OPNsense Forum
Topics - Amanaki

1
Virtual private networks / Help request: Wireguard full tunnel routing for external client
« on: March 07, 2022, 10:39:55 pm »
I have a simple setup with a single LAN-only network 10.34.10.10/24 and a WireGuard client configured for VPN access to an external VPN provider. For DNS, I am using a template to forward all DNS requests to NextDNS anycast servers. All clients on the LAN network are policy-routed to the external VPN and are working as expected.

Today, I added a new external client device using Road Warrior and got a connection to OPNsense, but I cannot seem to route the client back out over my existing WireGuard VPN tunnel connection.

I have tried various different methods, but the client only returns my WAN IP address instead of my VPN provider's address. Settings are as follows:

---------------------
Servers (OPNsense):

VPN: WireGuard > Local:

Interface: WG0
Listen: 51821
Tunnel address: 10.11.1.52/16
DNS: Blank
Peers: VPN_PROVIDER
Disable Routes: Checked
Gateway: 10.11.1.51
Monitor IP: VPN provider IP address

Interface: WG1
Listen: 51831
Tunnel address: 172.16.16.2/24
DNS: Blank
Peers: iPAD_CLIENT
Disable Routes: Unchecked
Gateway: Blank
Monitor IP: Blank

------------------------------------
Clients (OPNsense):

VPN: WireGuard > Endpoints:

Name: VPN_PROVIDER
Allowed IPs: 0.0.0.0/24
Endpoint Address: VPN provider address
Endpoint port: 51822
 
Name: iPAD_CLIENT
Allowed IPs: 172.16.16.20/32
Endpoint Address: Blank
Endpoint port: Blank

------------------------
External Remote Client (iPAD):

Addresses: 172.16.16.20/32
Listen port: 51831
DNS: Blank

Peer:

Allowed IPs: 0.0.0.0/0
Endpoint: a.b.c.d:51831

------------------------------------------
NAT and Rules (OPNsense):

Firewall: Rules: WAN

Interface: WAN
Direction: In
Proto: UDP
Source: any
Ports: any
Destination: WAN address   
Destination Port: 51831

Firewall: Rules: Wireguard (Group)

None

Firewall: Rules: WG0

None

Firewall: Rules: WG1

None

Firewall: Rules: LAN

Interface: LAN
Direction: In
Proto: TCP/UDP
Source: ALL_CLIENTS (Alias for all LAN clients)
Destination invert: Checked
Destination: PRIVATE_NETWORKS (Alias for RFC1918_Networks)
Ports: WAN_SERVICE_PORTS (Alias containing service ports)
Gateway: WG0 Gateway (to VPN provider)

Firewall: NAT: Outbound

Interface: WG0
Source: Local_Networks (Alias) 10.34.10.10/24
NAT Address: Interface Address

How can I properly route all traffic from my external client down my existing VPN provider tunnel?

TIA.
Manaki
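Added example (not from the post above, and not OPNsense project code): a small offline model of the prefix-match decisions a packet from the road-warrior client has to pass before it can leave through the provider tunnel, run against the values exactly as they are listed in the post. Three checks are modelled: the firewall rule on the ingress interface must policy-route the packet to the WG0 gateway; the outbound NAT rule on WG0 must match the packet's source; and WireGuard's cryptokey routing on WG0 must find a peer whose AllowedIPs covers the destination (longest prefix wins, per interface). The gateway name `WG0_GW`, the sample hosts 10.34.10.50 and 198.51.100.7, and the RFC1918 alias contents are assumptions; the port alias on the LAN rule is not modelled.

```python
"""Model of policy-route / NAT / AllowedIPs checks for a WireGuard road-warrior
client that should exit via a second WireGuard tunnel. Added example; the
interface and alias values below are constructed from the forum post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


def in_any(addr: str, prefixes: List[str]) -> bool:
    """True if addr lies inside any listed prefix (host bits allowed, as the GUI accepts)."""
    a = ip_address(addr)
    for p in prefixes:
        n = ip_network(p, strict=False)
        if n.version == a.version and a in n:
            return True
    return False


@dataclass
class WgInterface:
    name: str
    peers: Dict[str, List[str]]  # peer name -> AllowedIPs as typed in the GUI

    def select_peer(self, dst: str) -> Optional[str]:
        """Cryptokey routing: peer holding the longest AllowedIPs prefix that covers dst."""
        a = ip_address(dst)
        best_len, best = -1, None
        for peer, prefixes in self.peers.items():
            for p in prefixes:
                n = ip_network(p, strict=False)
                if n.version == a.version and a in n and n.prefixlen > best_len:
                    best_len, best = n.prefixlen, peer
        return best


@dataclass
class PolicyRule:
    interface: str                # pf evaluates rules on the interface the packet enters
    sources: List[str]
    not_destinations: List[str]   # "Destination invert" alias; empty list means any destination
    gateway: str                  # assumed gateway label, e.g. "WG0_GW"


@dataclass
class OutboundNat:
    interface: str
    sources: List[str]


def trace(src: str, dst: str, ingress: str, rules, nats, wg) -> dict:
    """Report which of the three checks a single packet passes."""
    rule = next((r for r in rules
                 if r.interface == ingress and in_any(src, r.sources)
                 and not in_any(dst, r.not_destinations)), None)
    nat = next((n for n in nats if n.interface == "WG0" and in_any(src, n.sources)), None)
    return {
        "policy_route_to_wg0": rule is not None and rule.gateway == "WG0_GW",
        "nat_on_wg0": nat is not None,
        "wg0_peer": wg["WG0"].select_peer(dst),
    }


# Constructed from the post: WG0 -> provider, WG1 -> iPad, LAN policy rule, NAT on WG0.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # assumed alias contents
WG = {
    "WG0": WgInterface("WG0", {"VPN_PROVIDER": ["0.0.0.0/24"]}),
    "WG1": WgInterface("WG1", {"iPAD_CLIENT": ["172.16.16.20/32"]}),
}
RULES = [PolicyRule("LAN", ["10.34.10.10/24"], RFC1918, "WG0_GW")]
NATS = [OutboundNat("WG0", ["10.34.10.10/24"])]


def check_post_config(dst: str = "198.51.100.7") -> dict:
    """A LAN host and the road-warrior client, both heading for the same public address."""
    return {
        "lan": trace("10.34.10.50", dst, "LAN", RULES, NATS, WG),
        "ipad": trace("172.16.16.20", dst, "WG1", RULES, NATS, WG),
    }


if __name__ == "__main__":
    for who, result in check_post_config().items():
        print(who, result)
```

Under this model the LAN host passes the rule and NAT checks while the packet arriving on WG1 passes neither, because no rule on WG1 carries the WG0 gateway and the WG0 NAT source alias only holds 10.34.10.0/24. For the AllowedIPs check, `0.0.0.0/24` as typed covers only 0.0.0.0 to 0.0.0.255, so a public destination selects no WG0 peer; with `0.0.0.0/0` the provider peer is selected, and a more specific prefix on another peer of the same interface would still win for its own addresses.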

2
General Discussion / GEOIP Blocking Rule Failure Targeting Port 0
« on: March 04, 2022, 02:11:52 am »
Hi,

I have GeoIP blocking enabled on my IPv4-only firewall and have started seeing regular entries from a blocked country, CN in this case.

Up front: my firewall's advanced "max states" setting is set to 2000000.

Attached screenshots of:

1. Log event showing the origin country CN was not blocked
2. GEOIP Alias definition
3. Floating rules for In + Out on WAN interface

Any ideas, suggestions on how to resolve or improve?

Thanks.


3
General Discussion / [SOLVED] Unable to Obtain Secure WEBGUI Connection After SSL Installation
« on: March 03, 2022, 08:44:03 am »
In case this helps someone else:

To get SSL working properly on your OPNsense firewall, you must have the TCP port set to 443.

--------------------------------

Dear all,

Loosely following a couple of tutorials, https://forum.opnsense.org/index.php?topic=23339.0 and https://www.wolffhaven45.com/2017/11/07/intranet-ssl-certificate-for-pfsense-using-lets-encrypt--cloudflare/, to set up SSL for OPNsense WebGUI access, but after many failures to get a secure green padlock connection running we have opted to ask for help.

Domain:

We own a domain (fictional here) mydomain.xyz and the nameservers are pointing to Cloudflare. We do not have or require any hosting.

OPNsense firewall hostname:

Our firewall has beupone as the system Hostname and runs on port 588.

In Cloudflare we added a cname record for the firewall hostname (beupone) pointing to mydomain.xyz resulting in beupone.mydomain.xyz.

General steps:

Installed ACME Client -> Created account -> Added challenge type -> Created certificate successfully

After doing so, we choose the new certificate in System -> Settings -> Administration -> SSL Certificate (beupone.mydomain.xyz)

Trying to access https://beupone.mydomain.xyz:588 fails.

Have attached a few pictures of our settings in case it helps.

Anyone encountered this issue or have any tips on how we can make it work?

Thanks.

4
19.7 Legacy Series / Encrypting Local WiFi Network Traffic With Wireguard
« on: October 27, 2019, 04:18:37 am »
Hi all,

Have been searching for a solid guide to follow but am yet to come across anything that resembles my use case requirement. Not sure if it can even be done but here goes.

What I am wanting to do is use WireGuard to encrypt my local WiFi network traffic. I do not need it to go externally, as all my traffic is currently routed through an OpenVPN client connection.

My setup is as follows:

Firewall Appliance -> Netgear Router AP Mode -> Wireless Clients

OS-Wireguard is installed on my firewall.

Any and all help is greatly appreciated.

5
18.7 Legacy Series / OpenVPN Client Killswitch
« on: January 14, 2019, 03:11:49 am »
Hi all,

May seem like a simple question but I would really appreciate some help with this post I created many weeks ago.

https://forum.opnsense.org/index.php?topic=10533.msg48173#msg48173

In simple terms, I need to stop any traffic from being routed to the clearnet if my VPN client connection fails or drops out for some reason.

Any help would be greatly appreciated please.

Thanks,
Amanaki

6
18.7 Legacy Series / Firewall Rules for DNSCrypt Proxy v2
« on: January 13, 2019, 04:19:12 am »
Hi all,

So, I am NOT using the new os-dnscrypt-proxy plugin as it does not yet support DNS blocking.

That said, I installed v2 manually and confirm it is working as expected on my LAN network.

However, I have a number of VLANs and I want to know what/if any firewall rules I need to place to cater for dnscrypt-proxy.

I have enclosed screenshot of what I have so far on one of the VLANs but cannot confirm it is working.

Help anyone?

Thanks,
Amanaki

7
18.7 Legacy Series / [SOLVED] DNS Blocking with DNSCrypt-Proxy AKA os-dnscrypt-proxy
« on: January 11, 2019, 12:51:24 am »
Hi all,

So, after migrating to OPNsense after many years of using OpenWRT, I got DNSCrypt-Proxy v2 working by installing it manually, adding my own custom blacklists, and configuring the .toml file to perform DNS blocking the way I had it working before.

With the recent release of the new os-dnscrypt-proxy, I performed a fresh install of OPNsense and decided to give this new plugin a try.

After installing and configuring it, it seems to be working the way I expect, but one thing that is really bothering me is that I cannot get my DNS blocking configuration back, as it seems any edits one makes to the dnscrypt-proxy.toml file are not persistent. In other words, they are overwritten by the plugin every single time.

Has anyone else had any experience with this for DNS blocking and if so, is it even possible to get DNS blocking working or do I need to revert back to manual configuration?

Thanks.

EDIT: I have received confirmation that DNS blocking is not supported in the plugin just yet.

8
18.7 Legacy Series / [SOLVED] Suppressing Bogon Network Log Noise in Firewall
« on: January 06, 2019, 10:24:10 pm »
Hi all,

I am running a fresh install of OPNsense 18.7.9-amd64 with IPv6 disabled in the firewall and on all interfaces, along with blocking of private networks on my WAN interface. I am not using any upstream devices; my firewall is connected directly to our fiber inlet.

I am noticing a lot of logs with private addresses on the WAN interface and am wondering if there is any way that one can ignore/suppress them?

Enclosed are two screenshots with samples.

Thanks.


9
18.7 Legacy Series / [SOLVED] DHCP - Deny Unknown Clients Issue
« on: January 06, 2019, 09:54:27 pm »
Hi All,

I'm trying to understand why the DHCP server on one of my VLAN networks is still handing out addresses to unknown clients when I have the "Deny Unknown Clients" option checked on my network settings.

My basic understanding is that this setting is a security feature that prevents unknown clients from gaining access to one's network and that only the devices set up with static addresses will be handed IP addresses from the DHCP server.

Not sure if it's relevant, but this network is connected to a decommissioned router which is used as an external WiFi access point for our IoT devices.
   
Setup as follows:

VLAN_20
Static IP: 10.34.20.1/24
DHCP Range: 10.34.20.100 -> 10.34.20.199

For each IoT device on the above network, I have entered the device MAC address and static IP address outside of the above range. For example, device # 1 = 10.34.20.200 and so forth..

I am running OPNsense 18.7.9-amd64 and have enclosed a screenshot of my settings in the GUI confirming that this option is selected.

Ideas anyone?

10
18.7 Legacy Series / Help with UPnP Config for Gaming Network
« on: December 27, 2018, 10:59:39 pm »
Hi everyone,

Home user trying to get an unrestricted gaming network going for my two teenage sons who play a variety of games on steam, origin and ps4.

Below is a summary of my network which runs on a dedicated VM with three physical network interfaces.
 
vtnet0 - WAN DHCP client from ISP
vtnet1 - Unassigned for VLANs
vtnet2 - LAN - 10.1.10.1/24

VLANs on vtnet1 are as follows:

VL10_ADM 10.10.10.1/24 - Admin
VL20_IOT 10.10.20.1/24 - IOT/WiFi/OpenVPN
VL30_CLR 10.10.30.1/24 - Unrestricted gaming network
VL40_SEC 10.10.40.1/24 - Secure network no access to WAN
VL50_DMZ 10.10.50.1/24 - Media network only

I installed OS UPnP and it appears in the services menu, but I am needing some help satisfying the following instructions that were displayed after the installation was completed:

For this daemon to work, you must modify your pf rules to add an anchor in both the NAT and rules section. Both must be called 'miniupnp'

Am hoping that someone would be kind enough to show me an example or talk me through what I need to do to get this working? I can provide screenshots of my NAT and fw rules if required just let me know.

Many thanks,
Manaki

11
18.7 Legacy Series / Floating Rules for GeoIP Country Blocking Not Working
« on: December 06, 2018, 04:10:32 pm »
Hi all,

Have been tinkering with blocking known attack source countries but cannot seem to get this working as expected.

I read that the IDS method was essentially replaced with the alias method and have followed the guides I have found on this forum to try it out with no luck.

I have enclosed screenshots of my alias and firewall rules to help with identifying where I might be going wrong.

Any ideas?

Thanks,
Manaki

12
18.7 Legacy Series / Do Not Allow Any Traffic Through Firewall if OpenVPN Connection is Disconnected
« on: December 06, 2018, 03:23:28 pm »
Hi all,

This is my first post here. I am relatively new to OPNsense after a few years of using consumer grade routers flashed with OpenWRT and DD-WRT to manage our home network.

My current setup consists of an upstream consumer router (facing my ISP) running latest version of OpenWRT. I have it setup with a dedicated (always on) OpenVPN connection with a killswitch that does not allow the routing of any traffic if the OpenVPN connection goes down for any reason.

Downstream, I have OPNsense 18.7.7-amd64, FreeBSD 11.1-RELEASE-p15, OpenSSL 1.0.2p 14 Aug 2018 running on a virtual machine.

I currently have it setup and running nicely with DNScrypt-proxy, a few VLANS for segmentation and a few basic firewall rules. My network consists of 8 mixed OS clients, so it is very small. Nothing fancy at all.

Assuming I have an OpenVPN connection running on my OPNsense installation, I am wanting to know if I can actually apply the same method, so that no traffic at all is routed through the firewall if my OpenVPN connection goes down on my OPNsense machine, and if so, how would I go about getting this set up?

Thanks,
Naki

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved