Topics - mrpsycho

#1
21.7 Legacy Series / TOR and obfs4 bridges
December 17, 2021, 08:19:29 AM
Hello,

Situation: Tor has started being blocked by a country-wide policy, and obviously it stopped working.

How it was:
The Tor plugin was receiving connections on port 9040, and firewall/NAT was set up to forward all "blocked" traffic to Tor. And it was working really cool, till some days ago.

I tried running a fresh tor-browser from the same network - it works without issues.
Also, I've read this: https://blog.torproject.org/tor-censorship-in-russia/ and https://forum.torproject.net/t/tor-blocked-in-russia-how-to-circumvent-censorship/982

I noticed that there is talk about obfs4 bridges, so I got some bridges, but it looks like tor on opnsense doesn't support that.


So asking for advice - are there any workarounds?

#2
Hello,

What is the best way to set up custom settings for the nginx reverse proxy in the main part?

For example, I need to configure `worker_rlimit_nofile`.
I saw that `worker_connections` exists in the main configuration in the UI... but what about things which are not added?

Also, is it possible to add some vhost.conf file, instead of configuring everything through the UI?
It would be cool, actually, if there were a special place in the `Other` tab to add custom config, where it would be possible to add things which are not implemented in the UI.

P.S. Why? Because it is suggested by the vendor: https://www.jetbrains.com/help/youtrack/standalone/Reverse-Proxy-Configuration.html#Nginx_Config

#3
Hello,

I need to set a static IP for special openvpn clients... but it doesn't work the way it was working in a plain openvpn config: I'm trying to add "ifconfig-push 192.168.200.200 255.255.255.0" to the Client Override config.

The client can't connect with this setting.

So, if there is a problem with setting a static address - is it possible somehow to get the IP addresses through the REST API (maybe there is a hidden feature) or through the CLI (like connecting through ssh and running "openvpn get clients")?

Both ways will work, as will setting a static IP.

#4
Latest opnsense with the latest nginx module.

I turned Learning Mode ON for every location, and still see errors: Unsucessful status code You got banned permanently from this server.

How do I turn off this blocking rule? Or set it up to bypass all traffic?

#5
Hello!

I have a setup - opnsense 19.1 (but I updated today, it was the 18 series, the problem is the same).

And 2 openvpn server instances:
* Roadwarriors - Remote Access + LDAP auth
* site-to-site - Peer to Peer SSL/TLS

The first one is working as expected - every client connects and gets to the internal network.
The second - the client connects, but it cannot access the local network.
Only the gate is accessible.

On the firewall I see only one OpenVPN tab (on pfsense every vpn instance creates its own tab).
And I thought the problem is the firewall... but I have only one rule - pass all.

Next, I tried to assign the ovpns2 interface. And a Firewall with this interface was created. But it doesn't help either.

What could it be? How do I access the local network from the "Peer to Peer" connection?

#6
Hello,

I'm trying to configure TOR to bypass blocks that our government made (we are not allowed to use linkedin, slack and telegram, for example).

Nowadays, I use an additional VPS with openvpn + an alias setting to route several services.
But now I have learned about TOR, and I think it can help me.

I've downloaded the package, turned it on, and created a setup on a local machine - added TOR as a Socks Proxy - and I was able to access it.
With that, I found that all traffic goes through TOR, which slows down the main connections.


Next I found the setting "Fascist Mode", but I can't understand how it should work.

If I turn it on - nothing changes.


Could you please point out where my mistake is?

#7
Hello,

I'm migrating to OPNsense from pfsense... and found a great module - os-openconnect.
On pf I was using plain openconnect from pkgs.

And it was not very comfortable to use, because I had to manage NAT rules manually (I wrote a simple script, but it needs to be updated sometimes).
So.

The problem is - there is no way to add an authgroup, certificate and key in the web GUI on opnsense.
So my workaround is to edit /usr/local/etc/rc.d/opnsense-openconnect and add the needed keys to the start function:

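```sh
openconnect_start()
{
        echo "starting openconnect"
        echo ${openconnect_flags}
        # authgroup, client certificate and key are hardcoded here (no GUI fields for them);
        # the secret file is fed on stdin. stdout is discarded; stderr is not, since 2>&1 precedes > /dev/null.
        /usr/local/sbin/openconnect --authgroup SSLVPNClient -c /path/to/crt.cer -k /path/to/crt.key ${openconnect_flags} < /usr/local/etc/openconnect.secret 2>&1 > /dev/null
        sleep 5
        # rename the tunnel device and add it to the ocvpn interface group
        ifconfig tun30000 name ocvpn0
        ifconfig ocvpn0 group ocvpn
        return 0
}
```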


And it works fine.
Where can I create a Feature Request for it?


And there is a bug - some servers ask for a username with case-sensitive requirements. The web GUI doesn't allow it. So I had to remove it in the config and put it in the rc.d script too.