
#46
Hi Franco,

I just recognized that the intermediate certs are being sent if they are simply stored as CA certs. I've tried that before, but unfortunately Chrome caches the received certs, and so I thought it didn't work...

So, problem solved: works as designed. ;)

Thanks,
Manuel
#47
Spanish - Español / Re: Compatible with alix boards
January 09, 2016, 08:06:34 AM
Hello,
I use OPNsense with an alix2d13 and everything works fine. The only problem I have is that during the upgrade the "RAM disk on /tmp and /var" function needs to be disabled!
Of course, you cannot use services that need a lot of RAM, such as proxy or IDS.

Regards,
Manuel
#48
Hi Ad,

I had the same change in my queue, but did not want to commit it until I actually got IPsec to work, which has not been the case so far.

Even though the private key is now listed within ipsec.secrets, the certificates from /usr/local/etc/ipsec.d/certs are not loaded (to be checked with ipsec listcerts). Any idea why?

BR,
Manuel
#49
Did anyone actually accomplish an RSA-based IPsec with OPNsense? I think I've found a bug which prevents ipsec.secrets from being written at all for certificates...  :-\

src/etc/inc/vpn.inc:414:
            if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {

The config value for Mutual RSA is rsasig, which means that strpos returns 0, which is being interpreted as false here...
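As an added example (not code from OPNsense or from the post above), the following PHP shows the strpos() pitfall described in the post beside the strict-comparison form that also handles a match at offset 0. Only the value rsasig is taken from the post; the other authentication_method values are constructed samples.

```php
<?php
// Added example: strpos() returns the integer offset of the match, and 0 is
// falsy in PHP, so a needle found at the very start of the haystack is lost
// when the result is used directly as a boolean.

// Buggy form, mirroring the vpn.inc line quoted in the post.
function usesRsaBuggy(array $ph1ent): bool
{
    return strpos($ph1ent['authentication_method'], 'rsa')
        || $ph1ent['authentication_method'] == 'eap-tls';
}

// Corrected form: test the strpos() result against false with !==,
// so offset 0 counts as a match.
function usesRsaFixed(array $ph1ent): bool
{
    return strpos($ph1ent['authentication_method'], 'rsa') !== false
        || $ph1ent['authentication_method'] === 'eap-tls';
}

// Constructed phase-1 entries; 'rsasig' is the value from the post, the
// other three are sample values for comparison.
$samples = ['rsasig', 'eap-tls', 'pre_shared_key', 'xauth_rsa_server'];
foreach ($samples as $method) {
    $ph1ent = ['authentication_method' => $method];
    printf("%-18s buggy=%-5s fixed=%s\n", $method,
        var_export(usesRsaBuggy($ph1ent), true),
        var_export(usesRsaFixed($ph1ent), true));
}
```

Run it with `php example.php`: the rsasig row is the one where the two functions disagree, because 'rsa' sits at offset 0 of 'rsasig' and the buggy form treats that 0 as "not found", which is exactly why no RSA entry reaches ipsec.secrets.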
#50
Hi,

I'd like to configure an IPsec tunnel with RSA authentication. As identifiers (local and peer) I'd like to use the DN of the used X.509 certificates. What do I need to configure for the My identifier and Peer identifier fields to accomplish that?

I've tried with "ASN.1 distinguished Name" with and without a value in the corresponding text field, but I always receive the error charon: 13[IKE] <con2|8> no private key found for '<detroid.lan.xxx.net>'. My cert has a DN like CN=detroid.lan.xxx.net,emailAddress=detroid@lan.xxx.net,O=xxx,L=Vienna,ST=Vienna,C=AT.

Has anyone already accomplished an IPsec RSA tunnel without explicitly configuring the certificate DNs?

I just recognized that ipsec did not even load my certificate... Calling ipsec listall only lists CA certificates, no end entity certificates. Also, the configured certificate is not listed in ipsec.secrets. Shouldn't it be there?

Thanks,
Manuel
#51
15.7 Legacy Series / Re: 100% CPU load
January 05, 2016, 05:46:51 PM
Thanks for the fast reply. I'll post the output once the problem occurs again. Unfortunately I've rebooted the box, since I was afraid of overheating (it already had 77°C)...
#52
15.7 Legacy Series / 100% CPU load
January 05, 2016, 09:51:43 AM
Hi,

one of my OPNsense boxes has had an almost constant 100% CPU load for a few days. Interestingly, FreeBSD's top command does not work as I expected, i.e. the sum of the CPU column does not match the total CPU load (see also e.g. this thread on unix.SE).

How can I find out what's causing the high CPU load?

Here is some command output:

root@detroid:~ # vmstat 5
procs      memory      page                    disks     faults         cpu
r b w     avm    fre   flt  re  pi  po    fr  sr ad0 da0   in   sy   cs us sy id
2 0 0   1876M  3094M   108   0   0   0   185  10   0   0  781  868  875 70 19 11
2 0 0   1866M  3102M 22626   0   0   0 24790  21   7   0 2445 12832  909 78 22  0
2 0 0   1822M  3105M 22811   0   0   0 24790  21   7   0 2359 12778  697 79 21  0
2 0 0   1690M  3100M 22781   0   0   0 24228  21   7   0 2374 12581  736 78 22  0
2 0 0   1880M  3090M 22707   0   0   0 23975  21   9   0 2372 24626  759 79 21  0
3 0 0   1876M  3092M 22881   0   0   0 24790  21   7   0 2423 12801  823 76 24  0
2 0 0   1872M  3096M 22802   0   0   0 24817  20  14   0 2450 12769  908 79 21  0
2 0 0   1760M  3101M 22705   0   0   0 24739  22   7   0 2430 12682  846 78 22  0
2 0 0   1884M  3091M 22942   0   0   0 24172  21   7   0 2406 12734  805 80 20  0
2 0 0   1879M  3092M 22943   0   0   0 24790  20   7   0 2376 12788  737 78 22  0
2 0 0   1872M  3097M 23947   0   0   0 26480  21   7   0 2367 14015  799 76 24  0
last pid: 96282;  load averages:  2.10,  2.15,  2.11                                                       up 32+22:38:05  09:47:15
81 processes:  4 running, 76 sleeping, 1 waiting
CPU: 62.5% user,  0.0% nice, 37.5% system,  0.0% interrupt,  0.0% idle
Mem: 47M Active, 270M Inact, 499M Wired, 412M Buf, 3100M Free
Swap:
Not displaying idle processes.
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root          2 155 ki31     0K    32K RUN     1 177.9H   1.07% idle
   12 root         16 -72    -     0K   256K WAIT    1 568:38   0.39% intr
14978 root          1  52    0 16972K  2456K wait    1 184:12   0.20% sh
65062 root          1  52    0 16972K  2456K wait    0 207:45   0.10% sh
59697 root          1  20    0 21824K  2964K CPU0    0   0:00   0.10% top
95634 root          1  72    0   113M 22216K RUN     0   0:00   0.00% php
96282 root          1  72    0   109M 20504K CPU1    1   0:00   0.00% php

The system has an AMD G-T40E processor with 2 cores.

Thanks,
Manuel
#53
General Discussion / Re: DNS Rebind Protection
January 05, 2016, 07:23:50 AM
Hi Neo,

Have a look at System: Settings: Admin Access, Alternate Hostnames.

Or do you intend to exclude a specific client? That's AFAIK not possible right now, so you would need to disable the rebind protection entirely. But why is that required for your setup?

BR,
Manuel
#54
Hi,
I also ran into a similar need for this option: I want to gracefully shut down the tunnel if the remote host intentionally goes down. Currently that's not possible with the setting ping-restart. As far as I found out, OpenVPN does not allow overriding or disabling previously set options, so there is currently no clean way a user can override this setting from the GUI.
So I also opt for this additional configuration option.

Manuel
#55
15.7 Legacy Series / Interface configuration IPv6: None
December 31, 2015, 09:32:18 AM
Hi,

currently, when configuring an interface to IPv6: None, the interface still gets a link-local IP if IPv6 is globally enabled. Is that intended?

Manuel
#56
Hi,

am I doing something wrong, or is it a bug that I am not able to create firewall rules for "Group" interfaces?

In my understanding, the idea of group interfaces is that a single created firewall rule will be applied to several interfaces at the same time (similar to "floating rules"). So I've created a group interface, assigned two interfaces, and I can see the corresponding tab in the "Firewall: Rules" view. Nevertheless, when clicking the add button, I am not able to select the group interface from the interface list...

Thanks,
Manuel
#57
15.7 Legacy Series / Re: Motherboard alix 2013
December 31, 2015, 09:04:07 AM
I use it on an alix2d13, without any problems in operation. For obvious reasons things like suricata (IDS) and squid (proxy) do not work with 256MB of RAM.

When updating I often ran into problems, since OPNsense loads the packages to update into the /tmp RAM disk. I could successfully update the last time by disabling the RAM disk, rebooting (to actually disable the RAM disk), performing the upgrade, and (optionally) enabling the RAM disk again. If you do not use the RAM disk, maybe you do not have any troubles at all...

I use the DNS forwarder, the DHCP server, IPSec VPN, and traffic shaping, without any notice of performance impact. See attached screenshot for RAM/CPU usage.
#58
15.7 Legacy Series / Re: NAT doesn't work
December 29, 2015, 11:21:48 PM

Quote from: fraenki on December 29, 2015, 11:16:16 PM
Quote: What puzzles me is NAT rules. I cannot get it to work at all. The rules are very basic and I've already tried out all the combinations of Source/Destination interfaces I can think of, but without results.

You said that browsing and OpenVPN access are working, so NAT does not seem totally broken to me.

Do you browse the web using a private IPv4 address, or using IPv6?
#59
Hi,
is it possible to configure lighttpd to also send the intermediate certificates of the configured web UI certificate chain?

Thanks,
Manuel
#60
15.7 Legacy Series / Re: Installation failure
December 18, 2015, 05:00:45 PM
Seems like OPNsense has trouble with KVM's paravirtualization... I've changed the root disk from virtio (FreeBSD device vtbd) to sata (FreeBSD device ada) and now the installer works without any error. Generally FreeBSD has paravirt drivers for virtio, so I guess it might be related to the nanobsd(?)/OPNsense installer...