
Topics - pierrefrancois

1
17.1 Legacy Series / [SOLVED] OpenVPN in 17.1.4
« on: March 29, 2017, 07:41:13 pm »
Hi Franco,

It seems that the Tunnelblick xor patch was not integrated in openvpn in 17.1.4.
I saw in the changelog that there was a patch consolidation for openvpn. Any chance to have this back?


2
15.7 Legacy Series / OpenVPN gateway issue
« on: September 07, 2015, 06:07:32 am »
Hi,

I've found a strange problem with OpenVPN.
I've set up OpenVPN as a client on OPNsense.
If I keep the field "IPv4 Remote Network/s" empty, the OPNsense web interface will report the wrong IPv4 gateway for the interface ovpncX.
In "Status > Interface" and "Status > Gateway" the gateway IP displayed is the Network mask (for example 255.255.255.0).
In console, using ifconfig I can see the interface gateway is correct and I can ping the remote gateway.

The issue is that apinger uses the value found in the web interface to measure the availability, so using the option to ping the gateway results in the ovpncX interface always being down.

If I input anything in the field "IPv4 Remote Network/s" then the gateway is displayed correctly. I use this as a workaround at the moment: I just input 4.4.4.4/32 in remote network and the gateway is displayed correctly.

I haven't been able to pinpoint the root cause yet but it seems the issue is in the way OPNsense gets the gateway IP from OpenVPN after the connection is established.

I couldn't check the status for IPv6 as the VPN server I've used does not implement it.

Let me know if you need me to run some tests.


3
15.7 Legacy Series / [SOLVED] unbound issue
« on: August 18, 2015, 05:11:12 pm »
Hi,

Not sure in which category I should post this one but I have found that unbound is generating an error every time I restart it:

warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent.

It's not a blocking issue as it's been working fine at the moment.

4
15.1 Legacy Series / [SOLVED] OpenVPN xor patch
« on: May 08, 2015, 04:39:19 am »
Hello everyone,

I mostly use OpenVPN as a client to be able to overcome some local information access limitations. I live in a place where DPI makes it difficult to access the internet and now makes it very difficult to use OpenVPN, so I've been looking for a way to fight it. I've stumbled on a user-made patch to enable scrambling of OpenVPN packets: https://github.com/clayface/openvpn_xorpatch
I've decided to give it a try and it turns out that it works quite well, so I thought I would share the way to recompile openvpn to have this function until (if it's possible) the patch is included in the default OPNsense install.

Pre-requisite
A working installation of FreeBSD 10.1 with an updated ports tree and a working Internet connection
To test it, an already working site-to-site OpenVPN setup or an OpenVPN provider that supports scramble obfuscate

First, let's put the XOR patch among the OpenVPN port files
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#cp openvpn_xorpatch-master/openvpn_xor.patch /usr/ports/security/openvpn/files
#cd /usr/ports/security/openvpn

Edit Makefile in your favorite editor.
At the beginning of the file add the following line:
EXTRA_PATCHES+=     ${FILESDIR}/openvpn_xor.patch:-p1

Now we have to select the compilation options
#make config
PW_SAVE is mandatory for login with user/password
Select other options at your discretion

Recommended to select OpenSSL for SSL/TLS

Validate the options then build with the following:
#make install

The patched openvpn is located in /usr/local/sbin/openvpn.
You can copy this file to your OPNsense box with scp, with x.x.x.x as your box IP address:
#scp /usr/local/sbin/openvpn root@x.x.x.x:/usr/local/sbin/openvpn

Now in the OpenVPN advanced configuration (to be the same on both client and server) add a line:
scramble obfuscate <XOR string>

Hope it helps
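
The shell helpers below are an added example, not part of the original post or of OPNsense. They make the Makefile edit from the steps above repeatable and, when a rebuilt binary replaces /usr/local/sbin/openvpn, keep the packaged binary for rollback and confirm the copy by SHA-256. The function names and the ".orig" backup suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the ".orig"
# backup suffix are assumptions made for illustration.

# Print the SHA-256 of a file with whichever tool the host has:
# sha256 on FreeBSD/OPNsense, sha256sum on Linux.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Put the EXTRA_PATCHES line at the top of a port Makefile exactly once,
# so running the step again does not duplicate it.
add_extra_patch() {
    makefile=$1
    line='EXTRA_PATCHES+=     ${FILESDIR}/openvpn_xor.patch:-p1'
    if grep -qF 'openvpn_xor.patch' "$makefile"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$line"; cat "$makefile"; } > "$tmp" || return 1
    cat "$tmp" > "$makefile"   # rewrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Replace an installed binary with a new build: keep the first original as
# <dst>.orig for rollback, copy, then confirm the copy matches by hash.
replace_binary() {
    src=$1
    dst=$2
    if [ -f "$dst" ] && [ ! -f "$dst.orig" ]; then
        cp -p "$dst" "$dst.orig" || return 1
    fi
    cp "$src" "$dst" || return 1
    [ "$(file_sha256 "$src")" = "$(file_sha256 "$dst")" ]
}
```

When the binary is copied with scp instead, running file_sha256 on the build machine and on the OPNsense box and comparing the two values gives the same check.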
