OPNsense Forum
Topics - 0xDEADC0DE

1
Virtual private networks / Wireguard multiple WAN ports
« on: January 28, 2023, 11:39:22 pm »
I'm often in Dubai, VPN is legal but often filtered in Hotels.
I have a Wireguard server running on OPNsense and it's working great but sometimes in the Hotels they start blocking this port. So as an alternative I wanted to add more ports I can use as fallbacks.

First try was to clone the whole Wireguard server with all assigned endpoints.
They get new interfaces wg1 to wg3 but don't appear in the interfaces overview.
Only when I create a new server and not clone one.
So I thought a new config makes more work, and I tried to go to the firewall and
route all ports 51821 to 52825 to the same local port 51820 so Wireguard is working.
I could get it working, so any hints on whether this is even possible would be helpful.


2
22.1 Legacy Series / Warnings while updating to 22.1.1_1 from 22.1
« on: February 17, 2022, 10:33:56 pm »
I installed the update from the Web UI and got some messages, but the update rebooted too fast.
When I do a health check, I get these missing dependencies. What should I do?
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

3
21.7 Legacy Series / LDAPS not working anymore with 21.7.4
« on: November 10, 2021, 09:51:42 am »
I've installed the 21.7.4 update yesterday and the OpenVPN clients with AD authentication cannot connect anymore.
I have installed the certificates under System -> Trust -> Authorities and they are still valid.
When I use the internal tester, I get this error.

Code:
The following input errors were detected:

    Authentication failed.
    error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
    ldap_error: Can't contact LDAP server

I have our internal CA, intermediate CA and the DC certificates installed.
How can I fix it?

4
General Discussion / Bug in HAProxy "Save & Test syntax"?
« on: April 04, 2021, 10:40:02 am »
I have configured some real servers, backend pools, public services, conditions and rules.
If HAProxy is enabled, the "Save & Test syntax" is working.
If HAProxy is disabled, I get a lot of warnings.

Code:
HAProxy config contains critical errors
[NOTICE] 093/103813 (88702) : haproxy version is 2.2.11-c58c4e4
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:9]: unknown keyword 'uid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:10]: unknown keyword 'gid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:11]: unknown keyword 'chroot' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:12]: unknown keyword 'daemon' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:13]: unknown keyword 'stats' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:14]: unknown keyword 'nbproc' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:15]: unknown keyword 'nbthread' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:16]: unknown keyword 'tune.ssl.default-dh-param' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:17]: unknown keyword 'spread-checks' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:18]: unknown keyword 'tune.chksize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:19]: unknown keyword 'tune.bufsize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:20]: unknown keyword 'tune.lua.maxmem' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:21]: unknown keyword 'log' out of section.
[ALERT] 093/103813 (88702) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] 093/103813 (88702) : Fatal errors found in configuration.

This happens because the config is invalid when I disable HAProxy.
Code:
#
# NOTE: HAProxy is currently DISABLED
#global
    uid                         80
    gid                         80

You can see that only "global" is commented out.
Isn't there a better way to enable/disable HAProxy?
It doesn't sound like a good solution to need to enable HAProxy to test the syntax.

5
General Discussion / OpenVPN Server multiple encryption algorithms/ciphers
« on: April 02, 2021, 09:37:03 pm »
On the OpenVPN server settings, I can select ONE encryption algorithm.
Some years ago, I selected AES-256-CBC, but the current client logs a warning that this algorithm will be deprecated in the future.
Now I want to migrate slowly to a better algorithm, AES-256-GCM, as suggested by OpenVPN, but I have a lot of users I cannot change immediately.
My idea is to select the new and the old algorithm so new and old configs can connect and in 6 months, I can turn off the old algorithm.
Since OpenVPN 2.4, this is possible, but I cannot do it in the GUI. Can you change that?
Is it possible to configure it on the command line?

6
20.1 Legacy Series / AD auth LDAP with TLS and certificates question
« on: June 15, 2020, 01:15:46 am »
I've tried all the possible solutions I could find and nothing worked until I created one certificate per domain controller with the IP address in the common name.
Before, I had one certificate for all domain controllers with the different names in the subject alt name section.
Is this not supported?
Before I changed to a single certificate per DC, I always got this error in the logs.

Code:
opnsense: LDAP bind error [TLS: hostname does not match CN in peer certificate,Can't contact LDAP server]

7
General Discussion / Question about haproxy
« on: October 22, 2018, 12:16:21 pm »
Currently we have different services running behind our OPNsense box, like
OTRS, Mattermost, SVN, website, etc.
Only one website is currently running on port 443; all other sites use different
ports. Now I want to change all websites to use the standard port 443.
I cannot do Let's Encrypt on OPNsense with HAProxy as some sites use client
certificates and they have different requirements for TLS.
Is there a possibility to only inspect the SNI and forward the "raw" TCP to the correct server?
I know that I cannot use ESNI with TLS 1.3 then but I don't care about that.
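One way to do what the post asks for, as an added example that is not part of the post or of OPNsense's generated configuration: a TCP-mode HAProxy frontend that reads only the SNI from the ClientHello and forwards the still-encrypted stream to the matching backend, which terminates TLS itself. The hostnames, backend names and addresses are assumed.

```haproxy
# Added example: SNI-based TCP passthrough. No TLS is terminated here, so each
# backend keeps its own certificate, client-certificate policy and TLS settings.
frontend tls_passthrough
    mode tcp
    bind :443
    # Buffer the start of the connection until the ClientHello has arrived;
    # without the inspect-delay the SNI is often not yet readable.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Hostnames are assumed placeholders; match case-insensitively on the SNI.
    use_backend bk_mattermost if { req_ssl_sni -i mattermost.example.com }
    use_backend bk_svn        if { req_ssl_sni -i svn.example.com }
    # Connections without a readable SNI (no SNI, or an encrypted one) land here.
    default_backend bk_website

backend bk_mattermost
    mode tcp
    server mm1 192.0.2.11:443 check

backend bk_svn
    mode tcp
    server svn1 192.0.2.12:443 check

backend bk_website
    mode tcp
    server web1 192.0.2.10:443 check
```

Because the frontend never decrypts anything, HAProxy cannot see or enforce the client-certificate exchange; that remains the backend's job. Clients that hide the SNI (the ECH/ESNI case the post mentions) cannot be routed by name and fall through to default_backend.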

8
18.7 Legacy Series / haproxy port 443 questions
« on: September 30, 2018, 01:35:52 pm »
I have some difficulties setting up haproxy in this configuration:

WAN access on port 443 (HTTPS), distributing to different backend servers depending on domain name, is working.
LAN access to port 443 for OPNsense GUI doesn't work.
I can access it when I change it to e.g. port 9999.
How can I configure this setup? Is it even possible?

9
17.7 Legacy Series / [SOLVED] OpenVPN: --ns-cert-type is DEPRECATED
« on: September 21, 2017, 12:48:15 am »
When I connect with OpenVPN I get this warning:

Code:
WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.

pfSense fixed it already. Perhaps you can include the code.
https://forum.pfsense.org/index.php?topic=129676.0

I get many requests from my users about this warning. Currently I fixed it by manually
editing the config file.

10
17.7 Legacy Series / WAN link state down not coming up correctly
« on: September 14, 2017, 10:36:47 pm »
Everything was running fine for 2 weeks. Last night, WAN link state changed to DOWN and UP very often.
In the morning we had no internet access.
I've rebooted our OPNsense box and everything was up again.
I don't know what the problem was. Here is the log from where it started until the reboot.
Can you tell me if this is a bug?

Code:
Sep 13 02:40:03 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:40:03 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns5'
Sep 13 02:40:02 configd.py: [63403cdd-e6d7-4007-b78b-4014c07edeb8] rc.newwanip starting ovpns5
Sep 13 02:40:02 kernel: ovpns5: link state changed to UP
Sep 13 02:40:02 configd.py: [e0cfefb7-5a7d-42ae-a54d-701a599ac0e7] Reloading filter
Sep 13 02:39:41 configd.py: [d2b1f58b-3b49-4b14-9bdd-9c06ae7a95ce] Reloading filter
Sep 13 02:39:41 kernel: ovpns5: link state changed to DOWN
Sep 13 02:39:19 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:39:19 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Sep 13 02:39:19 configd.py: [cd83e9ad-8a4c-4ed8-a9f7-24e2da789d76] rc.newwanip starting ovpns1
Sep 13 02:39:19 kernel: ovpns1: link state changed to UP
Sep 13 02:39:19 configd.py: [249d32c0-65af-4bb4-81bc-edbfc399dc96] Reloading filter
Sep 13 02:38:57 configd.py: [dab74afd-ced8-45e1-9dbf-d72399c19407] Reloading filter
Sep 13 02:38:57 kernel: ovpns1: link state changed to DOWN
Sep 13 02:38:36 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:38:35 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns2'
Sep 13 02:38:35 configd.py: [27ab7445-31cb-4b51-98c9-87420e82856d] rc.newwanip starting ovpns2
Sep 13 02:38:35 kernel: ovpns2: link state changed to UP
Sep 13 02:38:35 configd.py: [2f5732e1-db7d-43b8-9f2e-c05775d483bd] Reloading filter
Sep 13 02:38:14 configd.py: [467fc001-9fcc-48ca-86b6-7b22f35ae2e0] Reloading filter
Sep 13 02:38:14 kernel: ovpns2: link state changed to DOWN
Sep 13 02:38:14 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Sep 13 02:37:52 configd.py: unable to sendback response [OK ] for [interface][linkup][['start', 'em1']] {a54bba41-7551-40c7-a3dc-16fe8fa6acac}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall('%s\n' % result) File "/usr/local/lib/python2.7/socket.py", line 228, in meth return getattr(self._sock,name)(*args) error: [Errno 32] Broken pipe
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route delete -inet '192.168.10.0/24'' returned exit code '1', the output was 'route: route has not been found delete net 192.168.10.0 fib 0: not in table'
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em1 > /tmp/em1_output 2> /tmp/em1_error_output' returned exit code '1', the output was ''
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Sep 13 02:37:49 configd.py: [724674ff-a5c8-4bd7-809f-702114f51e5f] Linkup starting em1
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 192.168.177.1.
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Sep 13 02:37:49 configd.py: [b6c0122c-38cf-4580-8ce8-171c42dbcf13] Linkup stopping em1
Sep 13 02:37:49 configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 192.168.177.1
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.177.55) (interface: WAN[wan]) (real interface: em1).
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
Sep 13 02:37:18 kernel: em1: link state changed to UP
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route delete -inet '192.168.10.0/24'' returned exit code '1', the output was 'route: route has not been found delete net 192.168.10.0 fib 0: not in table'
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route add -'inet' default '192.168.177.1'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add net default: gateway 192.168.177.1 fib 0: Network is unreachable'
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to 192.168.177.1
Sep 13 02:36:23 kernel: em1: link state changed to DOWN
Sep 13 02:35:49 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Sep 13 02:35:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Sep 13 02:35:49 configd.py: [a54bba41-7551-40c7-a3dc-16fe8fa6acac] Linkup starting em1
Sep 13 02:35:49 kernel: em1: link state changed to UP
Sep 13 02:35:44 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 192.168.177.1.
Sep 13 02:35:44 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Sep 13 02:35:44 configd.py: [bf9e83d3-05a9-44a5-82c3-f3800368d9ad] Linkup stopping em1
Sep 13 02:35:44 kernel: em1: link state changed to DOWN

11
German - Deutsch / Suddenly 8 IPSec tunnels gone. Error in OPNsense
« on: August 29, 2017, 01:09:18 am »
Out of nowhere, 8 IPSec tunnels are offline and can no longer be started.
After lengthy debugging I found the following in the logs.

Quote
Aug 29 00:42:09    charon: 16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ
Aug 29 00:42:09    charon: 16[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_1536/NO_EXT_SEQ

But I have not configured MODP_2048, rather MODP_1536.
I looked in Phase 2. No matter what I set under PFS, when I run

cat /usr/local/etc/ipsec.conf
it ALWAYS says
esp = aes256-sha512-modp2048!
I can change AES and SHA etc. But -modp2048 ALWAYS stays behind every esp setting and for every IPSec connection. Where does that suddenly come from?
Even deleting and recreating the Phase 2 entries changes nothing.

Oh yes. In the GUI, everything I configured is correct.
No matter which PFS setting, it is always there. Only the entry in ipsec.conf is ALWAYS wrong.

12
German - Deutsch / Different firewall rules for different IPSec connections
« on: August 28, 2017, 04:14:52 pm »
With site-to-site tunnels I have no problem at all with the firewall rules.
Source set to network A/B/C, and I can define different rules depending on the
site-to-site VPN.
But how do I create different RoadWarrior VPN rules?
With our previous ZyWALL I could simply define different "VPN zones"
and in the firewall rules I could then select the VPN there and configure the firewall that way.
How do I now distinguish a RoadWarrior admin from a RoadWarrior user?
The admin has access to everything, the user only to individual servers and services.

In that context: how can one define different Phase 1/2 for different users (admin/user)?

13
17.7 Legacy Series / IPSec Tunnel Settings no alias possible
« on: August 27, 2017, 07:03:22 pm »
Why can't I use a network alias in the tunnel settings for the remote network?
I can enter an address manually or a network. But the alias would be much easier and better.
Is there a reason for it? Could you improve it?

Btw: Thanks for a great product

14
17.1 Legacy Series / Multiple IPSec Phase1 for roadwarriors with different access rights.
« on: May 20, 2017, 01:24:51 am »
Since v5.0.0 strongswan supports aggressive mode with PSK and right=%any.
And with aggressive mode it is possible to use different PSK and IDs for different Phase 1s.
How can I configure this, as I need different Phase 1 settings for different PSKs with different
access rights?


15
17.1 Legacy Series / Multiple IPSec VPNs with different firewall rules
« on: April 15, 2017, 12:08:23 am »
I have my main office with address: 192.168.0.x/24
Office 2 with 192.168.10.x/24
Office 3 with 192.168.10.x/24
and one road warrior IPSec VPN.
How can I configure the road warrior VPN to have full access to the main office
and Office 2 and Office 3 only access to specific hosts and ports?
With ZyWALL I could configure different Zones for every VPN and assign different rules.
Here I have configured the rules based on the IP range for now, but with road warrior VPN, I don't know the IPs.

I couldn't find any good documentation or I missed it.

Thanks for your help.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved