Topics - tony124

1
Virtual private networks / WireGuard: description for endpoints possible?
« on: March 10, 2021, 01:37:55 pm »
I wonder if someone can give me a hint on this problem:

- I have added a few dozens of WG endpoints;
- each of them is for a single user;
- the user ids (which I already have and cannot easily change) contain characters like -, _, .
- an endpoint name can only contain letters and digits
- I give each user a unique number, e.g. user-A => wg100, user-B => wg101, etc.
- it works, but from the UI I cannot tell which endpoint corresponds to which user

So I wonder if it is possible to add a description field to each endpoint.

Another approach is to remove the chars which are not letters/digits from the user-ids, and then use that stripped user-id as the name for the endpoint. So I would end up with names like wg0userA, wg0userB etc. There is a danger that after stripping non letter/digit chars, there might be some name collision which is hard to control.
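The collision risk described above can be checked mechanically before any endpoint is created. The following is an added example, not code from the forum post or from the OPNsense project: it strips user ids to letters and digits with the wg0 prefix the post mentions, reports every stripped name shared by more than one user, and disambiguates the clashing ones deterministically with a short SHA-256 suffix of the original id (still letters and digits only). The sample user ids are constructed for the example.

```python
import hashlib
import re

# Constructed sample user ids (not from the forum post): the first three
# collide once the non-alphanumeric characters are stripped.
SAMPLE_USER_IDS = ["user-a", "user_a", "user.a", "user-b", "j.doe_42"]

NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def strip_name(user_id: str, prefix: str = "wg0") -> str:
    """Build an endpoint name by dropping everything that is not a letter or digit."""
    return prefix + NON_ALNUM.sub("", user_id)


def find_collisions(user_ids, prefix="wg0"):
    """Return {endpoint_name: [user ids]} for every stripped name shared by more than one user."""
    buckets = {}
    for uid in user_ids:
        buckets.setdefault(strip_name(uid, prefix), []).append(uid)
    return {name: uids for name, uids in buckets.items() if len(uids) > 1}


def unique_names(user_ids, prefix="wg0", suffix_len=6):
    """Map each user id to a unique endpoint name made of letters and digits only.

    Ids whose stripped form is unique keep it. Ids that collide get a short hex
    digest of the *original* id appended, so the mapping is deterministic and
    can be recomputed from the user id alone (no counter to keep in sync).
    """
    collisions = find_collisions(user_ids, prefix)
    mapping = {}
    for uid in user_ids:
        name = strip_name(uid, prefix)
        if name in collisions:
            digest = hashlib.sha256(uid.encode("utf-8")).hexdigest()[:suffix_len]
            name = f"{name}{digest}"
        mapping[uid] = name
    # Defensive check: a clash after suffixing is very unlikely, but fail
    # loudly rather than silently handing one endpoint to two users.
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("endpoint name collision after disambiguation")
    return mapping


if __name__ == "__main__":
    for name, uids in find_collisions(SAMPLE_USER_IDS).items():
        print(f"collision on {name}: {', '.join(uids)}")
    for uid, name in unique_names(SAMPLE_USER_IDS).items():
        print(f"{uid:10s} -> {name}")
```

Run it over the real list of user ids before creating the endpoints; `find_collisions` shows exactly which ids would clash, and `unique_names` gives a mapping that can be kept alongside the configuration so the endpoint-to-user relation is not lost.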



2
Virtual private networks / WireGuard: how to add endpoints using command-line?
« on: March 07, 2021, 10:08:37 pm »
Hello,

I am new to WireGuard. I have followed the official docs and could connect 1 client to WireGuard on my opnsense server. Now I would like to add a few dozen endpoints for my users -- each user gets his/her own wg config. Can I do that via command line? Can I simply edit /usr/local/etc/wireguard/wg0.conf and then issue /usr/local/etc/rc.d/wireguard restart?

3
20.1 Legacy Series / Added a static route to another host in LAN, traffic gets blocked by firewall
« on: August 07, 2020, 05:26:01 pm »
Hello,

I have a very simple OPNsense setup with 1 iface WAN and 1 iface LAN 192.168.30.1/24. I have done just minimal configuration to get it working (= setting IPs, networks, DNS).

Now I am trying to achieve this: I would like to reroute packets to net 192.168.40.0/24 to another host in LAN, IP = 192.168.30.5

I did the following:
- add a gateway int_router = 192.168.30.5, iface LAN
- add a route 192.168.40.0/24 -> int_router

However I get stuck at this point: packets w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule".

It seems there is already a default rule on LAN iface: "Default allow LAN to any rule", but this rule doesn't work as expected.

I also tried to add a floating rule which allows traffic on LAN iface, both in/out direction, but it doesn't work either.


Any hint on what I can try?

Regards,
Tony

4
20.1 Legacy Series / Is it possible to use OpenVPN with my own PKI?
« on: June 15, 2020, 10:30:21 pm »
I am trying to set up OpenVPN using the certificates generated by my own PKI. I did the following:

- set up OpenVPN following the official docs to make sure it works using OPNsense's own root CA

- use my root CA to create an intermediate CA (on another host)

- use the intermediate CA to generate certificates (1 for server + 1 for client) for OpenVPN

- copy the certs to OPNsense and import them using https://github.com/pluspol-interactive/opnsense-import-certificate

- create a user in OPNsense

- link the client cert to the user

- openvpn > Client export to get the client files. But I get stuck here: the user I created doesn't show in the list to be exported.

Perhaps I don't need the client cert on OPNsense, however I wanted to export the client from OPNsense to ensure the config is correct.

What am I missing here? Any hint/tip would be much appreciated.

5
20.1 Legacy Series / Load-balancing outgoing OpenVPN traffic -- is it possible?
« on: April 14, 2020, 10:00:41 pm »
Hi,

I am new to OPNsense and I hope this is the right place to post my question:

I have an OPNsense instance with multi-wan and OpenVPN. I have followed the excellent docs at https://docs.opnsense.org/manual/how-tos/multiwan.html and things seem to work fine, except this issue: the outgoing traffic always goes through the default gateway, which is picked by OPNsense randomly (?) at boot time.

I have already added the gateway group to Firewall > Rules > openvpn iface as the gateway for traffic coming into the openvpn iface. According to the docs it seems that it should work but probably I am still missing some steps. I wonder if you could give me a hint on how to proceed further:

(1) Is load-balancing outgoing OpenVPN traffic supported by OPNsense? (I think it is, just double checking.)
(2) What could I do to debug the problem? I am familiar with the linux cli but I am willing to learn freebsd commands if needed.

Thanks in advance for any hint.

Edit: the relevant policy based routing part looks as follows (output from pfctl, with IPs slightly changed). Yes, pppoe1 and pppoe2 have the same gateway, it's not a mistake.
Code:
pass in quick on openvpn route-to { (pppoe2 10.20.30.1), (pppoe1 10.20.30.1), (em1 123.123.123.123 } round-robin sticky-address inet from (openvpn:network) to any flags S/SA keep state label "8ba5d5e9091ff2cd49e87a66cc467e3b"

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved