OPNsense Forum
Topics - woo

1
16.7 Legacy Series / [SOLVED] OpenVPN client export does not unescape strings
« on: February 03, 2017, 03:17:42 pm »
Not sure if this is still relevant so shortly before 17.x, but I just noticed that the OpenVPN Client Export feature does not un-escape strings from the "additional config options" box.
I tried to put in the "reneg-sec 0" option there, which ended up in the ovpn file as "reneg-sec%200" with the space still web-encoded.
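The defect described in this post, as an added illustration that is not OPNsense's own exporter code: the raw form value is written into the .ovpn without percent-decoding, so a space survives as "%20". The buggy and corrected builders sit side by side, and a small check scans a generated profile for percent-encoded residue. The form value, the base profile lines and the function names are all assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the "additional config options" box content as it might
# arrive still percent-encoded from the web form (assumed; not real OPNsense data).
RAW_ADDITIONAL_OPTIONS = "reneg-sec%200%0Aroute-nopull"

# A percent-encoded byte: '%' followed by two hex digits.
PERCENT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_additional_options(raw):
    """Turn the raw form value into the option lines the exporter should write.

    Decode exactly once (double-decoding would corrupt a literal '%' a user typed),
    split on newlines, and drop blank lines.
    """
    decoded = unquote(raw)
    return [line.strip() for line in decoded.splitlines() if line.strip()]


def build_ovpn_buggy(base_lines, raw_additional):
    """Behaviour reported in the post: the raw value is appended verbatim."""
    return "\n".join(list(base_lines) + [raw_additional]) + "\n"


def build_ovpn(base_lines, raw_additional):
    """Corrected form: percent-decode before writing the profile."""
    return "\n".join(list(base_lines) + decode_additional_options(raw_additional)) + "\n"


def find_encoded_residue(ovpn_text):
    """Return lines of a generated .ovpn that still carry percent-encoded sequences.

    OpenVPN option values practically never contain '%20' or '%0A' on purpose, so
    any hit is a strong sign the exporter skipped the decoding step.
    """
    return [line for line in ovpn_text.splitlines() if PERCENT_SEQ.search(line)]


if __name__ == "__main__":
    base = ["client", "dev tun"]
    print("buggy residue:", find_encoded_residue(build_ovpn_buggy(base, RAW_ADDITIONAL_OPTIONS)))
    print("fixed residue:", find_encoded_residue(build_ovpn(base, RAW_ADDITIONAL_OPTIONS)))
```

Running `find_encoded_residue` over exported profiles is a cheap regression check: an empty result for every file means the unescaping step is in place.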

2
16.7 Legacy Series / more confusion about VPN routing
« on: November 04, 2016, 10:48:14 am »
Hi again,
I've stumbled upon some other confusing issue with my OPNsense-as-VPN-concentrator project...
for some reason, there seems to have been a change in routing behaviour recently that I can't find the reason for.
When I started with the setup, I saw all connections from dialled-in users as coming from their virtual IP addresses (configured via ifconfig-push in the CSCs), and I set up the firewall rules accordingly (users' VPN IP allow RDP to their workstation IP). For some reason, recently I only see connections in the log seeming to originate from the OPNsense LAN IP, even though they clearly are initiated by VPN-connected users.
I don't recall changing anything to the setup except adding more users..
Can anyone provide a hint on what could cause this behaviour? It kinda messes up my whole security concept..

3
16.7 Legacy Series / OpenVPN connections keep dropping
« on: October 28, 2016, 03:52:05 pm »
Hi all,
(this is not directly related to OPNsense code itself, just a service provided by an OPNsense box, but here are people who know OpenVPN and can probably help me, I'm sure..)
I've now got about 50 regular users on my OPNsense OpenVPN concentrator, and I keep getting complaints that connections are dropping out, mostly around the 1 hour mark.
The log always shows the same picture.. a slew of messages "openvpn[78997]: hans/191.19.25.210:63081 TLS Error: local/remote TLS keys are out of sync: [AF_INET]191.19.25.210:63081 [1]", followed by one "openvpn[78997]: hans/191.19.25.210:63081 [hans] Inactivity timeout (--ping-restart), restarting"

All web research I've done points to this message relating to firewall config issues, but then the connection shouldn't even be able to be established in the first place.
To me, it looks like some part of the keepalive packets either can not be sent or do not arrive.. but I failed to find any details of what the keepalive actually consists of, and which firewall rules I might need to permit it.
Also, it does not seem to match up from a time perspective.. my server has "keepalive 10 30" set, which should kill the session much sooner than one hour, if it really was keepalive related.

I've switched users from UDP to TCP connection mode, with no difference. I've played with the numbers in the keepalive settings, also no change. I can't really just sniff packets on all interfaces for hours, hoping to catch the one that makes trouble, either...

I'm running out of ideas how to debug this further.. so if anyone can provide enlightenment, I'd be really grateful.

Regards
 ~woo
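Two things a reader debugging the report above would want to check, as an added example that is not part of the post: whether the drops really cluster near the one-hour mark, and what "keepalive 10 30" actually implies for the server-side timeout. The parser below reads syslog-style OpenVPN server lines, pairs each "Peer Connection Initiated" with the following "Inactivity timeout" for the same client, and counts the "TLS keys are out of sync" errors in between. The log excerpt is constructed (timestamps, host name and the second user are made up; the message shapes follow the two lines quoted in the post), and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log excerpt in syslog format (not a real capture).
SAMPLE_LOG = """\
Oct 28 13:00:05 fw openvpn[78997]: hans/191.19.25.210:63081 [hans] Peer Connection Initiated with [AF_INET]191.19.25.210:63081
Oct 28 13:59:51 fw openvpn[78997]: hans/191.19.25.210:63081 TLS Error: local/remote TLS keys are out of sync: [AF_INET]191.19.25.210:63081 [1]
Oct 28 13:59:56 fw openvpn[78997]: hans/191.19.25.210:63081 TLS Error: local/remote TLS keys are out of sync: [AF_INET]191.19.25.210:63081 [1]
Oct 28 14:00:49 fw openvpn[78997]: hans/191.19.25.210:63081 [hans] Inactivity timeout (--ping-restart), restarting
Oct 28 14:10:00 fw openvpn[78997]: erika/198.51.100.7:50112 [erika] Peer Connection Initiated with [AF_INET]198.51.100.7:50112
"""

# timestamp, host, pid, "<user>/<addr:port>", rest of message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: "
    r"(?P<user>[^/\s]+)/(?P<peer>\S+) (?P<msg>.*)$"
)


def _parse_ts(text):
    # syslog timestamps carry no year; all we need here are differences.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def session_drops(log_text):
    """Return one record per (--ping-restart) drop: client, session length in
    seconds, and how many 'TLS keys are out of sync' errors preceded it."""
    open_sessions = {}  # (user, peer) -> {"start": datetime, "tls_sync_errors": int}
    drops = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["user"], m["peer"])
        ts, msg = _parse_ts(m["ts"]), m["msg"]
        if "Peer Connection Initiated" in msg:
            open_sessions[key] = {"start": ts, "tls_sync_errors": 0}
        elif "TLS keys are out of sync" in msg and key in open_sessions:
            open_sessions[key]["tls_sync_errors"] += 1
        elif "Inactivity timeout (--ping-restart)" in msg and key in open_sessions:
            sess = open_sessions.pop(key)
            drops.append({
                "client": m["user"],
                "duration_s": int((ts - sess["start"]).total_seconds()),
                "tls_sync_errors": sess["tls_sync_errors"],
            })
    return drops


def near_hour_mark(duration_s, tolerance_s=300):
    """True if a session length falls within tolerance of 3600 s."""
    return abs(duration_s - 3600) <= tolerance_s


def keepalive_server_timeouts(ping_interval, ping_restart):
    """'keepalive n m' on the server expands to '--ping n --ping-restart 2*m'
    server-side (clients are pushed '--ping n --ping-restart m'), so the server
    gives up on a silent peer after 2*m seconds, not m."""
    return (ping_interval, 2 * ping_restart)


if __name__ == "__main__":
    for d in session_drops(SAMPLE_LOG):
        print(d, "near one hour" if near_hour_mark(d["duration_s"]) else "")
    print("keepalive 10 30 ->", keepalive_server_timeouts(10, 30))
```

With "keepalive 10 30" the server would drop a silent client after 60 seconds, so sessions that consistently live about 3600 seconds before the restart are, as the post reasons, not explained by the keepalive timer itself; collecting the `duration_s` values over a day of logs turns that hunch into a histogram.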

4
16.7 Legacy Series / [SOLVED] Nesting aliases?
« on: August 25, 2016, 10:19:24 am »
Hi all,
is there any valid method for nesting aliases, or to create host groups without listing IPs?
I'm designing the ruleset for my new OPNsense-as-VPN-concentrator appliance,
and I noticed that things tend to get unwieldy rather quickly.
If I have five people requiring access to ticketing, that's five separate rules IFF I want to address them by alias instead of by IP address. I would much prefer to create a group alias Ticket_Users and shove the five user aliases in there, condensing all into one rule only.
I know that that's not a trivial feature, as it brings error cases like circular nesting with it, but it would be a great improvement over pfSense and other similar projects.
Best regards,
Woo

5
16.7 Legacy Series / Creating personalized firewall rules for VPN users
« on: August 03, 2016, 03:38:06 pm »
and Hi again..
Since I couldn't find useful hints on the wiki, I'll have to ask here..
Is there any method to..
a) assign static IPs to each OpenVPN client, or
b) use the VPN username in a firewall rule?
I've got quite a lot of road warriors, and need to limit their access to internal systems based on either username or department/group membership, same as it's done on the LAN already. Does OPNsense have a solution for that?

Regards
~woo

6
16.7 Legacy Series / 2FA token not working for OpenVPN dialin
« on: August 03, 2016, 02:25:37 pm »
Hi,
I just did my first OpenVPN test runs on 16.7 (after having worked around my earlier reported issue with the client export), and I noticed that VPN dialin does not seem to use 2FA tokens even though I have configured one for the users. I can just connect with username and password. When I try to append the 2FA token string after or before the password, as is customary for that method, the authentication fails.
Is this not supposed to work like that, or is there something broken? If it's the latter, how could I go about finding and fixing the cause?

Regards
~woo

7
16.7 Legacy Series / OpenVPN client export (Windows) broken on 16.7
« on: August 03, 2016, 01:45:50 pm »
Hi OPNsense team,

I've recently installed 16.7 as what is going to be our upcoming VPN concentrator,
and so far the configuration etc all worked really fine - thanks for all that!
Just the OpenVPN client exporter seems to produce invalid archive files.
I've tried all four Windows clients (XP and 6, both 32 and 64 bit), and the resulting exes all produce a window "Extraction Failed - Unsupported Method" on execution.
The clients work fine when I manually extract them with 7zip and then run the files inside, but I can't trust our users to get this right.
How exactly is OPNsense generating these customized installers, and is there any way I can assist with debugging this issue? I'd really like to see this working.

Thanks,
 ~woo
