Messages - 8191

1
22.1 Legacy Series / Certificate verification on devel stream
« on: June 25, 2022, 10:07:30 pm »
I've started up one of my devel machines after a longer time being offline. I faced the issue of not being able to update due to server certificate validation issues with the Let's Encrypt upstream. After some recommendations in other threads I removed all Let's Encrypt roots and intermediates from the certificate trust, then I switched to an HTTP mirror and managed to update.
Now I'm facing the situation that when trying to change to the devel stream (mirror type 'Development') I get verification errors, but on the community stream updating is possible via the same mirror even using HTTPS (default mirror - pkg.opnsense.org).

Code:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.9 (amd64/OpenSSL) at Sat Jun 25 22:00:51 CEST 2022
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:

How is server certificate verification related to the chosen release type? I'm out of ideas what to try (curl https://pkg.opnsense.org actually works without issues).

2
22.1 Legacy Series / Re: [RESOLVED] IPSec VPN - Tunnel Settings Phase 2 add entry button missing
« on: February 22, 2022, 10:27:02 pm »
I think the user interface can really be improved here, as such exceptions from the rule are really counterintuitive.

3
22.1 Legacy Series / IPSec VPN - Tunnel Settings Phase 2 add entry button missing
« on: February 22, 2022, 08:28:10 pm »
Hi
The add P2 button is actually located next to the corresponding P1 entry.

4
22.1 Legacy Series / Re: Ipsec throughput poor
« on: February 10, 2022, 07:27:30 pm »
Try to enforce a max. MSS value on the IPSec interface using a normalization rule in Firewall > Advanced > Normalization. See an example attached.

http://cloud.tapatalk.com/s/620558dfc945d/Safari%20-%2010.02.2022%20at%2019%3A24.pdf

5
22.1 Legacy Series / Dual-stack IPsec route-based tunnel
« on: January 30, 2022, 05:40:07 pm »
Hi,
has anyone already accomplished a dual-stack IPv4 and IPv6 route-based IPsec tunnel? I want to use IPv4 and IPv6 (in Phase 2) in a single tunnel; is this possible?
Whenever I add the IPv6 Phase 2 the tunnel removes the IPv4 network endpoints:

Before (IPv4 only):
Code:
ipsec2000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec2000 prefixlen 64 scopeid 0x9
        inet 172.16.0.4 --> 172.16.0.8 netmask 0xffffffff
        groups: ipsec
        reqid: 2000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

After (IPv4 and IPv6 added on P2):
Code:
ipsec4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 80.123.123.49 --> 51.21.21.19
        inet6 fe80::222:68ff:fe12:b78b%ipsec4 prefixlen 64 scopeid 0x9
        inet6 fdfa:8191:4040:2000::4 --> fdfa:8191:4040:2000::8 prefixlen 128
        groups: ipsec
        reqid: 4
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Any ideas?

6
22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V
« on: January 19, 2022, 08:02:19 pm »
Cannot confirm your experience on an Azure VM:

Code:
mf@opnsense-dev:~ % speedtest

   Speedtest by Ookla

     Server: Claranet Benelux B.V. - Amsterdam (id = 30847)
        ISP: Microsoft Corporation
    Latency:     2.53 ms   (0.26 ms jitter)
   Download:  3093.84 Mbps (data used: 3.2 GB )
     Upload:   956.58 Mbps (data used: 864.6 MB )
Packet Loss:     0.0%
 Result URL: https://www.speedtest.net/result/c/abd6703b-9231-498c-97b6-98533a3df037
mf@opnsense-dev:~ % uname -r
13.0-STABLE

7
22.1 Legacy Series / Re: 22.1rc1 slow in Hyper-V
« on: January 16, 2022, 02:21:40 pm »
I run two VMs in Azure. I assume that's also Hyper-V running in the background. Didn't recognize any performance issues so far, but as those are dev. VMs they are not heavily used.

8
21.7 Legacy Series / Re: Help needed with Domain based routing
« on: January 06, 2022, 08:20:39 pm »
Can you share your VPN configuration? Especially the networks in the tunnel.

9
21.7 Legacy Series / Re: Help needed with Domain based routing
« on: January 06, 2022, 04:53:37 pm »
Not sure if I understand correctly what you want to achieve, but I assume you want to route HTTP traffic for certain websites via a different site (to connect to the HTTP server using a different public IP).

I assume the VPN tunnel is not foreseen to have other IP addresses than internal ones (local net and remote net are typically private IPs), but the domain.com resolves to a public IP which is not part of the tunnel network.
If so, then extend your VPN tunnel ranges.

If I'd get the task, I'd do it a slightly different way:
  • Override the DNS entry of domain.com on the local OPNsense instance to any internal IP address which can traverse the VPN
  • On the remote side make sure to have an outbound NAT rule which also matches the local LAN (not only the remote LAN)

10
22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1
« on: January 06, 2022, 08:49:35 am »
Quote from: mimugmail on January 06, 2022, 07:39:23 am
I'd say it's worth starting a discussion via github

opnsense/core#5464 it is  ;)

11
Web Proxy Filtering and Caching / Re: nginx default_server
« on: January 05, 2022, 07:46:23 pm »
Quote from: bimbar on January 05, 2022, 04:42:30 pm
Does that even make sense for https? I intentionally only implemented it for http.
You mean because it will most likely be a certificate mismatch to the hostname in all cases? One could use wildcard certificates to overcome this.

12
22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1
« on: January 05, 2022, 07:44:05 pm »
Quote from: pmhausen on January 05, 2022, 07:35:02 pm
You can add that in the Tunables section of System > Settings without manually editing files.
I believe it should be enabled by default anyway (or at least loaded automatically upon enabling of the IPsec service).
It should go to /usr/local/etc/rc.loader.d/20-modules I’d say.

13
22.1 Legacy Series / Re: Cannot establish IPsec tunnel with 22.1
« on: January 05, 2022, 07:42:14 pm »
Thanks that was the issue…
Seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now…?

Will you create a PR or shall I?

14
21.7 Legacy Series / Do ramdisk settings work?
« on: January 05, 2022, 02:06:02 pm »
Hi,
I've also checked both settings and my mount points look like this:

Code:
mf@houston:~ % mount
/dev/gpt/rootfs on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)
devfs on /var/dhcpd/dev (devfs, local, multilabel)
devfs on /var/unbound/dev (devfs, local, multilabel)

Checked on OPNsense 21.7.7 (but having this set since many releases).
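As an added example (not part of the post above and not OPNsense project code), the check the post does by eye can be scripted: parse `mount` output and report whether /var and /tmp are actually on tmpfs. The sample mount text is constructed inline to mirror the listing above, so the script runs offline; with no text argument the functions read the live `mount` output instead.

```shell
#!/bin/sh
# Constructed sample of `mount` output (mirrors the post above; not live data).
SAMPLE_MOUNT='/dev/gpt/rootfs on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /var (tmpfs, local)
tmpfs on /tmp (tmpfs, local)
devfs on /var/dhcpd/dev (devfs, local, multilabel)
devfs on /var/unbound/dev (devfs, local, multilabel)'

# fs_type_of MOUNTPOINT [MOUNT_OUTPUT]
# Prints the filesystem type of the entry mounted exactly at MOUNTPOINT,
# or "none" if that path is not a separate mount. Uses `mount` if no text given.
fs_type_of() {
    mp=$1
    text=${2:-$(mount)}
    printf '%s\n' "$text" | awk -v mp="$mp" '
        $2 == "on" && $3 == mp {
            t = $4                      # e.g. "(tmpfs," or "(ufs,"
            sub(/^\(/, "", t); sub(/,$/, "", t); sub(/\)$/, "", t)
            print t; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# ramdisk_status [MOUNT_OUTPUT]
# Prints "ok" when both /var and /tmp are tmpfs (the two ramdisk settings),
# otherwise "not-ramdisk:" followed by the mount points that are not.
ramdisk_status() {
    text=${1:-$(mount)}
    bad=""
    for mp in /var /tmp; do
        t=$(fs_type_of "$mp" "$text")
        [ "$t" = tmpfs ] || bad="$bad $mp=$t"
    done
    if [ -z "$bad" ]; then echo ok; else echo "not-ramdisk:$bad"; fi
}

ramdisk_status "$SAMPLE_MOUNT"
```

Run it without the sample argument (`ramdisk_status`) on the firewall itself to check the live state; a result other than `ok` names the mount point that is still on the root filesystem.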

15
Web Proxy Filtering and Caching / Re: nginx default_server
« on: January 04, 2022, 09:05:15 pm »
Quote from: bimbar on January 03, 2022, 06:32:37 pm
The default_server option has been implemented in 21.7.7.
Unfortunately only for http - for https it's still missing. See https://github.com/opnsense/plugins/issues/2741

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved