Topics - browne

#1
Hello everyone,

I'm working on an existing infrastructure which is a new infrastructure to me. The network previously used three SonicWalls (one per site). Because of a very limited budget, only the main site can be migrated right now.

Current setup:
Main site: OPNsense (running on the latest business edition release) with two DSL lines (static IPs: 1.1.1.1 and 2.2.2.2) in failover mode, plus an LTE connection that is manually activated only if both DSL lines fail.
Two remote sites: each with a SonicWall, a single DSL line, and a dynamic IP (changes almost daily)

I'm trying to establish two site-to-site VPNs (one per remote site). Previously, both SonicWalls connected to 1.1.1.1 using IKEv1 Aggressive Mode. I'm trying to replicate this with OPNsense, but only one VPN connection works at a time.
Right now both VPNs are configured in IKEv1 Main Mode; I tried it with Aggressive Mode, but it didn't seem to work at all.

The issue:
Site A: uses AES256-SHA256-ECP256 – connects successfully
Site B: uses AES256-SHA256-MODP2048 (the highest supported by that SonicWall) – fails to connect

Log shows:
Received proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Configured proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256

I've created two separate IPsec configs on OPNsense with the correct proposals. Both use 1.1.1.1 as the local address and 0.0.0.0/0 as remote peer.
Both have different local IKE IDs, remote IKE IDs and Pre-Shared Keys, which of course match those of the corresponding remote site.
However, OPNsense seems to match only by IP and not by IKE ID. As a temporary workaround, I let Site A connect to 1.1.1.1 and Site B to 2.2.2.2. Ultimately, both should prefer 1.1.1.1 and automatically fail over to 2.2.2.2 if the primary DSL fails.

Is there a way to get this to work with the current SonicWalls and the OPNsense?
#2
Hello,

Since the latest version of HAProxy now supports OCSP stapling, I thought it would be a good idea to switch from the "workaround script" to the official option.

However the option is not working for me. The system log shows the error below.
2021-04-06T03:42:01 configd.py[18127] [b2eb554c-4009-4e75-9e58-3f8a1a64e656] Script action stderr returned "b'WARNING: no nonce in response\nResponse verify OK\nWARNING: no nonce in response\nResponse verify OK'"
2021-04-06T03:42:00 configd.py[18127] [b2eb554c-4009-4e75-9e58-3f8a1a64e656] update haproxy ocsp data


I also made some pictures of my config.
https://imgur.com/a/XM9tpZt
#3
Hello,

I am using OPNsense as a reverse proxy.

So far I only needed a certificate for one of my WAN IPs.
However, I now need another certificate for one of my other WAN IPs.

How can I achieve this?
I know how to create a second WAN interface on OPNsense and make the other settings.
But how do I tell the ACME client that it should use WAN1 for certificate1 and WAN2 for certificate2?

Because when I want to create the second certificate, ACME uses the default gateway (WAN1), which makes the creation fail because the domain does not match the IP.
#4
Hello,

I have set up my OPNsense as a reverse proxy using HAProxy and Let's Encrypt.

Right now I only have one certificate for my domain1.browne.com that has WAN1_IP.
However I need another certificate for my domain2.browne.com that has WAN2_IP.

My setup looks like this:
WAN1_IP (10.1.1.1) --> domain1.browne.com --> already uses a LE certificate (certificate1)
WAN2_IP (10.1.1.2) --> domain2.browne.com --> doesn't use LE certificate, but needs one (certificate2)

I know how to create the 2nd WAN interface and all that...
But how do I tell the ACME client to use WAN1 to generate certificate1 and use WAN2 for certificate2?

When I try to get certificate2, the ACME client on OPNsense always uses the default gateway, which in my case is WAN1 (10.1.1.1). The certificate generation then fails because certificate2 resolves to domain2 (10.1.1.2) during the ACME challenge. So the IP (WAN1) requesting the certificate (certificate2) does not match the IP of the domain (domain2) listed inside the certificate.
#5
I am running HAProxy as a reverse proxy in HTTP / HTTPS (SSL offloading) mode using Let's Encrypt ACME on OPNsense.
Everything is working fine and I am right now fine tuning my setup.

The only thing left to do is to get OCSP stapling to work!
My certificate already contains the OCSP Must Staple extension.


SSL Labs
This server certificate supports OCSP must staple but OCSP response is not stapled.

Firefox shows this error once I use a certificate with the OCSP must staple extension.
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

How do I proceed from here on?
I had a look at all the HAProxy settings but couldn't really figure out how to set up OCSP stapling.


Regards
browne
#6
Hello,

I already set up HAProxy as a reverse proxy on port 443 with ACME for some web servers, Exchange, ....

Right now I am struggling with adding our remote desktop gateway server.
https://www.haproxy.com/documentation/haproxy/deployment-guides/remote-desktop/rdp-gateway/
I want to use the "SSL bridging mode" in order to get rid of the certificate errors.

If I understand everything there correctly, I will need a separate frontend for the RDP gateway because of some special settings, and of course on another port than 443. Sadly I failed with just copying the given config, as I didn't figure out where to set all the options.

Is there someone who has already set up haproxy with a remote desktop gateway server and would be so kind to share his config?

(Sorry for double posting this here and in the "Web Proxy Filtering and Caching" sub forum. But I thought more people would read it here.)

Best regards
browne
#7
Hello,

I already set up HAProxy as a reverse proxy on port 443 with ACME for some web servers, Exchange, ....

Right now I am struggling with adding our remote desktop gateway server.
https://www.haproxy.com/documentation/haproxy/deployment-guides/remote-desktop/rdp-gateway/
I want to use the "SSL bridging mode" in order to get rid of the certificate errors.

If I understand everything there correctly, I will need a separate frontend for the RDP gateway because of some special settings, and of course on another port than 443. Sadly I failed with just copying the given config, as I didn't figure out where to set all the options.

Is there someone who has already set up haproxy with a remote desktop gateway server and would be so kind to share his config?

Best regards
browne

EDIT:
Solved: https://forum.opnsense.org/index.php?topic=19169.0
#8
Hello,

I am linking my English post here, since I have seen that there is significantly more activity in the German forum.
https://forum.opnsense.org/index.php?topic=17801

As already mentioned there, I have so far successfully configured ACME and one server, MEX1.
I configured my second server, SQLHOST, exactly like the first one; only the condition differs.
Nevertheless I cannot reach the second server, because haproxy apparently falls back to the configuration of the first server, which makes no sense at all to me.

My suspicion can be proven by disabling my MEX1 under the "Real Servers" tab: when I then call the URL of SQLHOST, I suddenly get a 503 error instead of a 404.
If I re-enable the entry for MEX1 and change ONLY the URL condition of SQLHOST from "esweb" to "owa", I am immediately forwarded to the Exchange server, even though the server entry contains the IP of the SQLHOST server.


Log when calling the URL
haproxy[3465]: 192.168.223.215:57161 [23/Jun/2020:13:41:54.003] MEX1_frontend~ MEX1_backend/MEX1 1/0/0/2/3 404 118 - - ---- 1/1/0/0/0 0/0 "GET /esweb/ HTTP/1.1"

haproxy.conf

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: redirect_acme_challenge ()
frontend redirect_acme_challenge
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: MEX1_frontend (my.domain.net/owa)
frontend MEX1_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    mode http
    option http-keep-alive
    default_backend MEX1_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: MEX1_condition
    acl acl_5ede305aa428f7.91112437 path_beg -i /owa

    # ACTION: MEX1_rule
    use_backend MEX1_backend if acl_5ede305aa428f7.91112437

# Frontend: LetsEncrypt_Frontend ()
frontend LetsEncrypt_Frontend
    bind 192.168.223.181:80 name 192.168.223.181:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/
    # ERROR: unsupported action type
    # ACTION INVALID:

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: ESWEB_frontend (my.domain.net/esweb)
frontend ESWEB_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    mode http
    option http-keep-alive
    default_backend ESWEB_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: ESWEB_condition
    acl acl_5ee219894dbd78.15910750 path_beg -i /esweb

    # ACTION: ESWEB_rule
    use_backend ESWEB_backend if acl_5ee219894dbd78.15910750

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: MEX1_backend ()
backend MEX1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server MEX1 192.168.200.12:443 ssl verify none

# Backend: ESWEB_backend ()
backend ESWEB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SQLHOST 192.168.200.21:443 ssl verify none
#9
Hello,

I am currently setting up haproxy in my network.
I got the acme automation working and was also able to configure the first server.

I then cloned each setting of the first server (MEX1) and adapted them to match the 2nd server (SQLHOST - esweb).

Somehow I am unable to access the 2nd server via haproxy; it just gives me a 404 error. The first still works fine.
What makes me curious are the log entries: it seems that the config for my SQLHOST is pointing to the backend / frontend of my MEX1 server, which makes no sense at all.

haproxy[3465]: 192.168.223.215:57161 [23/Jun/2020:13:41:54.003] MEX1_frontend~ MEX1_backend/MEX1 1/0/0/2/3 404 118 - - ---- 1/1/0/0/0 0/0 "GET /esweb/ HTTP/1.1"

If I disable the server entry of MEX1, I get a 503 error when trying to access it, which makes sense, but at the same time the 2nd server now also gives a 503 error.

Below is my haproxy config.


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: redirect_acme_challenge ()
frontend redirect_acme_challenge
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: MEX1_frontend (my.domain.net/owa)
frontend MEX1_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    mode http
    option http-keep-alive
    default_backend MEX1_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: MEX1_condition
    acl acl_5ede305aa428f7.91112437 path_beg -i /owa

    # ACTION: MEX1_rule
    use_backend MEX1_backend if acl_5ede305aa428f7.91112437

# Frontend: LetsEncrypt_Frontend ()
frontend LetsEncrypt_Frontend
    bind 192.168.223.181:80 name 192.168.223.181:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/
    # ERROR: unsupported action type
    # ACTION INVALID:

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: ESWEB_frontend (my.domain.net/esweb)
frontend ESWEB_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    mode http
    option http-keep-alive
    default_backend ESWEB_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: ESWEB_condition
    acl acl_5ee219894dbd78.15910750 path_beg -i /esweb

    # ACTION: ESWEB_rule
    use_backend ESWEB_backend if acl_5ee219894dbd78.15910750

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: MEX1_backend ()
backend MEX1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server MEX1 192.168.200.12:443 ssl verify none

# Backend: ESWEB_backend ()
backend ESWEB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SQLHOST 192.168.200.21:443 ssl verify none


I hope you guys can help me out here.
browne
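The German and English postings above describe the same symptom, and the posted haproxy.conf shows why: MEX1_frontend and ESWEB_frontend both bind 0.0.0.0:80 and 0.0.0.0:443, so which of them accepts a given connection is not decided by the requested URL, and a request for /esweb/ that lands in MEX1_frontend falls through to its default_backend (exactly the 404 in the log). As an added example (not code from the original posts or from OPNsense), this Python script parses a constructed, trimmed excerpt of that config, lists bind addresses claimed by more than one frontend, and shows which backend a path reaches depending on which frontend won the connection; it models only `path_beg -i` ACLs and HAProxy's first-matching `use_backend` rule.

```python
from collections import defaultdict

SAMPLE_CFG = """\
# constructed excerpt modelled on the posted haproxy.conf (ciphers, names and crt-lists trimmed)
frontend MEX1_frontend
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt-list /tmp/mex1.certlist
    default_backend MEX1_backend
    acl acl_mex1 path_beg -i /owa
    use_backend MEX1_backend if acl_mex1

frontend LetsEncrypt_Frontend
    bind 192.168.223.181:80

frontend ESWEB_frontend
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt-list /tmp/esweb.certlist
    default_backend ESWEB_backend
    acl acl_esweb path_beg -i /esweb
    use_backend ESWEB_backend if acl_esweb
"""

def parse_frontends(cfg):
    """Collect binds, ACLs, use_backend rules and default_backend for every frontend section."""
    frontends, current = {}, None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "frontend":
            current = frontends.setdefault(tok[1], {"binds": [], "acls": {}, "rules": [], "default": None})
        elif tok[0] in ("backend", "listen", "global", "defaults") or current is None:
            current = None          # sections we do not model
        elif tok[0] == "bind":
            current["binds"].append(tok[1])
        elif tok[0] == "acl":       # acl <name> <fetch> [flags] <pattern>
            current["acls"][tok[1]] = (tok[2], tok[-1].lower())
        elif tok[0] == "use_backend":
            current["rules"].append((tok[1], tok[3:]))   # tok[2] is the "if" keyword
        elif tok[0] == "default_backend":
            current["default"] = tok[1]
    return frontends

def bind_conflicts(frontends):
    """Bind addresses claimed by more than one frontend; the URL plays no part in which one accepts."""
    owners = defaultdict(list)
    for name, fe in frontends.items():
        for addr in fe["binds"]:
            owners[addr].append(name)
    return {addr: names for addr, names in owners.items() if len(names) > 1}

def route(fe, path):
    """Backend `path` reaches if this frontend accepted the connection: first use_backend whose
    ACLs all match (ANDed, leading '!' negates; only path_beg -i is modelled), else default_backend."""
    def hit(ref):
        kind, pattern = fe["acls"][ref.lstrip("!")]
        return (kind == "path_beg" and path.lower().startswith(pattern)) != ref.startswith("!")
    for backend, refs in fe["rules"]:
        if all(hit(r) for r in refs):
            return backend
    return fe["default"]

def diagnose(cfg, path):
    """For every shared bind, the backend `path` lands on depending on which frontend won the connection."""
    fes = parse_frontends(cfg)
    return {addr: {n: route(fes[n], path) for n in names} for addr, names in bind_conflicts(fes).items()}
```

Running `diagnose(SAMPLE_CFG, "/esweb/")` reports both shared binds with MEX1_frontend routing to MEX1_backend and ESWEB_frontend routing to ESWEB_backend, which is the ambiguity the log line exposes; a single frontend carrying both path rules has no such conflict.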