Messages - abalsam

1
21.1 Legacy Series / Re: Upgrade from 19.1.7 to 21.1
« on: April 26, 2021, 02:53:04 am »
You have to upgrade to 19.7, patch 19.7 and then upgrade to 20.1 etc....

Alternatively, if you are willing to save the configuration and either restore or recreate it, you can write a copy of the latest system install to USB, boot the box from the USB stick and install from the live system.

Might be significantly faster that way :)

2
General Discussion / Request Suggestions for Caching OPNSense Updates
« on: December 17, 2020, 07:13:15 pm »
I have a home lab in which I study networking and pen testing.  Unfortunately, my ISP has a data cap which limits me to 1.2 TB/month.  I have set up a Squid proxy to cache my Windows/Linux updates, but it is unable to properly cache my OPNsense updates (the initial download completes, but when subsequent OPNsense VMs try to download the same update from the cache, the files fail to download and the update fails).

I have looked at maintaining a local update server via rsync; however, since every update (including betas) consists of hundreds of megs, keeping the local repo in sync will tax my data cap as well.  That is why I am looking at only caching the files I am actually using/need.

Since I am not having luck using Squid to cache, and keeping a local repo in sync will not help my data cap, are there other methods/setups people have found to work?

Thanks

3
Web Proxy Filtering and Caching / Squid Peer Configuration Possible?
« on: June 05, 2020, 08:04:06 pm »
I am looking at setting up a pair of Squid proxies to cache Linux updates in an HAProxy configuration.  Since ideally I want to minimize the number of times a package is downloaded, I want to configure the proxies to either sync caches (not seeing how to do that within Squid) or configure each instance to query the other instance as a peer.  The plugin looks like it only has an option for a parent.

Any help/guidance would be appreciated.

Thanks

4
20.1 Legacy Series / Re: OPNsense 20.1.4 VM on KVM Not Allowing Inbound Connections aside from ICMP
« on: April 21, 2020, 10:25:01 pm »
Just 3 quick updates for you.

First, I noticed that my firewall rules were not set to log on success.  I enabled logging and was able to confirm that the firewall was successfully passing the traffic but that it then timed out.

Second, I also tested against a fresh OPNsense 19.7 install and was able to connect without any issues.  I then applied the available patches, making it a 19.7.10_1 system, and it was still working properly.

Third, I installed a fresh version of 20.1 (before patching) and it worked.  I then applied the patch to 20.1.4 and it still worked.

This tells me that the issue I am encountering is very weird as I am so far unable to replicate it (maybe it is simply user error).

If anyone has any suggestions, please let me know (I will be keeping the VM).

Thanks

5
20.1 Legacy Series / OPNsense 20.1.4 VM on KVM Not Allowing Inbound Connections aside from ICMP
« on: April 21, 2020, 08:16:17 pm »
I am in the process of setting up a test lab using KVM (Ubuntu Server 20.04 running KVM and Cockpit).  I am able to install and update OPNsense without issues and the client behind OPNsense has full connectivity.  However, even after I permitted incoming non-routable IP address traffic and set the appropriate rules to permit inbound HTTPS and SSH, the traffic times out and I see no entries in the firewall logs.  However, when I try to connect from the same source to the same destination on HTTP (still blocked by rule),  the traffic also times out but I DO see entries in the firewall logs.  I should also note that incoming ICMP is permitted by rule and is working correctly.

To further test whether the issue was related to KVM or OPNsense, I downloaded and installed pfSense (latest) in parallel on the KVM server.  With the same base rules I am able to successfully connect to the web GUI and SSH through the WAN interface.

I am not sure where to look to troubleshoot this issue further.

Please let me know what you need from me (screen shots or logs).

Thanks

6
18.7 Legacy Series / Re: OpenVPN Client Killswitch
« on: January 14, 2019, 05:02:50 am »
First, I am reading through an older thread on a similar issue: https://forum.opnsense.org/index.php?topic=4979.msg25066#msg25066.  Yes, it is a bit dated, but it has interesting suggestions.  The other thing I would try, on the firewall rules for the VLANs you are trying to secure, is adding floating rules (outbound from the firewall) blocking all traffic that is not being routed through the appropriate gateway.  In theory, if you do one floating rule per VLAN/VPN denying everything that is unexpected, I believe it would function as a kill switch.

