Messages

1

22.1 Legacy Series / Certificate verification on devel stream

« on: June 25, 2022, 10:07:30 pm »

I've started up one of my devel machines after a longer time being offline. I faced the issue with not being able to update due to server certificate validation issues with the let's encrypt upstream. After some recommendations in other threads I removed all Let's Encrypt roots and intermediates from the certificate trust, then I switched to a HTTP mirror and accomplished to update.
Now I'm facing the situation that when trying to change to the devel stream (mirror type 'Development') I get verification errors, but on the community stream updating is possible via the same mirror even using HTTPS (default mirror - pkg.opnsense.org).

Code: [Select]

***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.9 (amd64/OpenSSL) at Sat Jun 25 22:00:51 CEST 2022
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:

How is server certificate verification related to the chosen release type?? I'm out of ideas what to try (curl https://pkg.opnsense.org actually works without issues).

2

22.1 Legacy Series / Re: [RESOLVED] IPSec VPN - Tunnel Settings Phase 2 add entry button missing

« on: February 22, 2022, 10:27:02 pm »

I think the user interface can really be improved here, as such exceptions from the rule are really counterintuitive.

3

22.1 Legacy Series / IPSec VPN - Tunnel Settings Phase 2 add entry button missing

« on: February 22, 2022, 08:28:10 pm »

Hi
The add P2 button is actually located next to the corresponding P1 entry.

4

22.1 Legacy Series / Re: Ipsec throughput poor

« on: February 10, 2022, 07:27:30 pm »

Try to enforce a max. MSS value on the IPSec interface using a normalization rule in Firewall > Advanced > Normalization. See an example attached.

http://cloud.tapatalk.com/s/620558dfc945d/Safari%20-%2010.02.2022%20at%2019%3A24.pdf

5

22.1 Legacy Series / Dual-stack IPsec route-based tunnel

« on: January 30, 2022, 05:40:07 pm »

Hi,
anyone already accomplished a dual-stack IPv4 and IPv6 route-based IPsec tunnel? I want to use IPv4 and IPv6 (in Phase 2) in a single tunnel, is this possible?
Whenever I add the IPv6 Phase 2 the tunnel removes the IPv4 network endpoints:

Before (IPv4 only):

Code: [Select]

ipsec2000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec2000 prefixlen 64 scopeid 0x9
        inet 172.16.0.4 --> 172.16.0.8 netmask 0xffffffff
        groups: ipsec
        reqid: 2000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

After (IPv4 and IPv6 added on P2):

Code: [Select]

ipsec4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec4 prefixlen 64 scopeid 0x9
        inet6 fdfa:8191:4040:2000::4 --> fdfa:8191:4040:2000::8 prefixlen 128
        groups: ipsec
        reqid: 4
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Any ideas?

6

22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V

« on: January 19, 2022, 08:02:19 pm »

Cannot confirm your experience on an Azure VM:

Code: [Select]

mf@opnsense-dev:~ % speedtest

   Speedtest by Ookla

     Server: Claranet Benelux B.V. - Amsterdam (id = 30847)
        ISP: Microsoft Corporation
    Latency:     2.53 ms   (0.26 ms jitter)
   Download:  3093.84 Mbps (data used: 3.2 GB )                               
     Upload:   956.58 Mbps (data used: 864.6 MB )                               
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/abd6703b-9231-498c-97b6-98533a3df037
mf@opnsense-dev:~ % uname -r
13.0-STABLE

7

22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V

« on: January 16, 2022, 02:21:40 pm »

I run two VMs in Asure. I assume that’s also Hyper-V running in the background. Didn’t recognize any performance issues so far, but as those are dev. VMs they are not heavily used.

8

21.7 Legacy Series / Re: Help needed with Domain based routing

« on: January 06, 2022, 08:20:39 pm »

Can you share your VPN configuration? Especially the networks in the tunnel.

9

21.7 Legacy Series / Re: Help needed with Domain based routing

« on: January 06, 2022, 04:53:37 pm »

Not sure if I understand correctly what you want to achieve, but I assume you want to route HTTP traffic for certain websites via a different site (to connect to the HTTP server using a different public IP).

I assume the VPN tunnel is not foreseen to have other IP addresses than internal ones (local net and remote net are typically private IPs), but the domain.com resolves to a public IP which is not part of the tunnel network.
If so, then extend your VPN tunnel ranges.

If I'd get the task, I'd do it a slightly other way:

• Override the DNS entry of domain.com on the local OPNsense instance to any IP internal address which can traverse the VPN
• On the remote side make sure to have a outbound NAT rule which matches also the local LAN (not only the remote LAN)

10

22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1

« on: January 06, 2022, 08:49:35 am »

I'd say its worth to start a discussion via github

opnsense/core#5464 it is 

11

Web Proxy Filtering and Caching / Re: nginx default_server

« on: January 05, 2022, 07:46:23 pm »

Does that even make sense for https? I intentionally only implemented it for http.

You mean because it will most likely be a certificate mismatch to the hostname in all cases? One could use wildcard certificates to overcome this.

12

22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1

« on: January 05, 2022, 07:44:05 pm »

You can add that in the Tunables section of System > Settings without manually editing files.

I believe it should be enabled by default anyway (or at least loaded automatically upon enabling of the IPsec service).
It should go to /usr/local/etc/rc.loader.d/20-modules I’d say.

13

22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1

« on: January 05, 2022, 07:42:14 pm »

Thanks that was the issue…
Seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now…?

Will you create a PR or shall I?

14

21.7 Legacy Series / Do ramdisk setting work?

« on: January 05, 2022, 02:06:02 pm »

Hi,
I've also checked both settings and my mount points look like this:

Code: [Select]

mf@houston:~ % mount
/dev/gpt/rootfs on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)
devfs on /var/dhcpd/dev (devfs, local, multilabel)
devfs on /var/unbound/dev (devfs, local, multilabel)

Checked on OPNsense 21.7.7 (but having this set since many releases).

15

Web Proxy Filtering and Caching / Re: nginx default_server

« on: January 04, 2022, 09:05:15 pm »

The default_server option has been implemented in 21.7.7.

Unfortunately only for http - for https it's still missing. See https://github.com/opnsense/plugins/issues/2741