Messages - kevco

#1
Hello everyone,

I have a question about the subject above.

I currently have an OpenVPN setup configured on OPNsense. The users authenticate with their username, 2FA code + password. The users are created manually.

Is it possible to synchronize the users from Microsoft 365 AzureAD/Entra ID? If so, how? LDAP?

If this works, can I also use these users for OpenVPN authentication? How does MFA work in that case? The 2FA code is currently retrieved via a password manager.

My goal is that, when a client is AzureAD/Entra ID joined and SSO has been configured, the VPN connects right after sign-in on the Windows 10/11 client without having to enter the credentials again.

Does anyone have an idea or a solution for this?

Thank you in advance.

Regards
Kevin
#2
I have installed version 24.1 with the same configuration and now it seems to be fine.
Unbound hasn't crashed for 1 day.

Quote from: lar.hed on January 29, 2024, 03:36:47 PM
If you have unchecked the "Register DHCP Leases" and "Register DHCP Static Mappings" - then DNS name resolution on your intranet will not work.
#3
Quote from: lar.hed on January 28, 2024, 11:22:10 AM
I think I will quote myself from two other threads where this has been a standing challenge, which for the moment seems to be under control until I find another challenge (16 days without problem so far - do note the Monit scripts to help out if something happens anyway):

Quote from: lar.hed on January 26, 2024, 05:20:13 PM
Hi @Fright!

Thanks for helping out.

I can add this that I wrote in the other Unbound thread:
Quote from: lar.hed on January 23, 2024, 10:44:08 AM
I need to be more precise I think...

So, my current setup is OPNsense 23.7.11-amd64.

On this I have the two patches earlier referenced:
opnsense-patch a086f40b
opnsense-patch 845fbd384fe


Then I have removed two plugins: mDNS and IGMP Proxy - and am only running UDP Broadcast Relay: https://forum.opnsense.org/index.php?topic=38114.0

Also, since in my case there seems to be some kind of connection to IP address changes or something I decided to uncheck "Register DHCP Leases" and "Register DHCP Static Mappings".

So in all 6 changes. I can not say that each change has anything to do with this challenge I have with Unbound, however, the changes above have made Unbound stable from 100% CPU Bound. Which one I would vote for? Patches all day long....

I have had one Unbound stop which I have no reference to why. Monit restarted Unbound directly and since I'm not at home where the OPNsense is installed, I have not been able to check anything....

I have not had any more 100% CPU on one core since I changed the above. Currently I do not know exactly which one that is most likely to have solved this. Although I have to say that removing the extra plugins should not be the reason....

I have installed OPNsense version 23.7.12 with Monit and it looks like the Unbound service is now permanently online (but it's a workaround). But DNS within VLANs doesn't work (local network & WAN). On my VLANs I can connect to every client by IP but not by DNS name. I can ping 1.1.1.1 and 8.8.8.8.
If I connect via SSH to my OPNsense and try a ping to my local clients, only the IP works. But a ping to Google works with the DNS name....


It's a little bit strange: I have installed a fresh OPNsense version 23.7 and everything works fine with the default LAN interface and the same rules. I have only one LAN interface. If I create new VLANs/networks and connect them to my single NIC (default LAN interface), it seems that Unbound crashes.
I have the same rules for every VLAN/network as for the default LAN network.


Regards
Kevin
#4
Quote from: lar.hed on November 02, 2023, 11:22:54 AM
For anyone reading up on my issue: Unbound seems to break when upgrading to 23.7.7.x. Unbound worked perfectly before the latest and greatest - and now it just doesn't. I am not sure when I did the latest upgrade before 23.7.7 so I can not say exactly which level broke Unbound. But something sure did.


Hello, I have the same issue with OPNsense 23.7. How can I fix the problem with Unbound?

It's a little bit strange. If I use only the default LAN, Unbound works perfectly.

If I create a new network/VLAN on OPNsense with the same rules as the default LAN, Unbound crashes.
I have only one LAN interface and connect the new network/VLAN via this interface.

Here are some reports from Unbound:

2024-01-28T10:46:57   Critical   unbound   [16075:3] fatal error: Could not initialize thread   
2024-01-28T10:46:57   Critical   unbound   [16075:0] fatal error: Could not initialize main thread   
2024-01-28T10:46:57   Error   unbound   [16075:0] error: Could not set root or stub hints   
2024-01-28T10:46:57   Error   unbound   [16075:0] error: reading root hints /root.hints 24:4: Syntax error, could not parse the RR's TTL   
2024-01-28T10:46:57   Error   unbound   [16075:3] error: Could not set root or stub hints   
2024-01-28T10:46:57   Error   unbound   [16075:3] error: reading root hints /root.hints 2:8: Syntax error, could not parse the RR's type   
2024-01-28T10:46:37   Critical   unbound   [69178:4] fatal error: Could not initialize thread   
2024-01-28T10:46:37   Warning   unbound   [69178:1] warning: root hints /root.hints:29 skipping type A   
2024-01-28T10:46:37   Error   unbound   [69178:4] error: Could not set root or stub hints   
2024-01-28T10:46:37   Error   unbound   [69178:4] error: reading root hints /root.hints 2:11: Syntax error, could not parse the RR's type   
2024-01-28T10:45:21   Critical   unbound   [91266:1] fatal error: Could not initialize thread   
2024-01-28T10:45:21   Error   unbound   [91266:1] error: Could not set root or stub hints   
2024-01-28T10:45:21   Error   unbound   [91266:1] error: reading root hints /root.hints 2:17: Syntax error, could not parse the RR's type   
2024-01-28T10:43:48   Critical   unbound   [32545:2] fatal error: Could not initialize thread   
2024-01-28T10:43:48   Critical   unbound   [32545:0] fatal error: Could not initialize main thread   
2024-01-28T10:43:48   Error   unbound   [32545:2] error: Could not set root or stub hints   
2024-01-28T10:43:48   Error   unbound   [32545:0] error: Could not set root or stub hints   
2024-01-28T10:43:48   Error   unbound   [32545:0] error: reading root hints /root.hints 28:30: Syntax error, could not parse the RR's class

Regards
Kevin