Messages - unquietwiki

#1
Thanks for the quick reply; I'll try it later. Seems counter-intuitive, from a UI perspective.
#2
Hey everyone. So I support a site that has nascent IPv6 support from its ISP via DHCPv6. Internally, we use a ULA to support internal traffic over our VPN, virtual machines, & local site systems. However, there is not presently an obvious way for me to have both a "tracked" IPv6 LAN address, as well as a static address for the ULA. Some other folks have suggested virtual IP, or IP alias; but as of 22.1, the only netmasks for those addresses are 32 or less, which means IPv4-only. Please advise. Thank you.
#3
I ran into some weird stuff with tying that FreeRADIUS setup to IPsec. EAP-RADIUS doesn't seem to work with it authenticating against LDAP/AD.

https://forum.opnsense.org/index.php?topic=26429.0
#4
Hey all. Using instructions from https://docs.opnsense.org/manual/how-tos/ipsec-road.html & https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html, and a lot of trial-and-error with the cipher keys, I can connect my Windows 11 system to OPNsense. However, two issues remain....

1. I have FreeRADIUS set up to authenticate via LDAPS to an Active Directory server. However, while it authenticates in OPNsense, it gets password errors for VPN users. Making a local VPN user gets around this, but...

2. The client gets a subnet mask of 255.255.255.255. It's immediately unclear from the documentation if you need to use a dedicated IP range with a virtual IP, and/or routing rules to connect that to the LAN IP ranges (using IPv4 & IPv6 at the remote site).

I feel like this stuff may have been working before in the past, but maybe not now? Please advise. Thanks.

Added details....

1. Regarding the authentication issue, the error I see in the FreeRADIUS logs...

Quote: Login incorrect (mschap: FAILED: No NT-Password. Cannot perform authentication)

2. Regarding the routing issue, I did see this in the IPsec log...

Quote: installing route failed: (VPN IPV6 ADDR)/128 via (WAN IPV4 GATEWAY) src (LAN IPV6 ADDR) dev em0
adding PF_ROUTE route failed

3. Regarding IPsec connectivity & the tutorials given, the default set of Windows ciphers doesn't neatly overlap with it, and gives inconsistent behavior; reporting this to Microsoft. The default working CIPHER for EAP-RADIUS came out to be ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ

Microsoft report: https://aka.ms/AAfj0rb

is initiating an IKE_SA

Quote: received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

initiating a Main Mode IKE_SA

Quote: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
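An added example, not part of the post and not OPNsense or strongSwan code, that parses the two "received proposals" log lines quoted above and checks them against a server-side proposal list (SERVER_PROPOSALS is a constructed assumption, not the poster's configuration); it reports which client proposals the server could accept and flags 3DES and 1024-bit MODP groups, which is the overlap problem the post describes:

```python
import re
from typing import Dict, List, Set

# Primitives this example treats as weak (the example's own choice):
# 3DES (64-bit block) and 1024-bit MODP Diffie-Hellman.
WEAK: Set[str] = {"3DES_CBC", "MODP_1024"}
# strongSwan logs each Phase 1 proposal as IKE:ENC/INTEG/PRF/DH.
PROPOSAL_RE = re.compile(r"IKE:([A-Z0-9_]+(?:/[A-Z0-9_]+){3})")

# The two "received proposals" lines quoted in the post (Windows 11 defaults).
IKEV2_LINE = ("received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
              "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
              "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
              "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
              "IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
              "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024")
MAIN_MODE_LINE = ("received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, "
                  "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, "
                  "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
                  "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
                  "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")
# Constructed server-side proposal list (an assumption, not the poster's config).
SERVER_PROPOSALS = [
    "AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384",
    "AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384",
    "AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
]

def parse_proposals(line: str) -> List[str]:
    """Extract the ENC/INTEG/PRF/DH proposal strings from one log line."""
    return PROPOSAL_RE.findall(line)

def weak_parts(proposal: str) -> Set[str]:
    """Components of one proposal that are in WEAK (empty set = acceptable)."""
    return set(proposal.split("/")) & WEAK

def check_overlap(line: str, server: List[str]) -> Dict[str, object]:
    """Which client proposals the server could accept, and which of those are weak.

    An empty 'common' list means no IKE_SA can be built with this server
    configuration, which is how a default-cipher mismatch shows up in practice."""
    offered = parse_proposals(line)
    common = [p for p in offered if p in server]   # keeps the client's order
    return {
        "offered": len(offered),
        "common": common,
        "weak_in_common": [p for p in common if weak_parts(p)],
        "all_offered_weak": bool(offered) and all(weak_parts(p) for p in offered),
    }
```

Run `check_overlap(IKEV2_LINE, SERVER_PROPOSALS)` to see that every IKEv2 proposal Windows offered here uses MODP_1024, so nothing matches the constructed server list, while the Main Mode list overlaps on the ECP_384 entry.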
#5
Hey all. As of 21.7, these appear to be the required parameters for AD user search. The answers in this post helped me sort this out; thanks!

Bind User: CN=FreeRADIUS,CN=Managed Service Accounts,DC=AD,DC=EXAMPLE,DC=ORG

Base Domain: DC=AD,DC=EXAMPLE,DC=ORG

User Search: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})

Group Search: (memberOf=CN=Users,DC=AD,DC=EXAMPLE,DC=ORG)
#6
If you look up the spec for this online, it comes with an AMD APU that's rated for 1080P gaming @ 15W, and has both 1gbit and 2.5gbit Realtek NICs. Anyone use this kind of setup yet? Also pondering running it as a KVM host, with OPNsense as a VM; I've done that before on other systems. Thanks.
#7
Hey all. I've used ZeroTier on OPNsense before, and as of last week, I work for them now! I'm trying to get some feedback on use and make folks aware of some additional support resources. It's especially awesome that it works in OPNsense since you can use it to create a cross-network appliance with other solutions.
Thanks!
#8
It seems despite DHCP being set to have leases on a 6-12h period, I have a backlog of leases going back to August. Just updated to 16.1 from 15.7, so curious to see if there's a safe way to purge the old expired leases, or if a feature could be added to wipe out all expired or offline leases. Thanks!
#9
Acknowledged that the fix is in. Thanks!!! :)
#10
Updated to 15.7.7_1 today, and had rebooted later on for a different reason. After coming back online, and changing some stuff in the DNS resolver config & restarting the service, an odd hiccup occurred. Started getting a lot of errors like the following, and the resolver service was stuck in down mode....

Aug 5 19:14:03    unbound: [1878:0] error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:fopen:No such file or directory
Aug 5 19:14:03    unbound: [1878:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Aug 5 19:11:50    unbound: [44668:0] fatal error: could not set up remote-control
Aug 5 19:11:50    unbound: [44668:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Aug 5 19:11:50    unbound: [44668:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Aug 5 19:11:50    unbound: [44668:0] error: Error in SSL_CTX use_certificate_file crypto error:02001002:system library:fopen:No such file or directory
Aug 5 19:11:50    unbound: [44668:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem

Doing some digging around, I was able to get it going again by using the SSH shell to do the following....

* chown unbound:wheel /var/unbound
* sudo -u unbound unbound-control-setup
* chown -R root:wheel /var/unbound
* unbound-control reload

The OS is running on an SSD, and I am using a "nano" build, so maybe this is some race condition?