Topics

1

High availability / haproxy endpoint monitoring

« on: October 16, 2020, 11:07:36 am »

Hi,

I use haproxy for exposing my services to internet. I'd want to monitor the services behind the haproxy, and though it would be the easiest to use telegraf, which I also use, to publish the backend stats into influxdb. Grafana could then give alerts if they start failing.

Other options would be to run prometheus with alert manager somewhere, but I have all the above tools aready in place. Would telegraf plugin maintainer be interested of adding the haproxy endpoints to monitored objects? Has anyone already done that?

Or do you use some other alert mechanism for monitoring availability from OPNsense?

2

General Discussion / OpenVPN GUI faulty guidance

« on: July 11, 2020, 06:22:57 pm »

Hi,

I was going through GUI for options to set static IP for roadwarrior client. There is a fault in GUI guidance. The field in client config: IPv4 " VPN: OpenVPN: Client Specific Overrides: Tunnel Settings: Tunnel Network" states:

"This is the IPv4 virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface."

Sounds a lot like description for the variable that I'd need. However if I put there: "192.168.118.1 192.168.118.2" in order to get the server to use .1 and client .2 from the tunnel network, I get the error:

"The following input errors were detected:
The field 'IPv4 Tunnel Network' must contain a single valid ipv4 CIDR range."

So clearly the instruction in the GUI is wrong. I assume it would rather set the virtual client network CIDR, and the GUI is actually missing the "ifconfig-push" option that I'd need.

I would've created an issue about that, but I couldn't find the repo for this plugin.

I'd have a wish that this GUI misguidance was fixed, and the ifconfig-push option was added.

3

20.1 Legacy Series / minor bug in firewall schedules descriptions

« on: May 03, 2020, 07:18:42 pm »

Hi,

any chance this little annoying bug would get fixed? See screenshot how the descriptions get encoded the web way, so special characters and spaces get en oded wrongly.

arkiaamua%252520edelt%2525E4v%2525E4%252520ilta

That should show "Arkiaamua edeltävä ilta", which means The night before weekday.

4

General Discussion / Route behind openvpn client

« on: July 15, 2019, 08:42:24 pm »

Hi,

I have a RasPi client which connects fine to openvpn in OPNSense. And raspi routes fine to my homenet. I'd like to route back to net behind raspi. OPNSense is the default gw at home.  How to do this?

I tried adding router into opnsense list of routes. Somehow it didn't work. How should be this done?

Let's assume home net is:
192.168.100.0/24, opnsense is 192.168.100.1

OpenVPN net is:
192.168.200.0/24, where both opnsense and client get addresses. Let's assume they would be .2 and .3. These are not static btw.

RasPi is in net:
192.168.300.0/24

How do I tell opnsense to route to 192.168.300.0 via 192.168.203?

5

General Discussion / What fails in letsencrypt acme challenge?

« on: August 04, 2018, 08:57:09 am »

Hi,

my certs won't t get renewed, and now I can't get new ones. It might be due having many HAproxy rules, perhaps one of them breaks acme.

Does anyone have idea where this loop fails at? What is it trying to do, and which might break it?

Code: [Select]

