Topics - hboetes

1. 18.7 Legacy Series / openvpn peer to peer ssl workaround
« on: January 15, 2019, 03:16:50 pm »
After hours of fiddling with a peer-to-peer SSL setup that did not work, whereas a peer-to-peer setup with a shared key did work, I found the following workaround:

Set the tunnel network to a /30

Let me explain: first I set the tunnel network to a /24, and then I noticed that the IPs on the client side of the tunnel were 10.3.0.6 and .5, while on the server side of the tunnel they were 10.3.0.1 and .2, and the route from the server to the client was pointed at 10.3.0.2.

So then I added the option topology30, which fixed the IP addresses, but no traffic was possible to the client.

After that I came up with a clever workaround, use a /30 for the tunnel network and disable the topology30 option. And... lo and behold... I got my SSL encrypted site to site working.

2. 18.7 Legacy Series / vlans on VM, prepare for High Availability
« on: January 09, 2019, 12:32:45 pm »
Hi there,

We were already using OPNsense as a VM and have now bought a hardware appliance. Of course the VM was not set up with a full trunk, but with separate interfaces, one interface per VLAN.
The appliance obviously becomes a trunk and will get VLANs as network interfaces.

Is this a problem when setting up a HA and config synchronisation?

3. Tutorials and FAQs / Freeipa LDAP authentication HOWTO.
« on: January 04, 2019, 01:30:39 pm »
We have a FreeIPA server for authentication, and to allow members of the sysadmins and firewallobservers groups to access it via LDAP I proceeded like this:

  • Import the FreeIPA CA if you didn’t already; it’s probably on your workstation over here: /etc/ipa/ca.crt
  • Create a user in Freeipa: opnsense, with a strong password
  • Create a group firewallobservers and add the right users to this group, I already had a sysadmin group.
  • In OPNsense: System → Access → Add a server like in the screenshot; always use the full LDAP account names, with the FQDN.
  • In the extended query you can decide which groups have access to the firewall: Since it’s hard to read:
    |(memberof=cn=systemadministration,cn=groups,cn=accounts,dc=example,dc=com)(memberof=cn=firewallobservers,cn=groups,cn=accounts,dc=example,dc=com)

After that you can go to testers and check if everything works. If that works you can go to users and press the cloud button at the right to import the FreeIPA users. Add them to the right groups and Bob’s your uncle.  8)

If there is anything unclear, please let me know and I’ll improve this How-to.
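A small offline check for the extended query in the post above, added here as an example and not part of hboetes' post or of OPNsense itself: it builds the memberof OR-filter for a list of FreeIPA group DNs with RFC 4515 escaping, parses it back, and evaluates it against a few constructed user entries, so you can confirm which accounts the filter would admit before relying on it. The group DNs and the sample users are constructed, not taken from a real directory.

```python
import re

# Constructed example: the two FreeIPA groups that should be allowed to log in.
ALLOWED_GROUP_DNS = [
    "cn=systemadministration,cn=groups,cn=accounts,dc=example,dc=com",
    "cn=firewallobservers,cn=groups,cn=accounts,dc=example,dc=com",
]

# Constructed sample of what the `memberof` attribute looks like on FreeIPA user entries.
SAMPLE_USERS = {
    "alice": ["cn=systemadministration,cn=groups,cn=accounts,dc=example,dc=com",
              "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"],
    "bob":   ["cn=FirewallObservers,cn=groups,cn=accounts,dc=example,dc=com"],
    "carol": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"],
}

def ldap_escape(value: str) -> str:
    """Escape the RFC 4515 special characters in an assertion value (backslash first)."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, rep)
    return value

def ldap_unescape(value: str) -> str:
    """Reverse ldap_escape: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_memberof_filter(group_dns) -> str:
    """Build the OR of memberof equalities, in the form pasted into the extended query field."""
    return "|" + "".join(f"(memberof={ldap_escape(dn)})" for dn in group_dns)

_TERM = re.compile(r"\(memberof=([^()]*)\)")

def parse_memberof_filter(flt: str) -> list:
    """Parse '|(memberof=DN)(memberof=DN)...' back into DNs; reject any other filter shape."""
    if not flt.startswith("|"):
        raise ValueError("expected an OR filter starting with '|'")
    body = flt[1:]
    dns = _TERM.findall(body)
    if not dns or "".join(f"(memberof={d})" for d in dns) != body:
        raise ValueError("filter contains terms other than memberof equalities")
    return [ldap_unescape(d) for d in dns]

def admitted_users(flt: str, users: dict) -> list:
    """Return the users whose memberof values satisfy the filter (DNs compared case-insensitively)."""
    allowed = {dn.lower() for dn in parse_memberof_filter(flt)}
    return sorted(u for u, groups in users.items() if any(g.lower() in allowed for g in groups))

if __name__ == "__main__":
    f = build_memberof_filter(ALLOWED_GROUP_DNS)
    print(f)
    print(admitted_users(f, SAMPLE_USERS))  # alice and bob are admitted, carol is not
```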
