Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - ita.tc

Pages1

Virtual private networks / Re: OPNsense as OpenVPN Server behind another firewall

December 01, 2025, 03:56:52 PM

Hi viragomann,

thanks for your response. I don't know how I missed including that information in my original post. I can't even get a connection, it always ends in a time out. Sadly I locked myself out of the device (as mentioned) and the current client log I have only reflects that complete unavailability.
Should this setup even work in theory? I suspect some kind of NAT issue but I'm absolutely not sure.

Virtual private networks / OPNsense as OpenVPN Server behind another firewall

November 27, 2025, 01:46:01 PM

Hi all,

I would like to setup an OPNsense behind another firewall to provide OpenVPN Road warrior connections into a network. I thought "how hard could it be?", set up a new OPNsense, disabled the WAN interface, configured LAN with a static IPv4 and added the existing firewall as gateway. Added port forwarding for management interfaces (temporarily for deployment) and 1194 UDP in that firewall and configured an OpenVPN instance on the OPNsense. Remote Access worked instantly, but I can't get OpenVPN to work. It seems like am missing an important step here. I read some posts and found this one, which seemed promising. Sadly I must have messed up since disabling the Anti-lockout rule locked me out of the admin interface. I did create my own rules allowing access beforehand but I might have forgotten to hit "apply" like a total noob.
So now I'm looking to understand this issue before making another attempt. I had something similar running on a Synology NAS with their VPN Server and really didn't expect to run into so many issues. We have quite a few OPNsenses deployed successfully, but not with only one interface. If I could I would replace the existing firewall but that is currently not possible.
Any help in this matter will be greatly appreciated.

24.7, 24.10 Legacy Series / Re: 24.7.1 issue with importing CA and Certificate

October 15, 2024, 03:29:00 PM

I'm sorry for not repsonding to my own thread in quite a while. Work has been busy and I was on vacation.
I just wanted to thank everyone who contributed to this thread. I can report that my latest test with 24.7.6 shows no more problems with certificate import or export. Even the manual naming of the downloaded certifcates was fixed!
We will now slowly start rolling out 24.7

24.7, 24.10 Legacy Series / Re: 24.7.1 issue with importing CA and Certificate

August 21, 2024, 09:01:11 AM

Thank you for your efforts! I hope this gets fixed soon. As long as this issue persists we won't be using 24.7.
I also noticed that the way to export certificates was "better" before. You need extra clicks now and you have to name the files yourself. It's way more cumbersome in 24.7

24.7, 24.10 Legacy Series / Re: 24.7.1 issue with importing CA and Certificate

August 20, 2024, 04:42:00 PM

Thank you for your input, netnut. You are right, those two certs where indeed created on 24.7.0 the original issue ocurred on a fully patched system with 24.7.1 installed on both firewalls.
I have updated my test system, deleted both certificate and CA and created new ones. But after import on the second firewall the certificate is still listed as self-signed and trying to use it in an openVPN instance leads to the aforementioned error "Unable to locate a CA for this certificate". The exact same thing happens, when I import the certificates you provided.

As for your other points: I'm thankful for your input and will bring this up internally. Sadly I don't have as much time for research and development as I once did so I appreciate you taking your time to educate me.

For Reference the newly created certificate (still RSA ;)):

CA:

Code Select

Certificate

Code Select

24.7, 24.10 Legacy Series / Re: 24.7.1 issue with importing CA and Certificate

August 19, 2024, 03:18:53 PM

Hi netnut,
thank you for your reply and excuse my late response. Sadly we noticed this bug with two firewalls that needed to be deployed, so we had to roll back to 24.1.
I have just installed two new 24.7 opnsenses and could recreate the issue. Here's the certificate data:

CA Cert:

Code Select

Test-Cert

Code Select

24.7, 24.10 Legacy Series / 24.7.1 issue with importing CA and Certificate

August 15, 2024, 09:11:00 AM

We're having trouble with importing certificates on 24.7.1:
While trying to set up a site to site OpenVPN we created a CA and certificate on firewall A and exported those as usual.
We then imported the CA and then the certificate on firewall B, but the certificate shows up as "self signed" and trying to use it in an OpenVPN instance leads to an error (Unable to locate a CA for this certificate.).

If I reproduce these exact same steps on an older opnsense (I used one on 22.7.11 that I have for reference) the certificate is correctly linked to the CA.

Is this a known issue in 24.7? Do we need to do something differently than before?

Pages1