Topics - Gargamel

1
General Discussion / What is wrong with my settings? (Dual VPN client)
« on: November 30, 2019, 11:36:57 am »
I have been over this a few times, trying to set up a dual OpenVPN client where certain computers go through the VPN that has a fixed public IP with all ports open, and everything else goes through the other one (that gets a new IP each time it reconnects).

But no matter what changes I make, everything still seems to go through the VPN that has the fixed IP and open ports.


OpenVPN client settings (Attached)

2
General Discussion / Can someone explain this Firewall log?
« on: December 04, 2017, 12:59:19 pm »
I saw these 2 (and some more) entries in the firewall logs on the "front page".
As I read the log they originate/come in over the LAN, but they should come from the interface "OVPNPUBLICIPV4", since only on this interface is the port it gets redirected to open (port forwarded).

3
17.7 Legacy Series / Broader censoring domains to IP (Unbound overrides)
« on: December 02, 2017, 07:31:56 pm »
Hi.

In Unbound I have set up
Code:
Host Overrides
Host  Domain          Type  Value    Description
      aftonbladet.se  A     0.0.0.0  aftonbladet.se
      expressen.se    A     0.0.0.0  expressen.se
www   aftonbladet.se  A     0.0.0.0
www   expressen.se    A     0.0.0.0  expressen.se

But how can I set it up to catch *.<domains above>, e.g. if they change to www2.<domain above> or somethingelse.<domain above>, etc.?
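One way to get the wildcard behaviour asked for above, as an added example that is not from the thread: a host override only answers the exact name, whereas an Unbound "redirect" local-zone answers the zone apex and every name below it from the zone's local-data. The helper renders those stanzas for the two domains in the post and mimics how the redirect zone matches query names; placing the output in OPNsense's Unbound custom options is an assumption, not something the thread states.

```python
"""Sinkhole a domain and all of its subdomains with Unbound redirect zones.

Added example, not from the forum thread. A plain host override for
'www.aftonbladet.se' leaves 'www2.aftonbladet.se' resolving normally; a
'local-zone: "aftonbladet.se." redirect' makes Unbound answer the apex and
every label beneath it with the zone's local-data (here the 0.0.0.0 sinkhole
the post already uses).
"""

SINKHOLE = "0.0.0.0"

# Domains taken from the post's host-override table.
BLOCKED = ["aftonbladet.se", "expressen.se"]


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so matching is case/format insensitive."""
    return name.strip().rstrip(".").lower()


def unbound_redirect_zones(domains, sink: str = SINKHOLE) -> str:
    """Render 'server:' stanzas for unbound.conf (or, assumed, OPNsense custom options).

    Each domain gets a redirect local-zone plus the apex A record that the
    redirect zone hands back for the apex and all subdomains.
    """
    lines = ["server:"]
    for d in map(_normalize, domains):
        if not d:
            continue  # skip blank entries rather than emitting a broken zone
        lines.append(f'  local-zone: "{d}." redirect')
        lines.append(f'  local-data: "{d}. A {sink}"')
    return "\n".join(lines) + "\n"


def is_sinkholed(qname: str, domains) -> bool:
    """True when qname is the apex or any name below a blocked zone.

    Mirrors redirect-zone matching: 'www2.aftonbladet.se' is caught,
    'notaftonbladet.se' is not (suffix match is on label boundaries).
    """
    q = _normalize(qname)
    return any(q == d or q.endswith("." + d) for d in map(_normalize, domains))


if __name__ == "__main__":
    print(unbound_redirect_zones(BLOCKED))
```

Run `unbound-checkconf` on the resulting file before reloading, and remember that a redirect zone also swallows MX/TXT lookups for the domain, so it is a blunter tool than a per-host override.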

4
17.7 Legacy Series / OpenVPN server, android "timeout" on connection
« on: November 04, 2017, 07:18:05 pm »
I set up an OpenVPN server using the wizard, pointed it to WAN, and let the wizard configure the firewall rules.
I used client export to export an "inline config" for Android.
In the server logs I see:
Code:
Nov 4 19:12:54 openvpn[45682]: MANAGEMENT: Client disconnected
Nov 4 19:12:54 openvpn[45682]: MANAGEMENT: CMD 'quit'
Nov 4 19:12:54 openvpn[45682]: MANAGEMENT: CMD 'status 2'
Nov 4 19:12:54 openvpn[45682]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
Nov 4 19:12:43 openvpn[45682]: Initialization Sequence Completed
Nov 4 19:12:43 openvpn[45682]: IFCONFIG POOL: base=10.222.0.4 size=62, ipv6=0
Nov 4 19:12:43 openvpn[45682]: MULTI: multi_init called, r=256 v=256
Nov 4 19:12:43 openvpn[45682]: UDPv6 link remote: [AF_UNSPEC]
Nov 4 19:12:43 openvpn[45682]: UDPv6 link local (bound): [AF_INET6][undef]:11194
Nov 4 19:12:43 openvpn[45682]: setsockopt(IPV6_V6ONLY=0)
Nov 4 19:12:43 openvpn[45682]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Nov 4 19:12:43 openvpn[45682]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 4 19:12:43 openvpn[45682]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Nov 4 19:12:43 openvpn[45682]: /sbin/route add -net 10.222.0.0 10.222.0.2 255.255.255.0
Nov 4 19:12:42 openvpn[45682]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1622 10.222.0.1 10.222.0.2 init
Nov 4 19:12:42 openvpn[45682]: /sbin/ifconfig ovpns3 10.222.0.1 10.222.0.2 mtu 1500 netmask 255.255.255.255 up
Nov 4 19:12:42 openvpn[45682]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 4 19:12:42 openvpn[45682]: TUN/TAP device /dev/tun3 opened
Nov 4 19:12:42 openvpn[45682]: TUN/TAP device ovpns3 exists previously, keep at program end
Nov 4 19:12:42 openvpn[45682]: ROUTE_GATEWAY 155.4.197.1/255.255.255.0 IFACE=em1 HWADDR=00:e8:4c:68:50:fe
Nov 4 19:12:42 openvpn[45682]: TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Nov 4 19:12:42 openvpn[45682]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 4 19:12:42 openvpn[45682]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 4 19:12:42 openvpn[45682]: Diffie-Hellman initialized with 2048 bit key
Nov 4 19:12:42 openvpn[45682]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 4 19:12:42 openvpn[45682]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server3.sock
Nov 4 19:12:42 openvpn[45623]: library versions: LibreSSL 2.5.5, LZO 2.10
Nov 4 19:12:42 openvpn[45623]: OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 4 2017
Nov 4 19:12:42 openvpn[45623]: auth_user_pass_file = '[UNDEF]'
Nov 4 19:12:42 openvpn[45623]: pull = DISABLED
Nov 4 19:12:42 openvpn[45623]: client = DISABLED
Nov 4 19:12:42 openvpn[45623]: port_share_port = '[UNDEF]'
Nov 4 19:12:42 openvpn[45623]: port_share_host = '[UNDEF]'
Nov 4 19:12:42 openvpn[45623]: auth_token_lifetime = 0
Nov 4 19:12:42 openvpn[45623]: auth_token_generate = DISABLED
Nov 4 19:12:42 openvpn[45623]: auth_user_pass_verify_script_via_file = DISABLED
Nov 4 19:12:42 openvpn[45623]: auth_user_pass_verify_script = '/usr/local/sbin/ovpn_auth_verify user 'Local Database' 'false' 'server3''
Nov 4 19:12:42 openvpn[45623]: max_routes_per_client = 256
Nov 4 19:12:42 openvpn[45623]: max_clients = 1024
Nov 4 19:12:42 openvpn[45623]: cf_per = 0
Nov 4 19:12:42 openvpn[45623]: cf_max = 0
Nov 4 19:12:42 openvpn[45623]: duplicate_cn = DISABLED
Nov 4 19:12:42 openvpn[45623]: enable_c2c = DISABLED
Nov 4 19:12:42 openvpn[45623]: push_ifconfig_ipv6_remote = ::
Nov 4 19:12:42 openvpn[45623]: push_ifconfig_ipv6_local = ::/0
Nov 4 19:12:42 openvpn[45623]: push_ifconfig_ipv6_defined = DISABLED
Nov 4 19:12:42 openvpn[45623]: push_ifconfig_remote_netmask = 0.0.0.0
Nov 4 19:12:42 openvpn[45623]: push_ifconfig_local = 0.0.0.0
Nov 4 19:12:42 openvpn[45623]: push_ifconfig_defined = DISABLED
Nov 4 19:12:42 openvpn[45623]: tmp_dir = '/tmp'

So it SEEMS that the server sort of works, but the Android client says:
Code:
EVENT: CONNECTING
EVENT: RESOLVE
Contacting <my ip>:11194 via UDP
Server poll timeout, trying next remote entry.

What could be the problem? And how to solve it so clients can connect?

5
17.7 Legacy Series / NAT or Firewall rules for 2xOpenVPN Client connections?
« on: November 02, 2017, 09:35:30 am »
Hi.
I have set up 2 OpenVPN clients in my OPNsense router.
Which is the best way to redirect certain IPs on my LAN side to go to one OpenVPN connection, with everything else going through the other? And a certain IP or two directly to WAN (Xbox, Sonos web radio)?

I have tried to set up 2 NAT rules, but this seems to behave strangely on my side, such as:
* All goes through one OpenVPN.
* None gets through at all.
* Gets through but the web GUI of OPNsense is blocked.

Usually, it just "stops working" if I make a firewall rule telling "this IP" to go through "this OpenVPN" (when all goes through the other) for that IP.

So how would I best go about setting this up, so I can easily specify "all go here, but not x/y/z who go there, and H, G go to WAN"?

6
17.7 Legacy Series / 2 x OpenVPN Connection, how to nat/use rules?
« on: October 12, 2017, 06:24:24 pm »
Hi.
I have now come so far that I have 2 OpenVPN connections up.
One has a "public IPv4", intended for my servers. The other is for everyday use by unspecified users.

I have set up an alias, in which I have specified my computer's IP (10.220.0.1) and computername.localdomain.
In NAT -> Outbound I have created a rule at the top that specifies my alias as source and the interface as the public IPv4 connection; everything else is defaults.
Below this rule I have specified any as source and the interface as the other OpenVPN connection.

When I look up "my IP" I get the non-public IPv4 IP.

I have tried to create a LAN rule, specifying source = my alias, to use the gateway of the public IPv4 connection, and still I get the non-public one.

Where and how should I create rules/NAT to be able to specify which LAN IP goes to which OpenVPN connection?

I wish to make the default always non-public, and specify certain IPs to go through the public one.

7
17.7 Legacy Series / VERY slow speeds with OPNsense
« on: October 12, 2017, 04:20:36 pm »
Hi, I just installed OPNsense, and ran update to the latest updates as of today.
When I check my speed at http://www.dslreports.com/speedtest I only get 24 megabits/s down and 70 megabits/s up, and I have a 250/250 connection. I have checked my switch for my LAN; it reports a Gbit connection for all connected cables, and OPNsense reports nearly no traffic on WAN.

I have yet to set up the OpenVPN connection and such that I would like.

I have tried to enable the 3 hardware offloading settings and rebooted; still roughly the same speed.

The OPNsense box is nearly 100% default from installation; the only change is that I don't use 192.168 but 10.200.x.x for my LAN.

What settings should I check? When I was directly connected to the box, I got full speed.
Any ideas? The switch is a Netgear GS108E and everything is connected exactly as it was with pfSense.

8
General Discussion / USB Drive empty when DD-ing the img?
« on: October 12, 2017, 02:04:37 pm »
Hi.
I just ran dd with OPNsense-17.7-OpenSSL-vga-amd64.img to a thumb drive that previously had pfSense.
When I mount that drive it comes up empty; is that as it should be?

9
General Discussion / Dumb question about OpenVPN
« on: October 11, 2017, 01:53:49 pm »
Hi.
Pretty dumb question here.
Would an OpenVPN connection (from router/LAN to internet) be able to do higher speeds if OPNsense is virtualized with 1 CPU / 1 core? (Would not the VM, like ESXi, use more cores while the guest "only uses one"?)

I have an i7-5550U CPU in my firewall computer, and I'm now thinking of either 2 OpenVPN instances to split LAN/servers onto 2 different connections using VLANs instead of all going over one OpenVPN connection (AES-256-GCM).

10
General Discussion / Setup from scratch, tips?
« on: October 04, 2017, 09:47:04 am »
Hi.

At home I have a 250/250 Mbps connection.
I am currently running pfSense, and it's "so so", due to config I believe.

I was thinking of completely wiping my setup at home while I re-install servers and other computers on the LAN.

Will an i7-5550U CPU with OPNsense be able to handle 1 or 2 AES-256-CBC / SHA1 OpenVPN connections and give as close to max speed as possible, as with "vanilla WAN"?

Currently I have one connection and all servers and utilities go through the same VPN route.

I was thinking of getting another managed switch and setting up VLANs so certain servers go through "openvpn connection #1", so I can port forward to the servers that need it, with a public IP.
And all other users get routed through "openvpn connection #2", where they share the IP of many other users that subscribe to the same service, with no ports open (inbound).

If I set up 2 OpenVPN connections, will these 2 use one core each (2 physical cores, 4 threads)?
https://ark.intel.com/products/84992/Intel-Core-i7-5550U-Processor-4M-Cache-up-to-3_00-GHz

The box I use has 8GB RAM and a 128 GB SSD.

I do not really plan to use Snort/IDS etc., but might use it to detect possible attacks of some sort from the "outside" (WAN/OpenVPN-WAN).

I will also have an OpenVPN server to be able to connect from anywhere in the world, to get onto the LAN when I need to; here speed is not the main concern, security is more the concern, but I need an open hole to get "home".

I have 1 PC at home (and the OpenVPN server from the internet) that should be able to reach all servers on the LAN, but most servers and other peripherals do not need to access anything else than the internet, more or less.

--

How would you set this up? Or am I over-complicating this?
