Messages - jimk2048

#1
Does OPNsense have any features or plugins that would block outbound connections to China?  In case I use compromised devices that want to phone home.
#2
Hello Folks,

I have OPNsense 19.7 running as a KVM domain\guest with a LAN and WAN interface.  If a new VM is created with the same VM configuration, except with 3 interfaces: LAN, WAN and wLAN, is it a good idea to apply the configuration backup to the new VM? 

If restoring the configuration backup is not a bad idea:

Would it be better to restore the configuration and then start adding configuration for the wLAN interface?

Or, would it be better to do 'basic' configuration of the LAN, WAN and wLAN and then apply the restore?
#3
Thanks!  Worked just like the 'Installation & Configuration' guide has it documented.  I didn't realize Kleopatra added the OpenSSL command line exe.  Here are the specific commands, maybe it will help someone else.

F:\download>openssl base64 -d -in OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig -out OPNsense-19.7-tmp-image.sig
WARNING: can't open config file: /etc/ssl/openssl.cnf

F:\download>openssl dgst -sha256 -verify OPNsense-19.7.pub -signature OPNsense-19.7-tmp-image.sig OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2
WARNING: can't open config file: /etc/ssl/openssl.cnf
Verified OK
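The same two steps as a reusable shell function, added here as an example rather than code from the post or from OPNsense: it decodes the base64 .sig and runs the RSA/SHA-256 verification, returning non-zero so a download script can stop on a file whose signature does not match. The make_demo helper constructs a throwaway key, sample file and signature so the function can be exercised without the real key or ISO.

```shell
#!/bin/sh
# verify_image PUBKEY SIG_B64 IMAGE
# Step 1 decodes the published base64 .sig into raw signature bytes, step 2
# verifies that signature over the image with the RSA public key, the same
# two openssl invocations as in the post.  Returns 0 only on "Verified OK";
# 1 for a missing file, an undecodable signature or a signature mismatch.
verify_image() {
    pub=$1; sig_b64=$2; image=$3
    for f in "$pub" "$sig_b64" "$image"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    raw_sig=$(mktemp) || return 1
    if ! openssl base64 -d -in "$sig_b64" -out "$raw_sig" 2>/dev/null; then
        rm -f "$raw_sig"; echo "base64 decode of $sig_b64 failed" >&2; return 1
    fi
    # openssl dgst exits 0 and prints "Verified OK" on success,
    # non-zero and "Verification Failure" on a mismatch.
    if openssl dgst -sha256 -verify "$pub" -signature "$raw_sig" "$image" >/dev/null 2>&1; then
        rm -f "$raw_sig"; return 0
    fi
    rm -f "$raw_sig"; echo "signature does NOT match $image" >&2; return 1
}

# make_demo DIR: constructed test data (a throwaway 2048-bit key, a small
# sample "image", its base64 signature, and a one-byte-modified copy of the
# image).  The real OPNsense key and ISO are not involved.
make_demo() {
    d=$1
    openssl genrsa -out "$d/demo.key" 2048 2>/dev/null || return 1
    openssl rsa -in "$d/demo.key" -pubout -out "$d/demo.pub" 2>/dev/null || return 1
    printf 'constructed sample image bytes\n' > "$d/image.bin"
    openssl dgst -sha256 -sign "$d/demo.key" -out "$d/image.raw" "$d/image.bin" || return 1
    openssl base64 -in "$d/image.raw" -out "$d/image.bin.sig" || return 1
    printf 'constructed sample image bytez\n' > "$d/tampered.bin"
}
```

On the Windows build from Kleopatra the "can't open config file" warning is printed by the same binary and does not affect the result; the exit status and "Verified OK" line are what matter.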
#4
Noob question: how can I validate the download file signatures on a Windows 10 PC?

Here's what I have done...
downloaded the following files from different mirrors:
          OPNsense-19.7.pub
          OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2
          OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig
and confirmed the OPNsense-19.7.pub content matched other mirrors and the forum webpage.

Using Kleopatra\GpgEX I have tried to import the public key but consistently get a BER error (see attachment).

I have tried renaming the OPNsense-19.7.pub with these extensions: asc, gpg, pem, der, but import still fails.

The best directions I found online were these: https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html

Which suggests the first step is importing the public key. I don't know, but I've already tried randomly clicking all the buttons in Kleopatra.  ;)

Not sure what to try next, any help would be great.
#5
19.1 Legacy Series / Re: Site to Site VPN
June 26, 2019, 02:46:45 AM
I found the missing piece to this solution, which was the iroute configuration in the VPN \ OpenVPN \ Client Specific Overrides.

Create a client specific override and for this scenario, I only needed:

  • the OpenVPN server this override was intended for
  • add the external facing Common name
  • IPv4 Remote Network (the network behind the OpenVPN client, 10.20.27.0/24)

#6
19.1 Legacy Series / Re: Site to Site VPN
June 16, 2019, 04:57:22 AM
I have been working on a site to site connection today and also having issues.  To get the VPN connection established with TLS, I found the certificates for the client side caused an issue.  I originally created them as Server certificates.  But found that "OPNsense Generated Combined Client/Server Certificate" works.  Hostname, or FQDN for the CN= makes no difference, but the cert has to be a client type.

The VPN is up between the servers, but I cannot get routing to completely work between the sites.  I would like to allow all hosts on internal networks to connect to all hosts on the opposite internal network.  BTW, both these OPNsense hosts are on a private "external" network (192.168.1.0/24) and not exposed to the internet.

Here is a network configuration summary (details at end):

OPNsense hostname: site09 (OpenVPN Server)
Remote Server peer to peer TLS
IPv4 local network 10.20.29.0/24
IPv4 remote network 10.20.27.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

OPNsense hostname: minecraft (OpenVPN Client)
Remote Server peer to peer TLS
IPv4 local network 10.20.27.0/24
IPv4 remote network 10.20.29.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

The firewall live logs are not reporting any denies.

From the minecraft (OPNsense) command line, pings to 10.20.29.1 and 10.20.29.10 get replies:
root@minecraft:~ # ping 10.20.29.10
PING 10.20.29.10 (10.20.29.10): 56 data bytes
64 bytes from 10.20.29.10: icmp_seq=0 ttl=127 time=1.656 ms
.... 0 packet loss

But the mint host [inet 10.20.27.100/24 brd 10.20.27.255] can't ping any IPs on the 10.20.29.0 remote network.

jim@mint:~$ traceroute 10.20.29.1
traceroute to 10.20.29.1 (10.20.29.1), 64 hops max
  1   10.20.27.1  0.352ms  0.246ms  0.240ms
  2   *  *  *
  3   *  *  *

jim@mint:~$ traceroute 10.20.29.10
traceroute to 10.20.29.10 (10.20.29.10), 64 hops max
  1   10.20.27.1  0.381ms  0.270ms  0.273ms
  2   *  *  *
  3   *  *  *

Conversely, the OPNsense VPN server (hostname: site09) cannot ping the remote network interface 10.20.27.1:

root@site09:~ # ping 10.20.27.1
PING 10.20.27.1 (10.20.27.1): 56 data bytes
^C
--- 10.20.27.1 ping statistics ---
18 packets transmitted, 0 packets received, 100.0% packet loss

root@site09:~ # traceroute 10.20.27.1
traceroute to 10.20.27.1 (10.20.27.1), 64 hops max, 40 byte packets
1  * * *
2  * * *
3  * *^C

The routing tables look ok to me, but this seems like a routing problem.  All these routes are dynamic, no static routes have been created.

site09 - OpenVPN Server

Proto  Destination      Gateway        Flags  Use     MTU    Netif   Netif (name)  Expire
ipv4   default          192.168.1.1    UGS    329     1500   igb1    wan
ipv4   10.20.27.0/24    10.200.200.2   UGS    0       1500   ovpns2
ipv4   10.20.29.0/24    link#1         U      222356  1500   igb0    lan
ipv4   10.20.29.1       link#1         UHS    0       16384  lo0
ipv4   10.200.200.0/24  10.200.200.2   UGS    0       1500   ovpns2
ipv4   10.200.200.1     link#8         UHS    0       16384  lo0
ipv4   10.200.200.2     link#8         UH     0       1500   ovpns2
ipv4   127.0.0.1        link#5         UH     1600    16384  lo0
ipv4   192.168.1.0/24   link#2         U      8844    1500   igb1    wan
ipv4   192.168.1.139    link#2         UHS    0       16384  lo0

minecraft - OpenVPN Client

Proto  Destination      Gateway        Flags  Use    MTU    Netif   Netif (name)  Expire
ipv4   default          192.168.1.1    UGS    403    1500   em0     wan
ipv4   10.20.27.0/24    link#2         U      10512  1500   em1     lan
ipv4   10.20.27.1       link#2         UHS    0      16384  lo0
ipv4   10.20.29.0/24    10.200.200.1   UGS    0      1500   ovpnc2
ipv4   10.200.200.0/24  10.200.200.1   UGS    0      1500   ovpnc2
ipv4   10.200.200.1     link#8         UH     0      1500   ovpnc2
ipv4   10.200.200.2     link#8         UHS    0      16384  lo0
ipv4   127.0.0.1        link#4         UH     584    16384  lo0
ipv4   192.168.1.0/24   link#1         U      8551   1500   em0     wan
ipv4   192.168.1.194    link#1         UHS    0      16384  lo0



site09 - OpenVPN Server Config *****
General information   full help
Disabled   
Description   614 VPN Server
Server Mode   Peer to Peer (SSL/TLS)
Protocol   UDP
Device Mode   tun
Interface   WAN
Local port   1194
Cryptographic Settings
TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Peer Certificate Authority   
Peer Certificate Revocation List   
Server Certificate   
DH Parameters Length   4096
Encryption algorithm           AES-256-CBC
Auth Digest Algorithm   SHA512
Hardware Crypto   
Certificate Depth   One

Tunnel Settings
IPv4 Tunnel Network   10.200.200.0/24
IPv6 Tunnel Network   
Redirect Gateway   
IPv4 Local Network   10.20.29.0/24
IPv6 Local Network   
IPv4 Remote Network 10.20.27.0/24
IPv6 Remote Network   
Concurrent connections   15
Compression   Enabled with Adaptive Compression
Type-of-Service   
Duplicate Connections   
Disable IPv6      <enabled>
Client Settings
Dynamic IP   
Address Pool   <enabled>
Topology      <enabled>
DNS Default Domain   
DNS Servers   
Force DNS cache update   
NTP Servers   
NetBIOS Options   
Client Management Port   
Advanced configuration
Advanced   
Verbosity level   
Force CSO Login Matching   


minecraft - OpenVPN Client Config *****
VPN: OpenVPN: Clients
Disabled    
Description    
Server Mode    Peer to Peer (SSL/TLS)
Protocol    UDP
Device mode    tun
Interface    WAN
Remote server    
   Host or address    Port
   Select remote server at random
Retry DNS resolution    Infinitely resolve remote server
Proxy host or address    
Proxy port    
Proxy authentication extra options    Authentication method
Local port    
User Authentication Settings
User name/pass    
Username
Password
Renegotiate time    
Cryptographic Settings    
TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority    
Client Certificate    
Encryption algorithm    AES-256-CBC
Auth Digest Algorithm    SHA512
Hardware Crypto    
Tunnel Settings
IPv4 Tunnel Network    10.200.200.0/24
IPv6 Tunnel Network    
IPv4 Remote Network    10.20.29.0/24
IPv6 Remote Network    
Limit outgoing bandwidth    
Compression    Enabled with Adaptive Compression
Type-of-Service    
Disable IPv6    <enabled>
Don't pull routes    
Don't add/remove routes    
Advanced configuration
Advanced    
Verbosity level    4
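Posts #5 and #6 together describe the failure (kernel routes for the far LAN present on both firewalls, yet no traffic crosses) and the fix (a Client Specific Override carrying the remote network, which OpenVPN turns into an iroute for that client's Common Name). The shell below is an added example, not code from the thread or from OPNsense: write_cso creates the client-config-dir entry such an override amounts to, and missing_iroutes flags any route in the server config with no matching iroute, which is the state site09 was in before the override existed. The CCD directory, the client CN "minecraft" and the server.conf contents used in the check are assumptions.

```shell
#!/bin/sh
# write_cso CCD_DIR CN NET MASK
# Writes the client-config-dir file that a Client Specific Override with an
# "IPv4 Remote Network" amounts to: one iroute line, in a file named after
# the client certificate's Common Name (directory and CN are assumptions).
write_cso() {
    mkdir -p "$1" && printf 'iroute %s %s\n' "$3" "$4" > "$1/$2"
}

# missing_iroutes SERVER_CONF CCD_DIR
# Reports every "route NET MASK" in the server config that no CCD file claims
# with a matching "iroute NET MASK".  That is the half-configured state from
# the thread: the kernel table already sends the remote LAN into the tunnel,
# but OpenVPN itself does not know which connected client owns that subnet,
# so the traffic goes nowhere.  Returns 0 when every route is covered, 1 when
# at least one is not, 2 when the config cannot be read.
missing_iroutes() {
    conf=$1; ccd=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    missing=$(
        # "route" lines only; comments, "route-nopull" etc. do not match $1
        awk '$1 == "route" && NF >= 3 { print $2, $3 }' "$conf" |
        while read -r net mask; do
            grep -qsF -- "iroute $net $mask" "$ccd"/* 2>/dev/null \
                || echo "route $net $mask has no iroute in any file under $ccd"
        done
    )
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}
```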
#7
On the OPNsense web gui
Services\Unbound DNS\Overrides
Add Domain Overrides for youtube.com and netflix.com and point them to a bogus DNS server, such as 10.1.1.1.
Workstations may have DNS cached for youtube.com and netflix.com and may have access until the cache expires.

Alternatively:
set up an account at opendns.com
set up custom DNS filtering and block youtube.com and netflix.com
configure OPNsense to use OpenDNS in Services\OpenDNS