Topics - qinohe

#1
I have an issue using timeservers.
Setting a pool of timeservers, it doesn't matter what I choose.
As an example I used the NL & OPNsense pools: 0-3.nl.pool.ntp.org & 0-3.opnsense.pool.ntp.org
But using single timeservers hosted by some universities (NL) leads to the same outcome.

OPNsense is hosted by a (local) Proxmox server which runs as it should.
Proxmox is bridged behind OPNsense in the picture of OPNsense as a router.
This also leads to no problems and runs very stable.

NTP is the only service giving me a headache, for it loses its connection after an undefined amount of time.
A message is displayed on the dashboard: No active peers available.

Mostly the NTP server will find a new peer and the time will be synchronized again on the network.
But if the 'non-active peer' situation takes too long, I will be notified by the 'Check_MK' - read Nagios - server that there are problems with time syncing.
Check_mk often gives a warning that the service is 'flapping' - meaning its condition is not stable and changes quickly (not measurable but quite indicative).

Because OPNsense runs on Proxmox there is no 'real' hardware clock and the clock is only run by the virtual processor.
You can imagine the offset goes haywire within a few hours; the clock can be off by (many) minutes.

Resetting the NTP server most of the time solves the problem, but not always!
One of the problems I have, and which is really annoying, is OTP authentication.
My codes are on my phone which is on a 4G network. I think you see the problem...
I had to stop using OTP for most apps because it became too unstable a situation.

Anyway, this has run stable for almost a year, but I'm having problems with it for a while now - I can't remember exactly when it started, sorry!
Manually resetting the NTP server may be needed a few times per day.

Is there a way to figure out what stops the NTP server from using perfectly fine pools?

Many thanks in advance if you can help me figure this out.
#2
Hi there, long time since I've last been here  :)

So I have this new server installed with Proxmox, running OPNsense as a guest, if it's relevant.
OPNsense seems to run fine on it; I'm still in a somewhat testing setup.
However, today I updated to 20.1.7, which went fine overall, but I have done a health check which gave the following warning:

............
>>> Check for and install missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ........
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/io.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/locale.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/operator.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/os.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/posixpath.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/re.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/reprlib.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/site.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/sre_compile.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/sre_constants.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/sre_parse.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/stat.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/threading.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/token.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/tokenize.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/traceback.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/types.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/__pycache__/warnings.cpython-37.pyc
python37-3.7.7: checksum mismatch for /usr/local/lib/python3.7/encodings/__pycache__/aliases.cpython-37.pyc
Checking all packages..... done
>>> Check for core packages consistency
Checking core packages: ..................................................................... done
***DONE***



Firmware Mirror     LeaseWeb (HTTP, Amsterdam, NL)
Firmware Flavour    OpenSSL
Release Type        Production


Should I be concerned?
I also have a box running on bare hardware that doesn't show these mismatches.

Thanks, mark
#3
Hi all, is anyone else having problems using the search function in the wiki with the newest Firefox?
All was working, but since today's upgrade I'm not able to use the search anymore.
Just entering a search like 'dns' or 'api' keeps searching forever.. :(
I have also tried to open the files with SeaMonkey and it still works as it's supposed to.

Now the 'strange' thing is, I have also built the newest docs, and opening them with Firefox and using the search works, very odd...
Oh, and there are no blockers on FF, all are turned off.

Thanks, mark
#4
Hi there, thanks again for a flawless update, everything seems to be working as expected  8)
However there is a small issue, probably a cached file not being rotated.
After performing a health check, which I do after every update, I noticed the previous version is shown.
This is the output:

***GOT REQUEST TO AUDIT HEALTH***
>>> Check installed kernel version
Version 19.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 19.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for and install missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Checking core packages: ..................................................................... done
***DONE***


Greetings and thanks for looking into it.
Mark
#5
Hey all,

A while ago I read about how difficult some people find it to write docs in RST format and how easy it would be to use traditional wiki format. RST is a very simple markup language, no more difficult than wiki markup; you can learn it and write a short page in an hour or so.

What I would like to show here is how to write your RST page in a clean environment similar to chroot on a Linux system, using systemd-nspawn and Debian as guest.
Of course you need Linux using systemd as init system...

Sorry to all non-Linux users, but there are a lot of documents already to achieve the same.

I will not go into using git and creating a clone of the docs on your own GitHub page.


The fun part:

=====================================================================
edit: first look at the commands used in post #3, as fabian pointed out in post #2, Thanks  ;)
=====================================================================

Okay, first you need some space to set up a container (systemd-nspawn). The size of a fully set up system would be less than 1G, so a few gigs of free space would be more than enough.

Create a directory and name it something like 'opndocs'.

Become root and be sure you cd to '../opndocs'

Time to set up the system, we use Debian stretch (old-stable).
You can try buster but it won't work on my Arch Linux system, yet.
debootstrap --include=systemd-container --components=main,universe stretch opndocs https://deb.debian.org/debian/
This mostly takes a few minutes depending on your connection/system.

Next we must set a password:
systemd-nspawn -D opndocs
passwd
logout


Now it's time to start the container and login
systemd-nspawn -b -D opndocs

Install a few programs in the container:
apt-get install vim git python-pip

Time to clone the docs, don't use 'mine', create your own clone...
git clone https://github.com/qinohe/docs  # example

Install Sphinx, contrib packages & the OPNsense default theme with pip:
cd docs
pip install -r requirements.txt


Create a page.rst page; there are enough examples in the directory.
page.rst is an example, name it logically. If you write a page about ssh security, name it something like ssh-security.rst.

When you're done creating a page you need to build the wiki. There is a makefile in the 'docs' dir:
make html

Upload the result to your system/web-server, test them and see if you want to change anything.
The resulting files are in:
docs/build/html

If you need to edit your created file, cd to docs:
make clean

Make your changes and 'make html', upload & 'make clean' etc.

When you're ready, upload the docs back to your GitHub and make a pull request to OPNsense-docs.

Note: if you don't have a GitHub page and don't want to set one up, clone the docs directly from OPNsense:
git clone https://github.com/opnsense/docs
Make your page and send it to the devs directly. They will accept it, but please take the effort to set up your own...

That's all, hope this helps users who want to but didn't know how to ;)

Greetings mark
#6
19.7 Legacy Series / sshd logging
November 05, 2019, 12:16:12 AM
Hi there, I got a PM from another forum member asking me how to disable sshd logging.
Now I never bothered, but his question is valid; he is, just like me, using https://checkmk.com/
Checks are flooding the logs: every minute there are some writes, and in case of problems it is very hard to deal with the other writes in the log.
Now I don't think it is necessary to disable logging, but sshd_config already offers this possibility in the form of 'LogLevel' (see: man sshd_config). I have tried to set it in '/usr/local/etc/ssh/sshd_config' but it is removed after sshd restart.
Is it possible 'LogLevel' is added to the GUI so we can set something like 'ERROR', 'QUIET' etc.?
Or it may be even better to completely give sshd its own LOG.
I hope this is not very big work to create, but I'm sure some of us would be very happy if you would consider it, and if you do, please consider the last one ;D

Greetings and Thanks, mark
#7
Hi guys,

A while ago, a feature was added (in 19.1.7), namely:
Quote: adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4
If you are a Nextcloud user using self-signed certs, like me, your backup may be failing, check this! If this is the case, the solution is to still add your self-signed CA to 'ca-root-nss.crt'; after this the backup to your cloud will continue to work.

@franco, in forum post https://forum.opnsense.org/index.php?topic=12615.msg58252#msg58252 you said in #4 this feature was added, though I'm experiencing the opposite and using the above solution. ;)

Thanks, mark
#8
Hi there,

Just a question about the builtin AP use.
I'm using a few very cheap access points:
Ralink Technology, Corp. RT5370 Wireless Adapter
which shows itself as:
Shenzhen Ogemray Technology Co., Ltd.

Now, it's not that they have troubles; in fact they work very well for a 5 dollar AP, and for a few years already.
My question is: if I change something in the configuration of the AP, say the WPA pre-shared key or intra-BSS communication, after doing that the whole machine needs to be rebooted for the AP to become visible again; a simple save and apply won't do the trick. Is that predictable (normal) behavior?

Thanks, mark
#9
Hi there,

I have upgraded my box just now and everything seems to work as expected, thanks for that  ;D
Now I saw some files that could be removed; just to be on the safe side, can I safely remove:

/usr/local/etc/ssl/cert.pem, suricata/classification.config and suricata/suricata.yaml

Thanks
Greetings mark
#10
Tutorials and FAQs / Live in a terminal
September 25, 2018, 07:14:34 PM
Hello OPNsensers,

I'm (very) curious about other users' scripts and shell adaptations.
With that I mean: do you tweak your shell, what does your .cshrc.mine look like, did you add some useful code/script to OPNsense?
I could find a BSD forum and ditch it there, but that doesn't seem right, and besides that OPNsense is my only BSD ATM.
So moderators, I hope this is allowed and we can share some shell/scripting code for OPNsense here? This could have some value for all of us, thanks.
If you decide to join in and add scripts, please rather add SH code than BASH; I have it installed but most of us don't, thanks.

Let me do the kickoff right away  :P

My .cshrc.mine

# $FreeBSD$
#
# .cshrc.mine - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
# few aliases I like to have
#alias sum       'cksum /usr/local/share/certs/ca-root-nss.crt | sort | diff sum.txt -'
alias tm        tmux attach
alias vim       vi

# Tab completion and - correction
if ($?prompt) then
        set autocorrect =       ambiguous
        set complete    =       enhance
        set correct     =       cmd
endif

# some extra program completions
complete sysctl 'n/*/`sysctl -Na`/'
complete man 'p,*,c,'

# BSD is functional but pretty colorless, let's change that

# Let 'ls' have some color
setenv CLICOLOR yes

# Basic colors
set     red="%{\033[1;31m%}"
set   green="%{\033[0;32m%}"
set    blue="%{\033[1;34m%}"
set  yellow="%{\033[1;33m%}"
set magenta="%{\033[1;35m%}"
set    cyan="%{\033[1;36m%}"
set   white="%{\033[0;37m%}"
set     end="%{\033[0m%}"

# Colored prompt
set prompt="${cyan}%n${red}@%m ${white}%~ ${cyan}%%${end} "

# Colored man pages, I dislike the underlining of everything..
setenv LESS_TERMCAP_mb `echotc md; echotc AF 4`
setenv LESS_TERMCAP_md `echotc md; echotc AF 4`
setenv LESS_TERMCAP_me `echotc me`
setenv LESS_TERMCAP_se `echotc me`
setenv LESS_TERMCAP_so `echotc md; echotc AF 1; echotc AB 4`
setenv LESS_TERMCAP_ue `echotc me`
setenv LESS_TERMCAP_us `echotc md; echotc AF 2`

# Unset used colors
unset red green blue yellow magenta cyan white end


My .tmux.conf

set -g default-terminal "screen-256color"

# interval is up to you, but it may use precious cpu time if set to 1
set-option -g status-interval 30
set-option -g status-right-length 60
set-option -g status-left-length 120

set -g status-bg colour237
set -g status-fg colour237
set -g mouse on

set -g status-left '#[fg=blue] #(hostname -s) #[fg=colour41]*#[fg=blue] #(sh bin/tmx temp)C #[fg=colour41]* #[fg=blue]#(sh bin/tmx mem) #[fg=colour41]* #[fg=blue]#(sh bin/tmx sum)  '
set -g status-right '#[fg=blue]#(sh bin/tmx avg)#[fg=colour41]* #[fg=blue]%H:%M'

