Messages - knebb

106
23.7 Legacy Series / Re: Using own CA for certificates within OPNSense . How?
« on: November 05, 2023, 07:47:18 pm »
Quote from: chemlud on November 05, 2023, 07:33:00 pm
Because your self-signed certs are not trusted by your Mac/Browser? Get a Letsencrypt or import into your Mac...
I did:
Quote
Imported both keys into the key management of my MacBook
Marked both (CA and intermediate) as fully trusted
Ok, might not have been as clear as I thought. I will modify my post to make it clear.

107
23.7 Legacy Series / Using own CA for certificates within OPNSense . How?
« on: November 05, 2023, 07:29:28 pm »
Hi,

being annoyed by the frequent warnings about self-signed certificates I decided to create my own CA and certificates.

So I followed the documentation:
  • Created a CA (self-signed)
  • Created an intermediate CA (signed by above CA)
  • Created a server certificate with the FQDN of this OPNSense
  • Downloaded the CA and Intermediate keys (not the private ones)
  • Imported both keys (CA and intermediate CA) into the key management of my MacBook
  • Marked both (CA and intermediate) as fully trusted
  • Switched the webGUI certificate of my OPNSense to the certificate I created above.
  • Accessed the webGUI
Unfortunately I am still getting the "untrusted" warnings. I can examine the certificate and it is the one I generated above. So OPNSense seems to present the correct one. But why does my Mac complain?
Firefox still shows the same warning and Safari tells me "Certificate does not comply with the defaults".
:(

Anyone having an idea?

Thanks!

/KNEBB

108
High availability / Strange Behaviour with Multi-WAN
« on: November 01, 2023, 10:26:51 pm »
Hi,

I have a Multi-WAN setup with one fibre and one DSL connection (both more or less same speed 100 vs. 150Mbit/s).
Today I had the impression my OPNsense just used one interface.
Looks like it is true:
See attached pic.
Starting from 06:00am only red was seen for incoming packets (100%) while on the second interface 100% were on the other interface for outgoing packets.

Someone able to explain this? The gateway group is configured for same Tier (Layer1) so they should be used more or less equally.
Oh, a hint: at 05:55am the 24h automated reconnect for the dynamic interface takes place.

Strange.... explanations or ideas?

/KNEBB


109
Virtual private networks / [SOLVED] Re: Wireguard with two WAN Interfaces - to which is it listening?
« on: October 27, 2023, 01:01:57 pm »
Nevermind.

Created my own script on the client which runs based on /etc/crontab.


Code:
#!/bin/bash
# Runs from /etc/crontab: if the WireGuard server is unreachable, switch the
# endpoint entry in /etc/hosts between the static (fibre) IP and the current
# dynamic (DSL) IP, then restart wg0.
#set -x
#logger "BACKUP started"
IP="10.10.10.1"          # WireGuard address of the server, used for the reachability check
static="123.45.78.97"    # static address of the first WAN interface
DYNHOST="dyn.dns.fqdn"   # dynamic DNS name of the second WAN interface

# Bring wg0 down and up again so the new endpoint is picked up
function reset()
{
    ifdown wg0
    sleep 2s
    ifup wg0
    sleep 10s
}

# Print 0 if the host given as $1 answers a single ping, 1 otherwise
# (renamed from "test" so the shell builtin of that name is not shadowed)
function check()
{
    OK=0
    ping -i 1 -c 1 -q "$1" &>/dev/null || OK=1
    echo "$OK"
}

# Swap the endpoint entry in /etc/hosts
function replace()
{
    # get current dynIP (first IPv4 A record returned by host)
    new=$(host "$DYNHOST" | grep "has address" | awk '{ print $4 }' | head -n 1)
    old=$(grep "$DYNHOST" /etc/hosts | awk '{ print $1 }')
    if [ "$static" = "$old" ]; then
        # currently on the static address: try the dynamic one
        sed -i "0,/$old/s//$new/" /etc/hosts
    elif [ "$new" = "$old" ]; then
        # dynamic address unchanged and still failing: fall back to the static one
        sed -i "0,/$old/s//$static/" /etc/hosts
    else
        # dynamic address has changed: use the new one
        sed -i "0,/$old/s//$new/" /etc/hosts
    fi
}

BO=$(check "$IP")
while [ "$BO" -eq 1 ]
do
    echo "Verbindung fehlerhaft"
    replace
    reset
    BO=$(check "$IP")
    if [ "$BO" -eq 1 ]; then
        sleep 10m
        BO=$(check "$IP")
    fi
done

I had no time to test, though. But it should work.

Thanks for your input!
/KNEBB

110
Virtual private networks / Re: Wireguard with two WAN Interfaces - to which is it listening?
« on: October 27, 2023, 11:57:38 am »
Hi,

thanks for your reply. I realized I did not have the ALLOW filters set on my second WAN interface. So when the first one dropped the client was not able to connect anyways.  ::) Wireguard indeed was listening to both interfaces.

Following now the dynamic DNS part.

I now have a fixed IP interface (fibre) and a dynamic IP interface (DSL). The second one with dynDNS configured.

Is there any chance to configure my (Debian-) client to try the second interface when the connection drops? Just when reconnecting?

Thanks!

/KNEBB



111
Virtual private networks / [SOLVED] Wireguard with two WAN Interfaces - to which is it listening?
« on: October 27, 2023, 11:32:44 am »
Hi all,

I recently added a second WAN interface (one fiber and one DSL now) and it is working really fine (using by default both interfaces, in case of a failing line just using the remaining one).

Wireguard is working fine, my clients (road warrior setup) can easily connect to the local LAN.

Now due to an excavator digging too deep the fibre line was cut. No worries, the DSL was still ok and I did not even really notice the cut of the line.

Additional Information: I do not use DynamicDNS so the DSL line gets a new IP address every time. Therefore my clients are fixed to use the fiber-IP when connecting to Wireguard.

But Wireguard had some serious hiccup and I had to do some manual steps (restart....) to get it back up and running after the line was back.

My questions regarding my setup:
  • To which of the two WAN interfaces is Wireguard listening? Is this configurable?
  • How can I figure out to which is it listening?
  • Can I use DynamicDNS to make sure the client will always use the active IP?


Thanks for letting me know and any hints.

/KNEBB

112
23.7 Legacy Series / Re: MTU issue through Wireguard
« on: September 10, 2023, 03:12:39 pm »
You made my day!

Even though I am not using PPPoE here, instead an FC connection which has 1500 MTU. So I edited the RED interface and set it to 1500 MTU and 1440 MSS.
Removed any MTU settings on the Wireguard configs.
No change.

Then I went to Firewall Settings Normalisation just as you suggested. Created a rule for Wireguard group and set the max MSS to 1360.

After this it simply worked!

Wow!

Thanks a lot, I would never have found this without help.

Appreciate your hint!

Thanks
/KNEBB
 

113
23.7 Legacy Series / Re: MTU issue through Wireguard
« on: September 10, 2023, 01:24:48 pm »
The first interesting thing is the connection to some of the devices is working fine. So it might be the failing devices do not take the ICMP MTU packets into account.
However, I recently migrated from pfSense/OpenVPN to OPNsense/Wireguard and with the previous setup I did not have any issues, even though the MTU there was low through WAN as well.




114
23.7 Legacy Series / [SOLVED] MTU issue through Wireguard
« on: September 10, 2023, 10:31:00 am »
Hi,

I have a local network and a remote network both connected through Wireguard VPN with two OPNsense boxes.

I can ping and access nearly all of my remote hosts. But not all. On some of them I have issues:
  • access to the device from the same network works fine
  • ping works fine to these devices from remote network
  • connection through https and Firefox warns me about the self-signed certificate the device uses
  • then getting connection timeout

I did a packet trace on both OPNsenses and saw this entry multiple times:
Code:
IPv4, length 610: 192.168.1.254 > 192.168.1.252: ICMP 192.168.9.50 unreachable - need to frag (mtu 1420), length 576
So the OPNSense rejects a packet because it needs to be defragmented due to low MTU and the device in question has the "don't fragment" (DF) bit set.
This is the packet which causes the ICMP message:
Code:
ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 53198, offset 0, flags [DF], proto TCP (6), length 1500)
    192.168.1.252.80 > 192.168.9.50.49272: Flags [.], cksum 0xe438 (correct), seq 1000:2448, ack 744, win 486, options [nop,nop,TS val 6430537 ecr 851618161], length 1448: HTTP, length: 1448
HTTP/1.1 200 OK

So there is an issue with the MTU size. Default MTU size on Wireguard is 1.420 which is too low for the 1.500 packet the device sends.
Now my question: How can I configure it so the packets go through?
And obviously why is path MTU discovery not working?

Thanks for ideas/hints!
/KNEBB
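An added example (not code from the post or from OPNsense) that pulls the advertised MTU out of the ICMP "need to frag" line and the IP length out of DF-flagged TCP packets from tcpdump output like the trace quoted above, flags the packets that cannot pass, and works out the MSS clamp that fits a given tunnel MTU. The two sample lines are constructed from the trace in the post.

```python
import re

# Constructed sample trace, modelled on the two tcpdump lines quoted in the post:
# the ICMP need-to-frag message and the 1500-byte DF-flagged TCP packet that caused it.
SAMPLE_TRACE = """\
IPv4, length 610: 192.168.1.254 > 192.168.1.252: ICMP 192.168.9.50 unreachable - need to frag (mtu 1420), length 576
ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 53198, offset 0, flags [DF], proto TCP (6), length 1500)
"""

NEED_FRAG_RE = re.compile(r"ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")
DF_PKT_RE = re.compile(r"flags \[DF\], proto TCP \(6\), length (\d+)\)")

def parse_trace(text):
    """Return (path_mtus, df_lengths): MTU advertised by each ICMP need-to-frag
    message, keyed by the unreachable host, and IP lengths of DF-flagged TCP packets."""
    path_mtus, df_lengths = {}, []
    for line in text.splitlines():
        m = NEED_FRAG_RE.search(line)
        if m:
            path_mtus[m.group(1)] = int(m.group(2))
            continue
        m = DF_PKT_RE.search(line)
        if m:
            df_lengths.append(int(m.group(1)))
    return path_mtus, df_lengths

def oversized_df_packets(text):
    """IP lengths of DF packets larger than the smallest MTU seen in the trace.
    With DF set the router may not fragment them, so they are dropped and the
    ICMP message is the sender's only chance to shrink its packets."""
    path_mtus, df_lengths = parse_trace(text)
    if not path_mtus:
        return []
    limit = min(path_mtus.values())
    return [n for n in df_lengths if n > limit]

def mss_clamp_for(mtu):
    """Largest TCP MSS that fits the given MTU: 20-byte IPv4 or 40-byte IPv6
    header plus a 20-byte TCP header. The IPv6 value is safe for both families."""
    return {"ipv4": mtu - 40, "ipv6": mtu - 60}

if __name__ == "__main__":
    mtus, _ = parse_trace(SAMPLE_TRACE)
    print("oversized DF packets:", oversized_df_packets(SAMPLE_TRACE))
    print("MSS clamp for the advertised MTU:", mss_clamp_for(min(mtus.values())))
```

For the 1420-byte WireGuard MTU in the trace this gives 1380 (IPv4) and 1360 (IPv6), so a clamp of 1360 covers both cases.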





115
Virtual private networks / Re: Roadwarrior and WireGuard - How to get it working?
« on: September 04, 2023, 01:26:27 pm »
Update:

I had the wrong "local" address on my Wireguard server: I entered the network address (10.10.10.0/24) instead of the host address (10.10.10.1/24).

Fixed this and now I can ping my wireguard IP from my client.

First success. Now I have to check how I can tell my client to set the additional routes to my local networks when connected. Any hints?

/KNEBB

116
Virtual private networks / Re: Roadwarrior and WireGuard - How to get it working?
« on: September 04, 2023, 01:18:17 pm »
Hi,

thanks for replying. Interesting to see your configuration as the IP address of the server to connect to is not written down anywhere.

Anyways. I already mentioned in the [Interface] section my wireguard complains about bad syntax. The "Address=" statement will not work here. I guess it is a version issue. But so far I can not upgrade to up-to-date Debian and I am stuck at v11.


Any other ideas when checking my configuration?

thanks!
/KNEBB

117
Virtual private networks / Re: Roadwarrior and WireGuard - How to get it working?
« on: September 04, 2023, 11:30:24 am »
Hi,

you are right, somehow I did not see the correct docs and mixed it up with net-2-net.

However, I now tried again and followed the official documentation you mentioned.

Still no luck :(

My client is running Debian 11.7 with wireguard v1.0.20210223-1. To be upgraded once Wireshark up and running.

I did add the file /etc/network/interfaces.d/wg0:
Code:
# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0

# describe wg0 as an IPv4 interface with static address
iface wg0 inet static

        # the IP address of this client on the WireGuard network
        address 10.10.10.2/32

        # before ifup, create the device with this ip link command
        pre-up ip link add $IFACE type wireguard

        # before ifup, set the WireGuard config from earlier
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf

        # after ifdown, destroy the wg0 interface
        post-down ip link del $IFACE

I did create the file /etc/wireguard/wg0.conf:
Code:
# define the local WireGuard interface (client)
[Interface]
#Address = 10.10.10.2/32
# contents of file wg-private.key that was recently created
PrivateKey = 8On*ix0k0=

#ListenPort = 39026
# define the remote WireGuard interface (server)
[Peer]

# contents of wg-public.key on the WireGuard server
PublicKey  = ZA6*ipXg=

# the IP address of the remote network(s)
AllowedIPs = 192.168.8.0/24

# public IP address and port of the WireGuard server
Endpoint = [public ip of server]:51280
There is one issue with the documentation on step 7:
When adding the "address" statement to the wg0.conf as written I am getting a parsing error:
Code:
root@client:/etc# ifup wg0
Line unrecognized: `Address=10.10.10.2/32'
Configuration parsing error
ifup: failed to bring up wg0

So I uncommented it in wg0.conf and added it to /etc/network/interfaces.d/wg0 as shown above.

I created the interface and the rules according to documentation.

But still no luck :(

On my client I see:
Code:
root@netcup:/etc# wg
interface: wg0
  public key: 27Pu1yyz*p9Yqo+HqVTU=
  private key: (hidden)
  listening port: 51838

peer: ZA6BNlmf7z*jj32rKDDh5l6WipXg=
  endpoint: publicsrvip:51280
  allowed ips: 192.168.8.0/24

Anyone having hints how to get it up and running?
Thanks!

/KNEBB
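An added example (not the poster's code and not part of WireGuard) that checks a wg0.conf against the keys `wg setconf` accepts per wg(8). It reproduces why the `Address=` line above is reported as unrecognized: Address, DNS, MTU and the Pre/Post hooks are wg-quick(8) keys, so with `wg setconf` the address has to be set elsewhere, as the post does in /etc/network/interfaces.d/wg0. The sample config is constructed with placeholder keys.

```python
# Keys that `wg setconf` (and `wg addconf`) understand, from wg(8). Anything else,
# such as Address, DNS, MTU or PostUp, exists only in wg-quick(8) files.
WG_KEYS = {
    "Interface": {"PrivateKey", "ListenPort", "FwMark"},
    "Peer": {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint", "PersistentKeepalive"},
}
WG_QUICK_ONLY = {"Address", "DNS", "MTU", "Table", "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig"}

# Constructed client config modelled on the post above, with the Address line
# left in as documentation step 7 describes; the keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
Address=10.10.10.2/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY=

[Peer]
PublicKey  = PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 192.168.8.0/24
Endpoint = [public ip of server]:51280
"""

def lint_setconf(text):
    """Return the lines `wg setconf` would reject, with a hint for wg-quick-only keys."""
    problems, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section not in WG_KEYS:
                problems.append(f"line {no}: unknown section [{section}]")
            continue
        if section not in WG_KEYS or "=" not in line:
            problems.append(f"line {no}: not a key = value inside [Interface] or [Peer]: {line!r}")
            continue
        key = line.split("=", 1)[0].strip()
        if key in WG_KEYS[section]:
            continue
        hint = " (wg-quick only; with ifupdown set it as `address` in /etc/network/interfaces.d/wg0)" if key in WG_QUICK_ONLY else ""
        problems.append(f"line {no}: `wg setconf` does not understand {key}{hint}")
    return problems

if __name__ == "__main__":
    for problem in lint_setconf(SAMPLE_CONF):
        print(problem)
```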

118
Virtual private networks / Re: [SOLVED] Doc unclear for Wireguard Site-2-Site
« on: August 28, 2023, 06:00:04 pm »
Hi,

thanks for the advice. I haven't had time to check again. So am I right that I put the remote network ranges in here?

Thanks!

/KNEBB

119
German - Deutsch / bind refuses client requests
« on: August 28, 2023, 08:17:47 am »
Hi,

I have installed the current bind plugin here (and disabled the other resolvers accordingly).

Defined ACLs (192.168.8.0/24 - GRUEN / local network), enabled.
Specified in the config that it should answer client requests on "GRUEN".

Nevertheless I always get a "SERVFAIL" back at the client. If I ssh directly onto the OPNsense, it resolves everything cleanly for me.
The log file does not help me either:
Code:
2023-08-28T08:13:24.556000 query-errors Informational client @0x84289eb60 192.168.8.2#50719 (www.zdf.de): query failed (failure) for www.zdf.de/IN/A at query.c:7824
2023-08-28T08:13:24.551000 resolver Informational resolver priming query complete: failure

Somehow I can't see the wood for the trees right now.... does anyone have an idea?

Thanks!
/KNEBB


120
23.7 Legacy Series / bind configuration file?
« on: August 28, 2023, 07:34:02 am »
Hi,

I am new to OPNsense and I want to import my zone configuration into it.

So I installed the bind package and now I can easily add zones and add entries. But as I have a good amount of entries, where can I find a local file on OPNsense so I can cut&paste my records?

Adding them one by one through the web gui is a pain...

Thanks!

/KNEBB
