1
22.7 Legacy Series / Re: Azure Routed Based IPSec rekey issue
« on: September 27, 2022, 02:02:55 pm »
I've disabled reauth, and so far no rekey issues
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
22.7 Legacy Series / Re: Cloud Backup other than Google Drive (use MS Onedrive)
« on: September 25, 2022, 12:18:06 pm »
I use the GIT backup plugin, I find it's a better method. Then you can backup to Gitlab, Github, or a selfhosted version of git.
3
22.7 Legacy Series / Re: Azure Routed Based IPSec rekey issue
« on: September 25, 2022, 12:01:28 pm »Hi,
iin my case I use different Settings.
In Phase I use "default " as connection method instead "response only"
In Phase 2 I use Sha265 as hash algorithm, you use none.
My Azure Settings are attached. Hope that helps
I've changed from AESGCM to AES, to see if that's the problem.
4
22.7 Legacy Series / Azure Routed Based IPSec rekey issue
« on: September 23, 2022, 09:49:52 am »
Hi Guys,
I've configured a IPSec S2S tunnel to Azure and I'm having issues at rekey, I've double checked my settings and they all match what they should be set too. We have another IPSec tunnel with the same settings to another Firewall vendor and the settings work fine, so I know there's something not quite right on the OPNsense side.
I've noticed during the rekey I end up getting "integrity check failed" messages in the IPSec log of OPNsense.
I've got the tunnel setup using AES256-GCM for both phase1 and phase2. Luckily the tunnel restarts eventually and the tunnel comes backup for the lifetime of the SA's, then rekey happens fails and then restarts again after some "integrity check failed" messages. This courses about 2-3 minutes of no traffic to pass.
Has anyone get any experience using AES GCM with IPSec to Azure?
I shall attach my OPNsense settings, encase the issue is obvious to someone when they look at them.
I've configured a IPSec S2S tunnel to Azure and I'm having issues at rekey, I've double checked my settings and they all match what they should be set too. We have another IPSec tunnel with the same settings to another Firewall vendor and the settings work fine, so I know there's something not quite right on the OPNsense side.
I've noticed during the rekey I end up getting "integrity check failed" messages in the IPSec log of OPNsense.
I've got the tunnel setup using AES256-GCM for both phase1 and phase2. Luckily the tunnel restarts eventually and the tunnel comes backup for the lifetime of the SA's, then rekey happens fails and then restarts again after some "integrity check failed" messages. This courses about 2-3 minutes of no traffic to pass.
Has anyone get any experience using AES GCM with IPSec to Azure?
I shall attach my OPNsense settings, encase the issue is obvious to someone when they look at them.
5
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: September 26, 2021, 04:02:59 pm »
Error messages are saying they can't connect to the web interface.
Have you changed its port?
Wow, thanks for the instantaneous reply and solution!
I had changed from https to http, and hadn't changed the line in PIAWireguard.json.
It's working now!
[/quote]
Glad to hear it's working 💪
6
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: September 26, 2021, 03:52:18 pm »Hmm...I've installed the latest version of the script, and it has stopped working for me. I've done something stupid, I'm sure, but I don't know what.
Can anyone help?Code: [Select]root@OPNsense:~ # /conf/PIAWireguard.py debug
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
conn = connection.create_connection(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
raise err
File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
sock.connect(sa)
TimeoutError: [Errno 60] Operation timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
conn = self._new_conn()
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/conf/PIAWireguard.py", line 202, in <module>
r = requests.get(f'{opnsenseURL}/api/wireguard/server/searchServer/', auth=(config['opnsenseKey'], config['opnsenseSecret']), verify=urlVerify)
File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
root@OPNsense:~ #
Error messages are saying they can't connect to the web interface.
Have you changed its port?
7
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: August 22, 2021, 01:50:17 am »Yes, I just confirmed that the actions file has all 3 setups contained within it.
There are 3 distinct entries in Cron now as well. So I guess that's good.
I have selected the uk_2 server for British streaming.
I think you might be onto something with the DNS holding me back.
Ideally I would like to capture the DNS and route appropriately for each tunnel, although it looks as though all tunnels utilise the same internal IP addresses for DNS.
I am attempting to make sense of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks in order to route the DNS appropriately. In fact I had started a separate thread about it a few days ago at https://forum.opnsense.org/index.php?topic=24416.0, but as yet don't have it working.
Sounds like your on the right tracks now. Just create the cron jobs to run each of those actions every 5 or 10 minutes.
DNS wise... what you need to do is set the PIA DNS on the clients via DHCP (or manually), to 10.0.0.243, then in the firewall rules, you allow traffic to 10.0.0.243 but using PIA gateway you need. That should then push the DNS traffic down the tunnel to the DNS server for that region :-)
Also this may be handy information.
https://www.privateinternetaccess.com/helpdesk/kb/articles/streaming-with-pia
8
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: August 22, 2021, 01:23:26 am »You're really on the ball - thanks for monitoring this thread so closely!
A little more playing around and I currently have all gateways up and running again.
One of the issues had been that I was editing the PIAWireguard.py file on my desktop, and had forgotten to copy it back across to OPNsense. Schoolboy error I'm afraid
I'm now showing 3 different public IP addresses.
Before going any further I'll see if I can get the Cron jobs set up, then I'll look a bit more closely at my firewall rules. Still trying to get the hang of those, but so far the UK streaming sites are not working for me.
Streaming can be a tricky one, you may need to use PIA DNS servers, as PIA do some DNS tricky to get streaming services working. But if you look in the regions list you'll see uk_2 which is described as a streaming optimised region, so you may need to use that region id in your setup, failing that PIA DNS maybe required.
Cron Jobs should be pretty easy.
Make sure your action file contains actions for all 3 setups, then reload the configd. Then the 3 actions will appear in the cron section of the webui.
9
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: August 22, 2021, 01:06:37 am »Now I seem to have messed it all up.
Had a brief server crash, and it obviously did some kind of reset (asked me to send a crash report).
I was still doing setup and hadn't done the cron thing.
I went back and added the original PIAWireguard.py file, with the relevant changes.
However when I run PIAWireguard.py debug, I keep getting
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information
Not sure what that means, and I can't find other errors. The other gateways (US & UK) came up fine when I ran the scripts and readded the gateways etc.
Any suggestions?
The part is failing on is sending PIA server your public key and PIA token in turn for the connection information.
https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/blob/6f839bf952b0dfe5f967ba0edb4c2b3ce9c37abf/PIAWireguard.py#L399
I would assume an issue with opnsenseWGPubkey the script is retrieving from OPNsense. Does the script pick it up correctly? The script does print this information when in debug mode.
I can provide remote support if required.
10
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: August 21, 2021, 10:58:32 pm »
I highly recommend you make sure you have the actions setup for both the new and old tunnels, and have the cron job setup.
Short term you may not find any issues, but long term you'll need the cron action for each tunnel.
Whats the action does it monitors the tunnel, if the tunnel goes down, for example the PIA server restarts for updates or maybe they retire that server, it'll then move the wireguard tunnel over to another PIA server in that region. When PIA restarts their servers, all peers will be lost as the server runs in RAM, so a full login on PIA side is required again. The action also makes sure the gateway IP is set, to allow traffic to route over the tunnel.
Also if your disconnected from PIA server for extended period of time they will remove you as a peer, so full authentication is required again. Unsure on the timescale but I think its 15 minutes or so. Which could happen if your WAN goes down or your updating OPNsense. The cron action will then make sure you get back up and running again.
Hope this helps :-)
Short term you may not find any issues, but long term you'll need the cron action for each tunnel.
Whats the action does it monitors the tunnel, if the tunnel goes down, for example the PIA server restarts for updates or maybe they retire that server, it'll then move the wireguard tunnel over to another PIA server in that region. When PIA restarts their servers, all peers will be lost as the server runs in RAM, so a full login on PIA side is required again. The action also makes sure the gateway IP is set, to allow traffic to route over the tunnel.
Also if your disconnected from PIA server for extended period of time they will remove you as a peer, so full authentication is required again. Unsure on the timescale but I think its 15 minutes or so. Which could happen if your WAN goes down or your updating OPNsense. The cron action will then make sure you get back up and running again.
Hope this helps :-)
11
Virtual private networks / Re: Private Internet Access (PIA) WireGuard Guide/Script
« on: August 21, 2021, 09:02:27 pm »**Looks around slowly and raises hand sheepishly after several months of inactivity in thread...**
I used this script to set up a PIA WG tunnel . Worked great
Now I am hoping to set up multiple WG tunnels.
How would I go about this? The idea is a tunnel for US & UK in addition to my existing tunnel.
If I run the primary script again, will it break the existing connection? Do I need to go right back and create a new API for example, or can I start further along in the process?
It very simple to do
Make a copy of your current PIAWireguard.py, name it something like PIAWireguard_US.py then edit the below variables
Code: [Select]
opnsenseWGName = 'PIAUS'
opnsenseWGPort = "51816"
piaRegionId = "us_silicon_valley"Very important to change the WGName and WGPort!Then you'll also need to add some new entries to the actions file, just need to add new actions for each region example below
"/usr/local/opnsense/service/conf/actions.d/actions_piawireguard.conf"
Code: [Select]
[piaWireGuardUS]
command:/conf/PIAWireguard_US.py
parameters: %s %s
type:script_output
message:Running PIA WireGuard US Script : /conf/PIAWireguard_US.py %s %s
description:PIA WireGuard USThen reload the configd service
Code: [Select]
configd restartNow you can run the script again and it'll create the next PIA WireGuard Interface, and follow the setup guide again, with the second PIA interface.
Code: [Select]
/conf/PIAWireguard_US.py debug
12
General Discussion / Re: Improvement suggestion for the forum
« on: May 28, 2021, 11:55:53 am »
Making use of wider screens would be great!
13
21.1 Legacy Series / Re: Native-kernel wireguard support for 21.1 feasible? FreeBSD 13 may have it
« on: April 30, 2021, 02:51:45 pm »Glad to hear it working great for you. I also find it worth using a known good speedtest server.I saw you have a script for PIA, curious if you were able to get port forwarding working using the new kernel mod with PIA, and if so how?
Port forwarding works and its mentioned at the bottom of my Scripts README
14
21.1 Legacy Series / Re: Native-kernel wireguard support for 21.1 feasible? FreeBSD 13 may have it
« on: April 27, 2021, 07:11:42 pm »
Glad to hear it working great for you. I also find it worth using a known good speedtest server.
I usually try and use http://ovh.net as I know all their test locations are 10gbit connections, if speedtest.net is looking to give odd/varying results.
I usually try and use http://ovh.net as I know all their test locations are 10gbit connections, if speedtest.net is looking to give odd/varying results.
15
21.1 Legacy Series / Re: NPTv6 only working one way
« on: April 27, 2021, 10:23:42 am »
Could be 20.7.6, I wasn't monitoring IPv6...
I'm running 21.1.5 currently and still not working. Funnily enough I too are getting the issue at OVH.
leifnel, do you have a backup of your firewall when you was running 20.7.5? or have you already reverted back?
I'm running 21.1.5 currently and still not working. Funnily enough I too are getting the issue at OVH.
leifnel, do you have a backup of your firewall when you was running 20.7.5? or have you already reverted back?