Topics - Luma

#1
German - Deutsch / SOLVED - No access from the WAN
May 19, 2019, 03:24:16 PM
Hello everyone

I have set up OPNsense fresh with 2 interfaces:
- LAN: 192.168.1.1
- WAN: 192.168.231.5

The web GUI runs on port 80, the SSH server on port 22. Both listen on all interfaces. So far everything works; web GUI and SSH access from the LAN work.

Actually, the web GUI and SSH access should also work from the WAN interface. Unfortunately, this does not work.

The following rule is defined:

When I access (web GUI or SSH) the WAN address (192.168.231.5) from the IP 192.168.231.10, I also see this in the firewall log:

But unfortunately I get no response.

What could be the reason? What is wrong here?

Thanks for the help.
Regards, Lumax.
#2
Hello everyone

I have successfully set up a VPN UDP server. Everything works.

Client log UDP:
Thu Apr 18 08:52:06 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Apr 18 08:52:06 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Apr 18 08:52:06 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Thu Apr 18 08:52:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:06 2019 UDP link local (bound): [AF_INET][undef]:0
Thu Apr 18 08:52:06 2019 UDP link remote: [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:06 2019 [xxxxxx.xxx] Peer Connection Initiated with [AF_INET]192.168.231.4:1194
Thu Apr 18 08:52:07 2019 open_tun
Thu Apr 18 08:52:07 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{322A20D5-0A7D-4DAE-A181-61DA82ECA223}.tap
Thu Apr 18 08:52:07 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.235.6/255.255.255.252 on interface {322A20D5-0A7D-4DAE-A181-61DA82ECA223} [DHCP-serv: 192.168.235.5, lease-time: 31536000]
Thu Apr 18 08:52:07 2019 Successful ARP Flush on interface [5] {322A20D5-0A7D-4DAE-A181-61DA82ECA223}
Thu Apr 18 08:52:07 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 18 08:52:13 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 18 08:52:13 2019 Initialization Sequence Completed
Thu Apr 18 08:52:39 2019 SIGTERM[hard,] received, process exiting

But since I cannot forward UDP ports, I need a TCP VPN server.

No problem, I thought. I switched UDP to TCP in the server configuration and did the same in the client configuration. Unfortunately, no connection can be established then:

Client log TCP:
Thu Apr 18 09:05:30 2019 us=760599 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Apr 18 09:05:30 2019 us=760599 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Apr 18 09:05:30 2019 us=760599 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Thu Apr 18 09:05:30 2019 us=761095 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Apr 18 09:05:30 2019 us=761095 Need hold release from management interface, waiting...
Thu Apr 18 09:05:31 2019 us=228772 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Apr 18 09:05:31 2019 us=336010 MANAGEMENT: CMD 'state on'
Thu Apr 18 09:05:31 2019 us=336405 MANAGEMENT: CMD 'log all on'
Thu Apr 18 09:05:31 2019 us=516510 MANAGEMENT: CMD 'echo all on'
Thu Apr 18 09:05:31 2019 us=517999 MANAGEMENT: CMD 'bytecount 5'
Thu Apr 18 09:05:31 2019 us=518991 MANAGEMENT: CMD 'hold off'
Thu Apr 18 09:05:31 2019 us=520479 MANAGEMENT: CMD 'hold release'
Thu Apr 18 09:05:31 2019 us=522959 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Apr 18 09:05:31 2019 us=522959 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Apr 18 09:05:31 2019 us=522959 Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Thu Apr 18 09:05:31 2019 us=522959 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Thu Apr 18 09:05:31 2019 us=523455 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Thu Apr 18 09:05:31 2019 us=523455 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Thu Apr 18 09:05:31 2019 us=523455 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.231.4:1194
Thu Apr 18 09:05:31 2019 us=523455 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Apr 18 09:05:31 2019 us=523455 Attempting to establish TCP connection with [AF_INET]192.168.231.4:1194 [nonblock]
Thu Apr 18 09:05:31 2019 us=523455 MANAGEMENT: >STATE:1555571131,TCP_CONNECT,,,,,,
Thu Apr 18 09:07:32 2019 us=669700 TCP: connect to [AF_INET]192.168.231.4:1194 failed: Unknown error
Thu Apr 18 09:07:32 2019 us=670590 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Thu Apr 18 09:07:32 2019 us=670590 MANAGEMENT: >STATE:1555571252,RECONNECTING,init_instance,,,,,
Thu Apr 18 09:07:32 2019 us=670590 Restart pause, 5 second(s)
Thu Apr 18 09:07:33 2019 us=683907 SIGTERM[hard,init_instance] received, process exiting
Thu Apr 18 09:07:33 2019 us=683907 MANAGEMENT: >STATE:1555571253,EXITING,init_instance,,,,,

Server log TCP:
Apr 18 09:05:11 OPNsense openvpn[72934]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Apr 18 09:05:11 OPNsense openvpn[72934]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 18 09:05:11 OPNsense openvpn[72934]: Re-using SSL/TLS context
Apr 18 09:05:11 OPNsense openvpn[72934]: Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[72934]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[72934]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 18 09:05:11 OPNsense openvpn[72934]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[72934]: Socket Buffers: R=[65228->65228] S=[65228->65228]
Apr 18 09:05:11 OPNsense openvpn[72934]: Attempting to establish TCP connection with [AF_INET]192.168.231.4:1194 [nonblock]
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP connection established with [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP_CLIENT link local: (not bound)
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP_CLIENT link remote: [AF_INET]192.168.231.4:1194
Apr 18 09:05:11 OPNsense openvpn[26171]: MULTI: multi_create_instance called
Apr 18 09:05:11 OPNsense openvpn[26171]: Re-using SSL/TLS context
Apr 18 09:05:11 OPNsense openvpn[26171]: Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[26171]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Apr 18 09:05:11 OPNsense openvpn[26171]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 18 09:05:11 OPNsense openvpn[26171]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 18 09:05:11 OPNsense openvpn[26171]: TCP connection established with [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: TCPv4_SERVER link local: (not bound)
Apr 18 09:05:11 OPNsense openvpn[26171]: TCPv4_SERVER link remote: [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 TLS: Initial packet from [AF_INET]192.168.231.4:8471, sid=6068271c e125605d
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 TLS Error: incoming packet authentication failed from [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Fatal TLS error (check_tls_errors_co), restarting
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 18 09:05:11 OPNsense openvpn[26171]: TCP/UDP: Closing socket
Apr 18 09:05:11 OPNsense openvpn[72934]: Connection reset, restarting [0]
Apr 18 09:05:11 OPNsense openvpn[72934]: TCP/UDP: Closing socket
Apr 18 09:05:11 OPNsense openvpn[72934]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 18 09:05:11 OPNsense openvpn[72934]: Restart pause, 300 second(s)

It should really work if I "only" change the protocol, shouldn't it?
What am I doing wrong?

Does something related to TLS also have to be changed (TLS error messages)?

In the firewall log I find no indication that anything is being blocked. All rules are designed to be protocol-independent.

Thanks for the help.

Regards, Luma
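As an added example (not part of the forum post, and not OPNsense or OpenVPN code), here is a small Python triage script run over the server-log lines from the post above. It groups OpenVPN syslog messages by process ID and remote endpoint (the log shows two openvpn processes on the firewall, 72934 in TCP client mode and 26171 as the server, so keeping them apart by PID matters), counts control-channel packets that failed the tls-auth HMAC check, and verifies that the `keydir` a process announces for itself and the one it expects from its peer are complementary. With `tls-auth` enabled, "packet HMAC authentication failed" means the static key or its direction differs from what the peer actually uses, or that non-OpenVPN data reached the port; either way it is a handshake that never got as far as TLS. The regular expressions, the `triage`/`report` function names and the wording of the findings are my own assumptions about the log format shown, not an OpenVPN interface.

```python
"""Triage OpenVPN server-side syslog lines for tls-auth/control-channel failures.

Added example: not from the forum post or from the OpenVPN project.
"""
import re
from collections import defaultdict

# Lines copied from the server log in the post above (not constructed).
SERVER_LOG = """\
Apr 18 09:05:11 OPNsense openvpn[26171]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Apr 18 09:05:11 OPNsense openvpn[26171]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Apr 18 09:05:11 OPNsense openvpn[26171]: TCP connection established with [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 TLS: Initial packet from [AF_INET]192.168.231.4:8471, sid=6068271c e125605d
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 TLS Error: incoming packet authentication failed from [AF_INET]192.168.231.4:8471
Apr 18 09:05:11 OPNsense openvpn[26171]: 192.168.231.4:8471 Fatal TLS error (check_tls_errors_co), restarting
Apr 18 09:05:11 OPNsense openvpn[72934]: Connection reset, restarting [0]
"""

# Assumed syslog shape: "<Mon> <day> <hh:mm:ss> <host> openvpn[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Per-client messages are prefixed with "<ip>:<port> " by the server instance.
PEER_RE = re.compile(r"^(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<rest>.*)$")
OPTS_RE = re.compile(
    r"^(?P<which>Local|Expected Remote) Options String \(VER=V\d\): '(?P<opts>[^']*)'$"
)


def parse_options(opts: str) -> dict:
    """Turn 'V4,dev-type tun,keydir 0,tls-auth,...' into {key: value}.

    Flag-only tokens such as 'tls-auth' map to an empty string.
    """
    parsed = {}
    for token in opts.split(","):
        key, _, value = token.partition(" ")
        parsed[key] = value
    return parsed


def keydir_consistent(local: str, expected_remote: str) -> bool:
    """tls-auth key directions must be complementary: one side 0, the other 1."""
    return {local, expected_remote} == {"0", "1"}


def triage(log_text: str) -> dict:
    """Collect per-PID findings: HMAC failures per peer, fatal TLS errors, keydirs."""
    hmac_failures = defaultdict(lambda: defaultdict(int))  # pid -> peer -> count
    tls_fatal = defaultdict(int)                           # pid -> count
    keydirs = defaultdict(dict)                            # pid -> {which: keydir}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an openvpn syslog line; ignore
        pid, msg = m["pid"], m["msg"]
        om = OPTS_RE.match(msg)
        if om:
            opts = parse_options(om["opts"])
            if "tls-auth" in opts:
                keydirs[pid][om["which"]] = opts.get("keydir", "")
            continue
        pm = PEER_RE.match(msg)
        peer, rest = (pm["peer"], pm["rest"]) if pm else ("<no peer>", msg)
        if "packet HMAC authentication failed" in rest:
            hmac_failures[pid][peer] += 1
        if rest.startswith("Fatal TLS error"):
            tls_fatal[pid] += 1
    return {
        "hmac_failures": {pid: dict(peers) for pid, peers in hmac_failures.items()},
        "tls_fatal": dict(tls_fatal),
        "keydirs": dict(keydirs),
    }


def report(findings: dict) -> list:
    """Render the findings as one human-readable line each."""
    lines = []
    for pid, peers in findings["hmac_failures"].items():
        for peer, count in peers.items():
            lines.append(
                f"pid {pid}: {count} control-channel packet(s) from {peer} failed the "
                f"tls-auth HMAC check (static key/direction mismatch or non-OpenVPN data)"
            )
    for pid, count in findings["tls_fatal"].items():
        lines.append(f"pid {pid}: {count} fatal TLS error(s), client instance restarted")
    for pid, dirs in findings["keydirs"].items():
        local, remote = dirs.get("Local", ""), dirs.get("Expected Remote", "")
        if not keydir_consistent(local, remote):
            lines.append(f"pid {pid}: inconsistent keydir announcement local={local!r} expected_remote={remote!r}")
    return lines


if __name__ == "__main__":
    for finding in report(triage(SERVER_LOG)):
        print(finding)
```

On the lines above the script reports one HMAC failure and one fatal TLS error for PID 26171 from 192.168.231.4:8471, and no keydir inconsistency, since the server announces `keydir 0` for itself and expects `keydir 1` from the client. That combination points the investigation at the key material the client actually sends rather than at the server's own configuration, and it separates a genuine mismatch from stray traffic on the port, which would show up as HMAC failures from many different peers.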