Messages - elektroinside

151
18.1 Legacy Series / Re: TLS Error: TLS handshake failed
« on: March 21, 2018, 05:03:49 pm »
I have Remote Access (SSL/TLS + User Auth).

This is my server conf:

Code:
dev ovpns1
verb 0
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
client-disconnect /usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh
tls-server
server [edited] [edited]
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'SSLVPN+Server+Certificate' 1"
lport 443
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DOMAIN [edited]"
push "dhcp-option DNS [edited]"
push "register-dns"
push "dhcp-option NTP [edited]"
push "redirect-gateway def1"
client-to-client
duplicate-cn
route [edited] [edited]
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
topology subnet
reneg-sec 0
auth-nocache

For the client, on Windows, I use Viscosity and I exported the client config from the OPNsense GUI. Works fine for me.
For Android, I use OpenVPN Connect. Also works fine.
Just saw some minor things I could probably optimize here, but nothing related to authentication.
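As an added example (not code from the post or from OPNsense): a small Python checker that parses both sides' OpenVPN configs and reports the parameter mismatches that produce "TLS Error: TLS handshake failed" before any certificate is even inspected (proto, cipher/auth, tls-auth key direction, compression, user auth). The sample configs are constructed; the server excerpt mirrors the directives above, and /path/ovpn_auth_verify and ta.key are placeholders.

```python
import shlex
# Constructed sample: an excerpt mirroring the server config above, and a
# client profile with two deliberate mistakes (tls-auth direction, auth SHA256).
SERVER_CONF = """
proto tcp-server
cipher AES-256-CBC
auth SHA512
auth-user-pass-verify "/path/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
"""
CLIENT_CONF = """
proto tcp-client
cipher AES-256-CBC
auth SHA256
auth-user-pass
tls-auth ta.key 0
comp-lzo adaptive
"""
def parse_ovpn(text):
    # Map each directive to its argument list; '#' starts a comment and quoting
    # follows shell rules. Inline <tls-auth> blocks are not handled.
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = shlex.split(line)
            conf[key] = args
    return conf
def check_pair(server_text, client_text):
    # Return the handshake-relevant mismatches between the two sides.
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    sproto, cproto = s.get("proto", ["udp"])[0], c.get("proto", ["udp"])[0]
    if sproto.startswith("tcp") != cproto.startswith("tcp"):
        findings.append(f"proto mismatch: server {sproto}, client {cproto}")
    for key in ("cipher", "auth"):  # fixed data-channel parameters must agree
        if s.get(key, ["default"]) != c.get(key, ["default"]):
            findings.append(f"{key} mismatch: server {s.get(key)}, client {c.get(key)}")
    # tls-auth: both sides need the key, with opposite directions (read from 'tls-auth FILE DIR')
    if "tls-auth" in s and "tls-auth" not in c:
        findings.append("tls-auth on server but missing on client")
    elif "tls-auth" in s and s["tls-auth"][1:] == c["tls-auth"][1:]:
        findings.append("tls-auth key direction identical on both sides")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo set on only one side")
    if "auth-user-pass-verify" in s and "auth-user-pass" not in c:
        findings.append("server requires user auth but client lacks auth-user-pass")
    return findings
```

Run check_pair on the exported client profile and the server's generated config; an empty list means the static parameters agree and the remaining suspects are the CA and certificates.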

152
18.1 Legacy Series / Re: TLS Error: TLS handshake failed
« on: March 21, 2018, 03:57:50 pm »
There is a very good tutorial on how to create the server here: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Is it similar to your setup?

Sure thing, you're welcome!

153
18.1 Legacy Series / Re: TLS Error: TLS handshake failed
« on: March 21, 2018, 03:05:26 pm »
Whenever I have this error, I usually recreate the CA, server certificate and client certificate as well. 99% of times it works and way faster than debugging the actual problem.

154
Development and Code Review / Re: Implementing Dpinger
« on: March 21, 2018, 12:15:12 pm »
Great work! I also had some issues with things related to the functionality of apinger, while testing different multiwan scenarios, with clean, default settings. So maybe dpinger will do a better job.

Thank you for your work!

155
18.1 Legacy Series / Re: PPPoE reconnect loop
« on: March 19, 2018, 09:02:54 am »
Quote from: schnipp on March 18, 2018, 02:17:41 pm
I have created a new bug report (#2267) https://github.com/opnsense/core/issues/2267

Thanks. Let's see what progress we'll have.

156
General Discussion / Re: Long time pfsense user - new to OPNsense
« on: March 17, 2018, 07:35:22 pm »
Hi there!

We are definitely interested in IPsec performance tests with OPNsense. Please feel free to post whatever you may find.

Thank you and a warm welcome to OPNsense!

157
General Discussion / Re: Alias for dynamic WAN address -> Any solution?
« on: March 17, 2018, 07:31:45 pm »
Services : Dynamic DNS
It's not an alias, and I see no reason why you would need an alias if you have a DDNS, but you can create an alias once you set up a DDNS.

158
18.1 Legacy Series / Re: Run a script after VPN up ( Windows )
« on: March 17, 2018, 06:20:09 am »
Or take a look at this:

http://www.sparklabs.com/support/kb/article/running-batch-vbs-scripts-when-connected-disconnected/

If you would like to use the GUI, that can run batch and vbs scripts. You can combine everything to get exactly what you want.

159
18.1 Legacy Series / Re: Run a script after VPN up ( Windows )
« on: March 16, 2018, 07:09:58 pm »
Yes it does... not to load one inside Viscosity, but use the command line version and get feedback from it to act upon.
https://www.sparklabs.com/support/kb/article/controlling-viscosity-with-scripting-windows/

160
18.1 Legacy Series / Re: Aliases aren't fine
« on: March 16, 2018, 05:09:42 pm »
Quote from: john9527 on March 16, 2018, 04:44:03 pm
Quote from: elektroinside on March 16, 2018, 10:18:34 am
Are you all guys using aliases for local hostnames? Why? Why?
I prefer to use static IPs only for my network components (switches, APs, etc) and have all my clients get addresses via DHCP.

Then I add the appropriate local hostnames to an alias 'MEDIA_PLAYERS' for example, and write rules that restrict their access to only certain LAN clients (also an alias of local hostnames called 'MEDIA_SERVERS')

Overcomplicated and unnecessary design with too much work for the fw and prone to errors... I do agree that the best design is using DHCP, but only after configuring static leases for each LAN client.

With your design, you have to make sure that if the client changes its IP, that is registered in the DNS resolver (this involves 2 failing points: the DNS server and the client). Then, when a rule is hit involving the alias, the fw has to query the DNS server to resolve the hostname configured in the alias. If, for whatever reason, this fails, several attempts will be made to resolve the query in many different ways (with or without DNS suffix etc). If this fails, it will be forwarded to the upstream DNS servers. If this fails, then you will get an error. So, too much unnecessary work... prone to failures.

Not to mention that everything will eventually end up at an IP address anyway...

161
18.1 Legacy Series / Re: Aliases aren't fine
« on: March 16, 2018, 02:21:05 pm »
Exactly. There is no DNS failure involved in this case.
If the DNS lookup fails for any reason, the alias cannot work.

But, as always, I would recommend fixing all DNS issues and using a properly configured DNS server/chain to resolve DNS queries.

162
18.1 Legacy Series / Re: Aliases aren't fine
« on: March 16, 2018, 10:18:34 am »
Are you all guys using aliases for local hostnames? Why? Why?

163
18.1 Legacy Series / Re: [CALL FOR TESTING] Speculative Execution Kernel Patch for amd64
« on: March 16, 2018, 09:26:15 am »
Keeps working well for me, awesome work guys! Well done!

164
18.1 Legacy Series / Re: Run a script after VPN up ( Windows )
« on: March 16, 2018, 09:23:35 am »
Unfortunately, Viscosity is a little unstable occasionally... but you could try to combine the two, of course :)

165
18.1 Legacy Series / Re: Run a script after VPN up ( Windows )
« on: March 15, 2018, 11:08:12 pm »
I think you could schedule a task (every 1 min is the lowest if I remember correctly) that runs a PowerShell or batch script, which verifies if you get an IP address on the OpenVPN interface, confirms that it's working by pinging something on the other side and executes stuff if it does... Just an idea, didn't actually try anything like this.
