Messages - cclloyd

#1
I'm trying to copy a letsencrypt cert fetched from OPNSense over to Proxmox.  I am doing it using the automations in the acme client plugin.

I set one up, ensured all values are correct, and tried running it. 

I see in the logs page:

2024-05-06T00:25:02-04:00 opnsense AcmeClient: running automations for certificate: example.com
2024-05-06T00:22:18-04:00 opnsense AcmeClient: running acme.sh deploy hook failed (acme_proxmoxve)
2024-05-06T00:22:18-04:00 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --deploy --syslog 6 --log-level 1 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/5c1886fae0f214.11

When I try to run the command manually, as below, I get the error:

# /usr/local/sbin/acme.sh --deploy --syslog 6 --log-level 1 --server 'letsencrypt' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/5c1886fae0f214.11888858' --certpath '/var/etc/acme-client/certs/5c1886fae0f214.11888858/cert.pem' --keypath '/var/etc/acme-client/keys/5c1886fae0f214.11888858/private.key' --capath '/var/etc/acme-client/certs/5c1886fae0f214.11888858/chain.pem' --fullchainpath '/var/etc/acme-client/certs/5c1886fae0f214.11888858/fullchain.pem' --domain 'cclloyd.com' --deploy-hook proxmoxve

[Mon May  6 00:58:28 EDT 2024] The deploy hook acme_proxmoxve is not found.
(exit 1)


Trying to run it with `--deploy-hook acme_proxmox_ve` also failed.


I'm running OPNSense 24.1.6 and os-acme-client 4.2.
#2
In case anyone in the future finds it, this worked for me:

chmod +w /boot/device.hints

# Add this line to /boot/device.hints
hint.sdhci_pci.0.disabled="1"
#3
Attached is the screen after 2 iterations of the error.  That error repeats itself maybe 10 times (not sure how many).  But it does EVENTUALLY boot after like 5 minutes maybe.

What is causing this?  I've searched for the same error and see a few people with similar issues but no resolution.

The computer this is running off of is a fitlet2 with the following specs:

fitlet2 - build-to-order
    CPU: Atom x7-E3950 [CE3950]
    RAM: 4 GB [D4] $34.80
    TPM: Not installed
    Storage:  M.2 SATA 32 GB [M32S]
    FACET-Card: FC-M2LAN 2x Gbit Ethernet [FLAN]
    Top cover: Standard top-cover
    Temperature range:  Commercial temperature range 0°C to 45°C
    DC input:  Standard DC input range 7V - 20V
It's worth noting again that OPNSense works, entirely, in this state.  But startup takes about 20x longer than it should because it keeps waiting for whatever that is.

OPNSense version on that is 22.1.
#4
21.7 Legacy Series / Re: Wireguard no LAN access
September 13, 2021, 03:38:01 AM
So then what would I use for the addresses?  The end goal is for the VM to be accessible from everything on the 10.0.0.0/16 subnet and vice versa.
#5
21.7 Legacy Series / Re: Wireguard no LAN access
September 13, 2021, 03:13:24 AM
My whole LAN resides on the same `10.0.0.0/16` subnet currently.  The addresses I want to use for wireguard clients are `10.0.2.0-10.0.2.255`.
#6
21.7 Legacy Series / Re: Wireguard no LAN access
September 13, 2021, 03:03:10 AM
Client:

[Interface]
Address = 10.0.2.10/16
ListenPort = 42001
PrivateKey = redacted

[Peer]
PublicKey = redacted
Endpoint = vpn.example.com:42001
# Route only vpn traffic through vpn
AllowedIPs = 10.0.0.0/16
# Route ALL traffic through vpn
#AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

Server:

interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 42001

peer: redacted
  endpoint: PUBLIC:42001
  allowed ips: 10.0.2.10/32
  latest handshake: 1 minute, 45 seconds ago
  transfer: 1.86 KiB received, 2.43 KiB sent
  persistent keepalive: every 21 seconds
#7
21.7 Legacy Series / Wireguard no LAN access
September 13, 2021, 12:59:43 AM
Situation: I'm trying to create a site-to-site tunnel with a VM in the cloud.  Currently it can connect to OPNSense's wireguard and traffic can flow freely between OPNSense (10.0.0.1) and the VM (10.0.2.10).  But trying to access any other LAN IP from the VM will time out, and vice versa.

So trying to ping 10.0.0.20 from the VM fails, and 10.0.0.20 can't ping the VM.

I assume the issue is somewhere with rules, but I can't find out where.  Can someone help me figure out why the VM can't connect to other devices on my LAN?

Attached are the rules I currently have applied.

Some network info:
- 10.0.0.0/16 is the LAN subnet
- 10.0.2.0/24 is the range of addresses I will assign to wireguard clients
- 10.0.0.1/16 is the OPNSense LAN address
- 10.0.2.10/16 is the intended VM address.
- wg_networks is an alias for 10.0.2.0/24
- WG0 is the interface I created for wireguard
- WireGuard interface is the hidden interface that the plugin creates.
#8
I'm working on setting up WireGuard to tunnel between cloud VMs and my local network.  I'm unsure however as to what exactly I'm supposed to put for some addresses.

OPNSense LAN address: 10.0.0.1/16
VM WAN address: X.X.X.X
VM desired LAN address: 10.0.1.42/16

Current VM wg0.conf:

[Interface]
# set address to next address
Address = 10.0.1.42/16
ListenPort = 51820
PrivateKey = REDACTED
# I want it to use OPNSense for DNS to resolve internal names
DNS = 10.0.0.1

[Peer]
PublicKey = P9EmfDRcTCDxzjCDuXkPY8kBieWmx337zusMIqEUfTE=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 21

Attached is the OPNSense config.
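As an added example (not code from these posts, nor from OPNsense or WireGuard), here is a small Python checker for the site-to-site setup described in posts #6 to #8: it parses the VM-side wg0.conf and, together with the peer's allowed-ips on the OPNsense side, flags the three things that decide whether LAN hosts and the VM can reach each other: a tunnel range carved out of the LAN prefix, a client tunnel address missing from the server's allowed-ips (cryptokey routing), and client AllowedIPs that do not cover the LAN. It assumes LAN hosts carry the LAN prefix as an on-link route with no proxy ARP configured; the config text is constructed from the posts with keys redacted.

```python
import ipaddress

# Constructed sample modelled on the VM-side wg0.conf in the posts above (keys redacted).
CLIENT_CONF = """[Interface]
Address = 10.0.2.10/16
PrivateKey = redacted
[Peer]
PublicKey = redacted
Endpoint = vpn.example.com:42001
AllowedIPs = 10.0.0.0/16   # route only LAN traffic through the tunnel
PersistentKeepalive = 21
"""


def parse_wg_conf(text):
    """Minimal wg-quick parser: (interface dict, [peer dicts]); repeated keys become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(val)
    iface = next(d for name, d in sections if name == "Interface")
    return iface, [d for name, d in sections if name == "Peer"]


def check_site_to_site(client_text, lan, tunnel_range, server_allowed_ips):
    """Return findings (empty list = consistent); server_allowed_ips is the peer's allowed-ips on OPNsense."""
    lan, tunnel = ipaddress.ip_network(lan), ipaddress.ip_network(tunnel_range)
    iface, peers = parse_wg_conf(client_text)
    tun_addr = ipaddress.ip_interface(iface["Address"][0]).ip
    findings = []
    # LAN hosts whose on-link prefix contains the tunnel range ARP for tunnel addresses instead of
    # sending replies to the gateway (assumes no proxy ARP on OPNsense).
    if tunnel.overlaps(lan):
        findings.append(f"tunnel range {tunnel} overlaps LAN {lan}: LAN hosts treat it as on-link")
    if tun_addr not in tunnel:
        findings.append(f"client Address {tun_addr} lies outside the tunnel range {tunnel}")
    # Cryptokey routing: WireGuard drops inbound packets whose source is not in allowed-ips.
    if not any(tun_addr in ipaddress.ip_network(n, strict=False) for n in server_allowed_ips):
        findings.append(f"server allowed-ips {server_allowed_ips} do not include {tun_addr}")
    # The client only sends LAN-bound packets into the tunnel if a peer's AllowedIPs covers the LAN.
    client_nets = [ipaddress.ip_network(n.strip()) for p in peers
                   for v in p.get("AllowedIPs", []) for n in v.split(",")]
    if not any(lan.subnet_of(n) for n in client_nets):
        findings.append(f"LAN {lan} is not covered by any peer AllowedIPs on the client")
    return findings
```

Running it against the posted values (LAN 10.0.0.0/16, tunnel range 10.0.2.0/24, server allowed-ips 10.0.2.10/32) reports only the overlap finding; with a LAN of 10.0.0.0/24 the same config passes cleanly.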
#9
I have 2 FreeIPA servers set up in HA configuration.  I want to be able to go to https://ipa.example.com and view the web UI.

Problem is however, when I do said thing, it rewrites the URL to https://ipa1.example.com/ipa/ui/

How can I prevent this so that it continues to use ipa.example.com?
#10
20.7 Legacy Series / Prevent Host Rewrite with HAProxy
December 14, 2020, 03:52:47 AM
I have a FreeIPA server setup to manage lan.example.com.  I want to be able to access the web UI on ipa.example.com with ACME certs, so I set up HAProxy to do so.

Real server: ipa1 ipa-server1.lan.example.com:443

Backend: ipa1

Frontend: listen ipa.example.com:443

And it works... somewhat.  It does properly redirect to the backend.  But it seems to be getting rewritten to the lan.example.com host.

E.g., when I visit it, the URL changes from ipa.example.com to ipa-server1.lan.example.com/ipa/ui/.

How can I prevent that host rewrite so that it stays as ipa.example.com?  When it redirects it also prevents using the proper SSL certificate because it's connecting directly to the backend now.
#11
19.7 Legacy Series / Configure BGP for Kubernetes
October 13, 2019, 06:32:46 AM
I'm planning on using MetalLB with BGP configuration for a 3-node Kubernetes cluster on my home network.  I plan to use BGP instead of layer 2 because I frequently get timeout errors with layer 2.  I am currently uncertain if this is due to OPNSense or MetalLB.

I figured that if I configure BGP, then the timeout issues will go away.  However, I can't find any information on how to configure BGP in OPNSense.

How would I configure BGP to allow for allocation of IP addresses between 10.0.15.0-10.0.15.255?
#12
19.7 Legacy Series / Unbound wildcard entry
August 25, 2019, 03:52:58 AM
Am I able to add wildcard overrides to unbound? 

Say, if an override doesn't exist for SOMETHING.example.com, it will default to the override for *.example.com.

Or if it doesn't find any match, but ends in example.com, have it forward to that IP.
#13
I'm trying to add LDAP auth to my OPNSense installation.  I got the server set up and can confirm it works with the tester by entering a valid username/password.  I'm using FreeIPA as the LDAP server. 

But I don't see any import icon when I go to System > Access > Users. 

Details for System > Access > Servers > FreeIPA server:
Hostname: ipa.example.com
Port: 389
Peer CA: OPNSense
Bind Credentials: (blank)
Base DN: dc=example,dc=com
Authentication containers: cn=users,cn=compat,dc=example,dc=com
User naming attribute: uid


Am I doing something wrong?
#14
I have a bunch of subdomains (ex1.example.com, ex2.example.com, ...) pointing to my OPNSense router (10.0.0.1).  I also have HAProxy to proxy requests on 443 to their respective backends.

I don't recall changing anything, but now, they won't work from the outside.  Only if the DNS resolves to 10.0.0.1, and not my WAN IP, will it proxy the traffic correctly to their backends.  If you try from WAN, it gives the warning about a DNS rebind attack.

How can I prevent this behavior and make it proxy correctly?
#15
18.7 Legacy Series / radvd file location?
January 18, 2019, 10:52:08 AM
Is there a file that contains the contents of the output of the command `radvdump`?  I need to enable radvd on my dd-wrt wireless router to be able to get an IPv6 address and it would work best if I can just copy its radvd to the radvd location on dd-wrt.