Topics

1

General Discussion / Question about haproxy

« on: October 22, 2018, 12:16:21 pm »

Currently we have different services running behind our OPNsense box like
otrs, mattermost, svn, website aso.
Only one website is currently running on port 443, all other sites use different
ports. Now I want to change all website to use the standard port 443.
I cannot do let's encrypt on opnsense with haproxy as some sites use client
certificates and they have different requirements for TLS.
Is there a possibility to only inspect the SNI and forward the "raw" TCP to the correct server?
I know that I cannot use ESNI with TLS 1.3 then but I don't care about that.

2

18.7 Legacy Series / haproxy port 443 questions

« on: September 30, 2018, 01:35:52 pm »

I have some difficulties setting up haproxy in this configuration:

WAN access to port 443 https distributes access to different backend servers depending on domain name is working.
LAN access to port 443 for OPNsense GUI doesn't work.
I can access it when I change it to e.g. port 9999.
How can I configure this setup? Is it even possible?

3

17.7 Legacy Series / [SOLVED] OpenVPN: --ns-cert-type is DEPRECATED

« on: September 21, 2017, 12:48:15 am »

When I connect with OpenVPN I get this warning:

Code: [Select]

WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.

pfSense fixed it already. Perhaps you can include the code.
https://forum.pfsense.org/index.php?topic=129676.0

I get many requests from my users about this warning. Currently I fixed it by manually
editing the config file.

4

17.7 Legacy Series / WAN link state down not comming up correctly

« on: September 14, 2017, 10:36:47 pm »

Everything was running fine for 2 weeks. Last night, WAN link state changed to DOWN and UP very often.
In the morning we had no internet access.
I've rebooted our OPNsense box and everything was up again.
I don't know what the problem was. Here is the log from where it started until the reboot.
Can you tell me if this is a bug?

Code: [Select]

Sep 13 02:40:03 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:40:03 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns5'
Sep 13 02:40:02 configd.py: [63403cdd-e6d7-4007-b78b-4014c07edeb8] rc.newwanip starting ovpns5
Sep 13 02:40:02 kernel: ovpns5: link state changed to UP
Sep 13 02:40:02 configd.py: [e0cfefb7-5a7d-42ae-a54d-701a599ac0e7] Reloading filter
Sep 13 02:39:41 configd.py: [d2b1f58b-3b49-4b14-9bdd-9c06ae7a95ce] Reloading filter
Sep 13 02:39:41 kernel: ovpns5: link state changed to DOWN
Sep 13 02:39:19 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:39:19 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Sep 13 02:39:19 configd.py: [cd83e9ad-8a4c-4ed8-a9f7-24e2da789d76] rc.newwanip starting ovpns1
Sep 13 02:39:19 kernel: ovpns1: link state changed to UP
Sep 13 02:39:19 configd.py: [249d32c0-65af-4bb4-81bc-edbfc399dc96] Reloading filter
Sep 13 02:38:57 configd.py: [dab74afd-ced8-45e1-9dbf-d72399c19407] Reloading filter
Sep 13 02:38:57 kernel: ovpns1: link state changed to DOWN
Sep 13 02:38:36 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Sep 13 02:38:35 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns2'
Sep 13 02:38:35 configd.py: [27ab7445-31cb-4b51-98c9-87420e82856d] rc.newwanip starting ovpns2
Sep 13 02:38:35 kernel: ovpns2: link state changed to UP
Sep 13 02:38:35 configd.py: [2f5732e1-db7d-43b8-9f2e-c05775d483bd] Reloading filter
Sep 13 02:38:14 configd.py: [467fc001-9fcc-48ca-86b6-7b22f35ae2e0] Reloading filter
Sep 13 02:38:14 kernel: ovpns2: link state changed to DOWN
Sep 13 02:38:14 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Sep 13 02:37:52 configd.py: unable to sendback response [OK ] for [interface][linkup][['start', 'em1']] {a54bba41-7551-40c7-a3dc-16fe8fa6acac}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall('%s\n' % result) File "/usr/local/lib/python2.7/socket.py", line 228, in meth return getattr(self._sock,name)(*args) error: [Errno 32] Broken pipe
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route delete -inet '192.168.10.0/24'' returned exit code '1', the output was 'route: route has not been found delete net 192.168.10.0 fib 0: not in table'
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf em1 > /tmp/em1_output 2> /tmp/em1_error_output' returned exit code '1', the output was ''
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Sep 13 02:37:49 configd.py: [724674ff-a5c8-4bd7-809f-702114f51e5f] Linkup starting em1
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 192.168.177.1.
Sep 13 02:37:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Sep 13 02:37:49 configd.py: [b6c0122c-38cf-4580-8ce8-171c42dbcf13] Linkup stopping em1
Sep 13 02:37:49 configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 192.168.177.1
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 192.168.177.55) (interface: WAN[wan]) (real interface: em1).
Sep 13 02:37:29 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'em1'
Sep 13 02:37:18 kernel: em1: link state changed to UP
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route delete -inet '192.168.10.0/24'' returned exit code '1', the output was 'route: route has not been found delete net 192.168.10.0 fib 0: not in table'
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: The command '/sbin/route add -'inet' default '192.168.177.1'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add net default: gateway 192.168.177.1 fib 0: Network is unreachable'
Sep 13 02:37:10 opnsense: /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to 192.168.177.1
Sep 13 02:36:23 kernel: em1: link state changed to DOWN
Sep 13 02:35:49 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Sep 13 02:35:49 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Sep 13 02:35:49 configd.py: [a54bba41-7551-40c7-a3dc-16fe8fa6acac] Linkup starting em1
Sep 13 02:35:49 kernel: em1: link state changed to UP
Sep 13 02:35:44 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 192.168.177.1.
Sep 13 02:35:44 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Sep 13 02:35:44 configd.py: [bf9e83d3-05a9-44a5-82c3-f3800368d9ad] Linkup stopping em1
Sep 13 02:35:44 kernel: em1: link state changed to DOWN


5

German - Deutsch / Plötzlich 8 IPSec Tunnel weg. Fehler in OPNsense

« on: August 29, 2017, 01:09:18 am »

Von jetzt auf gleich sind 8 IPSec Tunnel offline und lassen sich nicht mehr starten.
Nach längerem Debuggen hab ich folgendes in den Logs gefunden.

Aug 29 00:42:09    charon: 16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_2048/NO_EXT_SEQ
Aug 29 00:42:09    charon: 16[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_1536/NO_EXT_SEQ

Ich hab aber kein MODP_2048 konfiguriert sonder MODP_1536.
Ich habe in Phase 2 geschaut. Egal was ich unter PFS einstelle, wenn ich

cat /usr/local/etc/ipsec.conf
aufrufe steht IMMER
esp = aes256-sha512-modp2048!
Ich kann AES ändern und SHA ändern usw. Aber -modp2048 bleibt IMMER stehen hinter jeder esp Einstellung und bei jeder IPSec Verbindung. Woher kommt das plötzlich?
Selbst Phase 2 Einträge löschen und neu anlegen ändert nichts.

Ach ja. An der Oberfläche stimmt alles was ich eingestellt habe.
Egal welche PFS Einstellung, sie ist immer da. Nur der Eintrag in der ipsec.conf ist IMMER falsch.

6

German - Deutsch / Unterschiedliche Firewallregeln für verschiedene IPSec Verbindungen

« on: August 28, 2017, 04:14:52 pm »

Bei Site-2-Site Tunneln habe ich gar kein Problem mit den Firewallregeln.
Source auf Netzwerk A/B/C und ich kann je nach Site-2-Site VPN unterschiedliche
Regeln definieren.
Wie erstelle ich aber unterschiedliche RoadWarrior VPN Regeln?
Bei unserer bisherigen ZyWALL habe ich einfach unterschiedliche "VPN Zonen"
definieren können und in den Firewallregeln konnte ich dann dort das VPN auswählen und so die Firewall konfigurieren.
Wie unterscheide ich jetzt einen RoadWarrior Admin von einem RoadWarrior User?
Der Admin hat Zugriff auf alles, der User nur auf einzelne Server und Dienste.

In dem Zusammenhang: wie kann man unterschiedliche Phase 1/2 für unterschiedliche Benutzer (Admin/User) definieren?

7

17.7 Legacy Series / IPSec Tunnel Settings no alias possible

« on: August 27, 2017, 07:03:22 pm »

Why I cannot use an network alias in tunnel settings for the remote network?
I can enter an address manually or a network. But the alias would be much easier and better.
Is there a reason for it? Could you improve it?

Btw: Thanks for a great product

8

17.1 Legacy Series / Multiple IPSec Phase1 for roadwarriors with different access rights.

« on: May 20, 2017, 01:24:51 am »

Since v5.0.0 strongswan supports aggressive mode with PSK and right=%any.
And with aggressive mode it is possible to use different PSK and IDs for different Phase 1s.
How can I configure this as I need different Phase 1 settings for different PSKs with different
access rights.

9

17.1 Legacy Series / Multiple IPSec VPNs with different firewall rules

« on: April 15, 2017, 12:08:23 am »

I have my main office with address: 192.168.0.x/24
Office 2 with 192.168.10.x/24
Office 3 with 192.168.10.x/24
and one road warrior IPSec VPN.
How can I configure the road warrior VPN to have full access to the main office
and Office 2 and Office 3 only access to specific hosts and ports?
With ZyWALL I could configure different Zones for every VPN and assign different rules.
Here I have configured the rules based on the IP range for now, but with road warrior VPN, I don't know the IPs.

I couldn't find any good documentation or I missed it.

Thanks for your help.

10

17.1 Legacy Series / [SOLVED] Username length limit 16

« on: February 25, 2017, 10:03:05 pm »

OPNsense has a limit of 16 characters when creating users.
FreeBSD changed it to 32.
There was a post in pfSense forum how to change the php file and it worked.
https://forum.pfsense.org/index.php?topic=109508.0
Perhaps you can include this fix.

Thanks.