Messages

Hi

We struggling with the similar problems. All new exported client configs doesn't work:

Code Select Expand

Options error: Unrecognized option or missing or extra parameter(s) in xxxx_xx01_fw01_openvpn01__Superadmins__xxx.ovpn:4: data-ciphers-fallback (2.4.7)
Use --help for more information.


I tried on our client:
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

And I also can't find an option for "data-ciphers-fallback" in (but I can't try with the ovpn file at the moment)
OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar  8 2023

The old exported configurations works fine and also, after we remove the "data-ciphers-fallback" line in the client exported .ovpn file or with the workaround from chrishh

It's a bit strange, because it should be work since 2.3: https://community.openvpn.net/openvpn/wiki/CipherNegotiation

gruss ivo

Salü Franco

For sure we only use opnSense :-)

Without the patch in the main office, we had different versions in place; between 19.1.2 and 19.1.4 and we can't connect to any side.

Maybe this is interesting: We patch only the FW on the main office (19.1.4 + patch) and it runs fine with the unpatched 19.1.4 boxes and 19.1.2 to .3 from the branch offices.

gruss ivo

Hallo zusammen

Die verwendete Hardware wäre doch noch interessant und hat mal jemand die MTU kontrolliert?

Wir betreiben eine opnSense auf einem Intel Server mit XEON in einem Datacenter mit 10GB Fiber und haben keine schlechteren Ergebnisse als mit unserer grossen Cisco ASA im gleichen Datacenter und gleicher Leitung.

gruss ivo

Salü gs

Why you trace to 10.10.12.3 and not to 10.10.12.2?
What about 10.10.12.1, where you define it?

gruss ivo

Salü Franco

It looks fine after applying the patch:

- Update 19.1.2 --> 19.1.4
- Manual Reboot
- Applying patch
- Manual Reboot

Besten Dank und schönen Abend.

gruss ivo

In the console:

opnsense-revert -r 19.1.2 opnsense

Yes, same on our side, we go back to 19.1.2 and have to request a maintenance window to try the patch.

ivo

Thank you for sharing your code. We use it vise-versa (our server pull it from opnsense), because the external FW boxes can't reach the backup server.

I think from the security perspective, it was safer in the 18.1 version to have a ssh key and a dedicated user without any permissions, just pull the configuration. Now, we have to give the backup admin and bash rights.

gruss ivo

Hi all

We just updated some OPNsense boxes from 18.1 -> 18.7 and got a problem with the nightly backup process.

The centralized server got all configurations from all boxes with a preshared key and a special backup user, who have no password access to the OPNsense etc.

After the update to 18.7 it doesn't work again, but I found these in the logs:

Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.

I check with the web gui the "Effective Privileges" from this user and I can't find the point "User - System: Shell account access" anymore.

On the 18.1 configuration, because the security, this user is not a member of the admin group, "/sbin/nologin" is the Login Shell and only the "Effective Privileges" "User - System: Shell account access" was set. With the preshared key we get the configuration with scp. It work's fine.

How can I setup it up with the 18.7 release?

gruss ivo

Hi all

Is anyone out there with experiences with an LTE modem on the APU2 (or APU3) board?

A list with compatible modem can I find here:
http://pcengines.ch/howto.htm#3G

Is there a OPNsense supported modem as well?

Are there any restrictions? How is the modem configured (PIN, APN etc.)?

gruss ivo

Hi all

We have also some DSL <-> Fiber VPN's (both side connected by pppoe via a bridge/converter to the provider) and we need to reduce the MSS to 1380 on the LAN side. Without, RDP is useless.

gruss ivo

Hi all

18.1.r1 is a release candidate?

If I press "Check for updates" on all of our production firewalls, this version is also listet as an update. Was this expected?

gruss ivo

Did you try to boot with CD?

[ping -s 1395 -M do 198.18.8.48]

Salü mimugmail

Yes, it was also my first intend and I tried some modifications, but I never touched the MSS field. Thank you to give me the kick to go through the thread again. It's solved now, here is how:

I try with ping, what is the biggest size where I got a reply:

[root@linux01 ~]# ping -s 1395 -M do 198.18.8.48
PING 198.18.8.48 (198.18.8.48) 1395(1423) bytes of data.
^C
--- 198.18.8.48 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms

[root@linux01 ~]#

[root@linux01 ~]# ping -s 1394 -M do 198.18.8.48
PING 198.18.8.48 (198.18.8.48) 1394(1422) bytes of data.
1402 bytes from 198.18.8.48: icmp_seq=1 ttl=62 time=15.2 ms
1402 bytes from 198.18.8.48: icmp_seq=2 ttl=62 time=15.0 ms
1402 bytes from 198.18.8.48: icmp_seq=3 ttl=62 time=14.3 ms
^C
--- 198.18.8.48 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 14.316/14.856/15.203/0.386 ms
[root@linux01 ~]#

I set the MSS value "1422" from the "good" ping on the LAN interface on the opnsense and the performance was fine. I try to set it only on location A and it works, but this location is connected via DSL.

I also had a look on the Cisco ASA, there was no settings for MSS, so the default value should be active:
"By default the ASA sets the TCP MSS option in the SYN packets to 1380." (from Cisco).

gruss ivo

Hmmm, that's interesting, this is the 1st time where I see this scenario...

But, maybe one of these idea's can bring you forward:

- Configure the PPPoE with the VIP on the WAN Interface of your router and the Subnet Range on the LAN side, the connect the opnsense on the LAN port of the router.

- Or try to configure opnsense with the PPPoE VIP on the WAN interface and the IP range to a "dummy" VLAN on the opnsense and set the GW to the WAN interface.

I never try this...

gruss ivo