Topics

1

21.1 Production Series / Let's encrypt renewal automation

« on: May 04, 2021, 12:04:18 pm »

Hi there,

My Let's encrypt certificate never auto renews and I am not sure why.   I have to do this manually every time which is extremely tedious!  I wonder if I have something set wrong in the schedule page or something.  Could someone share the settings they use to make sure this works?

2

20.7 Legacy Series / Unbound keeps stopping

« on: January 05, 2021, 12:30:03 pm »

Been ages since I've had any issue with OpnSense and I am running on 20.7.7 (installed) with Unbound at 1.13.0 (though have noticed that an _1 is now there and updated).

My problem is that unbound keeps stopping, and that breaks everything.  It seems to do this fairly randomly but it is a pain when it does!  Now I know the challenge I can just get on the switch and start it again, however I feel like it may be possible to autostart it with Monit if it fails.  Has anyone done this or got a pointer to some information on how to make that work?

3

20.7 Legacy Series / Wireguard and 20.7

« on: August 31, 2020, 12:15:25 pm »

I've been using Wireguard for quite some time now and its been great.

Saturday I upgraded my router to 20.7 (finally) and now I have discovered that wireguard is no longer functioning.  It makes connections fine and wireguard client is seeing data sent to the wireguard server on my opnsense box but nothing coming back.

On the server I look in the configuration and this sees data being received and sent from the client.  Which suggests that the data being sent is not getting off the router.   When I ping from the client the address of the VPN server I get no response.

Feels like something has changed in the routing or rules.  I've not made any changes so I don't think it is me.  Does anyone have any pointers to where to look to fix this?

4

20.7 Legacy Series / Upgraded to 20.7 now Wife cannot connect to work - I'm in trouble - any ideas

« on: August 30, 2020, 02:17:02 pm »

Yesterday everything was fine.  Last night I upgraded to 20.7 and today she cannot connect to her work.

Their system uses Blackberry secure and it no longer attaches on either Wifi or LAN.  I did not changes other than to upgrade to this version.

Anyone have any idea what is new about 20.7 that could cause this issue?  Everything looks good, and all seems to be working normally other than this.  I wondered if something has changed about allowing VPNs or something?

5

20.1 Legacy Series / Amazon Echo discovery across interfaces

« on: July 23, 2020, 04:39:19 pm »

I am looking for advice with getting the above working.

I have a wireless network on one interface and a wired network on a second interface.  The Echo I have is on wireless and the server it needs to reach on the wired interface.

There are any any rules between the two interface currently.  If I try to discover then the echo will fail.  However if I plug the wireless router into the wired router rather than the second interface then the echo will correctly find the devices, proving this is about protocol crossing the interfaces.

I have the mDNS relay enabled and on these two interfaces and that does not help.  From investigation I believe this may be something to do with either SSDP or multicast between the interfaces (or both) however I've not been able to figure out what.  Can anyone out there help?

6

20.1 Legacy Series / HAProxy as forward proxy with SSL

« on: June 22, 2020, 10:07:19 pm »

Hi there I am using the HAProxy service for reverse proxy.

I can happily get the system to work if I only use HTTP, however I wanted to use HTTPS.  I have tried this in two ways.  I have an internal certificate which I generally use with the machine based of a CA on OpnSense.  This works fine internally.  I also have a LE wildcard cert, the problem with this one is it times out so quickly and recently LE on OpnSense has been a bit of a pain.

What I see in the HAProxy logs is " SSL handshake failure".   I have tried this with SSL offloading on and off and with both certificates however I still get the same single message.  Obviously something is not right.  My hope was that it would pass through the certificate and even though I would have a certificate error on the client at least  it would work and the traffic would be encrypted.

Something is wrong with my thinking, anyone know what it is...?

7

20.1 Legacy Series / DHCP4 - Status... what is that?

« on: June 11, 2020, 02:26:32 pm »

When you look at the leases in DHCP there is a table one of the columns of which is labelled status.  What does this actually do?  It seems woefully inaccurate at saying whether a device is actually online or not.  It shows my main router as Offline when clearly it can't be and it shows my switched off mobile phone as connected.

Is there a way to get good information at what is actually connected at what time?

8

20.1 Legacy Series / Trust Certificates - Where are they and can they be deleted?

« on: May 21, 2020, 05:26:00 pm »

Having time on my hands I am tidying up my network as I should have done ages ago.

I have added a CA and some self generated certificates which I selected the option to store on the OpnSense box.  In hindsight I realise that storing this on the only outward facing device on my system may not be the best idea and I should probably move them elsewhere ;-)

Challenge is that I then can't figure out where they are and if there is a tidy up option somewhere that would do this for me?

9

20.1 Legacy Series / Opnsense SSL Certificate - Self generated

« on: May 19, 2020, 10:30:22 am »

I have been using Let's encrypt for the certificate on my router and that worked fine until the last renewal.  Now it fails to renew so I decided to just use a self generated certificate instead.

I have a CA setup and my QNAP has a certificate.  With my CA added to the certificates in Edge all is good.

When I generate a certificate for my Opnsense router though I still get the "Not Secure" on https.  I've tried all the types of certificate and yet still this is the case.  I have checked that the router pings at the name that I am using for the common name.  I cannot figure out why the certificate would not just work.   Anyone got any ideas?

