Topics

1

20.1 Production Series / Site to site using OpenVPN with multiple sites

« on: March 31, 2020, 07:52:51 pm »

Is it possible on OPNsense to use one OpenVPN server to multiple sites in a site to site VPN, if the server uses port 1194 then can all other sites connect in using that same port?

For example we'd like our setup to be:
- Site A: The main site
- Sites B, C, and D are in other regions and need to connect back to Site A.

Sites B, C and D have no need to talk to each other.

I'm struggling to find an answer to this on the internet forums and youtube. I did find the following:
https://forum.opnsense.org/index.php?topic=5675.0 and it seemed to be what I was looking for except on one comment it says "works fine with pre shared key" and then said they ended up creating a server for each site.

Edit:
Based off this conversation https://forum.netgate.com/topic/83777/openvpn-multiple-site-to-multisites-routing/13, it looks like you would have to have multiple VPN servers on the main site A firewall to connect each site.
If this is true would it be that if each site was using the same VPN server and coming in on the same port they'd be competing for the same connection?

Kind regards,
penley

2

17.7 Legacy Series / OPNsense vpn -> FreeRadius -> authenticate to AD

« on: November 10, 2017, 07:05:17 pm »

We have a single FreeRadius server we want to use to consolidate user authentication with VPN, wireless, etc.
I have the wireless authenticating against AD through FreeRadius, but I cannot get it to work with the vpn.
The information I'm struggling to find is does it work differently when using VPN, for example do I have to configure the ldap module in FreeRadius?
I have OPNsense vpn pointed at FreeRadius, but each attempt to login produces the Error:
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available

(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

I've tested this using the PAP module and it works, but I'm not sure how to make it authenticate to AD instead.

The OPNsense version is 17.7 and the FreeRadius version is 3.0.


Kind regards,
penley

3

16.7 Legacy Series / Routing vpn users coming in one gateway out a different gateway

« on: October 11, 2017, 07:15:15 pm »

If you have an opnsense setup with two gateways (with two different ISP's) is there a way to route traffic coming in one gateway through the other gateway?
For example if vpn came in on gateway one is it possible to route any traffic coming back to that vpn user through gateway two?


Kind regards,
penley

4

General Discussion / OPNsense NAT

« on: March 09, 2017, 04:03:17 pm »

I have question when setting up NAT.
Setup- OPNsense single WAN port and single Internal port. A few outside IP addresses available.
Goal - NAT only port 443 to internal web server.

I've setup the virtual IP address we will use for the web server. Where I'm confused is do I need to setup a 1:1 NAT (but then how do I only allow port 443?) or is it sufficient to only setup port forwarding to the internal address. Within the port forward configuration set Destination to the external IP intended for the web server?

In the 1:1 NAT I'm unsure how to only allow port 443 and cannot find sufficient examples to show the benefits of 1:1 NAT vs  NAT Port Forward.


Kind regards,
penley

5

General Discussion / DDOS protection

« on: October 07, 2016, 03:57:47 pm »

Does OPNsense by default have dos and ddos prevention or is this something that needs to be configured?
We're not experiencing any issues at the moment, I'm just asking for clarification.

Kind regards,
penley

6

General Discussion / [SOLVED] Upgrading OPNsense from one major release to another

« on: July 28, 2016, 10:16:40 pm »

Hello,

I need some guidance with upgrading OPNsense.
My question is does OPNsense need to be upgraded sequentially? Will it do it on its own or can we jump major versions? For instance I have an OPNsense firewall currently at version 15.7.18_1. It's not been upgraded in a while because it's in production and just now we have some down time to upgrade it. We want to upgrade to the latest version 16.7.

I'll continue to search the forums and post anything I find here.

Kind regards,
penley