Topics

1

19.1 Legacy Series / Solved Nextcloud backup failure, self-signed certs

« on: July 03, 2019, 05:50:57 pm »

Hi guys,

A while ago, a feature was added to (19.1.7), namely

adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4

If you are a Nextcloud user using self-signed certs., like me, your backup may be failing, check this! If this is the case, the solution is to still add your self-signed CA to 'ca-root-nss.crt', after this the backup to your cloud will continue to work.

@franco, in forum post https://forum.opnsense.org/index.php?topic=12615.msg58252#msg58252 you said in #4 this feature was added, though, I'm experiecing the opposite and using the above solution.

Thanks, mark

2

Hardware and Performance / AP use provided by OPNsense

« on: June 04, 2019, 05:45:45 pm »

Hi there,

Just a question about the builtin AP use.
I'm using a few very cheap access points :
Ralink Technology, Corp. RT5370 Wireless Adapter
which shows itself as:
Shenzhen Ogemray Technology Co., Ltd.

Now, it's not that they have troubles, in fact they work very well for a 5 dollar AP, and a few years already.
My question is: if I change something in the configuration of the AP, say the WPA-pre-shared key or  intra-BSS communication, after doing that, the whole machine needs to be rebooted for the AP to become visible again, a simple save and apply won't do the trick, is that predictable(normal) behavior?

Thanks, mark

3

19.1 Legacy Series / [Solved}remove some files after update

« on: May 02, 2019, 02:57:56 pm »

Hi there,

Have upgraded my box just now and everything seems to work as expected, thanks for that 
Now I saw some files that could be removed, just to be on the safe side, I can safely remove:

/usr/local/etc/ssl/cert.pem  suricate/classification.config and suricata/suricata.yaml

Thanks
Grettings mark

4

Tutorials and FAQs / Live in a terminal

« on: September 25, 2018, 07:14:34 pm »

Hello OPNsensers,

I'm (very) curious of other users scripts and shell adaptions
With that I mean: do you tweak your shell, what does your .cshrc.mine look like, did you add some useful code/script to OPNsense?
I could find a BSD forum and ditch it there, but that don't seem right and besides that OPNsense is my only BSD ATM.
So moderators, I hope this is allowed and we can share some shell/scripting code for OPNsense here?, this could have some value for all of us, thanks.
If you decide to join in and add scripts, please, rather add SH code than BASH, I have it installed but most of us don't, thanks.

Let me do the kickoff right away 

My .cshrch.mine

Code: [Select]

# $FreeBSD$
#
# .cshrc.mine - csh resource script, read at beginning of execution by each she
ll
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
# few aliases I like to have
#alias sum       'cksum /usr/local/share/certs/ca-root-nss.crt | sort | diff sum.txt -'
alias tm        tmux attach
alias vim       vi

# Tab completion and - correction
if ($?prompt) then
        set autocorrect =       ambiguous
        set complete    =       enhance
        set correct     =       cmd
endif

# some extra program completions
complete sysctl 'n/*/`sysctl -Na`/'
complete man 'p,*,c,'

# BSD is functional but pretty colorless, let's change that

# Let 'ls' have some color
setenv CLICOLOR yes

# Basic colors
set     red="%{\033[1;31m%}"
set   green="%{\033[0;32m%}"
set    blue="%{\033[1;34m%}"
set  yellow="%{\033[1;33m%}"
set magenta="%{\033[1;35m%}"
set    cyan="%{\033[1;36m%}"
set   white="%{\033[0;37m%}"
set     end="%{\033[0m%}"

# Colored prompt
set prompt="${cyan}%n${red}@%m ${white}%~ ${cyan}%%${end} "

# Colored man pages, I dislike the undelining of everything..
setenv LESS_TERMCAP_mb `echotc md; echotc AF 4`
setenv LESS_TERMCAP_md `echotc md; echotc AF 4`
setenv LESS_TERMCAP_me `echotc me`
setenv LESS_TERMCAP_se `echotc me`
setenv LESS_TERMCAP_so `echotc md; echotc AF 1; echotc AB 4`
setenv LESS_TERMCAP_ue `echotc me`
setenv LESS_TERMCAP_us `echotc md; echotc AF 2`

# Unset used colors
unset red green blue yellow magenta cyan white end

My .tmux.conf

Code: [Select]

set -g default-terminal "screen-256color"

# interval is up to you, but it may use precious cpu time if set to 1
set-option -g status-interval 30
set-option -g status-right-length 60
set-option -g status-left-length 120

set -g status-bg colour237
set -g status-fg colour237
set -g mouse on

set -g status-left '#[fg=blue] #(hostname -s) #[fg=colour41]*#[fg=blue] #(sh bin/tmx temp)C #[fg=colour41]* #[fg=blue]#(sh bin/tmx mem) #[fg=colour41]* #[fg=blue]#(sh bin/tmx sum)  '
set -g status-right '#[fg=blue]#(sh bin/tmx avg)#[fg=colour41]* #[fg=blue]%H:%M'

# Attach a running session or create a fresh one
new-session -n $HOST

Script called by tmux, I use it for the statusbar,

Code: [Select]

#!/bin/sh
set -xe

temp () {
  var1=$(sysctl -n dev.cpu.0.temperature | awk '{printf "%3.0f\n",$1}')
  var2=$(sysctl -n dev.cpu.1.temperature | awk '{printf "%3.0f\n",$1}')

  echo "scale=1; ($var1 + $var2) / 2" | bc
}

mem () {
  mem_real=$(sysctl -n hw.realmem)
  pagesize=$(sysctl -n hw.pagesize)

  inact_count=$(sysctl -n vm.stats.vm.v_inactive_count)
  free_count=$(sysctl -n vm.stats.vm.v_free_count)

  mem_inact=$(printf "%s\\n" "$inact_count *$pagesize" | bc)
  mem_free=$(printf "%s\\n" "$free_count * $pagesize" | bc)

  mem_avail=$(printf "%s\\n" "$mem_inact + $mem_free" | bc)
  mem_used=$(printf "%s\\n" "$mem_real - $mem_avail" | bc)

  printf "%s\\n" "$(("$mem_used * 100 / $mem_real"))"%
  exit 0
}

avg () {
  sysctl -n vm.loadavg | sed 's/{//g;s/}//g'
}

sum () {
  if [ "$(cksum /usr/local/share/certs/ca-root-nss.crt | \
      awk '{printf "%-1s %s\n", $1 , $2}')" \
      != "$(awk '{printf "%-1s %s\n", $1 , $2}' ~/sum.txt)" ]; then
    echo nss-mismatch
  fi
}

if [ "$1" = temp ]; then
  temp
elif [ "$1" = mem ]; then
  mem
elif [ "$1" = avg ]; then
  avg
elif [ "$1" = sum ]; then
  sum
else
  printf "Usage: sh tmx (temp mem or avg) \\n"
fi

exit 0

That's it, enjoy
Greetings, mark

edit:remove hard enter (CR)
edit2:add function sum to script

5

General Discussion / robust remote safety

« on: August 23, 2018, 06:43:01 pm »

Hello all,

I have a question which I'm not sure if it is or is not and will not test it on my only OPNsense host, anyway, If I am connected to OPNsense trough SSH and  (hypothec) my shell breaks and I loose connection with it.
1. Nothing happens OPNsense is protected against this breakage.
2 Depending on where you were in the upgrade process you're screwed.

If it were 1, sorry for the noise.
If it were 2 however then I would like to request to make Tmux a standard package or plugin even if that would make sense.
The reason is Tmux can prevent damage being done from any kind of remote breakage like accidentally killing a shell and would be sane added safety, don't say it wont happen to you 

Now if you ask me I'm a true believer and have been saved by Tmux more than once and think it should be on every running host to hold the fortress and so I have it, but what do you think about it?  I mean we all want a safer securer but also more robust firewall

Thanks mark

edit: assume breakage happens when in the middle of an upgrade.

6

18.7 Legacy Series / [solved] install mc-light from ports failed, sorta

« on: August 16, 2018, 09:10:33 pm »

Hey all, trying to install MC which has gmake as (make) dependency.

The problem lies here, it seems to not get installed no error.