# Attach a running session or create a fresh one
new-session -n $HOST


Script called by tmux; I use it for the status bar:
#!/bin/sh
# tmx - helpers for the tmux status line, called as: sh bin/tmx <temp|mem|avg|sum>
set -e

# Average temperature of the first two cores, one decimal
temp () {
  var1=$(sysctl -n dev.cpu.0.temperature | awk '{printf "%3.0f\n",$1}')
  var2=$(sysctl -n dev.cpu.1.temperature | awk '{printf "%3.0f\n",$1}')

  echo "scale=1; ($var1 + $var2) / 2" | bc
}

# Percentage of physical memory in use: real - (inactive + free) pages
mem () {
  mem_real=$(sysctl -n hw.realmem)
  pagesize=$(sysctl -n hw.pagesize)

  inact_count=$(sysctl -n vm.stats.vm.v_inactive_count)
  free_count=$(sysctl -n vm.stats.vm.v_free_count)

  # sh arithmetic is 64-bit, so bc is not needed here; quoting inside $(( ))
  # is what broke the original calculation
  mem_avail=$(( (inact_count + free_count) * pagesize ))
  mem_used=$(( mem_real - mem_avail ))

  printf '%s%%\n' "$(( mem_used * 100 / mem_real ))"
}

# Load averages without the braces sysctl prints around them
avg () {
  sysctl -n vm.loadavg | sed 's/{//g;s/}//g'
}

# Warn when the system CA bundle no longer matches the saved baseline, made with:
#   cksum /usr/local/share/certs/ca-root-nss.crt > ~/sum.txt
# Only checksum and size are compared, so the path stored in sum.txt is ignored
sum () {
  if [ "$(cksum /usr/local/share/certs/ca-root-nss.crt | \
      awk '{printf "%-1s %s\n", $1 , $2}')" \
      != "$(awk '{printf "%-1s %s\n", $1 , $2}' ~/sum.txt)" ]; then
    echo nss-mismatch
  fi
}

case "$1" in
  temp) temp ;;
  mem)  mem ;;
  avg)  avg ;;
  sum)  sum ;;
  *)    printf 'Usage: sh tmx (temp, mem, avg or sum)\n' ;;
esac

exit 0


That's it, enjoy
Greetings, mark

edit:remove hard enter (CR)
edit2:add function sum to script
#11
General Discussion / robust remote safety
August 23, 2018, 06:43:01 PM
Hello all,

I have a question which I'm not sure if it is or is not, and I will not test it on my only OPNsense host. Anyway, if I am connected to OPNsense through SSH and (hypothetically) my shell breaks and I lose connection with it:
1. Nothing happens, OPNsense is protected against this breakage.
2. Depending on where you were in the upgrade process, you're screwed.

If it were 1, sorry for the noise.
If it were 2 however, then I would like to request to make Tmux a standard package, or plugin even, if that would make sense.
The reason is Tmux can prevent damage being done from any kind of remote breakage, like accidentally killing a shell, and would be a sane added safety; don't say it won't happen to you  :P

Now if you ask me, I'm a true believer and have been saved by Tmux more than once, and think it should be on every running host to hold the fortress, and so I have it, but what do you think about it? I mean we all want a safer, more secure but also more robust firewall :D

Thanks mark

edit: assume breakage happens when in the middle of an upgrade.;)
#12
Hey all, trying to install MC which has gmake as a (make) dependency.

The problem lies here: it seems not to get installed, with no error.

