Messages - DoubleJ

#1
18.1 Legacy Series / openvpn obfuscate patch broken?
April 23, 2018, 07:05:09 AM
Hi,

Does anyone have any information whether the openvpn obfuscate patch in OPNSense 18 is broken?
My VPN seems not to get any connection anymore.
Does anyone experience the same problem?

Kind regards, DJ
#2
You may ignore the message below, since I decided to do a clean install. As stated in the message below, it was running already for a long time. A clean install wouldn't hurt.

Dear All,

I've had opnsense installed on a VM in the cloud, using the opnsense-bootstrap.sh script, for years now. Never had trouble with it until now. I wanted to upgrade to 18.1. During the upgrade process I encountered problems with upgrading the kernel. So in the end I decided to run the latest opnsense-bootstrap.sh script to set everything right. The upgrade process ended without any problems/errors, but now when booting I get to the console but see errors:
Configuring OpenSSH .....failed
Starting Web GUI ..... failed
/usr/local/lib/libssl.so.44: Undefined symbol "timingsafe_memcmp"

When I go into the shell and try to start lighttpd manually it gives me the error:
/usr/local/sbin/lighttpd: Undefined symbol "memset_s"

The VM is used as endpoint of a VPN. On the other router I can also see that the VPN is not able to connect to the VM, so probably more services are not starting.

How do I move on in troubleshooting these problems? Any suggestions are very much appreciated.
Thanks in advance,
JJ
#3
16.7 Legacy Series / Tinc: important features request
December 28, 2016, 07:34:38 AM
Hi,

I did some testing to set up a Tinc mesh VPN; however, I'm missing some basic features in the GUI:
Most important one:
- I have nodes with dynamic IPs. I believe Tinc can work with dynamic DNS names; however, the OPNSense GUI doesn't seem to accept DNS names. Please make it possible to fill in either an IP or a DNS name.
Other ones:
- option to select the mode: router | switch | hub
- option to set the ping timeout (on a poor-speed connection I got "time out during authentication" errors).
- option to set a custom port number

- feature: add static routes to up/down scripts? This may not be the right place to put the static routes, since OPNSense has a specific section for static routes. However (and I believe this is not solely a problem related to Tinc, but also to openvpn connections) I would like to influence the static routes in case a connection goes down/breaks (split-tunnel routing enable/disable). I know that this normally may be done by adding two static routes for the same destination via different gateways and putting a weight on the routes, but this feature is not provided by OPNSense.
In case there's a way to set this up by using the gateway down mechanism, I would appreciate some pointers on how to.

Thanks for taking notice. Keep up the good work!

EDIT: I've created an issue in github for these features (except the one for the up/down scripts, because I believe it is not related to tinc).
#4
Hi, I'm encountering a problem and can't figure out what the problem is.

I have an opnsense 16.7.3 installation running as a router on my local LAN.
My LAN has two gateways:
- one gateway is on the mentioned opnsense box (ip: 10.0.0.5/24) -> WAN interface connected to another DMZ network.
- one gateway is another router (not opnsense) on the LAN (10.0.0.1/24), which is directly connected to the internet.
All clients have the opnsense box set as default gateway. The purpose of the opnsense box is to split up the traffic bound for the internet (routes the traffic to the other gateway on the LAN: 10.0.0.1 gateway) and the traffic bound for the DMZ (routes it over the WAN). The splitting up is done with the help of static routes.
NAT rules are only applied on the WAN outbound, source = LAN and destination = any. Of course no NAT rules on the LAN interface. Firewall rules on LAN: any to any allowed on any protocol. Firewall rules on WAN: source = LAN to any allowed on any protocol.

Problem: web browsing is no problem, however if I want to upload an attachment to a webmail account on the internet I can't upload the attachment. If I try to send files over the internet to a git server (by use of http/https protocol) I can't upload the files; Git reports error: RPC failed; result=56, HTTP code = 0.
When I do a tracert from the client to the git server on the internet, I can see that the traffic is routed from opnsense to the other gateway on the LAN and doesn't show any problem.
The problem is very likely with opnsense, because if I change the default gateway on the client directly to the other gateway (so bypassing the opnsense router) everything works; I can upload attachments to my webmail accounts and upload my files to the git server without any problem.

I have not set any special settings on opnsense other than static routes, no proxy modules enabled.

Does anyone have an idea why I can browse the web but am not able to upload files?

Thanks in advance.
DJ
#5
I'm following the Digital Ocean guide; however, I find that the package repository is pointing to version 15.7.12, which is old. So is the ${ABI} not updated to version 16.7?
#6
From the documentation on the link below, it is not clear to me whether the database is stored locally (and maybe updated every Tuesday?) or whether the database is stored online and queried by OPNSense every time?
In case of the latter, is there any caching mechanism to reduce querying?

Link to doc on GeoIP: https://docs.opnsense.org/manual/ips.html#maxmind-geolite2-country

Thanks in advance.

EDIT: Never mind. Found this forum message:
https://forum.opnsense.org/index.php?topic=3081.msg9579#msg9579

Should have checked the forum first. :-o
#7
General Discussion / Plans for PPTP Client with MLPPP?
November 08, 2015, 04:55:37 PM
I know... PPTP is cracked and not secure anymore...

Are there any plans to also include the client option for mpd; not for connecting to a provider, but for building a connection between two opnsense boxes? I've noticed that on a Russian website someone created this patch for pfsense. It was just the addition of a client text box and a little code for adding the 'client' setting to the config file.

mpd also has the option to create (very stable) multilink ppp/pptp connections between the two. This feature also only involves adding settings to the config.

Any plans for this? If preferred I have a set of working config files.
#8
Some new info on this. I changed my setup to exclude the LAGG, and just worked with the openvpn.
I discovered that some of the symptoms also came back in this scenario.
When the VPN was disconnected and the gateway (dynamic) went down, it didn't come up again after reconnect.
So I started to play around with the advanced settings for the gateway down functionality. I increased the values (more delay in polling, more polls before marking gateway down) and it seems to be more stable (testing now for 1 day).

I will play around and test some more, then I will try the LAGG again and post the results over here. To be continued...
#9
OK, thanks, I'll play around with it.
#10
Tested it on the latest development release:

Used version:

OPNsense 15.7.99_1261-amd64
FreeBSD 10.1-RELEASE-p19
LibreSSL 2.2.4

kldstat output:

Id Refs Address            Size     Name
1   10 0xffffffff80200000 20afd18  kernel
2    1 0xffffffff82411000 231a     vmmemctl.ko
3    1 0xffffffff82414000 2382     vmxnet.ko
4    1 0xffffffff82417000 2d8c     vmblock.ko
5    1 0xffffffff8241a000 89be     vmhgfs.ko

So it seems to work now!! Thanks! 8)
#11
I'm interested in an introduction. What is the functionality of the service? Does it block or only register? What are rulesets? What is the difference with the rules tab? What does every rule or ruleset do (criteria)?

I want to understand the service; decide whether it is useful in my situation and if so, what config options are of interest.
#12
Version info from UI:

OPNsense 15.7.99_1261-amd64
FreeBSD 10.1-RELEASE-p19
LibreSSL 2.2.4

Output kldstat:

Id Refs Address            Size     Name
1    1 0xffffffff80200000 20afd18  kernel

Is this good or bad? :)
#13
I tried to install VM-tools on ESXi 5.5 with the latest dev release of opnsense 15.7.99_1261 (amd64/LibreSSL).
I ran into the same problem: kernel mods cannot be loaded:

Oct 14 10:32:45   kernel: KLD vmmemctl.ko: depends on kernel - not available or version mismatch
Oct 14 10:32:45   kernel: linker_load_file: Unsupported file type
Oct 14 10:32:45   kernel: KLD vmxnet.ko: depends on kernel - not available or version mismatch
Oct 14 10:32:45   kernel: linker_load_file: Unsupported file type
Oct 14 10:32:45   kernel: KLD vmblock.ko: depends on kernel - not available or version mismatch
Oct 14 10:32:45   kernel: linker_load_file: Unsupported file type
Oct 14 10:32:45   kernel: KLD vmhgfs.ko: depends on kernel - not available or version mismatch
Oct 14 10:32:45   kernel: linker_load_file: Unsupported file type

I tried the suggestions as provided in this thread, but no success.
Any progress or update on how to solve this?
#15
Reproduce:

1) Create a site-to-site connection with openvpn (the openvpn client in the LAGG will be the test environment); I've created the connection with a pre-shared key, udp or tcp (doesn't matter), tap interface, rest default settings, no IP address info in the openvpn settings. One openvpn connection is enough; behavior with one or multiple is the same. The connection should be up and running, but no pinging, since no IP addresses are assigned.
2) Create lagg interfaces on both sides. Assign the openvpn connection to the lagg interface (do this for both sides), and choose FAILOVER or ROUNDROBIN (doesn't matter which of the two you choose).
3) Now go to the newly created LAGG interface (do this for both sides again) and assign an IP address in the same subnet (I used 10.0.0.1/24 and 10.0.0.2/24). On the same page you can add, and need to add, the gateway to the other side of the openvpn tunnel (again do this for both sides).

If the firewall rules are set to allow everything, you should be able to ping the tunnel.

Test Case 1: After reboot the LAGG interface doesn't come up.
- Reboot the opnsense router with the openvpn client. After reboot the openvpn client is connected, but the LAGG interface is down, so the tunnel is not usable. It seems that the LAGG interface goes up before the VPN tunnel is connected, therefore the LAGG interface goes into down mode, and it also seems not to poll the openvpn connection at intervals. (I forgot whether the same behavior was also on the server side, but one can test it easily if the above test environment is created.)
To get it started, you have to browse to the assignments/LAGG and edit the LAGG interface. You don't need to change any of the associated interface(s), nor change the mode. The only thing you have to do is click the save button, and then the LAGG/openvpn client combi should work.

Test Case 2: After the openvpn connection has been down, the LAGG interface does not re-establish a good connection.
- Now, in the same test scenario/environment, get the connection up and running.
- Break the openvpn connection; maybe unplug the network cable (in my case the VPN just loses connection over the internet), then reconnect. The openvpn client connects again, but the tunnel is unusable. (Not sure whether in this case the LAGG interface is down (red) or stays green; I forgot.)
- To get it running again, you have to do two things: 1) same as the situation after reboot: browse to the assignments/LAGG and edit the LAGG interface. You don't need to change any of the associated interface(s), nor change the mode. Just click the save button. 2) Navigate to System -> Gateways -> All, edit the gateway associated with the LAGG interface, don't change anything, just click the save button (make sure you apply the changes). And the tunnel should be working again.

So there are workarounds, but it is all manual actions after a reboot or disconnect.
I didn't test it with bridges.
Maybe the order in which the interfaces start is causing the problem. Maybe some polling mechanism should be implemented?

There's one Linux distro that handles the combi of multiple openvpn connections with bonding (LAGG in BSD) flawlessly: zeroshell. Maybe it is worth having a look at it; it might give you some ideas.

If any additional (test) help is needed, let me know; for now I just use openvpn without LAGG.

I hope this helps.
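A check for the symptom in Test Case 1 and Test Case 2, added here as an example and not part of DoubleJ's post or of OPNsense itself: it parses `ifconfig laggN` output and reports when no member port of the lagg is ACTIVE, which is the state that currently needs the manual save-button workaround. The ifconfig output in the block is constructed to resemble FreeBSD's format; the exact laggport flag wording is an assumption and should be verified against the box's own output before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `ifconfig laggN`
# output and decides whether the lagg has lost all active member ports,
# the state described in Test Case 1 and Test Case 2. On a live box,
# replace the constructed samples with: ifconfig lagg0
#
# ASSUMPTION: laggport lines look like
#   laggport: ovpnc1 flags=5<MASTER,ACTIVE>
# as on FreeBSD 10.x; verify against your own ifconfig output.

# Constructed sample: the OpenVPN client interface is assigned to lagg0
# but the port is not ACTIVE (lagg came up before the tunnel connected).
SAMPLE_DOWN='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        laggproto failover lagghash l2,l3,l4
        laggport: ovpnc1 flags=0<>
        status: no carrier'

# Constructed sample: healthy state after the save-button workaround.
SAMPLE_UP='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        laggproto failover lagghash l2,l3,l4
        laggport: ovpnc1 flags=5<MASTER,ACTIVE>
        status: active'

# lagg_active_ports IFCONFIG_OUTPUT
# Prints the number of laggport lines carrying the ACTIVE flag
# (grep -c exits 1 on a count of 0, hence the || true).
lagg_active_ports() {
    printf '%s\n' "$1" | grep -c 'laggport:.*ACTIVE' || true
}

# lagg_needs_refresh IFCONFIG_OUTPUT
# Returns 0 (true) when no member port is ACTIVE, i.e. the lagg needs
# the re-save workaround, and 1 otherwise.
lagg_needs_refresh() {
    [ "$(lagg_active_ports "$1")" -eq 0 ]
}

# Stand-alone run: poll once and report. In a cron job or loop you would
# pass "$(ifconfig lagg0)" instead of the constructed sample.
if lagg_needs_refresh "$SAMPLE_DOWN"; then
    echo "lagg0: no ACTIVE member port, tunnel unusable, refresh needed"
fi
```

Run periodically from cron, the report line gives an alert that the tunnel is down even though the OpenVPN client itself shows connected.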