Messages - Yewtink

#1
IPv6 has been disabled from day one. I can log in to OPNsense, but it is refusing to update and plugins are showing up as orphaned.
#2
I can no longer connect to my Windows 10 PC that I am using as a local LAN file server. My Norton Antivirus is telling me that my workstation is being blocked because of an SMB:Brute-Force attack on the file server.

My second thought was to update my OPNsense, since it had been about a week or two since I last looked. When I did, I got an error: Authentication error. I changed to another mirror to test and got the same error.

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 24.7.8 at Mon Nov 18 15:02:35 EST 2024
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=53 time=178.871 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=53 time=177.511 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=53 time=195.501 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=53 time=185.200 ms

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 177.511/184.271/195.501/7.103 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Authentication error
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
write:errno=54
***DONE***

Could they be related, or did I have two different issues?
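As an added triage helper (not from the post or from OPNsense), the following parses the connectivity audit output above and records the layer at which each check failed: the IPv4 mirror answers ping while pkg reports an Authentication error, and the IPv6 path has no route, consistent with IPv6 being disabled. The function names and the shortened sample are my own.

```python
import re

# Constructed, shortened excerpt of the connectivity audit quoted in the post above.
SAMPLE_AUDIT = """\
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
4 packets transmitted, 4 packets received, 0.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Authentication error
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Non-recoverable resolver failure
Checking server certificate for host: pkg.opnsense.org
write:errno=54
"""

# A "Checking ..." line opens a section; host checks are told apart by the address family.
HEADER = re.compile(
    r"^Checking (connectivity for host: \S+ -> (\S+)"
    r"|connectivity for repository \((IPv[46])\)|server certificate)")

def section_name(m):
    if m.group(2):  # host check: an IPv6 literal contains a colon
        return "host_ipv6" if ":" in m.group(2) else "host_ipv4"
    if m.group(3):  # repository check, tagged with its address family
        return "repo_" + m.group(3).lower()
    return "certificate"

def summarize(text):
    """Map each audit section to 'ok' or to the first error it reported."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = section_name(m)
            result[current] = "ok"
        elif current and result[current] == "ok" and line.startswith(("pkg: ", "ping: ", "write:")):
            result[current] = line.rsplit(": ", 1)[-1]  # keep only the trailing error text
    return result

def triage(summary):
    """Turn per-section results into findings that separate routing from TLS/HTTP problems."""
    findings = []
    if summary.get("host_ipv4") == "ok" and summary.get("repo_ipv4", "ok") != "ok":
        findings.append("IPv4: mirror answers ICMP but pkg fails (%s): look above the network layer, not at routing" % summary["repo_ipv4"])
    if summary.get("host_ipv6", "ok") != "ok":
        findings.append("IPv6: no path to the mirror (%s); expected with IPv6 disabled" % summary["host_ipv6"])
    if summary.get("certificate", "ok") != "ok":
        findings.append("certificate check did not complete (%s)" % summary["certificate"])
    return findings
```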
#3
Quote: Now, did you get that SSH access problem solved? It *should* be dead easy to enable password authentication in the UI and then just log in

Yeah, once I gave up on trying to use PuTTY.
The Windows SSH works too well. Kinda has me afraid anyone can SSH in. Been watching way too many Network Chuck and Linus Tech Tips.

If I am not working on my computer for work, I am on the network looking at how to improve my security.

#4
The NTP service was working fine with a green icon, but then it suddenly showed a large red icon in the Web UI indicating that it had stopped. I checked the logs within the UI but didn't find any entries, even after clicking through all the options. I attempted to restart the service from the UI, but the screen flashed briefly and it still wouldn't start. After rebooting OPNsense, the NTP service remained red and inactive.

I then searched online for the command to restart or reset the OPNsense NTP service. While I didn't find a specific command in the documentation, I did come across a generic Linux command for restarting services. That's when I turned to the forum for guidance on the correct command or potential fixes. I also regularly clear logs, so I'm unsure exactly when the NTP service stopped functioning.

I understand I'm still learning OPNsense; I have some Linux experience, but I'm not an expert.

Regarding the misleading error message from "service ntpd start," I'd appreciate if, instead of insults, you could share the proper syntax to restart the NTP service from the command line. When using the shell, I usually get immediate feedback on what went wrong or what's missing, and that's all I was seeking.

In the end, I disabled NTP and switched to Chrony, which I got up and running within minutes, and it's now reporting corrections successfully.
#5
The NTP service wasn't logging anything at all. Typically, when you run a command from the command line, you receive an immediate response—like whether the service started, was disabled, or if there was a bad configuration. However, the UI didn't provide any feedback, and the service just wouldn't start.
#6
Is there a page that lists the proper command lines to run when I am trying to figure out why X service is bugged?

I like the command line just because it gives me the details the UI doesn't.
#7
I was reconfiguring my OPNsense setup, and when I attempted to restart, the screen flashed but refused to reboot. I checked the logs, but there was no helpful information to diagnose the issue. After some research, I found a suggestion to run the command service ntpd restart, but that only displayed an error.

I noticed that the ntpd.conf listed the servers as:

pool 0.opnsense.pool.ntp.org
pool 1.opnsense.pool.ntp.org
pool 2.opnsense.pool.ntp.org
pool 3.opnsense.pool.ntp.org

This was different from the usual server 0.opnsense.pool.ntp.org I expected to find. I'm guessing this might be due to modifications in this custom OS. Or could it affect the NTP service?
#8
General Discussion / Re: Network Time Daemon not running
November 02, 2024, 02:50:50 AM
Never mind, I just disabled it and switched to Chrony.

And chose a closer server:

https://www.advtimesync.com/online-manual/appendix-b-the-list-of-public-time-servers
#9
A while back I changed the NTP server to one closer to me. It worked for a while, but I noticed it stopped. I tried to enter the default 0.opnsense.pool.ntp.org and attempted to restart the service with service ntpd restart; when I did, I got this error:
ntpd does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable

#10
General Discussion / Re: Minimal desktop install?
November 01, 2024, 11:58:28 PM
Quote: You did enable password authentication in System > Settings > Administration?

Yes, the option was enabled, but I later noticed that the login shell had reverted back to "nologin". I fixed that and immediately saved and exited the Web UI.

Quote: You are aware of the extensive documentation?

https://docs.opnsense.org/manual/how-tos/user-local.html

That page I hadn't seen; it would be nice if the Web UI had taken me there. I usually click on the full help in the top right. So this is what I was looking at:

• User Certificates: Optional, check if a user certificate should be created

I was trying to generate a user CA that both OPNsense and PuTTY would use.

Sorry I am difficult. I also double-checked my Windows 10 Pro PC, and I had already added the Windows Subsystem for Linux.

Thanks guys, the Windows SSH is working.
#11
General Discussion / Re: Minimal desktop install?
November 01, 2024, 03:09:15 AM
OK, I am too tired to mess with it tonight. May I suggest better "tips" when adding a user. One of the fields clearly asks for a User CA, and when configuring PuTTY it also has a place to enter a CA. Neither is documented well enough for idiots like me that require a little more detail.

I did try to SSH into OPNsense on my Windows 11 Pro. Thought it was going to work until it rejected the password.

As for the reverse engineering, there is much more documentation for using the CLI and manual file edits. That helps me understand what is needed, so it makes the Web UI easier to understand. Guess your position is, it is right there in the Web UI if you know what happens in the background. I do not know or understand, so I have to hunt for the proper terms for what I need to do and have to pray that the directions aren't outdated at the time I am reading them. If I can view a file I can try and read the code; if I get stuck or need more information I can enter the code and get a detailed response back. Getting stuck in the Web UI and googling takes forever with minimal results.
#12
General Discussion / Re: Minimal desktop install?
October 31, 2024, 06:47:41 PM
Quote: But you have not yet explained why you think you need SSH access in the first place. All logfiles are accessible in the web UI.

While all log files are accessible through the web UI, the specific details in those logs are not shown. I am not aware of an ability to enter the console from the web UI so I can manually open the logs in question.

For example, the log entry "Debug configd.py OPNsense/Sslh generated //etc/rc.conf.d/sslh" doesn't provide me with useful information. If I could access the config file and review it with examples, I could usually identify the issue. The web UI is designed by people who are more knowledgeable than I am, and it caters to those with more networking experience. I typically learn by reverse engineering what I need to make things work. I google the file in question and find someone that will tear the file apart and explain what each line means and how to edit it. Or I open the file in Notepad++ and find a typo or incorrect formatting that I can correct.

When I refer to the documentation for assistance, it often provides CLI instructions. However, I can't use the CLI if I don't have SSH access to the device.

Here is an example. Most cells are pretty simple; I looked in the docs for an explanation of each cell.

DNS domain names: assuming that if I am connecting off site I would need to add the additional domain. user@google.com

IP addresses: Just guessing the same, but it isn't clear. Just assuming if it gets an SSH request from 8.8.8.8

#13
General Discussion / Re: Minimal desktop install?
October 31, 2024, 05:58:19 PM
Quote: p.s. your requirements would be easily met if you did not use it.

Is there another Windows GUI SSH option? PuTTY works really well for every other machine I have tried to SSH into.

Is there a post somewhere that lists the SSH key requirements? PuTTY has a ton of tweaks where I can set the algorithm, cipher, GSSAPI and so much more.
#14
General Discussion / Re: Minimal desktop install?
October 31, 2024, 05:21:19 PM
Following the steps under System > Access > Users seems straightforward, but after spending about an hour re-reading the documentation, I found a couple of mistakes on my part. First, the initial setup didn't mention avoiding the use of a domain.local, which can cause confusion with certain systems. Second, I forgot to change the login shell directory.

I'm currently facing an issue with the User Certificates. OPNsense can create the certificates without any problems, and I can save them to my computer. However, when I try to import them into PuTTY, I run into challenges. I'm using an older Windows desktop at home and prefer the PuTTY GUI interface since I'm not comfortable with the CLI—I don't have an IT background.

The main error I'm encountering is: "Unable to use certificate file 'Z:\OPN\MyInternalCert_crt.pem' (OpenSSH SSH-2 private key (old PEM format))."

I've researched the difference between old and new PEM formats. I found an example in another post and tried editing the PEM file to match that format, but I'm still getting an error.

My main question is: how can I secure SSH so that only I can log in using the username/password, CA, or key, ensuring it works across any OS I use?

Additionally, I noticed the package openssh-portable 9.9.p1,1 in OPNsense. Is it possible to convert the OpenSSH CA to SSH-2 PEM format so that it will work with PuTTY?

Thank you for your help!
#15
General Discussion / Re: Minimal desktop install?
October 31, 2024, 02:24:31 AM
I found where someone else was having issues with PuTTY.

https://forum.opnsense.org/index.php?topic=40743.0