Messages - MoonbeamFrame

#46
And I have some existing OPNsense to OPNsense tunnels where the Proposals now say Nothing selected.

Though the tunnels are up-and-running OK.
#47
Thanks
Noted
#48
I've had an issue with an OPNsense 23.7.5-amd64 firewall this morning.

Quote
2023-10-03T09:53:18   Informational   unbound    [74018:a] info: generate keytag query _ta-4f66. NULL IN
2023-10-03T09:53:15   Notice   unbound    daemonize unbound dhcpd watcher.
2023-10-03T09:53:14   Critical   unbound    [74018:1] fatal error: Could not initialize thread
2023-10-03T09:53:14   Informational   unbound    [74018:1] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
2023-10-03T09:53:14   Informational   unbound    [74018:0] info: start of service (unbound 1.18.0).
2023-10-03T09:53:14   Informational   unbound    [74018:1] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2023-10-03T09:53:14   Error   unbound    [74018:1] error: Could not set root or stub hints
2023-10-03T09:53:14   Error   unbound    [74018:1] error: reading root hints /root.hints 2:9: Syntax error, could not parse the RR's type

I believe from the time the error was logged until the firewall was rebooted DNS requests were not answered.
It appeared that I could not start, stop or restart it from the GUI and CPU usage was 15x normal. Though I could later see a log record showing that Unbound was stopped.

Before it was rebooted I was able to ssh into the firewall and could see that there was a /var/unbound/root.hints file with a newer timestamp (~12:00) and that the contents matched the root.hints from another firewall.

I was wondering if there is a better/cleaner way to recover from this scenario?


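The failure above is Unbound refusing to start because line 2, column 9 of root.hints did not parse as a record type. One cleaner recovery path is to validate the hints file before it is installed or Unbound is reloaded. The checker below is an added example, not part of the post or of OPNsense; it accepts the zone-file shape Unbound expects (owner, TTL, optional class, type, RDATA), reports the first defect with the same line:column style Unbound logs, and the sample records it carries are constructed for the demonstration.

```python
import ipaddress
import re
import sys

VALID_TYPES = {"NS", "A", "AAAA"}  # the only record types a root hints file should carry

def check_root_hints(text):
    """Return (line, column, message) for the first defect, or None; columns are 1-based like Unbound's 'line:column'."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split(";", 1)[0]  # ';' starts a zone-file comment
        tokens = [(m.start() + 1, m.group()) for m in re.finditer(r"\S+", body)]
        if not tokens:
            continue  # blank or comment-only line
        if len(tokens) < 4:
            return (lineno, tokens[0][0], "expected: owner TTL [class] type rdata")
        ttl_col, ttl = tokens[1]
        rest = tokens[2:]
        if rest[0][1].upper() == "IN":  # the class field is optional
            rest = rest[1:]
        if len(rest) < 2:
            return (lineno, rest[0][0], "missing RR type or RDATA")
        (type_col, rtype), (data_col, rdata) = rest[0], rest[1]
        if not ttl.isdigit():
            return (lineno, ttl_col, "TTL is not a number")
        rtype = rtype.upper()
        if rtype not in VALID_TYPES:
            return (lineno, type_col, "could not parse the RR's type")
        try:
            if rtype == "A":
                ipaddress.IPv4Address(rdata)
            elif rtype == "AAAA":
                ipaddress.IPv6Address(rdata)
            elif not rdata.endswith("."):
                raise ValueError("NS target must be a fully qualified name")
        except ValueError as exc:
            return (lineno, data_col, f"bad RDATA: {exc}")
    return None

# Constructed sample in the shape of the InterNIC root hints file, plus a copy whose RR type on line 2 is corrupted.
SAMPLE_OK = (
    ".                   3600000  NS    A.ROOT-SERVERS.NET.\n"
    "A.ROOT-SERVERS.NET. 3600000  A     198.41.0.4\n"
    "A.ROOT-SERVERS.NET. 3600000  AAAA  2001:503:ba3e::2:30\n"
)
SAMPLE_BAD = SAMPLE_OK.replace("3600000  A     198", "3600000  Q     198")

if __name__ == "__main__":  # usage: python check_root_hints.py /var/unbound/root.hints
    defect = check_root_hints(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD)
    print("root.hints OK" if defect is None else "root.hints %d:%d: %s" % defect)
    sys.exit(0 if defect is None else 1)
```

Run it against the downloaded file before copying it into place; a non-zero exit means keep the previous hints file and Unbound keeps answering.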
#49
Is one of the ends on a link using CGNAT?
#50
Virtual private networks / Re: OpenVPN Windows Client 2.6
September 06, 2023, 01:05:56 PM
I saw something similar recently.

After creating new certificates and exporting the profiles, Windows clients reported that there was an unknown parameter in the config file.

Upgrading the windows client to 2.6.5 resolved the issue.
#51

On my Debian derivatives (Mint/Cinnamon) I installed wireguard-tools.

Generated the keys using:

Quote
$ umask 077
$ wg genkey | tee private.key | wg pubkey > public.key

(I also generate a shared secret)

These were stored in /etc/wireguard/

The fields I set in the conf file are:
Quote
[Interface]
Address = x.x.x.x/32
DNS =
PrivateKey =
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey =
PreSharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =

I also use a WireGuard toolbar applet to start/stop the tunnel.

HTH
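The PostUp line in the config above is a kill switch: once the tunnel is up, any outbound packet that is not leaving via the WireGuard interface and does not carry the tunnel's fwmark is rejected, so nothing leaks if the tunnel drops. That only works if AllowedIPs routes everything into the tunnel and PreDown removes exactly the rule PostUp inserted. The linter below is an added example, not from the post or the WireGuard project; it checks those three things on a wg-quick client config. The sample config is constructed, with placeholder keys and a hypothetical endpoint vpn.example.org:51820.

```python
import configparser
import ipaddress

FULL_TUNNEL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
KILL_SWITCH = "iptables -I OUTPUT"  # the PostUp rule from the post starts this way

def lint_wg_conf(text):
    """Return a list of problems found in a wg-quick client config (empty when clean)."""
    # wg-quick files are INI-shaped; strict=False tolerates repeated keys (last one wins)
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep WireGuard's CamelCase keys as written
    cfg.read_string(text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    problems = []
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey"), ("Peer", "PreSharedKey")):
        if not cfg[section].get(key, "").strip():
            problems.append(f"{section}.{key} is empty")
    allowed = {ipaddress.ip_network(n.strip(), strict=False) for n in peer.get("AllowedIPs", "").split(",") if n.strip()}
    if not FULL_TUNNEL <= allowed:
        problems.append("AllowedIPs is not a full tunnel, so the OUTPUT REJECT rule would block ordinary traffic")
    post_up, pre_down = iface.get("PostUp", "").strip(), iface.get("PreDown", "").strip()
    if not post_up.startswith(KILL_SWITCH):
        problems.append("PostUp does not install the kill-switch rule")
    elif pre_down != post_up.replace("iptables -I OUTPUT", "iptables -D OUTPUT", 1):
        problems.append("PreDown does not delete exactly the rule PostUp inserted (stale REJECT after teardown)")
    return problems

# Constructed config in the shape of the one in the post; key values and the endpoint are placeholders.
SAMPLE = """[Interface]
Address = 10.8.0.2/32
DNS = 10.8.0.1
PrivateKey = <client-private-key>
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <server-public-key>
PreSharedKey = <shared-secret>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.org:51820
"""
```

A PreDown that does not mirror PostUp leaves the REJECT rule in the OUTPUT chain after `wg-quick down`, which looks like a total loss of connectivity rather than a VPN problem.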
#52
Quote
As far as the "Connections (new)" section is concerned, I'm an old crusty OPNsense user, having switched over around 2016. I'm still confused what this "Connections (new)" section is for.

It is a replacement for VPN: IPsec: Tunnel Settings which has now been deprecated.

From the 23.7 release notes:

Quote
o IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended. An appropriate EoL announcement will be made next year.

I am making progress in that I can now get a tunnel up. It is running with no changes to the Draytek end of the connection. That is, I am using the same connection profile on the Draytek with either the old Tunnel Settings or the new Connections [new] profile on the OPNsense firewall.

My next hurdle is that when using the Connections [new] profile I am not seeing any traffic moving across the firewall. This is not consistent with what I saw when migrating OPNsense to OPNsense tunnels.

A question that also comes to mind is that for future tunnels I'll need to create additional pre-shared keys [in VPN: IPsec: Pre-Shared Keys] with the same Local Identifier. The creation of pre-shared keys prevents duplicates but allows multiple Local Identifiers with unique Remote Identifiers. How does the local/remote authentication know which of the multiple Local Identifiers to use?

#53
I recently did something similar.

I went for a UND unit with 2.5 GB Intel NICs. It is powerful enough that CPU usage usually shows 0%.

https://www.amazon.co.uk/dp/B0C2KQYF5Y?ref=ppx_yo2ov_dt_b_product_details&th=1

There was a YouTube video about the product that I found useful. https://www.youtube.com/watch?v=h7U4fCj_Pos
#54
Before I consider upgrading to 23.7 I need to migrate 24 VPNs currently configured via Tunnel Settings to Connections [new].

While I have already moved some of the OPNsense to OPNsense tunnels I have still to get a Draytek tunnel running.

They are all currently configured using the same template, so if I get one running I'll be able to get the rest done.


Draytek configuration:

- Dial-out, Always on
- IKEv2
- PSK
- AES with authentication
- IKE Phase 1 aes256/sha256/dh14  [aes256-sha256-modp2048]
   I have also tried aes256/sha256/dh21 [aes256-sha256-ecp521]
- IKE Phase 2 aes256/sha256
- IKE phase 1 key lifetime 86400
- IKE phase 2 key lifetime 86400
- pfs enabled

I have also created and tested a Draytek profile that will handle dial-in and Dial-out to see if this would work.

The reason for the Dial-out setting is that a few of the Draytek sites have more than one subnet. If the OPNsense firewall originates the connection then only the primary subnet SA establishes. If the Draytek router originates the connection then all SAs establish.

As already noted in the forum, and when I migrated an OPNsense to OPNsense tunnel, the ESP rules were not automatically created. From watching the traffic I have created rules to cover ESP, ISAKMP and IPsec NAT-T.

One thing I am not sure about is whether, having created a Pre-Shared Key entry for the connection using an email address as the Local Identifier, this email address is what is used in the Local Authentication Id field when Authentication is Pre-Shared Key (which is what I have used).

If anyone has managed to get Connections [new] working with a Draytek router I would appreciate any tips.



#55

In the OpenVPN server configuration check that the number of concurrent connections meets your needs and that you are not restricting the number of sessions elsewhere in your configuration.

I leave it set to the default value and have many tens of users able to remote in at the same time.
#56
Thanks.

0.0.0.0/0 Already set

And that was the tutorial I used when configuring the tunnel.

#57
Simplified diagram attached.

We have

- vlans A1 and B1 exchanging traffic
- vlans A2 and B2 isolated from each other
- vlan A1 able to use WAN B

I'm trying to get vlan B1 to be able to use WAN A

Site A is running OPNsense (my end). Site B is running Linux iptables.

At site A traffic from site B can be seen routing out via WAN A, but site B does not see the return traffic.

#58
I have no problem in getting the Site-to-Site traffic passing.

But I'm having limited success on doing the far-end break-out, currently it is working from A to B, but not B to A.

I have not found anything in the forum, so could someone point me to any documentation that might help?

Thank you.

#59
SSDs have a write life.

I've seen disks from a number of manufacturers reach this point, after which the disk only operates in read-only mode.
#60
23.1 Legacy Series / Re: PPPoE gets wrong IP
March 13, 2023, 07:48:29 PM
The A&A support site has a couple of pages that might help (I can see you don't need to use a VLAN).

General router page https://support.aa.net.uk/General_Router_Settings

OPNsense configuration https://support.aa.net.uk/Router_-_OPNsense

Edit:

Rather than creating a dedicated PPPoE device in Point-to-Point Devices, try creating the interface with an IPv4 Configuration Type of PPPoE.