
Messages - malkovich78

1
23.1 Production Series / Re: OpenVPN not work after update OPNSense from 23.1.1_2->23.1.3
« on: March 16, 2023, 05:56:15 pm »
Quote from: franco on March 16, 2023, 05:34:00 pm
Well, full reports would help like Ad suggested. Your issue is probably https://github.com/opnsense/core/commit/4b2b60050

Not sure what OpenVPN is expecting here but we will be reverting to the original (deprecated) behaviour and hope they keep supporting it onwards. ;)


Cheers,
Franco

Bingo! That explains why it wasn't taking notice of the following line in my config:

data-ciphers-fallback AES-256-CBC

Thanks and regards

2
23.1 Production Series / Re: OpenVPN not work after update OPNSense from 23.1.1_2->23.1.3
« on: March 16, 2023, 05:54:09 pm »
Quote from: AdSchellevis on March 16, 2023, 02:38:24 pm
repeating the same message without offering any information I asked for earlier (https://forum.opnsense.org/index.php?topic=32939.msg159704#msg159704) likely isn't going to lead to an improvement. It was sheer luck silverspy18 mentioned static-challenge, otherwise nothing would have changed until now.

Best regards,

Ad

Tough but fair. I use certificate-based auth, so the following command gives no output:

root@opnsense# grep -r auth-user-pass-verify /var/etc/openvpn/*.conf
root@opnsense#

I attach my edited config and the error logs I get on both sides just in case it helps:

# cat /var/etc/openvpn/server2.conf
dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
script-security 3
daemon openvpn_server2
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
data-ciphers-fallback AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local #edited_ip addr#
client-connect "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '2'"
tls-server
server #network mask#
client-config-dir /var/etc/openvpn-csc/2
ifconfig #edited_ip1 ip2#
tls-verify "/usr/local/opnsense/scripts/openvpn/ovpn_event.py '2'"
lport #edited_port#
management /var/etc/openvpn/server2.sock unix
max-clients 2
push "route #edited_route_1 mask#"
push "route #edited_route_2 mask#"
push "route #edited_route_3 mask#"
push "route #edited_route_4 mask#"
push "route #edited_route_5 mask#"
push "route #edited_route_6 mask#"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /usr/local/etc/inc/plugins.inc.d/openvpn/dh.rfc7919
tls-crypt /var/etc/openvpn/server2.tls-crypt
push "dhcp-option DNS #edited_dns_ip#"
push "dhcp-option DOMAIN #edited_localdomain#"
auth-nocache

Server logs:
2023-03-16T16:51:56   Warning   openvpn_server2   #edited IP#:5033 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'   
2023-03-16T16:51:56   Warning   openvpn_server2   #edited IP#:5033 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1553'

Client logs:
2023-03-16 16:54:50 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1553', remote='link-mtu 1569'
2023-03-16 16:54:50 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2023-03-16 16:54:50 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-03-16 16:54:50 [#edited IP#] Peer Connection Initiated with [AF_INET]#edited IP#:#edited_port#
2023-03-16 16:54:51 MANAGEMENT: >STATE:1678982091,GET_CONFIG,,,,,,
2023-03-16 16:54:51 SENT CONTROL [#edited IP#]: 'PUSH_REQUEST' (status=1)
2023-03-16 16:54:51 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2023-03-16 16:54:51 TCP/UDP: Closing socket

The error logs say clearly that there was a cipher negotiation failure, so I changed to AES-256-GCM instead of CBC and now it works; it seems that AES-256-CBC is considered deprecated now. The previous log messages (Interrupted system call (code=4)) confused me...

Thanks for your help.
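
An added example, not code from this thread, from OPNsense or from OpenVPN, that models why a `data-ciphers-fallback AES-256-CBC` line on the server does not rescue a client that only offers AES-256-CBC. It is a simplified Python model of the negotiation rules as the OpenVPN 2.5/2.6 manual describes them for `--data-ciphers` and `--data-ciphers-fallback`: an NCP-capable client gets the first entry of the server's `data-ciphers` list that it also offers (or names as its own `cipher` in OCC), and the fallback cipher is only consulted for a peer that cannot negotiate at all. The sample configs, the peer-info strings, the default cipher lists and the treatment of a bare `cipher` line are this example's assumptions, not taken from the post or from OpenVPN's source.

```python
"""Simplified model of OpenVPN 2.5/2.6 data-channel cipher negotiation (NCP)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed OpenVPN 2.6 default --data-ciphers (2.5 had no CHACHA20-POLY1305 entry).
DEFAULT_DATA_CIPHERS = ("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")
# A 2.4 client sends IV_NCP=2 but no IV_CIPHERS; it is assumed to support these.
IV_NCP2_CIPHERS = ("AES-256-GCM", "AES-128-GCM")


@dataclass
class ServerOptions:
    data_ciphers: list = field(default_factory=lambda: list(DEFAULT_DATA_CIPHERS))
    fallback: Optional[str] = None  # --data-ciphers-fallback


@dataclass
class PeerInfo:
    """What the server learns about a client from its peer-info and OCC string."""
    iv_ciphers: Optional[list] = None  # IV_CIPHERS=a:b (2.5+ clients)
    iv_ncp: int = 0                    # IV_NCP=2 (2.4+ clients)
    occ_cipher: Optional[str] = None   # the client's own --cipher, as seen in OCC


def parse_server_config(text: str) -> ServerOptions:
    """Pull the cipher-related lines out of an OpenVPN server config."""
    opts = ServerOptions()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "data-ciphers":
            opts.data_ciphers = value.strip().split(":")
        elif key == "data-ciphers-fallback":
            opts.fallback = value.strip()
        # A bare 'cipher' line is ignored on purpose: OpenVPN 2.6 warns that it
        # no longer counts for negotiation (assumption of this model; 2.5 still
        # appended it to --data-ciphers).
    return opts


def parse_peer_info(peer_info: str, occ_cipher: Optional[str] = None) -> PeerInfo:
    """peer_info is the IV_* block the client sends, one 'KEY=value' per line."""
    info = PeerInfo(occ_cipher=occ_cipher)
    for line in peer_info.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "IV_CIPHERS":
            info.iv_ciphers = value.split(":")
        elif key == "IV_NCP":
            info.iv_ncp = int(value)
    return info


def negotiate(server: ServerOptions, peer: PeerInfo):
    """Return (cipher, reason); cipher is None when the connection would fail."""
    if peer.iv_ciphers is not None or peer.iv_ncp >= 2:
        # NCP-capable peer: first entry of the server list that the peer also offers.
        offered = peer.iv_ciphers if peer.iv_ciphers is not None else list(IV_NCP2_CIPHERS)
        for cand in server.data_ciphers:
            if cand in offered or cand == peer.occ_cipher:
                return cand, "negotiated from --data-ciphers"
        # --data-ciphers-fallback is NOT consulted here: this peer can negotiate.
        return None, "AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)"
    # Peer cannot negotiate at all (e.g. OpenVPN 2.3): only now does the fallback matter.
    if server.fallback is None:
        return None, "peer does not support NCP and no --data-ciphers-fallback is set"
    if peer.occ_cipher and peer.occ_cipher != server.fallback:
        return None, f"fallback {server.fallback} does not match peer cipher {peer.occ_cipher}"
    return server.fallback, "using --data-ciphers-fallback"


# Constructed configs and peers for the walk-through (not taken from the post).
SERVER_FALLBACK_ONLY = "data-ciphers-fallback AES-256-CBC\nauth SHA256\n"
SERVER_CBC_IN_LIST = "data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC\nauth SHA256\n"
SERVER_GCM_ONLY = "data-ciphers AES-256-GCM\n"

CBC_ONLY_CLIENT = parse_peer_info("IV_VER=2.6.0\nIV_NCP=2\nIV_CIPHERS=AES-256-CBC\n", "AES-256-CBC")
MODERN_CLIENT = parse_peer_info("IV_NCP=2\nIV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305\n")
LEGACY_CLIENT = parse_peer_info("IV_VER=2.3.18\n", "AES-256-CBC")  # no NCP support


def run_scenarios() -> dict:
    """(cipher, reason) for each server/client pairing; cipher is None on failure."""
    cases = {
        "fallback-only + CBC-only NCP client": (SERVER_FALLBACK_ONLY, CBC_ONLY_CLIENT),
        "fallback-only + modern client": (SERVER_FALLBACK_ONLY, MODERN_CLIENT),
        "fallback-only + legacy 2.3 client": (SERVER_FALLBACK_ONLY, LEGACY_CLIENT),
        "CBC in data-ciphers + CBC-only NCP client": (SERVER_CBC_IN_LIST, CBC_ONLY_CLIENT),
        "GCM-only server + legacy 2.3 client": (SERVER_GCM_ONLY, LEGACY_CLIENT),
    }
    return {name: negotiate(parse_server_config(cfg), peer) for name, (cfg, peer) in cases.items()}


if __name__ == "__main__":
    for name, (cipher, reason) in run_scenarios().items():
        print(f"{name:45s} -> {cipher or 'FAIL'}: {reason}")
```

The first scenario is the shape of the failure logged above: the server only has GCM/ChaCha in its effective `data-ciphers`, the client offers nothing but AES-256-CBC, and the fallback line never enters the picture because the client is NCP-capable. Putting AES-256-CBC into `data-ciphers` (fourth scenario) makes such clients connect again, but CBC is deprecated, so moving the clients to AES-256-GCM, as the post ended up doing, is the better fix.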

3
23.1 Production Series / Re: OpenVPN not work after update OPNSense from 23.1.1_2->23.1.3
« on: March 16, 2023, 02:35:03 pm »
Hi,

Still same problem on my system after applying patch:

2023-03-16T13:04:12   Warning   openvpn_server2   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts      
2023-03-16T13:04:11   Error   openvpn_server2   event_wait : Interrupted system call (code=4)

Regards.

4
23.1 Production Series / Re: OpenVPN not work after update OPNSense from 23.1.1_2->23.1.3
« on: March 15, 2023, 06:08:48 pm »
Hi,
Same problem; no luck changing certificate depth to 2.
The same server accepts connections from Linux clients, but previously working OpenVPN for Android clients now get this error; no change was made on the client side.

Regards.

5
22.1 Legacy Series / Re: plugins list - short / empty / confused
« on: August 01, 2022, 09:58:52 pm »
Hi again,

I confirm the issue is solved after downgrading pkg to OPNsense's repository version (1.17.5_1) and locking pkg updates.

Regards.

6
22.1 Legacy Series / Re: plugins list - short / empty / confused
« on: August 01, 2022, 03:53:33 pm »
Hi Franco,

Thanks for the info.

Regards.

7
22.1 Legacy Series / Re: plugins list - short / empty / confused
« on: July 31, 2022, 12:39:37 am »
Same problem for me; it started on the same version and continues after upgrading to v22.7. I didn't find a fix so far.

Regards

8
Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6
« on: February 02, 2019, 09:33:40 pm »
Hi,

After reading all configuration guides for the dnscrypt-proxy plugin and several tests I wasn't able to make it work with Unbound, only with dnsmasq and a dnscrypt-proxy instance running on 127.0.0.2:53, with 127.0.0.2 as the only DNS server under System -> Settings; but with this configuration I found a problem, because on boot dnsmasq is started before dnscrypt-proxy, so the system can't resolve domains. Creating a script to start dnscrypt-proxy before dnsmasq at boot time finally solved it.
I hope this info may be useful to others.

Regards.

9
18.7 Legacy Series / Re: New Plugin Dnscrypt-Proxy
« on: February 02, 2019, 09:31:44 pm »
Hi,

After reading all configuration guides for the dnscrypt-proxy plugin and several tests I wasn't able to make it work with Unbound, only with dnsmasq and a dnscrypt-proxy instance running on 127.0.0.2:53, with 127.0.0.2 as the only DNS server under System -> Settings; but with this configuration I found a problem, because on boot dnsmasq is started before dnscrypt-proxy, so the system can't resolve domains. Creating a script to start dnscrypt-proxy before dnsmasq at boot time finally solved it.
I hope this info may be useful to others.

Regards.

10
18.7 Legacy Series / Re: MultiWAN default route error
« on: November 21, 2018, 11:41:52 pm »
Issue is better described here:

https://github.com/opnsense/core/issues/2186

Regards.

11
18.7 Legacy Series / Re: MultiWAN default route error
« on: November 21, 2018, 01:56:27 am »
Hi,

In multi-WAN scenarios (in my case a PPPoE and a DHCP) the default route is automatically configured on the wrong WAN interface, so package updates and navigation fail; there are several messages in the forum reporting similar issues.

Regards.

12
18.7 Legacy Series / MultiWAN default route error
« on: November 20, 2018, 01:53:07 am »
Hi,

Any update on the MultiWAN default route not being set properly? I've read it is a known bug.

Regards.

13
18.7 Legacy Series / Re: First time install problem: Booting from USB stick hangs
« on: November 03, 2018, 12:42:34 am »
Hi,

I ran across the same problem installing OPNsense on an old device; it seems USB booting has some bugs in the current OPNsense images.

The only way I was able to perform the installation was using a FreeBSD Release Mini-Memstick image first and later installing OPNsense using the opnsense-bootstrap method:

https://forum.opnsense.org/index.php?topic=4526.0

https://github.com/opnsense/update/blob/master/README.md

Hope this is useful and saves others some time.

Regards.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved