Show Posts
Messages - Amanaki

1
Virtual private networks / Re: OPNSense and NordVPN
« on: March 07, 2022, 11:36:17 pm »
Did you add an interface, gateway and NAT rule on this config? Sounds like you want to use selective routing, is that right?

Although this how-to is for WireGuard, the principles are the same: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html# Give it a try and see how you go.

Manaki

2
Virtual private networks / Help request: Wireguard full tunnel routing for external client
« on: March 07, 2022, 10:39:55 pm »
I have a simple setup with single LAN only network 10.34.10.10/24 and a wireguard client configured for VPN access to external VPN provider. For DNS, I am using a template to forward all DNS requests to NextDNS anycast servers. All clients on LAN network are policy based routed to external VPN and are working as expected.

Today, I added a new external client device using Road Warrior and got a connection to OPNsense but cannot seem to route the client back out over my existing Wireguard VPN tunnel connection.

Have tried various different methods, but the client only returns my WAN IP address instead of my VPN provider's address. Settings are as follows:

---------------------
Servers (OPNsense):

VPN: WireGuard > Local:

Interface: WG0
Listen: 51821
Tunnel address: 10.11.1.52/16
DNS: Blank
Peers: VPN_PROVIDER
Disable Routes: Checked
Gateway: 10.11.1.51
Monitor IP: VPN provider IP address

Interface: WG1
Listen: 51831
Tunnel address: 172.16.16.2/24
DNS: Blank
Peers: iPAD_CLIENT
Disable Routes: Unchecked
Gateway: Blank
Monitor IP: Blank

------------------------------------
Clients (OPNsense):

VPN: WireGuard > Endpoints:

Name: VPN_PROVIDER
Allowed IPs: 0.0.0.0/24
Endpoint Address: VPN provider address
Endpoint port: 51822
 
Name: iPAD_CLIENT
Allowed IPs: 172.16.16.20/32
Endpoint Address: Blank
Endpoint port: Blank

------------------------
External Remote Client (iPAD):

Addresses: 172.16.16.20/32
Listen port: 51831
DNS: Blank

Peer:

Allowed IPs: 0.0.0.0/0
Endpoint: a.b.c.d:51831

------------------------------------------
NAT and Rules (OPNsense):

Firewall: Rules: WAN

Interface: WAN
Direction: In
Proto: UDP
Source: any
Ports: any
Destination: WAN address   
Destination Port: 51831

Firewall: Rules: Wireguard (Group)

None

Firewall: Rules: WG0

None

Firewall: Rules: WG1

None

Firewall: Rules: LAN

Interface: LAN
Direction: In
Proto: TCP/UDP
Source: ALL_CLIENTS (Alias for all LAN clients)
Destination invert: Checked
Destination: PRIVATE_NETWORKS (Alias for RFC1918_Networks)
Ports: WAN_SERVICE_PORTS (Alias containing service ports)
Gateway: WG0 Gateway (to VPN provider)

Firewall: NAT: Outbound

Interface: WG0
Source: Local_Networks (Alias) 10.34.10.10/24
NAT Address: Interface Address

How can I properly route all traffic from my external client down the existing VPN provider tunnel?

TIA.
Manaki
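
As an added example (editor's code, not part of the post), the checker below applies the peer, policy-routing and outbound-NAT settings listed above to a given source/destination pair and reports which of them actually match, and it also shows how many destination addresses an AllowedIPs prefix selects. It assumes the ALL_CLIENTS alias equals the LAN subnet, that PRIVATE_NETWORKS is the three RFC 1918 blocks, and it ignores the LAN rule's protocol and port matching; the helper names are mine.

```python
"""Added example, not from the forum post: apply the peer, policy-routing and
outbound-NAT settings listed in the post to a source/destination pair and
report which of them match.  Assumptions (not stated in the post): the
ALL_CLIENTS alias equals the LAN subnet, PRIVATE_NETWORKS is the three
RFC 1918 blocks, and the LAN rule's protocol/port matching is ignored."""
import ipaddress
from typing import Dict, Iterable, List

LAN_SUBNET = "10.34.10.10/24"                                  # from the post (host-style notation)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]    # assumed PRIVATE_NETWORKS alias
PEERS: Dict[str, List[str]] = {
    "VPN_PROVIDER": ["0.0.0.0/24"],                            # Allowed IPs exactly as written in the post
    "iPAD_CLIENT": ["172.16.16.20/32"],
}
POLICY_ROUTE = {"interface": "LAN", "sources": [LAN_SUBNET], "gateway": "WG0"}  # LAN rule
OUTBOUND_NAT = {"interface": "WG0", "sources": [LAN_SUBNET]}                   # Local_Networks alias


def net(prefix: str) -> ipaddress.IPv4Network:
    """Parse a prefix; strict=False accepts host-style notation such as 10.34.10.10/24."""
    return ipaddress.ip_network(prefix, strict=False)


def covered_by(addr: str, prefixes: Iterable[str]) -> bool:
    """True when addr lies inside at least one of the prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net(p) for p in prefixes)


def allowed_ips_size(prefix: str) -> int:
    """How many destination addresses a single AllowedIPs entry selects for a peer."""
    return net(prefix).num_addresses


def ingress_interface(src: str) -> str:
    """Interface a packet from src arrives on, using the addressing in the post."""
    if covered_by(src, [LAN_SUBNET]):
        return "LAN"
    if covered_by(src, PEERS["iPAD_CLIENT"]):
        return "WG1"
    return "other"


def route_report(src: str, dst: str) -> Dict[str, object]:
    """Which of the posted settings match a flow from src to dst."""
    iface = ingress_interface(src)
    # The LAN rule is bound to the LAN interface with source ALL_CLIENTS and
    # "Destination invert" on PRIVATE_NETWORKS; the WG0/WG1 rule sets are empty.
    policy_routed = (
        iface == POLICY_ROUTE["interface"]
        and covered_by(src, POLICY_ROUTE["sources"])
        and not covered_by(dst, RFC1918)
    )
    return {
        "ingress": iface,
        "policy_routed_to_wg0": policy_routed,
        "natted_on_wg0": covered_by(src, OUTBOUND_NAT["sources"]),
        "dst_in_provider_allowed_ips": covered_by(dst, PEERS["VPN_PROVIDER"]),
    }


if __name__ == "__main__":
    for src, dst in [("10.34.10.50", "1.1.1.1"), ("172.16.16.20", "1.1.1.1")]:
        print(src, "->", dst, route_report(src, dst))
    print("0.0.0.0/24 selects", allowed_ips_size("0.0.0.0/24"), "addresses;",
          "0.0.0.0/0 selects", allowed_ips_size("0.0.0.0/0"))
```

Running it for a LAN host and for the road-warrior address 172.16.16.20 shows which of the three posted settings (LAN policy route, WG0 outbound NAT, provider AllowedIPs) each source matches; the prefix arithmetic also makes explicit what a given AllowedIPs entry literally covers, which is the first thing to compare against the intended "everything" (0.0.0.0/0) when a peer should carry all traffic.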

3
General Discussion / GEOIP Blocking Rule Failure Targeting Port 0
« on: March 04, 2022, 02:11:52 am »
Hi,

Have GEOIP blocking enabled on my IPv4-only firewall and have started seeing regular entries from a blocked country (CN in this case).

Up front: my firewall's advanced max states setting is set to 2000000.

Attached screenshots of:

1. Log event showing the origin country CN was not blocked
2. GEOIP Alias definition
3. Floating rules for In + Out on WAN interface

Any ideas, suggestions on how to resolve or improve?

Thanks.


4
General Discussion / [SOLVED] Unable to Obtain Secure WEBGUI Connection After SSL Installation
« on: March 03, 2022, 08:44:03 am »
In case this helps someone else:

To get SSL working properly on your OPNsense firewall, you must have the TCP port set to 443.

--------------------------------

Dear all,

Loosely following a couple of tutorials (https://forum.opnsense.org/index.php?topic=23339.0 and https://www.wolffhaven45.com/2017/11/07/intranet-ssl-certificate-for-pfsense-using-lets-encrypt--cloudflare/) to set up SSL for OPNsense WEBGUI access, but after many failures to get a secure green padlock connection running, we have opted to ask for help.

Domain:

We own a domain (fictional here) mydomain.xyz and the nameservers are pointing to Cloudflare. We do not have or require any hosting.

OPNsense firewall hostname:

Our firewall has beupone as the system Hostname and runs on port 588.

In Cloudflare we added a cname record for the firewall hostname (beupone) pointing to mydomain.xyz resulting in beupone.mydomain.xyz.

General steps:

Installed ACME Client -> Created account -> Added challenge type -> Created certificate successfully

After doing so, we chose the new certificate in System -> Settings -> Administration -> SSL Certificate (beupone.mydomain.xyz).

Trying to access https://beupone.mydomain.xyz:588 fails.

Have attached a few pictures of our settings in case it helps.

Anyone encountered this issue or have any tips on how we can make it work?

Thanks.

5
19.7 Legacy Series / Encrypting Local WiFi Network Traffic With Wireguard
« on: October 27, 2019, 04:18:37 am »
Hi all,

Have been searching for a solid guide to follow but am yet to come across anything that resembles my use case requirement. Not sure if it can even be done but here goes.

What I am wanting to do is use WireGuard to encrypt my local WiFi network traffic. I do not need it to go externally as all my traffic is currently routed through an OpenVPN client connection.

My setup is as follows:

Firewall Appliance -> Netgear Router AP Mode -> Wireless Clients

OS-Wireguard is installed on my firewall.

Any and all help is greatly appreciated.

6
Tutorials and FAQs / Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
« on: July 10, 2019, 02:09:44 am »
Hey franco,

Many thanks for your help.

I managed to get all the way through the installation phase. It's a shame the mods to this section didn't provide an update to complement the excellent guide(s) written by @directnupe.

Now I am just trying to figure out how to select localhost on the interfaces section when the option to select it is no longer there! Another change perhaps??

Many thanks,
Amanaki

7
Tutorials and FAQs / Re: SOLVED (DNS Privacy Project) DNS OVER TLS WITH GETDNS+STUBBY OPNSENSE PORTS
« on: July 09, 2019, 12:46:01 am »
Hi all,

Using this guide, I am trying to get Stubby / GetDNS running on my machine but I have come across an issue in step # 3 which is preventing me from going further.

My fresh install:

OPNsense 19.1.10-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019
Unbound 1.9.2

This is the step I am having problems with:

Code:
Step 3: - Proceed and complete Opnsense Ports install with the following commands: ( Note that is designed for Opnsense 18.7 Variants; however, I believe that it will work with all Opnsense versions - but I have not tested that proposition. )

# cd /etc
# fetch https://raw.githubusercontent.com/opnsense/tools/master/config/18.7/make.conf

Returns the following errors:

Code:
root@OPNsense:~ # cd /etc
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record

As can be seen, I tried modifying the path provided in the guide but it won't work in the command line. I am not sure what is wrong. Perhaps I have missed something with all the changes.

Help please!

8
18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2
« on: January 16, 2019, 02:39:38 pm »
Ok. I will add this on downtime and see if it makes any difference to my DNS results.

Thanks.

9
18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2
« on: January 15, 2019, 11:24:57 pm »
No such file or directory!

Code:
root@OPNsense:~ # cat /etc/rc.conf.d/dnscrypt_proxy
cat: /etc/rc.conf.d/dnscrypt_proxy: No such file or directory

10
18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2
« on: January 14, 2019, 10:33:39 pm »
Services -> Unbound DNS -> General -> Enable Forwarding Mode = UNCHECKED

Ok, so my interpretation of your instruction is to use a Windows client on my network, flush its DNS cache, then visit a website, is that correct?

I did as above using dnsprivacy.org then checked my dnscrypt-proxy logs and found the following entries:

Code:
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org DS PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD

On another note, I think I have stumbled across an issue where a file is missing inside my configuration.

In the install notes, there is a reference to a config file in the following path:

'etc/rc.conf'

Using winscp, I cannot find it at all...

The dnscrypt-proxy files I have are:

'usr/local/etc/rc.d'
'usr/local/etc/dnscrypt-proxy/dnscryptproxy.toml'

I initially installed 18.7.6 and am not sure if this was caused by upgrading to the current version, 18.7.10.


11
18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2
« on: January 14, 2019, 10:37:32 am »
I am not familiar with any CLI commands for unbound, but I assume this is what you were after.

Code:
unbound: [21146:1] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:2] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:0] info: start of service (unbound 1.8.3).
unbound: [21146:0] notice: init module 1: iterator
unbound: [21146:0] notice: init module 0: validator
unbound: [86555:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: service stopped (unbound 1.8.3).
unbound: [86555:0] info: start of service (unbound 1.8.3).
unbound: [86555:0] notice: init module 1: iterator
unbound: [86555:0] notice: init module 0: validator
unbound: [86555:0] notice: Restart of unbound 1.8.3.

Below are settings I have for dnscrypt-proxy and unbound. I can post my entire .toml file if you need as well. Note I use Plex and do not use any IPv6 at all.

Dnscrypt-proxy .toml file includes the following for forwarding rules:

Code:
lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1

Unbound additional config includes:

Code:
server:
  do-not-query-localhost: no
  private-domain: "plex.direct"

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353

The thing that really strikes me about this is when I was an OpenWRT user, I always got dnsleak tests back with the country I was connected to. For example, if my server selection in .toml file was set to cloudflare, then if I connected my vpn client to NL for instance, the dnsleak test would show the cloudflare server as being in NL as opposed to my home country.

Thanks again for taking the time to help out. I am keen to get to the bottom of this issue.

Amanaki

12
18.7 Legacy Series / Re: Firewall Rules for DNSCrypt Proxy v2
« on: January 14, 2019, 08:21:32 am »
Ok, below I have enclosed dnscrypt-proxy daemon logs and test outputs with CLI.

Code:
[2019-01-14 14:08:44] [NOTICE] dnscrypt-proxy 2.0.19
[2019-01-14 14:08:44] [NOTICE] Loading the set of blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-blacklist]
[2019-01-14 14:08:45] [NOTICE] Loading the set of forwarding rules from [/usr/local/etc/dnscrypt-proxy/forwarding-rules]
[2019-01-14 14:08:45] [NOTICE] Loading the set of IP blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-ip-blacklist]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2019-01-14 14:08:46] [NOTICE] [cloudflare] OK (DoH) - rtt: 31ms

Code:
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 cdn.fbsbx.com A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 fbsbx.com DS PASS


Code:
root@OPNsense:~ # ps ax | grep dnscrypt
50066  -  Is     0:00.00 daemon: /usr/local/sbin/dnscrypt-proxy[50151] (daemon)
50151  -  I      1:32.52 /usr/local/sbin/dnscrypt-proxy -config /usr/local/etc/
71046  0  S+     0:00.01 grep dnscrypt

Code:
root@OPNsense:~ # drill -p 53 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 926
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   508     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 241 msec
;; SERVER: 127.0.0.1
;; WHEN: Redacted
;; MSG SIZE  rcvd: 46


Code:
root@OPNsense:~ # drill -p 5353 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8169
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   599     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 18 msec
;; EDNS: version 0; flags: ; udp: 1452
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 17:59:46 2019
;; MSG SIZE  rcvd: 69


Code:
root@OPNsense:~ # dnscrypt-proxy -resolve dnscrypt.me
Resolving [dnscrypt.me]

Domain exists:  yes, 2 name servers found
Canonical name: dnscrypt.me.
IP addresses:   104.31.74.114, 104.31.75.114
TXT records:    v=spf1 include:spf.messagingengine.com ?all
Resolver IP:    194.132.32.23 (dns2.ipredator.se.)

Code:
root@OPNsense:~ # drill -p 53 google.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31403
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     599     IN      A       216.58.199.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 53 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 18:06:34 2019
;; MSG SIZE  rcvd: 44
root@OPNsense:~ #

Can you spot anything out of the ordinary?
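
As an added example (editor's code, not part of posts 10 or 12), the script below parses the dnscrypt-proxy query-log lines of the form shown in those posts ("[timestamp] client qname qtype result"), skips daemon NOTICE lines, and summarises results per outcome, the names that hit the blocklist (REJECT), the names handled by forwarding rules (FORWARD), and whether every client address is loopback. The sample lines are copied from the posts (one NOTICE line from the daemon log is included to show it is ignored); the function and field names are mine.

```python
"""Added example, not from the forum posts: parse and summarise dnscrypt-proxy
query-log lines ("[timestamp] client qname qtype result").  Sample lines are
copied from the posts; function and field names are mine."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Query-log line: [YYYY-MM-DD HH:MM:SS] <client IPv4> <qname> <qtype> <result>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<result>[A-Z_]+)\s*$"
)

# Lines taken from the posts; the last one is a daemon NOTICE line, not a query.
SAMPLE_LOG = """\
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 18:10:37] 127.0.0.1 fbsbx.com DS PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD
[2019-01-14 14:08:46] [NOTICE] [cloudflare] OK (DoH) - rtt: 31ms
"""


class QueryEvent(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str
    result: str


def parse_query_log(text: str) -> List[QueryEvent]:
    """Keep only well-formed query-log lines; daemon NOTICE lines are skipped."""
    events: List[QueryEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(QueryEvent(**m.groupdict()))
    return events


def summarize(events: List[QueryEvent]) -> Dict[str, object]:
    """Counts per result plus the names that hit the blocklist or a forwarding rule."""
    clients = sorted({e.client for e in events})
    return {
        "by_result": dict(Counter(e.result for e in events)),
        "rejected_names": sorted({e.qname for e in events if e.result == "REJECT"}),
        "forwarded_names": sorted({e.qname for e in events if e.result == "FORWARD"}),
        "synth_aaaa": sum(1 for e in events if e.qtype == "AAAA" and e.result == "SYNTH"),
        # When every client is loopback, the log only ever shows the local
        # forwarder (unbound at 127.0.0.1), never the LAN host that actually asked.
        "loopback_only": bool(clients) and all(c.startswith("127.") for c in clients),
        "clients": clients,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_query_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The loopback check is the detail worth keeping in mind for this unbound-in-front-of-dnscrypt-proxy layout: because unbound forwards to 127.0.0.1@5353, dnscrypt-proxy's own log cannot attribute a blocked or forwarded query to a LAN host, so per-client investigation has to happen in unbound's logs instead.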


13
18.7 Legacy Series / Re: OpenVPN Client Killswitch
« on: January 14, 2019, 05:13:32 am »
Hey thanks. I looked at the previous thread and I noticed a lot of people had issues with it. Also, it does not make any mention of unbound and dnscrypt-proxy either so I wonder if it is a viable option to pursue for my use case.

Regarding your suggestion of floating rules, I do not have any experience with using floating rules at this point. Do you have a sample I could refer to, or something at least to help get me started in the right direction?

14
18.7 Legacy Series / Re: OpenVPN Client Killswitch
« on: January 14, 2019, 04:40:21 am »
Yes, that is right.

I have two networks (VLAN40 + VLAN10) for my teenage boys who game a lot. It has UPnP for gaming and all, so I just isolate them and allow all traffic to WAN directly through the ISP.

15
18.7 Legacy Series / Re: OpenVPN Client Killswitch
« on: January 14, 2019, 04:17:39 am »
Hi abalsam,

Quote
1.  Are you looking to restrict a single host to VPN only or the entire network? - the answer to this question would determine what rules to use.

My setup includes LAN and a number of VLANS. I have three VPN clients running. Only two networks require clearnet WAN access. All others are VPN connected and I want none of them to pass traffic to the clearnet if any of the connections drop.

Quote
Do you establish VPN connectivity via an IP address or a hostname (which must be resolved via DNS)?  - the answer to this question would determine if DNS should be included or excluded from the kill switch (if I need DNS working to resolve my VPN hostname I can't include it within the kill switch).

I use ExpressVPN and use hostnames for connections which as you pointed out, require DNS resolution.

On the note of DNS, I am using DNScrypt-proxy with unbound.

Also, I have changed my NAT to manual and have tried to jimmy a killswitch using NAT, but I am not sure if it does anything. I enclosed a screenshot for you.

Thanks for helping :-)




OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved