Messages

Hi,

I was going through GUI for options to set static IP for roadwarrior client. There is a fault in GUI guidance. The field in client config: IPv4 " VPN: OpenVPN: Client Specific Overrides: Tunnel Settings: Tunnel Network" states:

"This is the IPv4 virtual network used for private communications between this client and the server expressed using CIDR (eg. 10.0.8.0/24). The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface."

Sounds a lot like description for the variable that I'd need. However if I put there: "192.168.118.1 192.168.118.2" in order to get the server to use .1 and client .2 from the tunnel network, I get the error:

"The following input errors were detected:
The field 'IPv4 Tunnel Network' must contain a single valid ipv4 CIDR range."

So clearly the instruction in the GUI is wrong. I assume it would rather set the virtual client network CIDR, and the GUI is actually missing the "ifconfig-push" option that I'd need.

I would've created an issue about that, but I couldn't find the repo for this plugin.

I'd have a wish that this GUI misguidance was fixed, and the ifconfig-push option was added.

You are right, I forgot about that :) I recall it got fixed, but it must have beem the one on the previous screen, where the desceiptions used to be similarly messed up. Or was it HA proxy? Somewhere else ut got already fixed.

Hi,

any chance this little annoying bug would get fixed? See screenshot how the descriptions get encoded the web way, so special characters and spaces get en oded wrongly.

arkiaamua%252520edelt%2525E4v%2525E4%252520ilta

That should show "Arkiaamua edeltävä ilta", which means The night before weekday.

I just also set it up for myself today. There is a step missing from the guide. I wish who could update this?

It is not serving DNS to the GUESTNET. If you use DnsMasq, You need to go to Services -> Dnsmasq DNS -> Settings, and there enable the interface in "Network Interfaces" option. In my settings it was listening only to LAN. After that, it works like a charm. Super!

I see the GUI generates client specific lines to /var/etc/openvpn-csc/1/impipi file:

iroute 192.168.1.0 255.255.255.0
push "redirect-gateway def1"
push "redirect-gateway def1"

and I see from log that the interna route (iroute) get's applied into openvpn:

openvpn[10947]: impipi/37.130.YYY.X:57049 MULTI: internal route 192.168.1.0/24 -> impipi/37.130.YYY.X:57049

but the host route is not created. Everything works if I do manually:

route add -net 192.168.1.0/24 192.168.118.3

So question is, how to make OPNSense create that route? How to get it done automatically at client connect?

For details, my other clients are laptops and mobiles, so the openvpn server type is: Remote access SSL/TLS + user auth.

This is probably a bit buggy. I added client specific overrides. Firstly, a separate network just to make sure the client get's the .1 for that network. Secondly, I filled the "IPv4 Remote Network" field with client's own network. However this didn't create any routes into OPNsense, nor can I even ping the machine from other. Client can not access any of the services in OPNSense LAN network.

I see the Firewall does not create rules for OpenVPN network other than the server default. So I removed the client specific ipv4 network to get the client back to openvpn default net. Now I can again ping the LAN machines from client.

But... still, OPNSense doesn't create the routes for client network. So site to site doesn't work towards client network. Isn't this a bug?

There seems to be client specific overrides, which could enable setting routes. I'll try tomorrow.

Hi,

I have a RasPi client which connects fine to openvpn in OPNSense. And raspi routes fine to my homenet. I'd like to route back to net behind raspi. OPNSense is the default gw at home.  How to do this?

I tried adding router into opnsense list of routes. Somehow it didn't work. How should be this done?

Let's assume home net is:
192.168.100.0/24, opnsense is 192.168.100.1

OpenVPN net is:
192.168.200.0/24, where both opnsense and client get addresses. Let's assume they would be .2 and .3. These are not static btw.

RasPi is in net:
192.168.300.0/24

How do I tell opnsense to route to 192.168.300.0 via 192.168.203?

I confirm this works for PS4. It even didn't take PS4 reboot, just going to menu showed it's Type2.

I opened only ports > 1024 for upnp, and it worked even with that.

Thanks!

Just want to thank the developers and confirm that the patches made in issue fixes the problem. Great work!

https://github.com/opnsense/plugins/issues/769

If you can't wait for the update, here are the patch apply commands:
opnsense-patch 6e759fb
opnsense-patch 31e3f7

And an update, I was wrong that rules get lost. They all work in underlaying system, it's just the GUI that fails to show them properly.

So the system keeps running, but it's not possible to change or make sense of anything via GUI.

BTW, this is being handled in issue: https://github.com/opnsense/plugins/issues/769

So if anyone has ideas, please put them there.

Hi,

my certs won't t get renewed, and now I can't get new ones. It might be due having many HAproxy rules, perhaps one of them breaks acme.

Does anyone have idea where this loop fails at? What is it trying to do, and which might break it?

Code Select Expand


[Sat Aug  4 09:42:41 EEST 2018] ok, let's start to verify
[Sat Aug  4 09:42:41 EEST 2018] Verifying:mydomain.com
[Sat Aug  4 09:42:41 EEST 2018] d='mydomain.com'
[Sat Aug  4 09:42:41 EEST 2018] keyauthorization='snipped'
[Sat Aug  4 09:42:41 EEST 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:41 EEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Sat Aug  4 09:42:41 EEST 2018] wellknown_path='/var/etc/acme-client/challenges/.well-known/acme-challenge'
[Sat Aug  4 09:42:41 EEST 2018] writing token:snipped to /var/etc/acme-client/challenges/.well-known/acme-challenge/snipped
[Sat Aug  4 09:42:41 EEST 2018] Changing owner/group of .well-known to root:wheel
[Sat Aug  4 09:42:41 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:41 EEST 2018] payload='{"resource": "challenge", "keyAuthorization": "snipped"}'
[Sat Aug  4 09:42:41 EEST 2018] POST
[Sat Aug  4 09:42:41 EEST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped
[Sat Aug  4 09:42:41 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:42 EEST 2018] _ret='0'
[Sat Aug  4 09:42:42 EEST 2018] code='202'
[Sat Aug  4 09:42:42 EEST 2018] sleep 2 secs to verify
[Sat Aug  4 09:42:44 EEST 2018] checking
[Sat Aug  4 09:42:44 EEST 2018] GET
[Sat Aug  4 09:42:44 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped
[Sat Aug  4 09:42:44 EEST 2018] timeout=
[Sat Aug  4 09:42:44 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:45 EEST 2018] ret='0'
[Sat Aug  4 09:42:45 EEST 2018] Pending
[Sat Aug  4 09:42:45 EEST 2018] sleep 2 secs to verify
[Sat Aug  4 09:42:47 EEST 2018] checking
[Sat Aug  4 09:42:47 EEST 2018] GET
[Sat Aug  4 09:42:47 EEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snipped'
[Sat Aug  4 09:42:47 EEST 2018] timeout=
[Sat Aug  4 09:42:47 EEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sat Aug  4 09:42:47 EEST 2018] ret='0'
[Sat Aug  4 09:42:47 EEST 2018] Pending
[Sat Aug  4 09:42:47 EEST 2018] sleep 2 secs to verify


It keeps doing that timeout loop. What is blocking it, any log which to follow for acme challenge?

Here's screenshot

Some of this was caused by dnsmasq getting broken at upgrade. One needs to change interfaces:ALL option yo LAN, as described in other posts. Still the gui at least is broken for HAproxy, listing rules as uuids in server configs.