This is what I did:

sudo opnsense-code ports
cd /usr/ports/devel/gmake/
sudo make install

The log contained the following:
Aug 16 20:44:52    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/su
Aug 16 20:44:52    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/su
Aug 16 20:44:28    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/make install
Aug 16 20:44:28    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/make install

Thanks mark

edit: forgot to mention it has worked in the past, I have bash & tmux installed  :)
#13
Documentation and Translation / Share docs
July 04, 2018, 04:30:19 PM
Hello, I have built a clean container setup for building the docs, cloned the repo and built the docs, uploaded the result to a local web server and tested it.
Very nice, I never worked with Sphinx nor ReadTheDocs before but I may just convert my own local wiki to it, works beautifully.
Now if I understand correctly I can just throw my .rst in the right directory, with the images appended & in the right directory, and it will build, right? That would be very very easy.  ;D
Also, forgive my noobness here, but I have a question about git, I don't use it much: I fork the repo to my own GitHub account, then do the adjustments and push them back to my account.
You guys would be notified when I pushed the change to my own account, right...

Thanks mark

edit: just added my own page, nice, though that page is not ready, but this is super easy, I like it
#14
Hello all,


A little guide for home 'sensers' not willing to buy or make use of free CRT's, or not able to do so.

Set up a chain of trust for your OPNsense and use OPNsense to do that for other local network services.

Though it's not complicated, back up before you proceed.

Once done we would only have one self-signed CRT for the OPNsense chain, the root CA, which is never exposed.
The number of self-signed CA's & signed intermediates is up to you of course; always keep in mind the chain... and the common name...
Use understandable descriptions for your CRT's.

====================
Right, let's start the fun part.
First go to Trust/Authorities and create an internal CA.
This will be the root CA; it does nothing besides signing intermediate CA's, we don't expose nor abuse this one.

Now create a second CA signed by the first one you created and let it be an intermediate.
This intermediate will sign the CRT for the OPNsense webserver.

Head to Trust/Certificates and create the server CRT, use the intermediate to sign it.

Head back to Authorities and download the intermediate CRT, then open your browser preferences & head to Certificates/Authorities.
Import the intermediate CA CRT you just saved; you still need to trust it.

Go to System/Settings/Administration and set the dashboard to use the newly installed CRT for the web GUI.
Remove any old OPNsense CRT from your browser and restart it (don't know if this step is actually necessary).
Open up the OPNsense dashboard & be presented with a secure site trusted by you and therefore by your browser.


============
Nextcloud users:
Your Nextcloud server is in a local/lab environment.
This one is a little trickier than the previous one.
OPNsense doesn't know anything about the self-signed CA's, intermediates etc. on your OPNsense box.
Using self-signed CRT's for the backup to Nextcloud can be done roughly the same way we did for OPNsense.
In this case you need to add the root CA to the OPNsense CRT store 'ca-root-nss.crt',
and not the intermediate, otherwise you would get something like 'verify_result 2',
which means the issuer is unknown because of an incomplete chain --> the CA is missing in this case.

There is no need to expose your OPNsense root CA; create at least the next chain:
'CA --> intermediate-CA --> server-crt'.
Download the CA.crt from OPNsense, upload it back to OPNsense (do it safely, using something like SCP at least) and add it to the store, like this:
'cat nextcloud-CA.crt >> /usr/local/share/certs/ca-root-nss.crt'.
You can't use 'cp' because it needs to be appended to the existing CRT, which is a single file.

Upload the *.p12 server CRT archive from OPNsense to your Nextcloud server.
Extract the archive into a single PEM file: '#openssl pkcs12 -in nextcloud-crt.p12 -out nextcloud-crt.pem -nodes'
Now create the CRT from the PEM: '#cp nextcloud-crt.pem nextcloud-crt.crt'
Point your webserver to use the CRT; no need to add the key separately, it's included in the CRT.
If you don't want this, check some guides ;)
Some sane permissions: '400', read-only for the owner, is sufficient, no one is going to/needs to change it.

Your backup should run on the first test.
Download the intermediate CRT and add it to your browser.
Your Nextcloud frontend is now also a trusted site.
Want to remove the CA from the OPNsense store? Just use 'vi' and remove the part below '#End of file', if you only added this CRT!!

WARNING: If 'ca_root_nss' is updated your input is removed; add the CRT anew. You may script/automate this but I don't see the real advantage, it's 5 seconds of work.

Performing a 'Health' audit would raise an alert: 'checksum mismatch for /usr/local/share/certs/ca-root-nss.crt', which is obvious.
You still check though... perform an audit health check before you add the CA; if okay, add the CA and then make a new sum and save it: 'cksum ca-root-nss.crt > /home/user/sum.txt'


======================
Servers on your local subnets
The procedure is the same.
'CA --> intermediate-CA --> server-crt'
Create your local webserver CRT and use a CA intermediate to do that, I like to create separate chains..
Download the server.p12 archive, upload it safely to your server, f.i. '/etc/ssl/localcerts'
Extract the archive and create the CRT.
Set some sane permissions on it!
Point your server to use the newly installed CRT.
Open your browser and page and see the secure connection is established immediately.
Make sure your system/browser knows the intermediate.


========
Openvpn:
There is a good entry in the wiki already


I probably made mistakes, your feedback is valuable.

This guide is based on Linux/Unix though it should work for other platforms too, correct me if I'm wrong here.
I don't know how to add CRT's to your phone, please refer to your phone's guide for a how-to or google.
You can also put the CRT's system-wide, check your distro/OS on how to do that.
If you have a nice chain, please add it so this can become a fine guide for 'self signers'.
Forgive me for the bad markup, I'll make it better over time; the goal is to create a wiki entry about this topic ;)
Keep it trusted, mark
#15
Hello all,

Trying the Nextcloud backup, but I seem to bump into something and keep getting

The following input errors were detected:

    communication failure
   

after hitting 'Setup/TestNextcloud'
   
My Nextcloud server is Debian, specs are:
4.9.0-6-amd64
nextcloud 13.0.4
a separate user for OPNsense backups, TOTP enabled (which shouldn't matter since an app id is used)
an app password for OPNsense
Nextcloud machine firewall set to allow OPNsense

The same method is used for an Android phone, a mediaplayer and ArchLinux on a different account; they seem to work fine.

Logs contain no info about this, or I'm looking at the wrong ones.
Live view shows all connections are allowed.
Tried with 2FA and without (on Nextcloud) and logged out to activate the change; the failure is the same.

Thanks mark

edit: one thing I forgot to mention, may be important or not !?
I'm NOT running my Nextcloud server on:
nextcloud.server.domain
Instead I have it on:
server.domain/nextcloud
#16
18.1 Legacy Series / [solved] revert patch
May 31, 2018, 05:04:18 PM
Hi all,

I patched QR code by hand: opnsense-patch 2f247f2
see https://forum.opnsense.org/index.php?topic=6885.msg39230#msg39230

Now I tried to update to 18.1.9 but the patch is in the way  ;)

I tried: opnsense-patch -R 2f247f2, but reverse is not compiled into opnsense-patch; I see it is in patch, but can I use that too?
Or is there another way to proceed?

Thanks mark

edit: sorry if it's the wrong subforum, thought of this too late

edit2: NVM, executing the same patch reverts it, it's updating now, thanks  8)
#17
18.1 Legacy Series / [solved] 2FA
May 30, 2018, 06:51:10 PM
Hi all,

Thanks for all the labour done on OPNsense already. I kept my eye on OPNsense from the beginning and installed it a few times, and am now 'officially' migrated to it from pfSense.
Everything works as expected, though there are a few things, and they may be features.
I use 2FA for OpenVPN and an admin to log in; both work fine. But I have that same admin login on SSH using keys (I know SSH is not part of 2FA, plans?) and was able to elevate my rights, becoming root with su, without 2FA enabled.
After enabling 2FA, su to root was not possible anymore. Since I can log in on SSH (keyfile) using the admin who is using 2FA, I want to become root (doesn't use 2FA); why be bothered by 2FA since the login with token won't work anyway?

Thanks mark