Worth testing.

7
18.7 Legacy Series / Re: OpenVPN Client Killswitch
« on: January 14, 2019, 04:24:59 am »
So you are running 3 OpenVPN client instances on the OPNsense server and routing to them via NAT?  It also sounds like you have one network that you do not route through the VPN; is that correct?

8
18.7 Legacy Series / Re: OpenVPN Client Killswitch
« on: January 14, 2019, 03:58:35 am »
In theory you can do this with firewall rules.  I do however have a few more specific questions for you.

1. Are you looking to restrict a single host to VPN only, or the entire network?  The answer to this question would determine what rules to use.
2. Do you establish VPN connectivity via an IP address or a hostname (which must be resolved via DNS)?  The answer to this question would determine whether DNS should be included in or excluded from the kill switch (if I need DNS working to resolve my VPN hostname, I can't include it within the kill switch).

I would also suggest looking into DNS encryption, as normal DNS is in plain text and gives your ISP insight into where you are going (unless DNS is forced through the VPN).

Please advise.

Thanks

9
Development and Code Review / Re: Wireguard in opnsense
« on: September 14, 2018, 01:39:51 pm »
Thank you.  My next step is to turn on packet capturing on my test OPNsense box and its gateway to see what is happening.  I will keep you posted.

10
Development and Code Review / Re: Wireguard in opnsense
« on: September 14, 2018, 04:41:58 am »
I found and reviewed the wg0.conf file on my OPNsense box against the Azire conf file I downloaded.  The only differences are:
  • No DNS field on OPNsense (not in the plugin)
  • Server listening port configured

I suspect that the issue is that when I start the WireGuard service locally, because of the listening port, OPNsense is listening for an incoming connection from Azire.  When I tried to remove the listening port, the plugin gave me an error.  I can send you a copy of my wg0.conf and the downloaded conf from Azire (with keys removed) if you feel that would be useful.

Thanks

11
Development and Code Review / Re: Wireguard in opnsense
« on: September 09, 2018, 11:24:17 pm »
Yes, I did a copy/paste from the configuration file they sent me.

12
Development and Code Review / Re: Wireguard in opnsense
« on: September 09, 2018, 08:05:14 pm »
stopping wireguard
wg-quick: `wg0' is not a WireGuard interface
ifconfig: interface wg0 does not exist
starting wireguard
  • wireguard-go wg0

WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/09/09 14:03:29 Starting wireguard-go version 0.0.20180613
  • wg setconf wg0 /tmp/tmp.AOoRwC3Z/sh-np.17Is8r
  • ifconfig wg0 inet 10.10.16.138/19 10.10.16.138 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 0.0.0.0/1 -interface wg0
  • route -q -n add -inet 128.0.0.0/1 -interface wg0
  • route -q -n add -inet 193.180.164.58 -gateway 192.168.1.1
  • Backgrounding route monitor
and ifconfig output:

wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
   options=80000<LINKSTATE>
   inet 10.10.16.138 --> 10.10.16.138  netmask 0xffffe000
   inet6 fe80::a00:27ff:fe75:c4f1%wg0 prefixlen 64 scopeid 0x6
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: tun wg
   Opened by PID 59450

13
Development and Code Review / Re: Wireguard in opnsense
« on: September 09, 2018, 12:35:29 pm »
Also, while the WireGuard service was running, the server tried to send all traffic through the WireGuard tunnel (which did not have valid IP addresses set up).  This forced me to stop the service while I conduct more research.

14
Development and Code Review / Re: Wireguard in opnsense
« on: September 09, 2018, 05:37:19 am »
I tried to set up Azire VPN using 0.3 of the WireGuard plugin.  The service starts and the tunnel address is assigned (not a single IP address), so I have nothing to ping and no traffic to monitor.  What would you advise for next steps?

Thanks

15
18.7 Legacy Series / Re: WireGuard: Last call for testing
« on: September 07, 2018, 04:22:54 am »
Quick question: I could not find an explanation for why the interface WireGuard is using must be left disabled.  Please explain.  Thanks
