Topics

1

20.7 Production Series / Why using stunnel via NAT only?

« on: August 02, 2020, 09:24:11 am »

Hi,

the stunnel documentation and as well the GUI help on the plugin's configuration mention, that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand online help for NAT mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address consider more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel

2

20.7 Production Series / Routed IPsec looses static routes

« on: August 01, 2020, 12:18:54 pm »

Hi,

there was already an issue reported for 20.1, but this seems still not to be resolved for 20.7: static routes which target into a routed IPsec interface (e.g. ipsec2000) keep disappearing. I can observe this on several OPNsense instances and did not really find a workaround, but manually pressing the "Apply" button in the routing configuration.

How to troubleshoot this? Which service is responsible for applying static routes?

Thanks and BR
Manuel

3

17.1 Legacy Series / OpenVPN and Intermediate Root CA

« on: March 19, 2017, 09:32:52 pm »

Hi,

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:

Code: [Select]

Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern

All CAs are installed into OPNsense. As a "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but its ancestor.

When trying to connect to this OpenVPN server I receive an error of VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining, that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why shall it's root be validated?

Anyway, the solution to this is, simply adding the "Root CA" to the OpenVPN's certificate (/var/etc/openvpn/server1.ca), but my question is if it is a valid and intended behaviour, that OpenVPN questions my configured peer certificate authority.

4

16.7 Legacy Series / DNS override with source IP "hides" DNS server from LAN

« on: August 15, 2016, 01:37:04 pm »

Hey,

I've discovered a weird problem with the DNS forwarder's override feature, when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override using the "Source IP" as a gateway (i.e. itself). This now allows the DNS forwarder to reach the DNS server using the "Source IP", but also has a weird implication to all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense is sending an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel

5

16.1 Legacy Series / [SOLVED] Update from OPNsense 15.7.25-amd64 fails

« on: March 12, 2016, 06:43:42 pm »

Hi,

just wanted to update a OPNsense 15.7.25-amd64 box to 16.1, but the update always fails at the same point:

Code: [Select]

root@detroid:~ # opnsense-update
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (70 candidates): 100%
Processing candidates (70 candidates): 100%
Checking integrity... done (3 conflicting)
Checking integrity... done (0 conflicting)
The following 63 package(s) will be affected (of 0 checked):

...

[6/63] Extracting ca_root_nss-3.22.2: 100%
[7/63] Deinstalling isc-dhcp42-relay-4.2.8...
[7/63] Deleting files for isc-dhcp42-relay-4.2.8:   0%/usr/local/lib/libpkg.so.3: Undefined symbol "openat"

BR,
Manuel

6

15.7 Legacy Series / Identifiers of IPsec with RSA authentication

« on: January 06, 2016, 09:54:18 am »

Hi,

I'd like to configure an IPsec tunnel with RSA authentication. As identifiers (local and peer) I'd like to use the DN of the used X.509 certificates. What do I need to configure for the My identifier and Peer identifier fields to accomplish that?

I've tried with "ASN.1 destinguished Name" with and without value in the corresponding text field, but I always receive the error charon: 13[IKE] <con2|8> no private key found for '<detroid.lan.xxx.net>'. My cert has a DN like CN=detroid.lan.xxx.net,emailAddress=detroid@lan.xxx.net,O=xxx,L=Vienna,ST=Vienna,C=AT.

Anyone already accomplished a IPsec RSA tunnel without explicitly configuring the certificate DNs?

I just recognized, that ipsec did not even load my certificate... Calling ipsec listall only lists CA certificates, no end entity certificates. Also the configured certificate is not listed in ipsec.secrets. Shouldn't it be there?

Thanks,
Manuel

7

15.7 Legacy Series / 100% CPU load

« on: January 05, 2016, 09:51:43 am »

Hi,

one of my OPNsense boxes has almost constant 100% CPU load since a few days. Interestingly the top command of FreeBSD does not work as expected by me, i.e. the sum of the CPU column does not match the total CPU load (see also e.g. this thread on unix.SE).

