Messages - bartjsmit

1
General Discussion / Re: reverse ssh, but with a catch
« on: February 07, 2023, 03:13:23 pm »
Quote from: user_with_name on February 07, 2023, 11:19:23 am
Unfortunately, it's not secure enough, as the following two show:

I disagree - those articles you quote discuss attempts to replay the port knock sequence to take advantage of the firewall port that gets opened to the knocking IP.

If you use port knock as a trigger to make an outbound connection, this does not apply since the target of the outbound is not the knocker IP but a DDNS endpoint you control.

For the record, I agree with Patrick that there's nothing wrong with a keypair-secured SSH inbound other than endless connection attempts in your logs. I enjoy a good puzzle though  ;)

Bart...

2
General Discussion / Re: Modify user list view in GUI
« on: February 07, 2023, 09:25:45 am »
Hi Michael, welcome to OPNsense!

This is the users' forum - for code customisation you'd likely get more traction with the developers. They are here: https://github.com/opnsense

Bart...

3
General Discussion / Re: reverse ssh, but with a catch
« on: February 07, 2023, 08:45:53 am »
You will likely have an easier time setting up a port knocker SSH call-back on a Linux server behind OPNsense: https://www.tecmint.com/port-knocking-to-secure-ssh/ I'm always wary that the next OPNsense update wipes the config of anything that's not an installed plugin.

You'd obviously change the iptables commands to SSH tunnel up and down commands. You can probably just log out of the shell instead of tearing down the tunnel with a port knock.

Bart...

4
General Discussion / Re: reverse ssh, but with a catch
« on: February 06, 2023, 07:59:39 am »
It will be your luck that you open your laptop just after OPNsense tried to connect to it. It is also not very resilient - if your SSH connection drops you need to wait for an average of 7.5 minutes until it comes back.

What about SSH over a Cloudflare tunnel?

Bart...

5
General Discussion / Re: Separate VLAN for IoT devices
« on: February 06, 2023, 07:52:17 am »
You need separate IP subnets for your network VLANs. You can either change the LAN or IoT subnet to have a different range, or better still both.

E.g. if your current internal network is 192.168.1.0/24 you would split that into two VLAN/subnet parts, like IoT on 192.168.101.0/24 with VLAN number 101 (VLAN and subnet numbers don't have to be the same but it makes things easier to remember) and LAN on 192.168.42.0/24 without a VLAN tag.

Make your internal VLANs different from 192.168.1.0/24 and 192.168.0.0/24 as you will often come across those at coffeeshops, libraries, friends, etc. Having a different number will make it easier to set up VPN remote access later. You can use anything from RFC 1918: https://www.rfc-editor.org/rfc/rfc1918

You will need a VLAN capable managed switch and/or Multi-SSID access point(s). If your IoT devices use ESPHome or ZHA there won't be much to change but if they don't then you may want to consider having your IoT network inherit your current SSID/password. That way you don't have to do hand-to-hand combat with loads of devices.

Bart...
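As an added illustration of the subnet advice in the post above (not code from the forum post or from OPNsense), here is a small Python checker for a planned VLAN/subnet layout. It flags the two things the post warns about, subnets that overlap each other and subnets that collide with the common 192.168.0.0/24 and 192.168.1.0/24 defaults, and also confirms every range is RFC 1918 and every VLAN id is valid and unique. The plan dictionaries and their contents are constructed sample input.

```python
import ipaddress

# RFC 1918 private ranges; every internal subnet must fall inside one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges the post recommends avoiding because coffee shops, libraries and friends'
# routers so often use them, which later clashes with VPN remote access.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def check_vlan_plan(plan):
    """plan maps a network name to (vlan_id or None for untagged, cidr).

    Returns a list of human-readable problems; an empty list means the plan is sound.
    """
    problems = []
    nets = {}
    seen_vlans = {}
    for name, (vlan, cidr) in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(private) for private in RFC1918):
            problems.append(f"{name}: {net} is not an RFC 1918 range")
        if any(net.overlaps(common) for common in COMMON_DEFAULTS):
            problems.append(f"{name}: {net} overlaps a common default home/coffee-shop range")
        if vlan is not None:
            if not 1 <= vlan <= 4094:
                problems.append(f"{name}: VLAN id {vlan} is outside 1-4094")
            elif vlan in seen_vlans:
                problems.append(f"{name}: VLAN id {vlan} already used by {seen_vlans[vlan]}")
            seen_vlans[vlan] = name
        nets[name] = net
    # Every pair of subnets must be disjoint, otherwise routing between them is ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} vs {nets[b]})")
    return problems


# Constructed sample plans: the starting point the post describes, and the split it suggests.
BEFORE_PLAN = {
    "LAN": (None, "192.168.1.0/24"),
    "IoT": (None, "192.168.1.0/24"),
}
AFTER_PLAN = {
    "LAN": (None, "192.168.42.0/24"),
    "IoT": (101, "192.168.101.0/24"),
}

if __name__ == "__main__":
    for label, plan in (("before", BEFORE_PLAN), ("after", AFTER_PLAN)):
        print(label, check_vlan_plan(plan) or "OK")
```

Running it reports three problems for the "before" plan (both subnets sit on 192.168.1.0/24 and they overlap each other) and nothing for the suggested split.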

6
Virtual private networks / Re: Missing External Certificate and another OpenVPN client error
« on: January 30, 2023, 08:14:22 am »
Quote from: road hazard on January 30, 2023, 03:29:57 am
Are you using a fresh install of 23.1 like I am, or did you upgrade to it, or are you still running an older version of OPNsense?

Mine is ancient and has been upgraded in situ for many years. If nobody else chimes in on this thread with their experiences, I might have some time this week to create a fresh test VM.

Does it work when you add the CA stanza manually to the files? https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV

Bart...

7
Virtual private networks / Re: Missing External Certificate and another OpenVPN client error
« on: January 29, 2023, 06:12:40 pm »
Let's start from the beginning :)

You are looking for an OpenVPN road warrior configuration with OPNsense as the server and external clients connecting from the WAN side to it, right?
There are about as many queries on this forum for running an OpenVPN client to an external VPN provider (Surfshark, PIA, etc.).

I set up my OpenVPN server on OPNsense using Kirk's guide (crypto references ever so slightly outdated) https://www.kirkg.us/building-an-openvpn-server-with-opnsense/

My downloads from VPN: OpenVPN: Client Export do include the <ca> ... </ca> text block in the ovpn file.

Check your steps against the guide and make sure you haven't missed any.

Bart...

8
General Discussion / Re: how to minimize disk usage
« on: January 29, 2023, 10:18:59 am »
Hi David, on the subject of logging - consider setting up an external log server and redirect your firewall logs to it. System, settings, logging/targets.

A big part of security is being able to work out what happened if something happens  ;)

Bart...

9
Virtual private networks / Re: Missing External Certificate and another OpenVPN client error
« on: January 29, 2023, 10:13:35 am »
Both client and server need to agree on a certificate chain. Have you imported the root CA cert and any intermediate cert(s)?

The most portable way is to add them to the ovpn file inside <ca> ... </ca>

Bart...

10
Virtual private networks / Re: Is routing traffic to specific websites through a specific endpoint possible?
« on: January 26, 2023, 08:36:54 am »
Website no, IP range yes  :)

With content moving to cloud and CDN providers it becomes increasingly difficult to distinguish between locales. I use a VPN app on my Android TV to switch between geofences.

Bart...

11
Virtual private networks / Re: OpenVPN remote network behind ovpn client not reachable
« on: January 24, 2023, 03:50:59 am »
Add a static route on OPNsense Site 1 for 10.11.104.0/24 via 10.9.1.2

Your reply packets go out of the WAN interface of Site 1 and are being ignored by its ISP router (on account of being RFC1918).

Bart...

12
22.7 Legacy Series / Re: VIP understanding and Firewall Rules
« on: January 22, 2023, 10:31:04 am »
Quote from: ColeTrain on January 22, 2023, 01:31:15 am
DNS still works on the PC.

DNS is a caching protocol. You need to clear the client cache or resolve a name you haven't resolved recently, e.g. www.femlinkpacific.org.fj (apologies for assuming if you're in fact a woman in the pacific).

Bart...

13
General Discussion / Re: OpenVPN CIDR /24 works but /16 does not
« on: January 22, 2023, 10:26:07 am »
Those errors look unrelated to your routing issue. Check out the routing table of the hosts and routers involved in the end-to-end connection and confirm that the packets go the way you expect with some captures.

Remember that every hop needs to know how to get to the destination and that replies need to find their way back to the source.

Bart...

14
General Discussion / Re: How to use DNS of host network when accessing host services from remote machine?
« on: January 22, 2023, 10:20:54 am »
You need to set up DNS servers that hold zone(s) with A/CNAME records for hosts on both sites. Some multi-master DNS systems exist (notably Microsoft AD integrated DNS) but you generally have to set one primary DNS and replicate to a secondary on the other site. This includes static and dynamic DNS updates. Don't forget to allow both TCP and UDP 53 since the protocol requires both.

A great next step is to read 'DNS and BIND' from O'Reilly (a.k.a. the Cricket book). It is an important skill to master in IT. Don't forget the sysadmin's haiku: https://www.cyberciti.biz/humour/a-haiku-about-dns/  8)

Bart...

15
General Discussion / Re: WOL Over Different Subnets
« on: January 18, 2023, 06:05:58 pm »
Only if you bridge them. A WoL magic packet works on layer 2 while firewalls and routers are layer 3 devices.
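To make the layer-2 point concrete, here is an added Python example (not from the post or from OPNsense) that builds a Wake-on-LAN magic packet and parses one back out of a captured payload. The payload is nothing more than six 0xFF bytes followed by the target MAC repeated sixteen times; it is carried in a frame addressed to the broadcast MAC ff:ff:ff:ff:ff:ff (or in UDP on a broadcast IP), and a router does not forward that broadcast to another subnet, which is why the post says the two segments would have to be bridged. The MAC addresses below are constructed sample values.

```python
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # destination of the frame carrying a magic packet
MAGIC_LEN = 6 + 16 * 6                # 102 bytes: sync stream plus 16 copies of the MAC


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac):
    """Return the 102-byte WoL payload for the given MAC."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def extract_wol_target(payload):
    """Return the MAC a payload would wake, or None if it is not a well-formed magic packet.

    Some senders pad the payload, so the sync stream is searched for rather than assumed
    to sit at offset 0; the 16 repetitions are then checked byte for byte.
    """
    start = payload.find(b"\xff" * 6)
    if start < 0 or start + MAGIC_LEN > len(payload):
        return None
    body = payload[start + 6:start + MAGIC_LEN]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def would_cross_router(dst_mac):
    """A magic packet sent to the broadcast MAC stays on its own layer-2 segment."""
    return dst_mac.lower() != BROADCAST_MAC


if __name__ == "__main__":
    packet = build_magic_packet("00:11:22:33:44:55")   # constructed sample MAC
    print(len(packet), extract_wol_target(packet))
    print("forwarded by a router:", would_cross_router(BROADCAST_MAC))
```

The `extract_wol_target` parser is the useful half for a defender: run over UDP payloads from a capture, it tells you which hosts something on the segment is trying to wake.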

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved