Messages - vividou

#16
General Discussion / Re: DtDNS Support
February 11, 2018, 10:41:49 AM
Indeed, with 'custom' it is possible to use DtDNS with the following URL https://www.dtdns.com/api/autodns.cfm?id=DNS_ADDRESS&pw=PASSWORD&ip=%IP% as described in http://www.dtdns.com/dtsite/updatespec.
Thanks for the tip.

Is there anything like %IP% which could be used to replace the hostname and the password?

Also I cannot figure out the exact result matching pattern. After updating, the returned message is <html><head><style></style></head><body>Host <Hostname> now points to %IP%.
</body></html>. But when I fill the result match box with that string there is an error

opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: (Error) Result did not match.
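As an added example (not from the post and not OPNsense's own code), a small Python model of what a 'Result Match' check does with the DtDNS reply quoted above. It assumes the comparison is a whole-reply exact match after substituting %IP%, with alternatives separated by an unescaped '|' and only tabs and line breaks trimmed at the ends, as in the pfSense-derived dyndns code; the hostname and addresses are constructed.

```python
import re

# Constructed sample: the DtDNS reply quoted above, with a made-up hostname and
# address. The line break before </body> is the detail that matters.
RESPONSE = ("<html><head><style></style></head><body>"
            "Host myhost.dtdns.net now points to 203.0.113.7.\n</body></html>")
ONE_LINE = ("<html><head><style></style></head><body>"
            "Host myhost.dtdns.net now points to %IP%.</body></html>")
TWO_LINE = ("<html><head><style></style></head><body>"
            "Host myhost.dtdns.net now points to %IP%.\n</body></html>")


def result_matches(body: str, pattern: str, ip: str) -> bool:
    """Model (assumption) of the 'Result Match' check: substitute %IP%, split the
    pattern on an unescaped '|', and accept the update only if one alternative
    equals the whole reply after trimming tabs/CR/LF from both ends."""
    if pattern == "":
        return True  # no pattern configured: any reply counts as success
    pattern = pattern.replace("%IP%", ip)
    for alt in re.split(r"(?<!\\)\|", pattern):
        alt = alt.replace("\\|", "|")
        if alt.strip("\t\n\r") == body.strip("\t\n\r"):
            return True
    return False


def single_line_pattern() -> bool:
    # What a one-line text field lets you enter: the line break is lost,
    # so the exact comparison fails and the update is reported as an error.
    return result_matches(RESPONSE, ONE_LINE, "203.0.113.7")


def exact_pattern() -> bool:
    # The same pattern with the line break preserved matches.
    return result_matches(RESPONSE, TWO_LINE, "203.0.113.7")


def wrong_ip_pattern() -> bool:
    # A correct pattern still fails when the service echoes a different address,
    # which is the failure the check exists to catch.
    return result_matches(RESPONSE, TWO_LINE, "198.51.100.9")


def alternatives_pattern() -> bool:
    # Two acceptable replies separated by '|': the second one matches.
    return result_matches(RESPONSE, "Host updated.|" + TWO_LINE, "203.0.113.7")
```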


#17
General Discussion / Re: DtDNS Support
February 10, 2018, 06:44:13 PM
It does not appear in the drop down list of 'Service type'.
#18
General Discussion / DtDNS Support
February 10, 2018, 04:28:12 PM
Hello,

Does Opnsense support DtDNS for the Dynamic DNS service?

Thanks
#19
I have finally located the openvpn server.conf file in /var/etc/openvpn/ on FreeBSD.

Here is its content:

dev ovpns1
verb 6
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.0.185
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn-server-certificate' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
#20
No, they use different subnet addresses. Moreover I do not want my OpenVPN client to access the LAN, only connect to the VPN server and browse the web from there.

What could kill my client?
#21
After recreating the VPN and CA/Certificates using the config mentioned in my first post, this is the log I can extract now:

Client:
Sat Jan 20 16:47:30 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Sat Jan 20 16:47:30 2018 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Enter Auth Username:
Enter Auth Password:
Sat Jan 20 16:47:37 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.185:1194
Sat Jan 20 16:47:37 2018 UDP link local (bound): [AF_INET][undef]:0
Sat Jan 20 16:47:37 2018 UDP link remote: [AF_INET]192.168.0.185:1194
Sat Jan 20 16:48:05 2018 event_wait : Interrupted system call (code=4)
Sat Jan 20 16:48:05 2018 SIGINT[hard,] received, process exiting


Server (log level 6):
Jan 20 16:48:08 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [86] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [94] to [AF_INET]192.168.0.80:44618: P_ACK_V1 kid=0 pid=[ #5 ] [ 0 ]
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [86] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Jan 20 16:47:44 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #3 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:44 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 TLS: Initial packet from [AF_INET]192.168.0.80:44618, sid=3a540cb4 c5d03502
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 LZO compression initializing
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Re-using SSL/TLS context
Jan 20 16:47:38 openvpn[81406]: MULTI: multi_create_instance called


The event_wait : Interrupted system call (code=4) is a manual [Ctrl+C] as the client gets stuck on the previous line.
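An added example, not from the post: Python that reads level-6 server lines like those above and reports which side of the handshake has gone silent. It assumes the packet-trace line format shown in the log; the HEALTHY sample and the "server never answers" verdict are constructed generalizations beyond what this log shows.

```python
import re
from collections import defaultdict
# Constructed samples. STALLED condenses the level-6 server log above: the client
# re-sends its HARD_RESET and the server answers each time, but no ACK comes back.
# HEALTHY is a contrast case where the client saw the server's reset and ACKs it.
STALLED = """\
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ 0 ] pid=0 DATA len=0
"""
HEALTHY = """\
Jan 20 17:00:01 openvpn[81406]: 192.168.0.90:50000 UDPv4 READ [86] from [AF_INET]192.168.0.90:50000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Jan 20 17:00:01 openvpn[81406]: 192.168.0.90:50000 UDPv4 WRITE [98] to [AF_INET]192.168.0.90:50000: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Jan 20 17:00:01 openvpn[81406]: 192.168.0.90:50000 UDPv4 READ [94] from [AF_INET]192.168.0.90:50000: P_ACK_V1 kid=0 pid=[ #2 ] [ 0 ]
"""
PKT = re.compile(r"(?P<dir>READ|WRITE) \[\d+\] (?:from|to) \[AF_INET\](?P<peer>\S+): "
                 r"(?P<op>P_\w+) kid=\d+ pid=\[ #\d+ \] \[ (?P<acks>[^\]]*)\]")


def handshake_summary(log: str) -> dict:
    """Per peer: HARD_RESETs from each side, and whether the client ever ACKed."""
    peers = defaultdict(lambda: {"client_resets": 0, "server_resets": 0,
                                 "client_acked": False, "client_progressed": False})
    for m in filter(None, map(PKT.search, log.splitlines())):
        p = peers[m["peer"]]
        if m["dir"] == "READ":                       # packet from the client
            if m["op"] == "P_CONTROL_HARD_RESET_CLIENT_V2":
                p["client_resets"] += 1
            else:
                p["client_progressed"] = True
            if m["acks"].strip():
                p["client_acked"] = True
        elif m["op"] == "P_CONTROL_HARD_RESET_SERVER_V2":
            p["server_resets"] += 1
    return dict(peers)


def diagnose(log: str) -> dict:
    """Verdict per peer: resets the server keeps answering with no ACK coming back
    mean the replies are lost on the way to the client; resets the server never
    answers mean it is dropping them (e.g. tls-auth key/direction mismatch)."""
    out = {}
    for peer, p in handshake_summary(log).items():
        stuck = not (p["client_acked"] or p["client_progressed"])
        if p["client_resets"] >= 2 and p["server_resets"] >= 1 and stuck:
            out[peer] = "replies never reach the client: check the return path"
        elif p["client_resets"] >= 2 and p["server_resets"] == 0:
            out[peer] = "server never answers: check tls-auth key and direction"
        else:
            out[peer] = "handshake progressing"
    return out
```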
#22
My setup is like this:
WAN -- modem/router -- "local WAN" -- opnsense/openvpn -- LAN

What I mentioned as WAN in my previous messages corresponds to "local WAN" in the setup.
The modem/router is only configured as a basic DHCP server.

When using the Remote Access (User auth) mode, the result is the same. LAN side connected, WAN side not.
No change if I do not verify the server CN.
#23
Do you mean the Host Name Resolution field?

Trying the different possibilities only changes the remote directive. The one I mentioned in my client configuration file is my WAN address for this setup.
#24
I am using OpenVPN 2.4.4 x86_64-pc-linux-gnu as client.

When exporting the client, I choose either Archive or Others which are working on the LAN side.

The export Others gives the following client configuration:


dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.0.185 1194 udp
lport 0
verify-x509-name "openvpn-server-certificate" name
auth-user-pass
remote-cert-tls server
comp-lzo adaptive

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1


Where can I see the server.conf file, the one used to configure the openvpn server on the OPNsense drive? So far I only see a file with plenty of functions but nothing stating the explicit directives to configure the server.
#25
I have recreated the CA after removing the old one.
I have created 2 Certificates: 1 server, 1 client using the certificate authority I created just before. Then reassigned the client certificate to the user and the CA and server certificate to openvpn server.
The end result is the same, LAN connection ok, WAN nok.

I played also with the Server Mode and in the 3 cases (SSL/TLS, Auth, SSL/TLS+Auth), LAN connection was ok, WAN nok.

In SSL/TLS+Auth mode, the CA is not present. Even though I added it to the exported files and added the line "ca name of my ca file" in the ovpn file, nothing has changed in the result.
#26
Thanks for your help. It is not mentioned in the text but I have tried several times to set up the VPN, including (re)creating CA and Certificates. If the connection is possible from the LAN side, I suppose the CA and Certificates are correct, otherwise the client could not connect?
#27
Hello Everyone,

I am using OPNsense 17.7.11, and would like to set up a VPN.

Based on these 2 tutorials:
https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

I have configured openvpn resulting in the following setup:

Server:
Server Mode:                Remote Access (SSL/TLS + User Auth)
Backend for authentication: Local Database
Protocol:                   UDP
Device Mode:                tun
Interface:                  WAN
Local port:                 1194
TLS Authentication:         enable
DH Parameters Length:       2048
Encryption algorithm:       AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm:      SHA512 (512-bit)
Hardware Crypto:            No Hardware Crypto Acceleration
Certificate Depth:          One (Client+Server)
IPv4 Tunnel Network:        10.0.8.0/24
Redirect Gateway:           selected
Concurrent connections:     10
Compression:                Enabled with Adaptive Compression
Disable IPv6:               selected
dynamic IP:                 selected
Address Pool:               selected
Topology:                   selected

I do not need to access the LAN with the VPN so I did not set the IPv4 Remote Network setting.

Client export:
Host Name Resolution:       Interface IP Address
Verify Server CN:           Automatic - Use verify-x509-name
Use Random Local Port:      selected


And the firewall rules created by the wizard:
Interface  Action  Proto     Source  Port  Destination  Port            Gateway
WAN        pass    IPv4 UDP  *       *     WAN address  1194 (OpenVPN)  *
OPENVPN    pass    IPv4      *       *     *            *               *

No other rules are set on these interfaces.

With this setup, my client can connect to the OpenVPN server without any problem from the LAN side.

However from the WAN side (set on a private ip) the connection is not possible using the same client/user.

The client messages get stuck there:
Thu Jan 18 18:30:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.185:1194
Thu Jan 18 18:30:40 2018 UDP link local (bound): [AF_INET][undef]:0
Thu Jan 18 18:30:40 2018 UDP link remote: [AF_INET]192.168.0.185:1194


and the following messages appear in my OPNsense log:
TLS Error: TLS handshake failed
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)



The port 1194 on the WAN side is correctly opened, which is confirmed using nmap:
PORT     STATE         SERVICE
1194/udp open|filtered openvpn


Spying on the connection with Wireshark indicates that the packets are [Malformed Packet]. No idea if it is a/the problem or not.

Is there anyone having a clue to solve this problem?

Thanks!