1
24.7 Production Series / Re: OpenVPN and Wireguard wont work from DS Lite ISPs
« on: October 08, 2024, 09:37:56 am »
Awesome. Thanks.
On fw side or on client side or both?
On fw side or on client side or both?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.7 Production Series / OpenVPN and Wireguard wont work from DS Lite ISPs
« on: October 08, 2024, 08:50:09 am »
Cheers everyone,
we switched our Companys Firewall a few weeks ago to Opnsense (from Pfsense).
Everything works great now. Except some users, who can connect (they get an IP) and cant ping ressources on the lan but cant access via browser (80,443).
All have in common that they have the same german isp (vodafone) with ds-lite.
If they switch to mobile hotspot, the vpn works fine.
subnets of the private lan and vpn and corp lan are different.
Before with the pfsense it was working too. but i cant find the difference.
i read its a common problem but it seems no one has a solution. could it be mtu?
if anyone has experience with let me know : )
we switched our Companys Firewall a few weeks ago to Opnsense (from Pfsense).
Everything works great now. Except some users, who can connect (they get an IP) and cant ping ressources on the lan but cant access via browser (80,443).
All have in common that they have the same german isp (vodafone) with ds-lite.
If they switch to mobile hotspot, the vpn works fine.
subnets of the private lan and vpn and corp lan are different.
Before with the pfsense it was working too. but i cant find the difference.
i read its a common problem but it seems no one has a solution. could it be mtu?
if anyone has experience with let me know : )
3
24.7 Production Series / Weird "Default deny / state violation rule" behavior
« on: September 24, 2024, 11:20:59 am »
Cheers,
yesterday we installed a site2site wireguard vpn on our opnsense.
new interface was created "wg1". when i clicked apply to the changes of the interfaces there was no working internet anymore.
the logs on all the vlans hat the default deny / state violation rule on, blocking all packets. so somehow the first match rule "allow all" that we have on all interfaces was not matching anymore.
i still dont get why.
we reverted back with a backup. we still have some packets beeing blocked by default deny rule where i also have no clue why.
any help is appreciated.
Screenshots attached. Somehow embedding didnt work
yesterday we installed a site2site wireguard vpn on our opnsense.
new interface was created "wg1". when i clicked apply to the changes of the interfaces there was no working internet anymore.
the logs on all the vlans hat the default deny / state violation rule on, blocking all packets. so somehow the first match rule "allow all" that we have on all interfaces was not matching anymore.
i still dont get why.
we reverted back with a backup. we still have some packets beeing blocked by default deny rule where i also have no clue why.
any help is appreciated.
Screenshots attached. Somehow embedding didnt work
4
24.7 Production Series / Re: OpenVPN: could not extract CN from X509 string
« on: September 03, 2024, 12:46:09 pm »
That helped! thanks a lot.
But im still in struggle with the cert export.
As i am authenticating with ldap which cert do export? does every client use the same cert?
Under my Instance i put 10.0.10.0/24 in "Server IPV4"
but it seems every client is trying to get the same IP (10.0.10.2).
But im still in struggle with the cert export.
As i am authenticating with ldap which cert do export? does every client use the same cert?
Under my Instance i put 10.0.10.0/24 in "Server IPV4"
but it seems every client is trying to get the same IP (10.0.10.2).
5
24.7 Production Series / OpenVPN: could not extract CN from X509 string
« on: September 02, 2024, 09:21:27 am »
Hey everyone,
i configured OpenVPN and with 2/3 Windows Clients with the OpenVPNConnect software its working (connecting, ip adress, routing)
The other windows client and die mac os client and one linux client get all this error on Client side:
VERIFY ERROR: could not extract CN from X509 subject string
2024-08-30 16:21:38 VERIFY ERROR: could not extract CN from X509 subject string ('C=DE, ST=xxxxx, L=xxxxxx, O=xxxxxx, OU=IT') -- note that the username length is limited to 64 characters
In OpenVPN Logs i get a TLS handshake failure.
I know there is no CN in that String.
Auth is obv. with LDAP. Really dont get where the difference is.
How do i add the CN to the subject string?
i configured OpenVPN and with 2/3 Windows Clients with the OpenVPNConnect software its working (connecting, ip adress, routing)
The other windows client and die mac os client and one linux client get all this error on Client side:
VERIFY ERROR: could not extract CN from X509 subject string
2024-08-30 16:21:38 VERIFY ERROR: could not extract CN from X509 subject string ('C=DE, ST=xxxxx, L=xxxxxx, O=xxxxxx, OU=IT') -- note that the username length is limited to 64 characters
In OpenVPN Logs i get a TLS handshake failure.
I know there is no CN in that String.
Auth is obv. with LDAP. Really dont get where the difference is.
How do i add the CN to the subject string?
6
24.7 Production Series / Re: VPN with LDAP Sync and Client export
« on: August 22, 2024, 08:10:03 am »
Awesome! worked like charm.
Thank you!
Thank you!
7
24.7 Production Series / VPN with LDAP Sync and Client export
« on: August 20, 2024, 10:37:11 am »
Hey everyone,
Trying to understand the whole OpenVPN with LDAP Configuration.
My Ldap is configured and tested via Tester and working.
I configured my OpenVPN Server to use Authentication my LDAP.
From the Docs its unclear for me if i need to import users now if i only want them for VPN use
or not, and how to sync so that when a new user is created in LDAP it automatically is created on the Opnsense too.
AFAIK import is only needed for GUI Access which i do not want
Also how do get the Client Certs created and how to import if i dont have to import the users?
Trying to understand the whole OpenVPN with LDAP Configuration.
My Ldap is configured and tested via Tester and working.
I configured my OpenVPN Server to use Authentication my LDAP.
From the Docs its unclear for me if i need to import users now if i only want them for VPN use
or not, and how to sync so that when a new user is created in LDAP it automatically is created on the Opnsense too.
AFAIK import is only needed for GUI Access which i do not want
Also how do get the Client Certs created and how to import if i dont have to import the users?
8
German - Deutsch / Re: Testumgebung mit VPN Zugang konfigurieren
« on: August 15, 2024, 11:46:49 am »
oh natürlich...sorry.
OpenVPN
OpenVPN
9
German - Deutsch / Testumgebung mit VPN Zugang konfigurieren
« on: August 15, 2024, 11:40:32 am »
Hey zusammen,
eventuell hat jemand eine Idee zu meinem Problem.
Wir haben derzeit eine pfsense laufen mit folgenden Subnetzen, 1.0, 15.0, 80.0, 85.0, 90.0 und 10.x.x.x für VPN
Wir haben eine Testumgebung mit Opnsense aufgebaut und wollen in ca. 1 Monat damit Live gehen.
Derzeit hängt das WAN Interface im 15er Subnetz für den Zugang zum Internet. Damit kann ich aber natürlich kein VPN von außen testen.
Hatten jetzt einen LTE Router bestellt mit 02 30-Tage gratis Sim. Aber natürlich funktioniert dies nicht da das WAN Interface mit dem LTE Router im Bridge Modus einer 10.0.0.1 bekommt. Wahrscheinlich kein echter Bridge Modus.
Würde sicher eh nicht gehen wegen NAT von Mobilfunk etc.
Einen zusätzlichen normalen Anschluss über Glasfaser oder DSL gibt es nicht. Die werden an der Pfsense benötigt.
Hin und her switchen zwischen den beiden Firewalls geht auch nicht.
Wenn ich das neue 1er Netz erstmal als 2er Netz konfiguriere kann stimmen ja die Static IP Mappings auch nicht.
Falls jemand noch eine Idee hat...eventuell selbst mal in dem Dilemma war....
eventuell hat jemand eine Idee zu meinem Problem.
Wir haben derzeit eine pfsense laufen mit folgenden Subnetzen, 1.0, 15.0, 80.0, 85.0, 90.0 und 10.x.x.x für VPN
Wir haben eine Testumgebung mit Opnsense aufgebaut und wollen in ca. 1 Monat damit Live gehen.
Derzeit hängt das WAN Interface im 15er Subnetz für den Zugang zum Internet. Damit kann ich aber natürlich kein VPN von außen testen.
Hatten jetzt einen LTE Router bestellt mit 02 30-Tage gratis Sim. Aber natürlich funktioniert dies nicht da das WAN Interface mit dem LTE Router im Bridge Modus einer 10.0.0.1 bekommt. Wahrscheinlich kein echter Bridge Modus.
Würde sicher eh nicht gehen wegen NAT von Mobilfunk etc.
Einen zusätzlichen normalen Anschluss über Glasfaser oder DSL gibt es nicht. Die werden an der Pfsense benötigt.
