#1
24.7, 24.10 Legacy Series / Filtering of VTI Traffic
September 07, 2024, 08:24:11 PM
I have following sysctl values set:


net.inet.ipsec.filtertunnel: 0
net.enc.in.ipsec_filter_mask: 2
net.enc.out.ipsec_filter_mask: 1


When filtering on enc0, traffic filtering does not apply. When filtering on an ipsecXYZ device (i.e. a VTI device), filtering applies. This behaviour seems to be different from 24.1 and also different from what is described in https://docs.opnsense.org/manual/vpnet.html#route-based-vti.
Is this an intentional change, or are there other settings which might have an impact here?
#2
23.7 Legacy Series / IPsec IPv6 VTI
September 05, 2023, 08:37:54 PM
Hi,
did anyone accomplish a VTI with IPv6 addresses? The GUI accepts the config, but the inet6 address is never set on the ipsec interface.

ipsec41: flags=8011<UP,POINTOPOINT,MULTICAST> metric 0 mtu 1400
tunnel inet 198.51.100.39 --> 203.0.113.49
inet6 fe80::20d:3aff:fe83:90d5%ipsec41 prefixlen 64 tentative scopeid 0xd
groups: ipsec
reqid: 41
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
#3
23.7 Legacy Series / IPsec VTI with dynamic remote IP
September 01, 2023, 04:40:17 PM
Hi,

in the legacy IPsec UI one can create VTI tunnels with dynamic remote IPs by selecting "Route-based" as a mode for the P2 entry. This will then automatically create a Virtual Tunnel Interface with the entered remote gateway of the corresponding P1 entry.

With the new IPsec UI the Virtual Tunnel Interface needs to be created manually, and there only an IP address is accepted as the remote address. A hostname is not accepted.

Did I overlook something, or is there a way to create a VTI with a dynamic remote address?
#4
I've started up one of my devel machines after a longer time being offline. I faced the issue of not being able to update due to server certificate validation issues with the Let's Encrypt upstream. After some recommendations in other threads I removed all Let's Encrypt roots and intermediates from the certificate trust, then I switched to an HTTP mirror and managed to update.
Now I'm facing the situation that when trying to change to the devel stream (mirror type 'Development') I get verification errors, but on the community stream updating is possible via the same mirror, even using HTTPS (default mirror - pkg.opnsense.org).


***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.9 (amd64/OpenSSL) at Sat Jun 25 22:00:51 CEST 2022
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:


How is server certificate verification related to the chosen release type? I'm out of ideas about what to try (curl https://pkg.opnsense.org actually works without issues).
#5
Hi,
has anyone already accomplished a dual-stack IPv4 and IPv6 route-based IPsec tunnel? I want to use IPv4 and IPv6 (in Phase 2) in a single tunnel; is this possible?
Whenever I add the IPv6 Phase 2 the tunnel removes the IPv4 network endpoints:

Before (IPv4 only):

ipsec2000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec2000 prefixlen 64 scopeid 0x9
        inet 172.16.0.4 --> 172.16.0.8 netmask 0xffffffff
        groups: ipsec
        reqid: 2000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


After (IPv4 and IPv6 added on P2):

ipsec4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec4 prefixlen 64 scopeid 0x9
        inet6 fdfa:8191:4040:2000::4 --> fdfa:8191:4040:2000::8 prefixlen 128
        groups: ipsec
        reqid: 4
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


Any ideas?
#6
I've been struggling for a few days to establish a simple IPsec tunnel between two 22.1 systems or a 21.7 and a 22.1 system. Finally I've tried precisely the same configuration between two 21.7 systems and it works.
The error on the 22.1 side is

15[KNL] <con1|3> unable to add SAD entry with SPI c6651939: Invalid argument (22)


I could not find many useful details on this error, except that some specific situations might not be supported by the kernel. But my example is really simple and I've even tried very many other scenarios.

One suspicious thing I saw during startup of charon is:

2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)


Any ideas?

Attached is the complete log from charon startup incl. one session initiation cycle. P1 succeeds; only the SAD of P2 cannot be written.
#7
Development and Code Review / Removal of mail/fetchmail
December 12, 2021, 09:11:21 AM
Hi,

I just recognized that mail/fetchmail was removed (6673bb86). I could not find the reason for this (neither here nor on Github)... Any background information to share here?
#8
20.7 Legacy Series / OpenVPN Client Specific Overrides
December 23, 2020, 10:48:01 AM
Hi,
I'm facing a problem with OpenVPN's Client Specific Overrides: even though overrides are configured, no entry is generated in /var/etc/openvpn-csc/<serverid>.

What is the trigger to generate these entries?

Thanks
#9
20.7 Legacy Series / Why using stunnel via NAT only?
August 02, 2020, 09:24:11 AM
Hi,

the stunnel documentation, as well as the GUI help for the plugin's configuration, mentions that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand, the online help for NAT mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel
#10
20.7 Legacy Series / Routed IPsec loses static routes
August 01, 2020, 12:18:54 PM
Hi,

there was already an issue reported for 20.1, but this still seems not to be resolved in 20.7: static routes which target a routed IPsec interface (e.g. ipsec2000) keep disappearing. I can observe this on several OPNsense instances and did not really find a workaround other than manually pressing the "Apply" button in the routing configuration.

How to troubleshoot this? Which service is responsible for applying static routes?

Thanks and BR
Manuel
#11
Hi,

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:


Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern


All CAs are installed in OPNsense. As the "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but by its ancestor.

When trying to connect to this OpenVPN server I receive the error VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why shall its root be validated? :-\

Anyway, the solution to this is simply adding the "Root CA" to OpenVPN's CA file (/var/etc/openvpn/server1.ca), but my question is whether it is valid and intended behaviour that OpenVPN questions my configured peer certificate authority.
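The failure described in this post can be reproduced outside OpenVPN with the openssl CLI, as an added example that is not from the post or from OPNsense: it builds the same three-tier hierarchy (Root CA, Client Sub-CA, user1) with throwaway keys and then verifies user1 against a trust file holding only the Sub-CA, against the Root+Sub-CA file the poster ended up with, and with OpenSSL's -partial_chain flag. It assumes an openssl binary (1.1.1 or later) in PATH; all names and the config file are constructed for the example.

```shell
# Added example (not from the forum post): reproduce the OpenVPN/OpenSSL
# "unable to get issuer certificate" failure with the openssl CLI. Names mirror
# the post (Root CA, Client Sub-CA, user1); all material is generated here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config: a CA extension section and a client-cert section.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Root CA: self-signed, the external root in the post.
newkey root.key
openssl req -x509 -new -key root.key -out root.pem -days 1 \
  -subj "/CN=Root CA" -config ext.cnf -extensions ca_ext
# Client Sub-CA, issued by the Root CA (OPNsense's internal CA in the post).
newkey sub.key
openssl req -new -key sub.key -out sub.csr -subj "/CN=Client Sub-CA" -config ext.cnf
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out sub.pem -days 1 -extfile ext.cnf -extensions ca_ext
# user1, issued by the Sub-CA: the certificate an OpenVPN client presents.
newkey user1.key
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1" -config ext.cnf
openssl x509 -req -in user1.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -out user1.pem -days 1 -extfile ext.cnf -extensions leaf_ext

# Prints openssl verify's verdict for user1 against the given trust options.
verify_user1() { openssl verify "$@" user1.pem 2>&1 || true; }

# 1) Trust file holds only the Sub-CA: OpenSSL still wants a self-signed root,
#    so chain building stops at depth 1 with "unable to get issuer certificate".
verify_user1 -CAfile sub.pem
# 2) The fix from the post: append the Root CA to the trust file.
cat root.pem sub.pem > ca-chain.pem
verify_user1 -CAfile ca-chain.pem
# 3) Alternative: explicitly allow a non-self-signed trust anchor.
verify_user1 -partial_chain -CAfile sub.pem
```

Case 1 prints the same depth-1 error the OpenVPN log shows; cases 2 and 3 print "user1.pem: OK", which is why appending the Root CA to the CA file made the peer verification succeed.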
#12
Hey,

I've discovered a weird problem with the DNS forwarder's override feature when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override, using the "Source IP" as the gateway (i.e. itself). This allows the DNS forwarder to reach the DNS server using the "Source IP", but it also has a weird implication for all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense sends an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel
#13
Hi,

just wanted to update an OPNsense 15.7.25-amd64 box to 16.1, but the update always fails at the same point:


root@detroid:~ # opnsense-update
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (70 candidates): 100%
Processing candidates (70 candidates): 100%
Checking integrity... done (3 conflicting)
Checking integrity... done (0 conflicting)
The following 63 package(s) will be affected (of 0 checked):

...

[6/63] Extracting ca_root_nss-3.22.2: 100%
[7/63] Deinstalling isc-dhcp42-relay-4.2.8...
[7/63] Deleting files for isc-dhcp42-relay-4.2.8:   0%/usr/local/lib/libpkg.so.3: Undefined symbol "openat"


BR,
Manuel
#14
Hi,

I'd like to configure an IPsec tunnel with RSA authentication. As identifiers (local and peer) I'd like to use the DN of the used X.509 certificates. What do I need to configure for the My identifier and Peer identifier fields to accomplish that?

I've tried with "ASN.1 distinguished Name" with and without a value in the corresponding text field, but I always receive the error charon: 13[IKE] <con2|8> no private key found for '<detroid.lan.xxx.net>'. My cert has a DN like CN=detroid.lan.xxx.net,emailAddress=detroid@lan.xxx.net,O=xxx,L=Vienna,ST=Vienna,C=AT.

Has anyone already accomplished an IPsec RSA tunnel without explicitly configuring the certificate DNs?

I just recognized that ipsec did not even load my certificate... Calling ipsec listall only lists CA certificates, no end entity certificates. Also the configured certificate is not listed in ipsec.secrets. Shouldn't it be there?

Thanks,
Manuel
#15
15.7 Legacy Series / 100% CPU load
January 05, 2016, 09:51:43 AM
Hi,

one of my OPNsense boxes has had almost constant 100% CPU load for a few days. Interestingly, the top command of FreeBSD does not behave as I expected, i.e. the sum of the CPU column does not match the total CPU load (see also e.g. this thread on unix.SE).

How can I find out what's causing the high CPU load?

Here is some command output:


root@detroid:~ # vmstat 5
procs      memory      page                    disks     faults         cpu
r b w     avm    fre   flt  re  pi  po    fr  sr ad0 da0   in   sy   cs us sy id
2 0 0   1876M  3094M   108   0   0   0   185  10   0   0  781  868  875 70 19 11
2 0 0   1866M  3102M 22626   0   0   0 24790  21   7   0 2445 12832  909 78 22  0
2 0 0   1822M  3105M 22811   0   0   0 24790  21   7   0 2359 12778  697 79 21  0
2 0 0   1690M  3100M 22781   0   0   0 24228  21   7   0 2374 12581  736 78 22  0
2 0 0   1880M  3090M 22707   0   0   0 23975  21   9   0 2372 24626  759 79 21  0
3 0 0   1876M  3092M 22881   0   0   0 24790  21   7   0 2423 12801  823 76 24  0
2 0 0   1872M  3096M 22802   0   0   0 24817  20  14   0 2450 12769  908 79 21  0
2 0 0   1760M  3101M 22705   0   0   0 24739  22   7   0 2430 12682  846 78 22  0
2 0 0   1884M  3091M 22942   0   0   0 24172  21   7   0 2406 12734  805 80 20  0
2 0 0   1879M  3092M 22943   0   0   0 24790  20   7   0 2376 12788  737 78 22  0
2 0 0   1872M  3097M 23947   0   0   0 26480  21   7   0 2367 14015  799 76 24  0


last pid: 96282;  load averages:  2.10,  2.15,  2.11                                                       up 32+22:38:05  09:47:15
81 processes:  4 running, 76 sleeping, 1 waiting
CPU: 62.5% user,  0.0% nice, 37.5% system,  0.0% interrupt,  0.0% idle
Mem: 47M Active, 270M Inact, 499M Wired, 412M Buf, 3100M Free
Swap:
Not displaying idle processes.
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          2 155 ki31     0K    32K RUN     1 177.9H   1.07% idle
   12 root         16 -72    -     0K   256K WAIT    1 568:38   0.39% intr
14978 root          1  52    0 16972K  2456K wait    1 184:12   0.20% sh
65062 root          1  52    0 16972K  2456K wait    0 207:45   0.10% sh
59697 root          1  20    0 21824K  2964K CPU0    0   0:00   0.10% top
95634 root          1  72    0   113M 22216K RUN     0   0:00   0.00% php
96282 root          1  72    0   109M 20504K CPU1    1   0:00   0.00% php


The system has an AMD G-T40E processor with 2 cores.

Thanks,
Manuel
#16
15.7 Legacy Series / Interface configuration IPv6: None
December 31, 2015, 09:32:18 AM
Hi,

currently, when configuring an interface to IPv6: None, the interface still gets a link-local IP if IPv6 is globally enabled. Is that intended?

Manuel
#17
Hi,

am I doing something wrong, or is it a bug that I am not able to create firewall rules for "Group" interfaces?

In my understanding the idea of group interfaces is that a single firewall rule will be applied to several interfaces at the same time (similar to "floating rules"). So I've created a group interface, assigned two interfaces, and I can see the corresponding tab in the "Firewall: Rules" view. Nevertheless, when clicking the add button, I am not able to select the group interface from the interface list...

Thanks,
Manuel
#18
Hi,
is it possible to configure lighttpd to also send the intermediate certificates of the configured web UI certificate chain?

Thanks,
Manuel
#19
15.7 Legacy Series / Installation failure
December 18, 2015, 02:45:04 PM
Hi,
I'd like to install OPNsense into a VM, but the installer (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) runs into trouble:

Flow executing -> main/install/format_disk (Format Disk)
,-<<< Executing `/usr/local/installer/cleargpt.sh vtbd0'
| gpart: Device busy
| gpart: Invalid value for 'i' argument: Invalid argument
| gpart: Device busy
`->>> Exit status: 0
,-<<< Executing `/sbin/fdisk -I vtbd0'
| ******* Working on device /dev/vtbd0 *******
| fdisk: /boot/mbr: Device not configured
`->>> Exit status: 1
[Fri Dec 18 13:25:06 2015]
,-<<< Executing `/sbin/fdisk -I vtbd0'
| ******* Working on device /dev/vtbd0 *******
| fdisk: /boot/mbr: Device not configured
`->>> Exit status: 1
[Fri Dec 18 13:25:09 2015]
,-<<< Executing `/sbin/fdisk -I vtbd0'
| ******* Working on device /dev/vtbd0 *******
| fdisk: /boot/mbr: Device not configured
`->>> Exit status: 1


I'm using KVM, but have a similar error on VMware Workstation.
#20
Development and Code Review / Status display of MVC apps
December 15, 2015, 09:20:15 AM
Hi,

I'd like to show some status information of an MVC app within the GUI (e.g. interface IP, sent/received bytes, etc.). I am planning to accomplish that through a script, which gets called by configd and returns the status info (as a JSON string). The configd action is being triggered by the service controller and the view requests the status info through the service controller, and then populates the corresponding layout.
Does that sound reasonable, or is there a better way to display status information of a service?

A downside of this construct is that the script delivering the status information does not have any well-defined (e.g. XML-defined) model. The information passed between the script and the view consists of "loose" JSON objects. Is there any intended concept for defining models for external (Python) scripts?


Thanks,
Manuel