10

20.1 Legacy Series / Wildcard Let's Encrypt on Cloudflare suddenly failing

« on: May 03, 2020, 01:05:48 pm »

This morning my router did not want to let me in because the certificate has expired and I had to use the emergency override to get access to the menus.

I assumed the script had failed ran it manually and the challenge that keeps coming up is

Error add txt for domain:_acme-challenge.mydomain.com

Problem I have is finding anything about this in the documentation.  If you create this with CertBot the content for the TXT field is given to you, however I cannot find any note of it in in the ACME plugging.  My suspicion is that this is because the script should do this for you, and mine somehow does not get correct access to cloudflare any more.  I re-setup the access to cloudflare to just make sure, however I am still getting the same issue.

Has something changed in recent versions, or has anybody had similar with cloudflare?  Any clues that might help me get this working again would be really helpful.

11

20.1 Legacy Series / DHCP Leases and DNS registration

« on: February 21, 2020, 12:00:34 pm »

Just trying to work out why my DNS is not returning the right address for DHCP registered names, even after flushing the DNS cache.

When I look at the DHCP leases there is a column for Offline/Online.  This does not seem to accurately flag whether something is online or offline, you can happily ping devices marked as offline.  Is this right or an aberation on my box.

Anyway the box I should see is showing up there with the hostname in place and an ipaddress which although shows offline is actually pingable and I can access the box using the ip address.  If I try to ping the name, or do an NSLookup it gets a different address, potentially one that it had earlier?  I tried flushing the local cache on the box I'm working on but this still happens.

Is there anyway to see directly the DHCP registered names in Unbound?  It feels like there should be however I cannot find one.  How do I go about debugging this kind of thing?  I know I can put in Overrides, I was just looking to avoid that if possible due to the additional management involved. 

12

19.7 Legacy Series / Let's encrypt renewal

« on: November 04, 2019, 10:03:18 pm »

I started getting messages from Let's Encrypt about my certificate going out of validity.  Which was weird because I had set it up to auto renew.

When I looked in the log file there is an error saying that certificate is not issued for the domain.  That's strange thought I and went in and manually hit the orange renew button.  Again the log had the same message so before I did anything else I hit the small refresh button on the certifcate line (the one that looks like a C).  This time I got a successful renewal.  In amongst the log I notice that it writes a TXT entry to the DNS that I suspect verifies it when creating the certificate.  That does not happen with the renewal, I assume it expects that to be there.

I am using CloudFlare to host the DNS and I have never removed a txt record.  Has anyone seen this behaviour before or have a suggestion for how I can avoid needing to do this manually again next time?

13

19.7 Legacy Series / Wireguard and Android(Samsung)

« on: August 29, 2019, 02:56:03 pm »

With some help and perserverance I have Wireguard working 100% on my PCTablet.  When I connect I get shown I get info like below and it all just works

peer: **********************************************=
  endpoint: <address>:55703
  allowed ips: 192.168.100.2/32
  latest handshake: 24 seconds ago
  transfer: 16.36 MiB received, 9.47 MiB sent

Using the Android client on my samsung phone and an identical config with only the address changed I assumed that would work too.  This time not though.  I get no entry for that connection other than allowed ips:   Though the client comes on I cannot tell if the link is established.  With a ping tool I have checked that the interface IP appears on the phone and that there is some form of route noted.  Nothing seems to travel that route though :-(  Anybody managed to get this working on Android?

14

19.7 Legacy Series / Self signing and CA's - anyone make this work?

« on: August 26, 2019, 10:30:06 pm »

Using the Let'sEncrypt pluggin I have happily provided a certificate for my NAS that works well, with one little exception.  Let'sEncryp only allows a short renewal and this means I therefore have to keep updating my certificate.  Surprisingly there seems no good universal way to achieve this renewal of certificates so I thought I would create my own CA and issue my own certificates to use internally.

followed the instructions and all that works.  Issued a certificate, great.  Can I get a browser to see it is allowable?  Not a chance.  They show it is a valid certificate, however they refuse to have the padlock in place.

I've added the CA to the certificate authorities and the Intermediate to the intermediate version.  Still no dice.  Has anyone anywhere managed to get this to work?

15

19.7 Legacy Series / Using Wireguard now have two in rules..

« on: August 22, 2019, 10:22:46 am »

I decided I would go ahead and use wireguard for a VPN and followed through your instructions. 

Initially I decided I would set it up without the 0.0.0.0/0 rule and it all worked fine.  In Rules I had had a Wireguard option appear and I set a rule to allow all traffic.

Now I decided to move to using 0.0.0.0/0 on the client.  I added the Interface as instructed, Nat rules etc and off it went no problem.  Success.  Now it is working I can add my phone to this.  Done and it works then came the challenge.

I went into Rules and I had two Wireguard entries.  One was there originally and had my Rule.  One had obviously appeared when I created the interface (which I named Wireguard).  It was working so I thought it just a wrinkle.  Unfortunately I notice that the rules had not been applied and applied them.  Now I cannot get Wireguard to work any more.

I've tried allowing the any rule in the second wireguard but that did not work.  Something is confused and if feels like I should remove a Wireguard from the rules, however there is no way to do that.  Anyone got any ideas for next steps?