Hin und her switchen zwischen den beiden Firewalls geht auch nicht.
Wenn ich das neue 1er Netz erstmal als 2er Netz konfiguriere kann stimmen ja die Static IP Mappings auch nicht.
Falls jemand noch eine Idee hat...eventuell selbst mal in dem Dilemma war....
10
24.1 Legacy Series / Re: Host does not resolve with DHCP WAN
« on: July 29, 2024, 02:36:36 pm »
I found the problem! Stupid me created a VLAN with the same subnet x.x.15.1/24
Thanks for your help
Thanks for your help
11
24.1 Legacy Series / Re: Host does not resolve with DHCP WAN
« on: July 29, 2024, 11:22:51 am »
All devices on the x.x.15.1/24 subnet are allow to use the internet. i double checked this again.
12
24.1 Legacy Series / Re: Host does not resolve with DHCP WAN
« on: July 29, 2024, 11:16:37 am »
The WAN IP is a private one.x.x.15.108. The Gateway is x.x.15.1 and is displayed on the dashboard as online.
The weird thing is it was working before. I tried to ping 8.8.8.8 also this is not working anymore.
The weird thing is it was working before. I tried to ping 8.8.8.8 also this is not working anymore.
13
24.1 Legacy Series / Re: Host does not resolve with DHCP WAN
« on: July 29, 2024, 10:37:20 am »
Anyone has an idea what i could try?
14
24.1 Legacy Series / Host does not resolve with DHCP WAN
« on: July 26, 2024, 12:44:10 pm »
Hey everyone,
fresh new install of OPNsense and transfering from pfsense.
Right now for Testpurposes im getting an IP Adresse on WAN from x.x.15.1 Subnet (x.x.15.108)
That was working fine in the beginning. I activated Unbound DNS and did the Overrides.
System-Settings-General i have not DNS Servers and "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked.
Also tried "Do not use the local DNS service as a nameserver for this system" but still OPNsense cannot resolve adresses for the Updates or ping.
System - Gateways - Configuration : There is the Route to 15.1. Status online
Firewall Rules for LAN : Default allow LAN to any rule
The weird thing is this was working. Then it just stopped without doing anything. Then it was working again now it stopped.
I rebooted serveral times. Tried a lot of stuff from other posts that sounded like the same problem.
I cant find the reason.
Firewall Live View shows all green.
Unbound Log shows a lot of : PTR record already exists for the overrides
and these
2024-07-25T14:09:27 Error unbound [32600:0] error: module init for module python failed
2024-07-25T14:09:27 Error unbound [32600:0] error: python exception in Py_InitializeFromConfig: init_fs_encoding: failed to get the Python codec of the filesystem encoding
2024-06-24T10:49:38 Error unbound [87795:7] error: recvfrom 65 failed: Protocol not available
But as i understand Opnsense system is not using unbound because of the checked option "Allow DNS server list to be overridden by DHCP/PPP"
Driving me crazy hope someone can help
fresh new install of OPNsense and transfering from pfsense.
Right now for Testpurposes im getting an IP Adresse on WAN from x.x.15.1 Subnet (x.x.15.108)
That was working fine in the beginning. I activated Unbound DNS and did the Overrides.
System-Settings-General i have not DNS Servers and "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked.
Also tried "Do not use the local DNS service as a nameserver for this system" but still OPNsense cannot resolve adresses for the Updates or ping.
System - Gateways - Configuration : There is the Route to 15.1. Status online
Firewall Rules for LAN : Default allow LAN to any rule
The weird thing is this was working. Then it just stopped without doing anything. Then it was working again now it stopped.
I rebooted serveral times. Tried a lot of stuff from other posts that sounded like the same problem.
I cant find the reason.
Firewall Live View shows all green.
Unbound Log shows a lot of : PTR record already exists for the overrides
and these
2024-07-25T14:09:27 Error unbound [32600:0] error: module init for module python failed
2024-07-25T14:09:27 Error unbound [32600:0] error: python exception in Py_InitializeFromConfig: init_fs_encoding: failed to get the Python codec of the filesystem encoding
2024-06-24T10:49:38 Error unbound [87795:7] error: recvfrom 65 failed: Protocol not available
But as i understand Opnsense system is not using unbound because of the checked option "Allow DNS server list to be overridden by DHCP/PPP"
Driving me crazy hope someone can help
Pages: [1]