Messages

1

20.7 Production Series / OpenVPN Client Specific Overrides

« on: December 23, 2020, 10:48:01 am »

Hi,
I'm facing a problem with OpenVPN's Client Specific Overrides: even overrides are configured, no entry is generated to /var/etc/openvpn-csc/<serverid>.

What is the trigger to generate these entries?

Thanks

2

20.7 Production Series / Re: internet but no internet

« on: August 07, 2020, 07:10:03 am »

Can you actually ping any host on the internet from the firewall?

Sent from my ONEPLUS A6003 using Tapatalk

3

20.7 Production Series / Re: How can I access the opnsense web gui domain through openvpn?

« on: August 07, 2020, 07:07:25 am »

Hi,
In System > Settings > Administration, is Listening Interfaces configured to "All interfaces"?

Maybe a packet trace reveals more details about the issue? Either via the web UI Interfaces > Diagnostics > Packet Capture or via the shell using

Code: [Select]

tcpdump -i ovpns1 -n port 443
Br
Manuel

Sent from my ONEPLUS A6003 using Tapatalk

4

20.7 Production Series / Re: Why using stunnel via NAT only?

« on: August 02, 2020, 09:40:23 pm »

Thanks for explanation! So the reason is more a stability issue than a security issue?

5

20.7 Production Series / Re: internet but no internet

« on: August 02, 2020, 10:55:33 am »

Hi,

you mention that you can ping some hosts in the Internet. What is not working then?

You also mention that during flushing the ARP cache the internet does not work... How long does that actually take? Normally it should be an action of a few milliseconds.

Maybe the issue is that your ISP router somehow glues the MAC address of your router? In that case you could fake the OPNsense's box's MAC address on the WAN port.

BR
Manuel

6

20.7 Production Series / Why using stunnel via NAT only?

« on: August 02, 2020, 09:24:11 am »

Hi,

the stunnel documentation and as well the GUI help on the plugin's configuration mention, that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand online help for NAT mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address consider more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel

7

20.7 Production Series / Re: GEOIP blocking no longer working 20.7

« on: August 01, 2020, 12:20:16 pm »

Hi,

I cannot confirm your problem on my OPNsense instance. It works for me.
Maybe your API key expired?

BR
Manuel

8

20.7 Production Series / Routed IPsec looses static routes

« on: August 01, 2020, 12:18:54 pm »

Hi,

there was already an issue reported for 20.1, but this seems still not to be resolved for 20.7: static routes which target into a routed IPsec interface (e.g. ipsec2000) keep disappearing. I can observe this on several OPNsense instances and did not really find a workaround, but manually pressing the "Apply" button in the routing configuration.

How to troubleshoot this? Which service is responsible for applying static routes?

Thanks and BR
Manuel

9

17.1 Legacy Series / OpenVPN and Intermediate Root CA

« on: March 19, 2017, 09:32:52 pm »

Hi,

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:

Code: [Select]

Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern

All CAs are installed into OPNsense. As a "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but its ancestor.

When trying to connect to this OpenVPN server I receive an error of VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining, that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why shall it's root be validated?

Anyway, the solution to this is, simply adding the "Root CA" to the OpenVPN's certificate (/var/etc/openvpn/server1.ca), but my question is if it is a valid and intended behaviour, that OpenVPN questions my configured peer certificate authority.

10

16.7 Legacy Series / DNS override with source IP "hides" DNS server from LAN

« on: August 15, 2016, 01:37:04 pm »

Hey,

I've discovered a weird problem with the DNS forwarder's override feature, when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override using the "Source IP" as a gateway (i.e. itself). This now allows the DNS forwarder to reach the DNS server using the "Source IP", but also has a weird implication to all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense is sending an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel

11

16.1 Legacy Series / Re: Update from OPNsense 15.7.25-amd64 fails

« on: March 13, 2016, 07:47:40 am »

Thanks, franco, that fixed the update!

Manuel

12

16.1 Legacy Series / [SOLVED] Update from OPNsense 15.7.25-amd64 fails

« on: March 12, 2016, 06:43:42 pm »

Hi,

just wanted to update a OPNsense 15.7.25-amd64 box to 16.1, but the update always fails at the same point:

Code: [Select]

root@detroid:~ # opnsense-update
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (70 candidates): 100%
Processing candidates (70 candidates): 100%
Checking integrity... done (3 conflicting)
Checking integrity... done (0 conflicting)
The following 63 package(s) will be affected (of 0 checked):

...

[6/63] Extracting ca_root_nss-3.22.2: 100%
[7/63] Deinstalling isc-dhcp42-relay-4.2.8...
[7/63] Deleting files for isc-dhcp42-relay-4.2.8:   0%/usr/local/lib/libpkg.so.3: Undefined symbol "openat"

BR,
Manuel

13

15.7 Legacy Series / Re: Access GUI from an External network (not the internet!)

« on: January 22, 2016, 05:52:16 pm »

Hi,
if I understand your scenario correct, you don't need to configure any NAT for this setup (or do you use outbound NAT for any of the interfaces?). I guess that just some filter rules are blocking the connection. Could you post your active rules (e.g. Firewall: Diagnostics: pfInfo, Rules)?

I don't understand:

I think the issue is that the IP I am coming from is a 172.26.x.x address, which is unknown to Opensense, though its card is connected the same as every other device on network 1...

Is the IP 172.16.x.x actually part of the same subnet as network 2 (172.26.0.0/20)? What do you mean "connected the same as every other device"?

14

15.7 Legacy Series / Re: WAN Gateway Become offline after restarting 4G internet Modem

« on: January 13, 2016, 04:19:05 pm »

Hi,
do you use a static IP configuration on the WAN port or DHCP?

If you use DHCP: you can tune the timeout and retry intervals in the Interfaces setting page.
If you use a static IP: how's the behavior if you connect a different device than OPNsense? Maybe the 4G modem needs some time to start up?

15

German - Deutsch / Re: System Backup in beliebigen Ordner oder eigene Cloud?

« on: January 11, 2016, 05:36:42 pm »

Ab wann soll den die Plugin Schnittstelle kommen?

16.1

Wenn man scp verwenden möchte, geht das ja jetzt schon (man muss nur SSH aktivieren).

Ah, habe nicht gesehen, dass es ja sogar ein config backup gibt unter /conf/backup.