Messages

1

20.7 Legacy Series / Block outbound connections to China

« on: January 02, 2021, 05:07:10 pm »

Does OPNsense have any features or plugins that would block outbound connections to China?  In case I use compromised devices that want to phone home.

2

Hardware and Performance / Configuration backups and new hardware

« on: July 24, 2019, 12:40:34 am »

Hello Folks,

I have OPNsense 19.7 running as a KVM domain\guest with a LAN and WAN interface.  If a new VM is created with the same VM configuration, except with 3 interfaces: LAN, WAN and wLAN, is it a good idea to apply the configuration backup to the new VM? 

If restoring the configuration backup is not a bad idea:

Would it be better to restore the configuration and then start adding configuration for the wLAN interface?

Or, would it be better to do 'basic' configuration of the LAN, WAN and wLAN and then apply the restore?

3

19.7 Legacy Series / Re: Validating download signatures on Windows

« on: July 20, 2019, 06:36:29 pm »

Thanks!  Worked just like the 'Installation & Configuration' guide has it documented.  I didn't realize Kleopatra added the OpenSSL command line exe.  Here are the specific commands, maybe it will help someone else.

F:\download>openssl base64 -d -in OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig -out OPNsense-19.7-tmp-image.sig
WARNING: can't open config file: /etc/ssl/openssl.cnf

F:\download>openssl dgst -sha256 -verify OPNsense-19.7.pub -signature OPNsense-19.7-tmp-image.sig OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2
WARNING: can't open config file: /etc/ssl/openssl.cnf
Verified OK

4

19.7 Legacy Series / Validating download signatures on Windows

« on: July 19, 2019, 10:16:44 pm »

noob question, How can I validate the download file signatures on a windows 10 pc?

Here's what I have done...
downloaded the following files from different mirrors:
          OPNsense-19.7.pub
          OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2
          OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig
and confirmed the OPNsense-19.7.pub content matched other mirrors and the forum webpage.

using Kleopatra\GpgEX I have tried to import the public key but consistently get a BER error.  (see attachment)

I have tried renaming the OPNsense-19.7.pub with these extensions: asc,gpg,pem,der but import still fails.

The best directions I found online were these, https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html

Which suggests the first step is importing the public key, I don't know, but I've already tried randomly clicking all the buttons in Kleopatra. 

Not sure what to try next, any help would be great.

5

19.1 Legacy Series / Re: Site to Site VPN

« on: June 26, 2019, 02:46:45 am »

I found the missing piece to this solution, which, was the iroute configuration in the VPN \ OpenVPN \ Client Specific Overrides.

Create a client specific override and for this scenario, I only needed:

• the OpenVPN server this override was intended for
• add the external facing Common name
• IPv4 Remote Network (the network behind the OpenVPN client, 10.20.27.0/24)

6

19.1 Legacy Series / Re: Site to Site VPN

« on: June 16, 2019, 04:57:22 am »

I have been working on a site to site connection today and also having issues.  To get the VPN connection established with TLS, I found the certificates for the client side caused an issue.  I originally created them as Server certificates.  But found that "OPNsense Generated Combined Client/Server Certificate" works.  Hostname, or FQDN for the CN= makes no difference, but the cert has to be a client type.

The vpn is up between the servers, but I cannot get routing to completely work between the sites.  I would like to allow all hosts on internal networks to connect to all hosts on the opposite internal network.  BTW, both these OPNsense hosts are on a private "external" network (192.168.1.0/24) and not exposed to the internet.

Here is a network configuration summary (details at end):

OPNsense hostname: site09 (OpenVPN Server)
Remote Server peer to peer TLS
IPv4 local network 10.20.29.0/24
IPv4 remote network 10.20.27.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

OPNsense hostname: minecraft (OpenVPN Client)
Remote Server peer to peer TLS
IPv4 local network 10.20.27.0/24
IPv4 remote network 10.20.29.0/24
IPv4 tunnel network 10.200.200.0/24
firewall OpenVPN IPv4 * * * * * allow
firewall Floating IPv4 * * * * * allow  (I assume this takes firewall out of the mix, so I am working on a routing problem)

The firewall live logs are not reporting any denies.

from the minecraft (OPNsense) command line, pings to 10.20.29.1 and 10.20.29.10 get replies
root@minecraft:~ # ping 10.20.29.10
PING 10.20.29.10 (10.20.29.10): 56 data bytes
64 bytes from 10.20.29.10: icmp_seq=0 ttl=127 time=1.656 ms
.... 0 packet loss

but the mint host [inet 10.20.27.100/24 brd 10.20.27.255] can't ping any IPs on the 10.20.29.0 remote network.

jim@mint:~$ traceroute 10.20.29.1
traceroute to 10.20.29.1 (10.20.29.1), 64 hops max
  1   10.20.27.1  0.352ms  0.246ms  0.240ms
  2   *  *  *
  3   *  *  *

jim@mint:~$ traceroute 10.20.29.10
traceroute to 10.20.29.10 (10.20.29.10), 64 hops max
  1   10.20.27.1  0.381ms  0.270ms  0.273ms
  2   *  *  *
  3   *  *  *

Conversely, pinging from the OPNsense VPN server (hostname: site09) it cannot ping the remote network interface 10.20.27.1

root@site09:~ # ping 10.20.27.1
PING 10.20.27.1 (10.20.27.1): 56 data bytes
^C
--- 10.20.27.1 ping statistics ---
18 packets transmitted, 0 packets received, 100.0% packet loss

root@site09:~ # traceroute 10.20.27.1
traceroute to 10.20.27.1 (10.20.27.1), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * *^C

The routing tables look ok to me, but this seems like a routing problem.  All these routes are dynamic, no static routes have been created.

site09 - OpenVPN Server

Proto Destination       Gateway            Flags Use  MTU       Netif    Netif (name) Expire
ipv4   default           192.168.1.1   UGS   329   1500      igb1      wan   
ipv4   10.20.27.0/24   10.200.200.2   UGS   0   1500      ovpns2       
ipv4   10.20.29.0/24   link#1           U   222356 1500   igb0      lan   
ipv4   10.20.29.1    link#1           UHS   0   16384   lo0       
ipv4   10.200.200.0/24 10.200.200.2   UGS   0   1500      ovpns2       
ipv4   10.200.200.1   link#8           UHS   0   16384   lo0       
ipv4   10.200.200.2   link#8           UH   0   1500      ovpns2       
ipv4   127.0.0.1           link#5           UH   1600   16384   lo0       
ipv4   192.168.1.0/24   link#2           U   8844   1500      igb1      wan   
ipv4   192.168.1.139   link#2           UHS   0   16384   lo0   

minecraft - OpenVPN Client

Proto Destination       Gateway            Flags Use  MTU Netif Netif (name) Expire
ipv4   default      192.168.1.1   UGS   403   1500      em0      wan   
ipv4   10.20.27.0/24   link#2      U   10512 1500   em1      lan   
ipv4   10.20.27.1   link#2      UHS   0   16384   lo0       
ipv4   10.20.29.0/24   10.200.200.1   UGS   0   1500      ovpnc2       
ipv4   10.200.200.0/24 10.200.200.1   UGS   0   1500      ovpnc2       
ipv4   10.200.200.1   link#8      UH   0   1500      ovpnc2       
ipv4   10.200.200.2   link#8      UHS   0   16384   lo0       
ipv4   127.0.0.1      link#4      UH   584   16384   lo0       
ipv4   192.168.1.0/24   link#1      U   8551   1500      em0      wan   
ipv4   192.168.1.194   link#1      UHS   0   16384   lo0       



site09 - OpenVPN Server Config *****
General information   full help
 Disabled   
 Description   614 VPN Server
 Server Mode   Peer to Peer (SSL/TLS)
 Protocol   UDP
 Device Mode   tun
 Interface   WAN
 Local port   1194
Cryptographic Settings
 TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

 Peer Certificate Authority   
 Peer Certificate Revocation List   
 Server Certificate   
 DH Parameters Length   4096
 Encryption algorithm           AES-256-CBC
 Auth Digest Algorithm   SHA512
 Hardware Crypto   
 Certificate Depth   One

Tunnel Settings
 IPv4 Tunnel Network   10.200.200.0/24
 IPv6 Tunnel Network   
 Redirect Gateway   
 IPv4 Local Network   10.20.29.0/24
 IPv6 Local Network   
 IPv4 Remote Network 10.20.27.0/24
 IPv6 Remote Network   
 Concurrent connections   15
 Compression   Enabled with Adaptive Compression
 Type-of-Service   
 Duplicate Connections   
 Disable IPv6      <enabled>
Client Settings
 Dynamic IP   
 Address Pool   <enabled>
 Topology      <enabled>
 DNS Default Domain   
 DNS Servers   
 Force DNS cache update   
 NTP Servers   
 NetBIOS Options   
 Client Management Port   
Advanced configuration
 Advanced   
 Verbosity level   
 Force CSO Login Matching   


minecraft - OpenVPN Client Config *****
VPN: OpenVPN: Clients
Disabled    
Description    
Server Mode    Peer to Peer (SSL/TLS)
Protocol    UDP
Device mode    tun
Interface    WAN
Remote server    
   Host or address    Port
   Select remote server at random
Retry DNS resolution    Infinitely resolve remote server
Proxy host or address    
Proxy port    
Proxy authentication extra options    Authentication method
Local port    
User Authentication Settings
User name/pass    
Username
Password
Renegotiate time    
Cryptographic Settings    
TLS Authentication    Enable authentication of TLS packets.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
Peer Certificate Authority    
Client Certificate    
Encryption algorithm    AES-256-CBC
Auth Digest Algorithm    SHA512
Hardware Crypto    
Tunnel Settings
IPv4 Tunnel Network    10.200.200.0/24
IPv6 Tunnel Network    
IPv4 Remote Network    10.20.29.0/24
IPv6 Remote Network    
Limit outgoing bandwidth    
Compression    Enabled with Adaptive Compression
Type-of-Service    
Disable IPv6    <enabled>
Don't pull routes    
Don't add/remove routes    
Advanced configuration
Advanced    
Verbosity level    4

7

19.7 Legacy Series / Re: How to block YouTube and Netflix?

« on: June 15, 2019, 08:11:33 pm »

On the OPNsense web gui
Services\Unbound DNS\Overrides
Add Domain Overrides for youtube.com and netflix.com and point them to a bogus DNS server, such as 10.1.1.1
Workstations may have DNS cached for youtube.com and netflix.com and may have access until the cache expires

Alternatively;
setup an account at opendns.com
setup custom dns filtering and block youtube.com and netflix.com
configure OPNsense to use OpenDNS in Services\OpenDNS