[Sat Aug  4 09:42:41 EEST 2018] ok, let's start to verify
[Sat Aug  4 09:42:41 EEST 2018] Verifying:mydomain.com
[Sat Aug  4 09:42:41 EEST 2018] d='mydomain.com'
[Sat Aug  4 09:42:41 EEST 2018] keyauthorization='snipped'
[Sat Aug  4 09:42:41 EEST 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:41 EEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Sat Aug  4 09:42:41 EEST 2018] wellknown_path='/var/etc/acme-client/challenges/.well-known/acme-challenge'
[Sat Aug  4 09:42:41 EEST 2018] writing token:snipped to /var/etc/acme-client/challenges/.well-known/acme-challenge/snipped
[Sat Aug  4 09:42:41 EEST 2018] Changing owner/group of .well-known to root:wheel
[Sat Aug  4 09:42:41 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:41 EEST 2018] payload='{"resource": "challenge", "keyAuthorization": "snipped"}'
[Sat Aug  4 09:42:41 EEST 2018] POST
[Sat Aug  4 09:42:41 EEST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped
[Sat Aug  4 09:42:41 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:42 EEST 2018] _ret='0'
[Sat Aug  4 09:42:42 EEST 2018] code='202'
[Sat Aug  4 09:42:42 EEST 2018] sleep 2 secs to verify
[Sat Aug  4 09:42:44 EEST 2018] checking
[Sat Aug  4 09:42:44 EEST 2018] GET
[Sat Aug  4 09:42:44 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped
[Sat Aug  4 09:42:44 EEST 2018] timeout=
[Sat Aug  4 09:42:44 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:45 EEST 2018] ret='0'
[Sat Aug  4 09:42:45 EEST 2018] Pending
[Sat Aug  4 09:42:45 EEST 2018] sleep 2 secs to verify
[Sat Aug  4 09:42:47 EEST 2018] checking
[Sat Aug  4 09:42:47 EEST 2018] GET
[Sat Aug  4 09:42:47 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:47 EEST 2018] timeout=
[Sat Aug  4 09:42:47 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:47 EEST 2018] ret='0'
[Sat Aug  4 09:42:47 EEST 2018] Pending
[Sat Aug  4 09:42:47 EEST 2018] sleep 2 secs to verify

It keeps doing that timeout loop. What is blocking it, any log which to follow for acme challenge?

6

18.7 Legacy Series / Fixed now: Warning: upgrade to 18.7 breaks HAProxy

« on: August 04, 2018, 12:12:13 am »

Hi,

I just upgraded to 18.7 from the prior latest version. Now I've lost all my websites behind HAproxy. Postpone the update if you care about HAproxy. Unfortunately I am only with mobile, so I can't debug much. Rules have lost their names for example in frontend definitions, just uuids. Perhaps some broken config conversion.

I'll update after I get back to keyboard.

I took config backup before update. Can I try restoring it to the 18.7 box?

7

Development and Code Review / Let's Encrypt always fails on first registration with HAproxy

« on: May 10, 2018, 10:44:14 am »

I really like how easy I can get certs now with HAproxy and Let's encrypt. Great work, thanks.

I thought I tell this minor issue with it here if someone is interested to fix it. It's really minor, but confusing for the first timer like me. So I have HAproxy listening all traffic to port 443. The default public service then routes requests to correct backends based on rules. First I create rules to sort traffic to given domain and backend. Then I add the ruleto to public service. That frontend also is using certs from Let's Encrypt service. Next I need to go to letsencrypt service to add domain.

I add the domain with http validation method, and press the small refresh button to force registration. This always fails at first run. But it also always works on the second run. Even though the gui don't show it until page refresh, but logs do.

So it's now OK for me, as I know this, but I sure spent some time on the first trials as I didn't look at the logs first.

Anyway, knowing this, it is great feature. Perhaps it gets fixed at some point.

8

18.1 Legacy Series / haproxy regirep rules for path rewrite?

« on: April 29, 2018, 08:05:53 pm »

Hi,

how does one do things like this in GUI? So replacing path parts with regexp placements?

 reqirep  ^([^ :]*)\ /mirror/foo/(.*)     \1\ /\2


See sample here: https://www.haproxy.com/blog/howto-write-apache-proxypass-rules-in-haproxy/

Edit: describing a bit more:

So I want my external url to be rewritten by HAproxy for my internal server:

https:/my.com/myexturl/index.html?stuff=1
=>
http://foo.intranet/index.html?stuff=1

Like about this haproxy config:

    http-request set-header Host foo.intranet
    reqirep  ^([^ :]*)\ /myexturl/(.*)     \1\ /\2

    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://my.com(:[0-9]+)?)?/myexturl(/.*) Location:\ /\3 if hdr_location
    # ProxyPassReverseCookieDomain my.com foo.intranet
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= foo.intranet
    rspirep ^(Set-Cookie:.*)\ Domain=foo.intranet(.*) \1\ Domain=my.com\2 if hdr_set_cookie_dom
    # ProxyPassReverseCookieDomain / /myexturl/
    acl hdr_set_cookie_path res.hdr(Set-cookie) -m sub Path=
    rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/myexturl\2 if hdr_set_cookie_path

Now some of those I can find through menues, but e.g. the plain reqirep at the beginning I can't. How to do it via GUI?