How can I find out what's causing the high CPU load?

Here some command output:

Code: [Select]

root@detroid:~ # vmstat 5
 procs      memory      page                    disks     faults         cpu
 r b w     avm    fre   flt  re  pi  po    fr  sr ad0 da0   in   sy   cs us sy id
 2 0 0   1876M  3094M   108   0   0   0   185  10   0   0  781  868  875 70 19 11
 2 0 0   1866M  3102M 22626   0   0   0 24790  21   7   0 2445 12832  909 78 22  0
 2 0 0   1822M  3105M 22811   0   0   0 24790  21   7   0 2359 12778  697 79 21  0
 2 0 0   1690M  3100M 22781   0   0   0 24228  21   7   0 2374 12581  736 78 22  0
 2 0 0   1880M  3090M 22707   0   0   0 23975  21   9   0 2372 24626  759 79 21  0
 3 0 0   1876M  3092M 22881   0   0   0 24790  21   7   0 2423 12801  823 76 24  0
 2 0 0   1872M  3096M 22802   0   0   0 24817  20  14   0 2450 12769  908 79 21  0
 2 0 0   1760M  3101M 22705   0   0   0 24739  22   7   0 2430 12682  846 78 22  0
 2 0 0   1884M  3091M 22942   0   0   0 24172  21   7   0 2406 12734  805 80 20  0
 2 0 0   1879M  3092M 22943   0   0   0 24790  20   7   0 2376 12788  737 78 22  0
 2 0 0   1872M  3097M 23947   0   0   0 26480  21   7   0 2367 14015  799 76 24  0


Code: [Select]

last pid: 96282;  load averages:  2.10,  2.15,  2.11                                                       up 32+22:38:05  09:47:15
81 processes:  4 running, 76 sleeping, 1 waiting
CPU: 62.5% user,  0.0% nice, 37.5% system,  0.0% interrupt,  0.0% idle
Mem: 47M Active, 270M Inact, 499M Wired, 412M Buf, 3100M Free
Swap:
 Not displaying idle processes.
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          2 155 ki31     0K    32K RUN     1 177.9H   1.07% idle
   12 root         16 -72    -     0K   256K WAIT    1 568:38   0.39% intr
14978 root          1  52    0 16972K  2456K wait    1 184:12   0.20% sh
65062 root          1  52    0 16972K  2456K wait    0 207:45   0.10% sh
59697 root          1  20    0 21824K  2964K CPU0    0   0:00   0.10% top
95634 root          1  72    0   113M 22216K RUN     0   0:00   0.00% php
96282 root          1  72    0   109M 20504K CPU1    1   0:00   0.00% php
The system has a AMD G-T40E processor with 2 cores.

Thanks,
Manuel

8

15.7 Legacy Series / Interface configuration IPv6: None

« on: December 31, 2015, 09:32:18 am »

Hi,

currently when configuring an interface to IPv6: None, the interface still gets a local-link IP, if IPv6 is globally enabled. Is that intended?

Manuel

9

15.7 Legacy Series / [SOLVED] Firewall rule group interfaces

« on: December 31, 2015, 09:07:37 am »

Hi,

am I doing something wrong, or is it a bug to not being able to create firewall rules for "Group" interfaces?

In my understanding the idea of group interfaces is, that a single created firewall rule will be applied to several interfaces at the same time (similar to "floating rules"). So I've created a group interface, assigned two interfaces and I can see the corresponding tab in the "Firewall: Rules" view. Nevertheless, when clicking the add button, I am not able to select the group interface from the interface list...

Thanks,
Manuel

10

15.7 Legacy Series / [SOLVED] Web UI HTTPS Intermediate Certificates

« on: December 28, 2015, 07:28:43 pm »

Hi,
is it possible to configure lighttpd to send also intermediate certificates of the configured web UI certificate chain?

Thanks,
Manuel

11

15.7 Legacy Series / Installation failure

« on: December 18, 2015, 02:45:04 pm »

Hi,
I'd like to install OPNsense into a VM, but the installer (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) runs into troubles:

Code: [Select]

Flow executing -> main/install/format_disk (Format Disk)           
,-<<< Executing `/usr/local/installer/cleargpt.sh vtbd0'           
| gpart: Device busy                                               
| gpart: Invalid value for 'i' argument: Invalid argument           
| gpart: Device busy                                               
`->>> Exit status: 0                                               
,-<<< Executing `/sbin/fdisk -I vtbd0'                             
| ******* Working on device /dev/vtbd0 *******                     
| fdisk: /boot/mbr: Device not configured                           
`->>> Exit status: 1                                               
[Fri Dec 18 13:25:06 2015]                                         
,-<<< Executing `/sbin/fdisk -I vtbd0'                             
| ******* Working on device /dev/vtbd0 *******                     
| fdisk: /boot/mbr: Device not configured                           
`->>> Exit status: 1                                               
[Fri Dec 18 13:25:09 2015]                                         
,-<<< Executing `/sbin/fdisk -I vtbd0'                             
| ******* Working on device /dev/vtbd0 *******                     
| fdisk: /boot/mbr: Device not configured                           
`->>> Exit status: 1                                               
I'm using KVM, but have a similar error on VMware Workstation.

12

Development and Code Review / Status display of MVC apps

« on: December 15, 2015, 09:20:15 am »

Hi,

I'd like to show some status information of an MVC app within the GUI (e.g. interface IP, sent/received bytes, etc.). I am planning to accomplish that through a script, which gets called by configd and returns the status info (as a JSON string). The configd action is being triggered by the service controller and the view requests the status info through the service controller, and then populates the corresponding layout.
Does that sound reasonable, or is there a better way to display status information of a service?

A down-side of this construct is, that the script delivering the status information does not have any well-defined (e.g. XML defined) model. The information passed between the script and the view are "loose" JSON objects. Is there any intended concept in defining models for external (Python) scripts?


Thanks,
Manuel

13

Development and Code Review / configd: stopping services via rc script

« on: December 13, 2015, 07:43:16 pm »

Hi,
what's the recommended way to stop services using configd? Keeping in mind, that rc script refuse to work if the corresponding service is not enabled, simply executing /usr/local/etc/rc.d/<service> stop is not sufficient.

In the Proxy plugin is was done by calling killall squid after trying to execute the rc.d/squid stop, but why did you actually use killall to "stop" squid instead of executing /usr/local/etc/rc.d/squid onestop? Is there a side-effect in using the "onestop" action? I'd say a completely clean mechanism should not kill all instances, but should only kill the instance stored in the service's pid-file...

Also for querying the service status, maybe using "onestatus" instead of "status" would allow recognizing e.g. a hanging or still running process, even the service has already been disabled. Right now if the service is not enabled, OPNsense always assumes that the process behind the service is not running, which is fact is not always the case.

Thanks,
Manuel

14

Development and Code Review / Coding guidelines

« on: December 07, 2015, 08:02:50 am »

Are there any coding guidelines for OPNsense? The forked pfsense code does not seem to have any guidelines (e.g. indents vary in tabs and spaces, single if statements used with and without curly braces, etc.)... Currently the code is a mix between different coding styles, it seems.

If one adds code to existing files, should the style of the file being adopted, or is there a OPNsense recommendation to apply? Shall existing files be adopted to a consistent style in future?

15

15.7 Legacy Series / New menu structure and DNS services

« on: December 04, 2015, 11:28:30 pm »

I really like the new menu structure, which e.g. unifies the DHCP Relay and the DHCP Server. But is there a specific reason, why the different DNS services were not put together into one sub-menu? I guess the DNS Filter, DNS Forwarder, DNS Resolver, and maybe even the Dynamic DNS services might go into one DNS menu, which then has sub items for Filter, Forwarder, Resolver, and Dynamic DNS.