Topics - ikkeT

1
Virtual private networks / [solved] third wireguard peer won't show up
« on: July 25, 2022, 10:00:21 am »
Hi,

I got my first two wg peers to connect. But when I added the third peer, it doesn't get picked up from the GUI into the system configs. OPNsense is the latest version as of today, OPNsense 22.1.10-amd64. The config is just the same as the two previous ones, listing name, public key and allowed IP (192.168.116.22/24).

But when I apply the settings, only the first two are written into the wg0 config file, as also seen in the GUI peer list. The third one never gets there. See the Peer List view:

Code:
interface: wg1
  public key: (hidden)
  private key: (hidden)
  listening port: 55555

peer: (hidden)
  endpoint: 1.1.11.24:24472
  allowed ips: 192.168.116.21/32
  latest handshake: 10 minutes, 34 seconds ago
  transfer: 4.89 MiB received, 1.00 GiB sent

peer: (hidden)
  endpoint: 1.1.1.24:26682
  allowed ips: 192.168.116.20/32
  latest handshake: 36 minutes, 6 seconds ago
  transfer: 340.61 KiB received, 480.98 KiB sent

How can this be? I have tried saving and applying it several times, but the third one never gets there. I also restarted wg several times. The config of the peer is just like the others; only the pubkey and IP are different. What am I missing?

2
Virtual private networks / setting up wg interface ruins routing
« on: July 24, 2022, 11:04:13 pm »
Hi,

I've spent this evening struggling with WireGuard. I followed this guide [1], which tells you to set up interface wg1 for wg. There is some oddity in the wg plugin: it doesn't list the first peer, for example, in the list of configs, which baffled me for a while, but I can see from the command line that it's in the config file.

However, adding interface wg1, as instructed in the guide, ruins networking. It seems to direct all traffic to this wg1, which leads nowhere, naturally. The routing table looks like this, see the first line:

Code:
root@OPNsense:~ # netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#9             US          wg1
default            87-92-128-1.rev.dn UGS        igb0

Which tells me that wg1 grabs the traffic from LAN. As soon as I disable wg1, the 0.0.0.0/1 line disappears, the routing becomes normal and I get to the internet from LAN.

Why is this, what did I do wrong?


[1] https://docs.opnsense.org/manual/how-tos/wireguard-client.html
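Both the "0.0.0.0/1 grabs the traffic" symptom in this post and the "/24 allowed IP" of the third-peer post above come down to the same rule: the most specific matching prefix wins, and WireGuard's allowed-ips table is a routing table like the kernel's. The following is an added illustration, not code from either post or from OPNsense; the route and peer tables are reconstructed from the posts, and the interface and peer labels are placeholders.

```python
# Added example, not from the forum posts: a longest-prefix-match lookup
# over two tables reconstructed from them. Interface and peer labels are
# placeholders chosen for illustration.
from ipaddress import ip_address, ip_network

# Kernel routing table from the "setting up wg interface" post: the wg1
# interface installed 0.0.0.0/1 next to the normal default route.
ROUTES = [
    ("0.0.0.0/1", "wg1"),
    ("0.0.0.0/0", "igb0"),  # shown as "default" by netstat -r
]

# Allowed-ips ("cryptokey routing") table from the "third peer" post.
# WireGuard treats allowed-ips like a routing table: a /24 entry means
# the whole network, whatever host bits were typed into the GUI.
PEERS = [
    ("192.168.116.21/32", "peer-A"),
    ("192.168.116.20/32", "peer-B"),
    ("192.168.116.22/24", "peer-C"),  # third peer as entered in the GUI
]


def normalize(prefix):
    """Network a prefix actually covers (host bits dropped), as a string."""
    return str(ip_network(prefix, strict=False))


def lookup(table, dst):
    """Target of the most specific prefix containing dst, or None."""
    addr = ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in table:
        net = ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def default_halves_captured(table):
    """Which halves of the IPv4 space a /1 route steals from the default route."""
    halves = {"0.0.0.0/1": "0.0.0.0-127.255.255.255",
              "128.0.0.0/1": "128.0.0.0-255.255.255.255"}
    return {halves[p]: t for p, t in table if p in halves}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5"):       # constructed sample destinations
        print(dst, "->", lookup(ROUTES, dst))
    print(default_halves_captured(ROUTES))
    print(normalize("192.168.116.22/24"), lookup(PEERS, "192.168.116.21"))
```

With the table from the post, every destination below 128.0.0.0 is sent into wg1 while the rest still uses igb0, which is why LAN clients lose half the internet rather than all of it; a /1 pair (0.0.0.0/1 plus 128.0.0.0/1) is the usual way a WireGuard client overrides the default route on purpose.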

3
General Discussion / 22.7 openvpn dropping dh option - clients?
« on: July 13, 2022, 08:44:33 pm »
Hi,

I was reading the changelog for 22.7-rc1, and it says the dh option gets dropped for OpenVPN. What needs to be done for client configs to keep them working?

Do I need to reconfigure all clients not to have the dh option, then update the box, and they somehow get connected again?

And if I don't, I lose access to the clients and they won't be able to connect back any longer after the 22.7 update, right?


4
General Discussion / automatic certificate renewal for clients?
« on: October 31, 2021, 08:44:28 pm »
Hi,

I was thinking of a way to get my home intranet services' SSL certs automatically renewed. I don't like that all the random stuff at home has self-signed certs from different dummy CAs. I would like to trust the OPNsense CA at home, and issue home certs from OPNsense.

But I don't want to do them manually. Is there an automated way for clients to ask for a new cert, and reinstall it when needed? Like what FreeIPA and certmonger do? There you define the cert in FreeIPA, and it keeps the cert valid by automatically renewing it. Then clients use certmonger to keep the cert files updated, and services restarted when the cert gets renewed.

Any similar method for OPNSense?

5
High availability / haproxy endpoint monitoring
« on: October 16, 2020, 11:07:36 am »
Hi,

I use HAProxy for exposing my services to the internet. I'd like to monitor the services behind HAProxy, and thought it would be easiest to use telegraf, which I also use, to publish the backend stats into InfluxDB. Grafana could then give alerts if they start failing.

Another option would be to run Prometheus with Alertmanager somewhere, but I have all the above tools already in place. Would the telegraf plugin maintainer be interested in adding the HAProxy endpoints to the monitored objects? Has anyone already done that?

Or do you use some other alert mechanism for monitoring availability from OPNsense?

6
General Discussion / OpenVPN GUI faulty guidance
« on: July 11, 2020, 06:22:57 pm »
Hi,

I was going through the GUI for options to set a static IP for a roadwarrior client. There is a fault in the GUI guidance. The field in the client config, "VPN: OpenVPN: Client Specific Overrides: Tunnel Settings: IPv4 Tunnel Network", states:

"This is the IPv4 virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface."

Sounds a lot like description for the variable that I'd need. However if I put there: "192.168.118.1 192.168.118.2" in order to get the server to use .1 and client .2 from the tunnel network, I get the error:

"The following input errors were detected:
The field 'IPv4 Tunnel Network' must contain a single valid ipv4 CIDR range."

So clearly the instruction in the GUI is wrong. I assume it would rather set the virtual client network CIDR, and the GUI is actually missing the "ifconfig-push" option that I'd need.

I would've created an issue about that, but I couldn't find the repo for this plugin.

I'd have a wish that this GUI misguidance was fixed, and the ifconfig-push option was added.

7
20.1 Legacy Series / minor bug in firewall schedules descriptions
« on: May 03, 2020, 07:18:42 pm »
Hi,

Any chance this little annoying bug would get fixed? See the screenshot of how the descriptions get encoded the web way, so special characters and spaces get encoded wrongly.

Quote
arkiaamua%252520edelt%2525E4v%2525E4%252520ilta

That should show "Arkiaamua edeltävä ilta", which means The night before weekday.

8
General Discussion / Route behind openvpn client
« on: July 15, 2019, 08:42:24 pm »
Hi,

I have a RasPi client which connects fine to OpenVPN on OPNsense. And the RasPi routes fine to my home net. I'd like to route back to the net behind the RasPi. OPNsense is the default gw at home. How do I do this?

I tried adding a route into the OPNsense list of routes. Somehow it didn't work. How should this be done?

Let's assume home net is:
192.168.100.0/24, opnsense is 192.168.100.1

OpenVPN net is:
192.168.200.0/24, where both opnsense and client get addresses. Let's assume they would be .2 and .3. These are not static btw.

RasPi is in net:
192.168.300.0/24

How do I tell opnsense to route to 192.168.300.0 via 192.168.203?

9
General Discussion / What fails in letsencrypt acme challenge?
« on: August 04, 2018, 08:57:09 am »
Hi,

My certs won't get renewed, and now I can't get new ones. It might be due to having many HAProxy rules; perhaps one of them breaks acme.

Does anyone have an idea where this loop fails? What is it trying to do, and what might break it?


Code:
[Sat Aug  4 09:42:41 EEST 2018] ok, let's start to verify
[Sat Aug  4 09:42:41 EEST 2018] Verifying:mydomain.com
[Sat Aug  4 09:42:41 EEST 2018] d='mydomain.com'
[Sat Aug  4 09:42:41 EEST 2018] keyauthorization='snipped'
[Sat Aug  4 09:42:41 EEST 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:41 EEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Sat Aug  4 09:42:41 EEST 2018] wellknown_path='/var/etc/acme-client/challenges/.well-known/acme-challenge'
[Sat Aug  4 09:42:41 EEST 2018] writing token:snipped to /var/etc/acme-client/challenges/.well-known/acme-challenge/snipped
[Sat Aug  4 09:42:41 EEST 2018] Changing owner/group of .well-known to root:wheel
[Sat Aug  4 09:42:41 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:41 EEST 2018] payload='{"resource": "challenge", "keyAuthorization": "snipped"}'
[Sat Aug  4 09:42:41 EEST 2018] POST
[Sat Aug  4 09:42:41 EEST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped
[Sat Aug  4 09:42:41 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:42 EEST 2018] _ret='0'
[Sat Aug  4 09:42:42 EEST 2018] code='202'
[Sat Aug  4 09:42:42 EEST 2018] sleep 2 secs to verify
[Sat Aug  4 09:42:44 EEST 2018] checking
[Sat Aug  4 09:42:44 EEST 2018] GET
[Sat Aug  4 09:42:44 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped
[Sat Aug  4 09:42:44 EEST 2018] timeout=
[Sat Aug  4 09:42:44 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:45 EEST 2018] ret='0'
[Sat Aug  4 09:42:45 EEST 2018] Pending
[Sat Aug  4 09:42:45 EEST 2018] sleep 2 secs to verify
[Sat Aug  4 09:42:47 EEST 2018] checking
[Sat Aug  4 09:42:47 EEST 2018] GET
[Sat Aug  4 09:42:47 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:47 EEST 2018] timeout=
[Sat Aug  4 09:42:47 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:47 EEST 2018] ret='0'
[Sat Aug  4 09:42:47 EEST 2018] Pending
[Sat Aug  4 09:42:47 EEST 2018] sleep 2 secs to verify

It keeps doing that timeout loop. What is blocking it, any log which to follow for acme challenge?

10
18.7 Legacy Series / Fixed now: Warning: upgrade to 18.7 breaks HAProxy
« on: August 04, 2018, 12:12:13 am »
Hi,

I just upgraded to 18.7 from the prior latest version. Now I've lost all my websites behind HAproxy. Postpone the update if you care about HAproxy. Unfortunately I am only with mobile, so I can't debug much. Rules have lost their names for example in frontend definitions, just uuids. Perhaps some broken config conversion.

I'll update after I get back to keyboard.

I took config backup before update. Can I try restoring it to the 18.7 box?

11
Development and Code Review / Let's Encrypt always fails on first registration with HAproxy
« on: May 10, 2018, 10:44:14 am »
I really like how easy I can get certs now with HAproxy and Let's encrypt. Great work, thanks.

I thought I'd tell about this minor issue here in case someone is interested in fixing it. It's really minor, but confusing for a first timer like me. So I have HAProxy listening for all traffic on port 443. The default public service then routes requests to the correct backends based on rules. First I create rules to sort traffic to a given domain and backend. Then I add the rule to the public service. That frontend is also using certs from the Let's Encrypt service. Next I need to go to the Let's Encrypt service to add the domain.

I add the domain with the http validation method, and press the small refresh button to force registration. This always fails on the first run. But it also always works on the second run. The GUI doesn't show it until a page refresh, but the logs do.

So it's now OK for me, as I know this, but I sure spent some time on the first trials as I didn't look at the logs first.

Anyway, knowing this, it is a great feature. Perhaps it gets fixed at some point.

12
18.1 Legacy Series / haproxy reqirep rules for path rewrite?
« on: April 29, 2018, 08:05:53 pm »
Hi,

How does one do things like this in the GUI? That is, replacing path parts with regexp replacements?

Code:
reqirep  ^([^ :]*)\ /mirror/foo/(.*)     \1\ /\2


See sample here: https://www.haproxy.com/blog/howto-write-apache-proxypass-rules-in-haproxy/

Edit: describing a bit more:

So I want my external url to be rewritten by HAproxy for my internal server:

https://my.com/myexturl/index.html?stuff=1
=>
http://foo.intranet/index.html?stuff=1

Something like this HAProxy config:

Code:
    http-request set-header Host foo.intranet
    reqirep  ^([^ :]*)\ /myexturl/(.*)     \1\ /\2

    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://my.com(:[0-9]+)?)?/myexturl(/.*) Location:\ /\3 if hdr_location
    # ProxyPassReverseCookieDomain my.com foo.intranet
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= foo.intranet
    rspirep ^(Set-Cookie:.*)\ Domain=foo.intranet(.*) \1\ Domain=my.com\2 if hdr_set_cookie_dom
    # ProxyPassReverseCookieDomain / /myexturl/
    acl hdr_set_cookie_path res.hdr(Set-cookie) -m sub Path=
    rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/myexturl\2 if hdr_set_cookie_path

Now some of those I can find through the menus, but e.g. the plain reqirep at the beginning I can't. How do I do it via the GUI?



13
18.1 Legacy Series / Remote upgrade 17->18 failed, what is expected
« on: April 09, 2018, 05:34:22 am »
Hi,

I'm asking for tips on what to expect after an upgrade has gone bad on a remote box.

I have an OPNsense at a remote location. Same HW as at home, an apu2. At home I've successfully upgraded from 17-something to current every time there has been an upgrade available. This remote box I tried to upgrade yesterday for the first time in about half a year. I had OVPN on, and at first the upgrade upgraded pkg. Then I suppose a lot of 17 stuff. And a reboot, I recall. Then the next upgrade required unlocking the 18 upgrade. I did.

After I then pressed the upgrade to 18 button, I was told it takes several reboots. I allowed it to go forward. The last message was about upgrading the kernel and rebooting. The next boot never brought up OVPN or the dynamic DNS update.

Luckily it's NATting as should, so people get to internet. I need to drive there having serial cable to see how to bring it back.

What do you think I'll face there, and what are the recovery actions?

If it's the worst, messed up install, will it work if I clean install 18 and import the 17 backup config?

Thumbs up reboot would fix it...

14
Web Proxy Filtering and Caching / block lists not including urls nor expressions?
« on: January 17, 2018, 09:15:33 pm »
Hi,

I enabled transparent squid with adblocking, using the UT1 list. It's a great feature! However, it didn't stop many Finnish ad sites, so I started digging into the files and their formats. I noticed the urls or expressions don't get included, only the domain list is added, and even that is formatted to include a dot [.] in front of each domain. Is this just work in progress, or does OPNsense squid not support the urls and expressions files?

Another thing, what's the easiest way of adding my own list? Is it enough to have it in .gz file on own web server and adding it to remote control lists? Or have you noticed UT1 would take such input? It seems there is pretty good local list available for adblock plus: http://adb.juvander.net/Finland_adb.txt , which would be worth converting to squid format for myself, in case if it supported url and expressions files.

Here's what the file list looks like in the UT1 block list for ads:
Code:
$ tree publicite/
publicite/
├── domains
├── expressions
├── urls
└── usage

Here's how expressions should work: http://www.squidguard.org/Doc/expressionlist.html

15
General Discussion / API or any remote method to activate rules?
« on: November 19, 2017, 08:15:58 pm »
Hi,

I fancy a physical button at home, which would kill certain devices' network connectivity. Think of a kid not stopping playing after several mentions of dinner.... :)

So I could use my BT button which controls rules in my OpenHAB home automation box. That could then call API of OPNSense to toggle certain FW group on/off.

Is there such API, or any samples doing it e.g. using curl? I didn't find API in docs.

BR,
ikke