9

18.1 Legacy Series / Remote upgrade 17->18 failed, what is expexted

« on: April 09, 2018, 05:34:22 am »

Hi,

I'm asking for tips what's to be expected after upgrade gone bad with remote box.

I do have a OPNSense at remote location. Same HW as my home, apu2. At home I've successfully upgraded from 17 something to current every time there has been upgrade available. This remote box I tried to uograde yesterday for the first time in about half a year. I had ovpn on, and at first the uograde upgraded pkg. Then I suppose lot of 17 stuff. And a reboot I recall. Then the next upgrade required unlocking the 18 upgrade. I did.

After I then pressed the upgrade to 18 button, I got told it takes several reboots. I allowed it to go forward. The last message was about upgrading kernel and reboot. The next boot never brought up the OVPN or dynamicDNS update.

Luckily it's NATting as should, so people get to internet. I need to drive there having serial cable to see how to bring it back.

What do you think I'll face there, and what are the recovery actions?

If it's the worst, messed up install, will it work if I clean install 18 and import the 17 backup config?

Thumbs up reboot would fix it...

10

Web Proxy Filtering and Caching / block lists not including urls nor expressions?

« on: January 17, 2018, 09:15:33 pm »

Hi,

I enabled transparent squid with adblocking, using UT1 list. It's great feature! However it didn't stop many Finnish ad sites, so I started digging into files and their formats. I noticed the urls or expressions don't get included, only domain list is added, and even that is formatted to include dot [.] in front of each domain. Is this just work in progress, or does opnsense squid not support the urls and expressions?

Another thing, what's the easiest way of adding my own list? Is it enough to have it in .gz file on own web server and adding it to remote control lists? Or have you noticed UT1 would take such input? It seems there is pretty good local list available for adblock plus: http://adb.juvander.net/Finland_adb.txt , which would be worth converting to squid format for myself, in case if it supported url and expressions files.

Here's how the file list looks like in UT1 block list for ads:

Code: [Select]

$ tree publicite/
publicite/
├── domains
├── expressions
├── urls
└── usage

Here's how expressions should work: http://www.squidguard.org/Doc/expressionlist.html

11

General Discussion / API or any remote method to activate rules?

« on: November 19, 2017, 08:15:58 pm »

Hi,

I fancy a physical button at home, which would kill certain devices network connectivity. Think of kid not stopping playing after several mentions about dinner....

So I could use my BT button which controls rules in my OpenHAB home automation box. That could then call API of OPNSense to toggle certain FW group on/off.

Is there such API, or any samples doing it e.g. using curl? I didn't find API in docs.

BR,
ikke

12

General Discussion / openvpn mixed OPT and machine clients?

« on: October 08, 2017, 04:00:48 pm »

Hi,

I have been happily using VPN with OTP for a while. Now I would need to setup a VPN for some remote raspberry pi clients. I'd collect data from them over VPN. My question would be, can I add somehow exception for openvpn to not use one time password for those clients, but rather fixed passwords? Or just certs?

Like many web services have an option for "legacy" clients to have fixed passwords, like google talk clients.

-ikke

13

General Discussion / [SOLVED] DDNS with route53

« on: September 10, 2017, 10:58:17 pm »

Hi,

is there any plugin to do dynamic dns with route53? I see on the list the dyndns plugin, but I'd like to use something else instead. I do this on one of my arm boxes: https://github.com/mthssdrbrg/ddns-route53

There seems to be different clients around, mainly using boto libraries. Has anyone yet happened to implement such plugin for OPNsense?