://blog.tkrn.io/site-to-site-openvpn-between-opnsense-and-ubiquiti-edgerouter-edgeos/

3

23.7 Legacy Series / Re: OpenVPN Site-to-Site with Ubiquiti EdgeRouter not working

« on: January 25, 2024, 01:37:29 pm »

The root of the problem is that Ubiquiti is using an old version of OpenVPN (2.4.7) and OPNsense is using 2.6.8 which changes security significantly. I have the same exact issue with an existing site-to-site but that client can only do AES-256 (AES-256-CBC) at best. WIth that being said, once I increase the log level on the OpenVPN instance on OPNsesne it turns out that the root of the issue is the cipher not being able to exchange keys

Heres the version information from an ER-4 on v2.0.9-hotfix 9:

Code: [Select]

OpenVPN 2.4.7 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 22 2022
library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
The OPNsense log points to this:

Code: [Select]

PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM', client supports cipher 'AES-256-CBC'
After some more investigation, the cipher list in EdgeOS does support AES-256-GCM:

Code: [Select]

/usr/sbin/openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be use as a
parameter to the --cipher option.  The default key size is
shown as well as whether or not it can be changed with the
--keysize directive.  Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC  (192 bit key, 128 bit block)
CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC  (256 bit key, 128 bit block)
CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC  (128 bit key by default, 64 bit block)
CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC  (64 bit key, 64 bit block)
DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC  (128 bit key, 64 bit block)
DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC  (192 bit key, 64 bit block)
DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
RC2-64-CBC  (64 bit key by default, 64 bit block)
RC2-CBC  (128 bit key by default, 64 bit block)
RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)

It turns out that it will have to be a custom configuration on the Ubquiti side which you'll need to use a traditional ovpn profile and set EdgeOS to use it like:

Code: [Select]

configure
set interfaces openvpn vtun0 config-file /config/site-to-site.ovpn
commit

I'm going to give that a try this cipher list a try on my EdgeRouter and I'll let you know how it goes soon:

Code: [Select]

data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC

I believe this to be the problem because in the EdgeOS interface when configuring site to site it's assumed that it's "In static key mode" which means only "CBC mode is allowed." The documentation and interface doesn't use of GCM in site-to-site mode.  I *believe* that is the core issue thus you have to fall back to a traditional OpenVPN profile.