This is what I did:

sudo opnsense-code ports
cd /usr/ports/devel/gmake/
sudo make install

The log contained the following:
Aug 16 20:44:52    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/su
Aug 16 20:44:52    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/su
Aug 16 20:44:28    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/make install
Aug 16 20:44:28    sudo: opnadmin : TTY=pts/0 ; PWD=/usr/ports/devel/gmake ; USER=root ; COMMAND=/usr/bin/make install

Thanks mark

edit;forgot to mention it has worked in the past, I have bash & tmux installed 

7

Documentation and Translation / Share docs

« on: July 04, 2018, 04:30:19 pm »

Hello, I have build a clean container setup for building the docs, cloned the repo and did build the docs, uploaded the result to a local web server and tested it.
Very nice, I never worked with Sphinx nor ReadTheDocs before but I may just convert my own local wiki to it, works beautiful.
Now if I understand I can just throw my .rst in the right dir. with the imgages appended & in the right dir. and it will build right? That would be very very easy. 
Also, forgive my noob ness here, but I have question about git I don't use it much: I fork the repo to my own github account than do the adjustments push them back to my account.
You guys would be notified when I pushed the change to my own account, right...

Thanks mark

edit: just added my own page, nice, though that page is not ready but this super easy, I like it

8

Tutorials and FAQs / How to create self signed trusted chains

« on: July 02, 2018, 09:19:11 pm »

Hello all,


A liitle guide for home 'sensers' not willing to buy or make use of free CRT's or not able to do so.

Set up a chain of trust for your OPNsense and use OPNsense to do that for other local network services.

Though it's not complicated, backup before you proceed.

Once done we would only have one self signed CRT for the OPNsense chain, the root CA which is never exposed.
The number of self signed CA's & signed intermediates is up to you of course, always keep in mind, the chain... and the common name...
Use understandable descriptions for your CRT's

====================
Right lets start the fun part
First go to trust/Authorities and create an internal CA.
This will be the root CA, it does nothing besides sign intermediate CA's, we don't expose nor abuse this one.

Now create a second CA signed by the first one you created and let it be intermediate.
This intermediate will sign the CRT for the OPNsense webserver

Head to trust/Certificates and create the server CRT, use the intermediate to sign it.

Head back to Authorities and download the intermediate CRT and open your browser/preferences & head to certificates/Authorities
Import the intermediate CA CRT you just saved, U still need to trust it.

Go to system/settings/Administration and set the dashboard to use the newly installed CRT for the webgui.
Remove any old OPNsense CRT from your browser restart it (don't know if this step is actually neccesary)
Open up OPNsense dashboard & be presented with a secure site trusted by you and therefore by your browser.


============
Nexcloud users:
Your Nexcloud server is in a local/lab environment.
This one is a little trickier than the previous one.
OPNsense don't know nothing about the self signed CA's intermediates etc. on your OPNsense box
Using self signed CRT's for the backup to Nextcloud can be done roughly the same way we did for OPNsense.
In this case you need to add the root CA to OPNsense CRT store 'ca-root-nss.crt',
and not the intermediate otherwise you would get something like 'verify_result 2',
which means the issuer is unknown because of an incomplte chain --> the CA is missing in this case

There is no need to expose your OPNsense root CA , create at least the next chain:
'CA --> intermediate-CA --> server-crt.'
Download the CA.crt from OPNsense, upload it back to OPNsense, do it safe using something like SCP at least and add it to the store, like this:
'cat nextcloud-CA.crt >> /usr/local/share/certs/ca-root-nss.crt'.
You can't use 'cp' because it needs to be appended to the excisting CRT which is a single file.

Upload the *.p12 server CRT archive from OPNsense to your Nextcloud server.
Extact the archive into a single PEM file: '#openssl pkcs12 -in nextcloud-crt.p12 -out nextcloud-crt.pem -nodes'
Now create the CRT from the PEM '#cp nextcloud-crt.pem nextcloud-crt.crt'
Point your webserver to use the CRT, no need to add the key separately it's included in the CRT.
If you don't want this, check some guides
Some sane permissions '400' read only owner is sufficent, no one going/needs to change it.

Your backup should run on first test.
Download the intermediate CRT and add it to your browser.
Your Nextcloud frontend is now also a trusted site.
Want to remove the CA from the OPNsense store, just use 'vi' and remove the part below '#End of file', if you did only add this CRT!!

WARNING: If 'ca_root_nss' is updated your input is removed, add the CRT overnew, you may script/automate this but I don't see the real advantage it's 5 seconds work.

Performing a 'Health' audit would raise an alert:'checksum mismatch for /usr/local/share/certs/ca-root-nss.crt' which is obvious,
You still check though... perform a audit health check before you add the CA, if okay add the CA and than make a new sum and save it  'cksum ca-root-nss.crt > /home/user/sum.txt'


======================
Servers on your local subnets
The procedure is the same.
'CA --> intermediate-CA --> server-crt'
Create your local webserver CRT and use a CA intermediate to do that, I like to create seperate chains..
Download the server.p12 archive upload it safely to your server f.i. '/etc/ssl/localcerts'
Extract the archive and create the CRT.
Set some sane permissions on it!
Point your server to use the newly installed CRT.
Open your browser and page and see the secure connection is establisched immediately.
Make sure your system/browser know's the intermediate.


========
Openvpn:
There is a good entry in the wiki already


I probably made mistakes, your feedback is valuable.

This guide is based on Linux/Unix though should work for other platforms too, correct me if I'm wrong here.
I don't know how to add CRT's to your phone, please refer to your phones guide for a how to or google.
You can also put the CRT's system wide, check your distro/OS how to do that.
If you have a nice chain, please add it so this can become a fine guide for 'self signers'.
Forgive me for the bad makeup, I make it better over time, the goal is to create a wiki entry about this topic
Keep it trusted mark

9

18.1 Legacy Series / [solved] Nexcloud: communication failure

« on: June 24, 2018, 04:58:16 pm »

Hello all,

Trying the Nextcloud backup, but I seem to bump into something and keep getting

Code: [Select]

The following input errors were detected:

    communication failure
    after hitting 'Setup/TestNextcloud'
   
My Nextcloud server is Debian specs are:
4.9.0-6-amd64
nextcloud 13.0.4
a separate user for Opnsense backups, TOTP enabled(which shouldn't matter since app id is used)
a app password for Opnsense
Nextcloud machine firewall set to allow Opnsense

The same method is used for an android phone a mediaplayer and ArchLinux on a different account, they seem to work fine.

Logs contain no info about this or I'm looking for the wrong ones.
Live view shows all connections are allowed.
Tried with 2fa and without (on Nextcloud) and logout to activate the change, the failure is the same.

Thanks mark

edit: one thing I forgot to mention may be important or not !?
I'm NOT running my Nexcloud server on:
nextcloud.server.domain
Instead I have it on:
server.domain/nextcloud

10

18.1 Legacy Series / [solved] revert patch

« on: May 31, 2018, 05:04:18 pm »

Hi all,

I patched QR code by hand :opnsense-patch 2f247f2
see https://forum.opnsense.org/index.php?topic=6885.msg39230#msg39230

Now I tried to update to 18.1.9 but the patch is in the way 

I tried: opnsense-patch -R 2f247f2, but revese is not compiled with opnsense-patch, I see it is in patch, but, can I use that too?
Or is there another way to proceed?

Thanks mark

edit:sorry if it's the wrong subforum, thought of this 2 late

edit2: NVM excuting the same patch reverts it, it's updating now thanks 

11

18.1 Legacy Series / [solved] 2FA

« on: May 30, 2018, 06:51:10 pm »

Hi all,

Thanks for all the labour done on opnsense already. Kept my eye on opnsense from teh beginning and installed it a few times and am now 'officially' migrated to it from pfsense.
Everything works as expected, though, there are a few things and they may be features.
I use 2FA for openvpn and an admin to login, both work fine. But I have that same admin login on SSH using keys (I know SSH is not part of 2FA, plans?) and was able to elevate my rights becoming root with su, without 2FA enabled.
After enabling 2FA su to root was not possible anymore. Since I can login on SSH (keyfile) using the admin who is using 2FA, I want to become root (doesn't use 2FA) why be bothered by 2FA since the login with token won't work anyway?

Thanks mark