OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of penley »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - penley

Pages: [1]
1
20.1 Legacy Series / OpenVPN road warrior error TLS handshake failed
« on: July 14, 2020, 08:10:14 pm »
OPNsense version: 20.1.8_1

I'm trying to setup the OpenVPN road warrior. I've setup 3 different OpenVPN servers, two using the manual method https://docs.opnsense.org/manual/how-tos/sslvpn_client.html, and one using the OpenVPN wizard.

I have setup OpenVPN servers to use a different port than the defualt OpenVPN such as 11941 and the other two VPN servers use a different port as well. I've set this up before doing that same thing and never had an issue.
However, with this setup I am unable to VPN successfully when hitting the WAN, receive an error TLS Handshake failed. I've checked the TLS keys and they are correct. I also changed one of the VPN server ports to 1194 and when I did that I was able to VPN successfully.

I'll keep researching to try and solve this, but wanted to ask here if anyone had any ideas?

Kind regards,
penley

2
20.1 Legacy Series / OpenVPN log show Authenticate/Decrypt packet error: bad packet ID may be replay
« on: June 10, 2020, 04:36:03 pm »
Hello,

I enabled netflow for local capture on several OPNsense machines for LAN and WAN interfaces. These machines have a site-to-site VPN setup.
Once netflow was enabled the connection to the LAN for the remote OPNsense machines went down. Each for around 10 to 15 minutes.

I looked at our main firewall these remote sites connect to and the OpenVPN tunnel to each site never showed as down. So it seems only the connection to the LAN went down.

The version of OPNsense we're using is 20.1.6
I did see this message in the VPN log file on the remote OPNsense machines:
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1552650 / time = (1590696725) Thu May 28 16:12:05 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

I've not seen this message before, but it's only in the log of the remote OPNsense machine, not our main firewall these machines connect to. The "authenticate\decrypt packet error" message shows in the VPN log as starting when the connection was lost and ending when the connection came back up.

Has anyone else experienced this before?

Kind regards,
penley



3
20.1 Legacy Series / How to configure static IP on WAN with PPPoE
« on: April 15, 2020, 02:56:48 pm »
Our ISP says in order for us to connect to their service we need to configure the WAN port for PPPoE.
We have one static IP address the ISP has given us.

I need some help to figure out how to configure the WAN with a static IP and PPPoE?

When I change the WAN interface from Static IPv4 to PPPoE, there's no where to put a static IP address.

Kind regards,
penley

4
20.1 Legacy Series / OPNsense High Availability setup with PPPoE
« on: April 09, 2020, 03:59:45 pm »
With OPNsense 20.1, is it possible to setup a High Availability with two OPNsense firewalls using PPPoE?
The PPPoE is configured on the WAN interface.

I've been searching through the forums and internet. I've only found this back in 2018:https://forum.opnsense.org/index.php?topic=9746.0.

Kind regards,
penley

5
20.1 Legacy Series / Site to site using OpenVPN with multiple sites
« on: March 31, 2020, 07:52:51 pm »
Is it possible on OPNsense to use one OpenVPN server to multiple sites in a site to site VPN, if the server uses port 1194 then can all other sites connect in using that same port?

For example we'd like our setup to be:
- Site A: The main site
- Sites B, C, and D are in other regions and need to connect back to Site A.

Sites B, C and D have no need to talk to each other.

I'm struggling to find an answer to this on the internet forums and youtube. I did find the following:
https://forum.opnsense.org/index.php?topic=5675.0 and it seemed to be what I was looking for except on one comment it says "works fine with pre shared key" and then said they ended up creating a server for each site.

Edit:
Based off this conversation https://forum.netgate.com/topic/83777/openvpn-multiple-site-to-multisites-routing/13, it looks like you would have to have multiple VPN servers on the main site A firewall to connect each site.
If this is true would it be that if each site was using the same VPN server and coming in on the same port they'd be competing for the same connection?

Kind regards,
penley

6
17.7 Legacy Series / OPNsense vpn -> FreeRadius -> authenticate to AD
« on: November 10, 2017, 07:05:17 pm »
We have a single FreeRadius server we want to use to consolidate user authentication with VPN, wireless, etc.
I have the wireless authenticating against AD through FreeRadius, but I cannot get it to work with the vpn.
The information I'm struggling to find is does it work differently when using VPN, for example do I have to configure the ldap module in FreeRadius?
I have OPNsense vpn pointed at FreeRadius, but each attempt to login produces the Error:
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available

(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

I've tested this using the PAP module and it works, but I'm not sure how to make it authenticate to AD instead.

The OPNsense version is 17.7 and the FreeRadius version is 3.0.


Kind regards,
penley


7
16.7 Legacy Series / Routing vpn users coming in one gateway out a different gateway
« on: October 11, 2017, 07:15:15 pm »
If you have an opnsense setup with two gateways (with two different ISP's) is there a way to route traffic coming in one gateway through the other gateway?
For example if vpn came in on gateway one is it possible to route any traffic coming back to that vpn user through gateway two?


Kind regards,
penley

8
General Discussion / OPNsense NAT
« on: March 09, 2017, 04:03:17 pm »
I have question when setting up NAT.
Setup- OPNsense single WAN port and single Internal port. A few outside IP addresses available.
Goal - NAT only port 443 to internal web server.

I've setup the virtual IP address we will use for the web server. Where I'm confused is do I need to setup a 1:1 NAT (but then how do I only allow port 443?) or is it sufficient to only setup port forwarding to the internal address. Within the port forward configuration set Destination to the external IP intended for the web server?

In the 1:1 NAT I'm unsure how to only allow port 443 and cannot find sufficient examples to show the benefits of 1:1 NAT vs  NAT Port Forward.


Kind regards,
penley

9
General Discussion / DDOS protection
« on: October 07, 2016, 03:57:47 pm »
Does OPNsense by default have dos and ddos prevention or is this something that needs to be configured?
We're not experiencing any issues at the moment, I'm just asking for clarification.

Kind regards,
penley

10
General Discussion / [SOLVED] Upgrading OPNsense from one major release to another
« on: July 28, 2016, 10:16:40 pm »
Hello,

I need some guidance with upgrading OPNsense.
My question is does OPNsense need to be upgraded sequentially? Will it do it on its own or can we jump major versions? For instance I have an OPNsense firewall currently at version 15.7.18_1. It's not been upgraded in a while because it's in production and just now we have some down time to upgrade it. We want to upgrade to the latest version 16.7.

I'll continue to search the forums and post anything I find here.

Kind regards,
penley

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2020 All rights reserved
  • SMF 2.0.17 | SMF © 2019, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2