Topics - PotatoCarl

Pages: [1] 2 3 4
1
24.7 Production Series / OpenVPN - Sometimes works, sometimes not
« on: September 01, 2024, 10:52:05 am »
Hi
I have been using OpenVPN with OPNsense for many years. For some reasons we have multiple OpenVPN servers running ("legacy mode"). The config is

WAN1: 1194 UDP
WAN2: 1195 UDP
WAN1: 443 TCP
WAN2: 443 TCP

The latter two servers are for the (from time to time happening) case that UDP connections are blocked by a firewall, e.g. in a hotel.

Now, the fun part is: depending on which server we connect to, sometimes we cannot access certain webservers in the company, and other times we can. Sometimes it happens on the UDP ports and sometimes on 443. To be honest, I do not understand what the problem is - the firewall actually does not block it.

Maybe someone has an idea how to debug this? Is it mandatory to move to the new "instances" or can I continue to use the "old" setup?
Thanks

2
24.7 Production Series / Wireguard not working
« on: September 01, 2024, 10:34:27 am »
Hi
I am trying to set up WireGuard as an alternate VPN to the existing and running VPN. However, even if I religiously follow the instructions in the documentation, I get an immediate connect (well, both Linux and Android claim to have connected), but nothing is accessible. I do not see anything from the inside network, nor the outside network.

Protocol is set to "debugging" but does not even show entries (no new entries when somebody tries to connect, I mean):

2024-09-01T10:21:54   Notice   wireguard   wireguard instance RoadWarrior (wg0) started   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,WireGuard))   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WireGuard)   
2024-09-01T10:21:54   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt4 interface gateway address: 'missing'   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt4'

I have no idea where to set the "gateway address", as I have set it under "Peers" with the correct IP of the outside address. However, the address has been tested both as the external IP to the internet (which is the IP of a router forwarding everything to the firewall) and as the IP of the firewall. Neither makes any difference.

I really do not understand what the problem is or how to debug it. There is literally no traffic via the wireguard interface.

Thank you for your help.

3
24.1 Legacy Series / No Access to specific machines after Update, including ports 8000,8080,8100
« on: June 30, 2024, 10:25:31 am »
Hi
Since the latest update, I cannot access, from my VPN, services that are available at ports 8000, 8080, 8100 etc.
On hosts providing those services, I cannot even get a ping (in either direction) through, or log in.

This worked right before the last update (24.1.9_hf4).

I did not change anything at the firewall rules. I tried to loosen the rules, but no effect.

Specifically one virtual machine running in the main net 192.168.1.33 is not accessible. On any port.
My VPN runs (openVPN) at 192.168.21.x
I cannot ping in either direction or connect.

The firewall seems to accept the connection ("pass") from the VPN - after that it is silence.

Within the main net, the host in question (192.168.1.33) is reachable on any port, ping, ssh etc.

It seems as if the packets sent are just eaten up by the firewall.

I am running out of ideas how to find the problem. The host in question is a VM, but on that machine a number of identically configured VMs are present and all work.

Any idea where that comes from and how to solve?
Thanks.

4
24.1 Legacy Series / Unbound Whitelisting not working
« on: February 14, 2024, 09:21:15 am »
Hi
I recently discovered blacklisting with Unbound (yes, yes, I am slow sometimes), and now want to WHITELIST some pages, e.g. web.whatsapp.com.
However, the whitelisting does not work at all:

- *.whatsapp.com (despite the help below that field) is not accepted; according to the protocol it is "invalid"
- (.*)?(\.)?whatsapp.com is accepted

However, neither of them allows access to web.whatsapp.com.

It seems as if the whitelisting is broken? I am on the current 24.1 version with today's updates (OPNsense 24.1.1-amd64).

5
23.1 Legacy Series / Memory leak with 23.1.1_2?
« on: March 01, 2023, 03:45:36 pm »
Hi
Right after the last update I see that the memory consumption is very high on my system (>>90%).
Most of it is made up by "inactive processes". They form like a stepwise ladder during the day and are killed somewhere late in the evening.
The strange thing is that if I look at a long-term overview, this only.
It started around Jan 20 this year right after an update.
Since then it seems to get worse.

6
23.1 Legacy Series / TLS Inspection not working on all pages?
« on: January 31, 2023, 06:22:08 pm »
Hi
I tried to install the web proxy with TLS inspection and ICAP. However, this does not work on all pages.

While https://www.spiegel.de loads fine, https://faz.net is not loading at all (access denied by proxy). Many other pages, e.g. this forum, work.

I cannot find the reason for that, actually. Even if I specifically insert an exception in the SSL inspection, or in the access lists, it still does not load faz.net.

Is there any way to find out what is actually blocking the page?

BTW: Funny enough, the EICAR test file is loaded both with https and with http....

7
22.7 Legacy Series / 22.7.4/Proxy ACL Blacklists (external)
« on: September 16, 2022, 02:30:22 pm »
Hi
I found that a number of external ACL blacklists seem not to work anymore. So I searched for new ones and I wonder if I can test whether they are good and active. Some pages (e.g. www.spiegel.de or www.faz.net) manage to dump a lot of advertisement on the page - which, funnily enough, is not displayed on a reload of the page.

So I wonder if the ACL is working correctly.

Any way to test this?

8
22.7 Legacy Series / Proxy Errormessage
« on: September 16, 2022, 02:28:53 pm »
Hi
My proxy with 22.7.4 regularly pops up

 FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all

as an error message. I do not know where it comes from and it does not seem to have any effect. But I would like to be sure it is not a problem and preferably get rid of this error message.
Any idea?

9
22.7 Legacy Series / 22.7.3/4 Update ACME fails
« on: September 16, 2022, 02:27:37 pm »
Hi
I am using ACME to update some Let's Encrypt certificates. However, despite claiming to have the new signed certificate, the certificate in the certificate store is 2 months old and invalid now.

When I try to use the test signing facility of Let's Encrypt it is no problem to get the new one. But with the "real" one it just says "all right" but neither stores the correct one in the certificate store nor (obviously) copies it to the server in question.
Any idea?

10
22.1 Legacy Series / ACME not Working
« on: May 30, 2022, 09:59:06 am »
Hi
Since version 22 the ACME plugin is not working anymore. No certificate can be verified or issued due to a timeout finding the token (HTTP/TLS challenge). It seems to be a firewall problem.
Can anybody help?

11
22.1 Legacy Series / ACME CLient HTTP challenge - Token not found
« on: May 07, 2022, 08:36:26 am »
Hi
Some time ago I configured the ACME client for an internal rocket.chat server. It worked well, but it seems to have broken at some point in the last 60 days (update to 22?). That means that the certificate is not renewed anymore.
The message is "timeout while retrieving token".
My configuration is that I have 2 DSL lines with 2 routers, and the exposed host ends up on the OPNsense. The routers both have external IPv4 addresses.
I use the HTTP challenge.
It worked well for quite some time (like 2 years) and now suddenly stopped (which I only noticed when the certificate was outdated).
Is there any change in the configuration? Is there anything broken with the update to 22?
I am using version 22.1.6.
Please, any hints?
Thank you.

12
22.1 Legacy Series / Update to 22.1.5 removes all Unbound Aliases!
« on: April 08, 2022, 11:55:23 am »
Hi
The update today from 22.1.4 -> 22.1.5 removes all host aliases in Unbound!
How can I reinstall them?
How can I decrypt the cloud-saved version?
Thank you.

13
22.1 Legacy Series / Syslog-ng / Journald
« on: February 15, 2022, 12:23:28 pm »
Hi,
I asked this question quite a while ago and would like to reopen it (https://forum.opnsense.org/index.php?topic=16819.msg76586#msg76586).
My current servers are all running on systemd. So I do not have a syslog facility anymore, meaning I cannot accept the remote logs from my firewall anymore.

I have installed rsyslog, which is able to open a connection at port 514. However, there it stops. The "snippet" given in the post above is unclear about where to go. If I create a "frule" file with that content, rsyslog just throws an error message.

Can anybody help me how to configure rsyslog to receive the messages from the firewall correctly?
Thank you.

14
21.7 Legacy Series / How to remove unbound plus plugin?
« on: January 01, 2022, 08:32:06 am »
Hi
I had the unbound plus plugin installed some time ago. Now it is unavailable and listed "red" in the packages. But I cannot remove it...
How can I remove this annoying red message?
Thank you.

15
21.7 Legacy Series / ACME Client Problems
« on: January 01, 2022, 08:30:41 am »
Hi,
I was trying to change an option with the ACME client and found that under "zertificates" the "save" button does not have any function anymore.

Additionally, when I try to remove a (misconfigured) certificate in the "zertificate" list with the trashcan button I get this error message:

/usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:572: [OPNsense\AcmeClient\AcmeClient:validations.validation.3e06161a-7380-40a9-b49b-cfdc8f24e65d.tlsalpn_acme_interface] option not in list

Needless to say, it is not removed.

What happened here and how can I fix it?
