Topics - Fatmouse69

1
19.1 Legacy Series / [SOLVED] Problems with DNS of OpenVPN clients
« on: March 14, 2019, 12:05:25 pm »
Hi,
I am running a Road-Warrior setup which runs pretty fine, except that sporadically the DNS for my local network is not working on my VPN-clients. Sometimes they can ping e.g. host01.mylocaldomain.lan and sometimes they can't.

As a workaround I tried to set static DHCP leases for my local network hosts and on top of this override DNS entries for those static IPs (I am using Unbound DNS). But then my local clients (e.g. host01) aren't able to reach the Internet. I already tried to fix this by setting the gateway explicitly, but without success.

Hopefully somebody can give me a hint. Thank you very much for your time.

Kind regards

2
18.7 Legacy Series / Redirect Gateway excludes not always Local Network
« on: October 19, 2018, 01:22:02 pm »
Hi,

During my tests with OpenVPN I recognized that the Redirect Gateway option excludes the Local Network setting when I am creating or editing an OpenVPN service. But it does not when I am in the setup wizard. See screenshots attached.

Is this desired behavior?

Greetings, David

3
18.7 Legacy Series / [SOLVED] OpenVPN not working
« on: October 17, 2018, 10:20:47 am »
Hi,
I am trying to configure OpenVPN on my OPNsense (v18.7.5) following this guideline: https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html.
(Btw.: I am aware of the upcoming updates on this documentation. See: https://github.com/opnsense/docs/issues/23). But independently of this, OpenVPN should work.

My problem is that my client (MacOS 10.14) is not able to connect.

The test-setup is as follows:
  • Server WAN address: 192.168.2.146/24
  • Client IP address: 192.168.2.71
  • I disabled 'Block private networks' on WAN
  • OpenVPN is configured to listen on port 11944
  • IPv4 tunnel network is 10.0.0.0/24
  • WAN interface allows IPv4 UDP for the WAN address and port 11944
  • OpenVPN interface allows IPv4 from 10.0.0.0/24 to LAN net (also tried with any...)

When I am trying to connect I get the following output:
Quote
2018-10-17 10:03:42 *Tunnelblick: Established communication with OpenVPN
2018-10-17 10:03:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63256
2018-10-17 10:03:42 MANAGEMENT: CMD 'pid'
2018-10-17 10:03:42 MANAGEMENT: CMD 'auth-retry interact'
2018-10-17 10:03:42 MANAGEMENT: CMD 'state on'
2018-10-17 10:03:42 MANAGEMENT: CMD 'state'
2018-10-17 10:03:42 MANAGEMENT: CMD 'bytecount 1'
2018-10-17 10:03:42 MANAGEMENT: CMD 'hold release'
2018-10-17 10:03:55 MANAGEMENT: CMD 'username "Auth" "136"'
2018-10-17 10:03:55 MANAGEMENT: CMD 'password [...]'
2018-10-17 10:03:55 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-10-17 10:03:55 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-17 10:03:55 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2018-10-17 10:03:55 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.146:11944
2018-10-17 10:03:55 Socket Buffers: R=[786896->786896] S=[9216->9216]
2018-10-17 10:03:55 UDP link local (bound): [AF_INET][undef]:0
2018-10-17 10:03:55 UDP link remote: [AF_INET]192.168.2.146:11944
2018-10-17 10:03:55 MANAGEMENT: >STATE:1539763435,WAIT,,,,,,
2018-10-17 10:04:55 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-10-17 10:04:55 TLS Error: TLS handshake failed
2018-10-17 10:04:55 SIGUSR1[soft,tls-error] received, process restarting
2018-10-17 10:04:55 MANAGEMENT: >STATE:1539763495,RECONNECTING,tls-error,,,,,
2018-10-17 10:04:55 MANAGEMENT: CMD 'hold release'

I already checked that the WAN interface receives UDP traffic on port 11944.

Currently, I do not have a clue what the problem is and why the TLS handshake fails. I also tried a completely fresh installation.

My problem seems similar to this one: https://forum.opnsense.org/index.php?topic=7675.0. But changing from UDP to TCP does not change anything either.

Thank you for any hint.

Greetings, David

PS: if any further information is needed, I will provide it of course.

UPDATE:
I read on several sites that testing the VPN functionality from the same network is not recommended/often not working. I am in that situation, as my client lies in the same network (192.168.2.0/24).

UPDATE 2:
When I move the OpenVPN server from the WAN to the LAN interface the client connects successfully. In the German forum a very similar topic is currently being discussed: https://forum.opnsense.org/index.php?topic=9932.0.

4
18.7 Legacy Series / [SOLVED] ntpd can't allocate memory
« on: October 16, 2018, 01:55:41 pm »
Hi,

I set up a new OPNsense 18.7. Upgraded to 18.7.4 successfully and wanted to test out 2FA with a TOTP server as documented here: https://docs.opnsense.org/manual/how-tos/two_factor.html.

Unfortunately this does not work as expected. As the TOTP highly depends on time sync I checked NTP and it seems that there are some problems regarding this service. I get the following log messages while analyzing the log of ntpd:

ntpd[27311]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
ntpd[27311]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
ntpd[27311]: mlockall(): Cannot allocate memory


Can this be the cause of a nonfunctional TOTP server? How can I solve this?

Thank you very much for your help.

UPDATE:
Yesterday, I totally ignored the fact that I had selected a token length of 8 and my OTP generator (FreeOTP app) is only capable of generating tokens with a length of 6 digits (d'oh!). After changing this to 6 digits, the 2FA functionality works. Nevertheless, does the inability to allocate memory mean any problems?
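The two failure modes in this post (a server configured for 8-digit tokens while the app produces 6-digit ones, and a verifier that depends on a synchronised clock) can be reproduced with plain RFC 6238 arithmetic. The following is an added example written for this page, not OPNsense's or FreeOTP's own code; it uses the RFC 4226/6238 reference secret rather than any real key, and assumes the 30-second step and SHA-1 defaults from the RFC.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"); not a real key.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # RFC 6238 default time step in seconds (assumed, not read from OPNsense)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                digits: int = 6, step: int = STEP, window: int = 1) -> bool:
    """Server-side check: accept codes from +/- `window` steps around the server clock.

    A code of the wrong length can never match, which is the 8-vs-6 digit failure
    from the post.  A client clock off by more than window*step fails the same way,
    which is why an unsynchronised ntpd on the verifier matters.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = server_time // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # compare every candidate so timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time
    app_code = totp(RFC_SECRET, t, digits=6)
    print("8-digit server expects:", totp(RFC_SECRET, t, digits=8))  # 94287082
    print("6-digit app produces:  ", app_code)                        # 287082
    print("accepted with digits=8:", verify_totp(RFC_SECRET, app_code, t, digits=8))  # False
    print("accepted with digits=6:", verify_totp(RFC_SECRET, app_code, t, digits=6))  # True
```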
