Messages - MoonbeamFrame

#61
Is one of the ends on a link using CGNAT?
#62
Virtual private networks / Re: OpenVPN Windows Client 2.6
September 06, 2023, 01:05:56 PM
I saw something similar recently.

After creating new certificates and exporting the profiles, Windows clients reported that there was an unknown parameter in the config file.

Upgrading the Windows client to 2.6.5 resolved the issue.
#63

On my Debian derivatives (Mint/Cinnamon) I installed wireguard-tools.

Generated the keys using:

$ umask 077
$ wg genkey | tee private.key | wg pubkey > public.key

(I also generate a shared secret)

These were stored in /etc/wireguard/

The fields I set in the conf file are:
[Interface]
Address = x.x.x.x/32
DNS =
PrivateKey =
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey =
PreSharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =

I also use a WireGuard toolbar applet to start/stop the tunnel.

HTH
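As an added example (not code from the post or from the WireGuard project), a Python checker for a wg-quick client config of the shape shown in the post. It verifies that every key is 32 bytes of base64, that AllowedIPs covers both address families when one of them is a default route, that every kill-switch rule PostUp inserts has a matching PreDown delete, and that each routed family has its own fwmark rule (iptables for IPv4, ip6tables for IPv6). The keys, addresses and endpoint in SAMPLE_CONF are constructed placeholders.

```python
"""Sanity-check a wg-quick client config before bringing the tunnel up.
Added example for the WireGuard post above (not the post's or the WireGuard
project's code); keys, addresses and endpoint are constructed placeholders."""
import base64
import ipaddress
import re

# Constructed placeholder keys (deterministic bytes, not real credentials).
PRIV_KEY, PUB_KEY, PSK = (base64.b64encode(bytes([b] * 32)).decode() for b in (0x11, 0x22, 0x33))
# Kill-switch rule body from wg-quick(8), as in the post; the sample applies it to both families.
KS = "OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"

SAMPLE_CONF = f"""\
[Interface]
Address = 10.8.0.2/32
DNS = 10.8.0.1
PrivateKey = {PRIV_KEY}
PostUp = iptables -I {KS} && ip6tables -I {KS}
PreDown = iptables -D {KS} && ip6tables -D {KS}

[Peer]
PublicKey = {PUB_KEY}
PreSharedKey = {PSK}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
"""
# "iptables -I <rule>" / "ip6tables -D <rule>", ending at ';', '&&', '||' or end of line.
RULE_RE = r"(ip6?tables) -{} (.+?)(?:\s*(?:;|&&|\|\|)\s*|$)"


def parse_wg_conf(text):
    """Return [(section, {key: [values]})]; [Peer] and keys may repeat."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            sections.append((m.group(1), {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
        elif line:
            raise ValueError(f"malformed line: {line!r}")
    return sections


def bad_key(value):
    """Error text if value is not base64 of exactly 32 bytes, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return f"not valid base64: {value!r}"
    return None if len(raw) == 32 else f"decodes to {len(raw)} bytes, expected 32"


def validate(text):
    """Return {'errors': [...], 'warnings': [...]} for one wg-quick config."""
    errors, warnings = [], []
    sections = parse_wg_conf(text)
    ifaces = [s for n, s in sections if n == "Interface"]
    peers = [s for n, s in sections if n == "Peer"]
    if len(ifaces) != 1 or not peers:
        return {"errors": ["need one [Interface] and at least one [Peer]"], "warnings": []}
    iface = ifaces[0]
    # PrivateKey and PublicKey are mandatory; PreSharedKey is optional but must be well-formed.
    for k in iface.get("PrivateKey", [""]):
        if err := bad_key(k):
            errors.append(f"Interface PrivateKey: {err}")
    for i, peer in enumerate(peers):
        for k in peer.get("PublicKey", [""]) + peer.get("PreSharedKey", []):
            if err := bad_key(k):
                errors.append(f"Peer {i} key: {err}")
    # A default route for one family only sends the other family around the tunnel.
    allowed = ",".join(sum((p.get("AllowedIPs", []) for p in peers), [])).split(",")
    nets = []
    for a in filter(None, (a.strip() for a in allowed)):
        try:
            nets.append(ipaddress.ip_network(a, strict=False))
        except ValueError:
            errors.append(f"AllowedIPs {a!r}: not a network")
    v4_all = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_all = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if v4_all != v6_all:
        warnings.append(f"default route for one family only; add {'::/0' if v4_all else '0.0.0.0/0'} or that family bypasses the tunnel")
    # Every rule PostUp inserts must be deleted by PreDown, and each routed
    # family needs its own fwmark kill switch (iptables vs ip6tables).
    inserted = re.findall(RULE_RE.format("I"), " ; ".join(iface.get("PostUp", [])))
    deleted = re.findall(RULE_RE.format("D"), " ; ".join(iface.get("PreDown", [])))
    for rule in inserted:
        if rule not in deleted:
            errors.append(f"PostUp inserts a rule PreDown never deletes: {' '.join(rule)!r}")
    tools = {tool for tool, body in inserted if "fwmark" in body}
    for routed, tool, fam in ((v4_all, "iptables", "IPv4"), (v6_all, "ip6tables", "IPv6")):
        if routed and tool not in tools:
            warnings.append(f"{fam} default route without a {tool} fwmark kill switch; {fam} leaks while the tunnel is down")
    if (v4_all or v6_all) and not any(iface.get("DNS", [])):
        warnings.append("full tunnel with DNS unset; queries keep going to the host's existing resolver")
    return {"errors": errors, "warnings": warnings}
```

Fed the layout from the post with keys filled in (iptables rule only, DNS left empty), validate() warns that ::/0 is routed but only iptables carries the kill switch, and that DNS is unset; both are choices worth making deliberately rather than by omission.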
#64
> As far as the "Connections (new)" section is concerned, I'm an old crusty OPNsense user, having switched over around 2016. I'm still confused what this "Connections (new)" section is for.

It is a replacement for VPN: IPsec: Tunnel Settings which has now been deprecated.

From the 23.7 release notes:

> o IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended. An appropriate EoL announcement will be made next year.

I am making progress in that I can now get a tunnel up. It is running with no changes to the Draytek end of the connection. That is I am using the same connection profile on the Draytek to either the old Tunnel Settings or new Connections [new] profile on the OPNsense firewall.

My next hurdle is that when using the Connections [new] profile I am not seeing any traffic moving across the firewall. This is not consistent with what I saw when migrating OPNsense to OPNsense tunnels.

A question that also comes to mind is that for future tunnels I'll need to create additional pre-shared keys [in VPN: IPsec: Pre-Shared Keys] with the same Local Identifier.  The creation of pre-shared keys prevents duplicates but allows multiple Local Identifiers with unique Remote Identifiers. How does the local/remote authentication know which of the multiple Local Identifiers to use?

#65
I recently did something similar.

I went for a unit with 2.5 GB Intel NICs. It is powerful enough that CPU usage normally shows 0%.

https://www.amazon.co.uk/dp/B0C2KQYF5Y?ref=ppx_yo2ov_dt_b_product_details&th=1

There was a YouTube video about the product that I found useful. https://www.youtube.com/watch?v=h7U4fCj_Pos
#66
Before I consider upgrading to 23.7 I need to migrate 24 VPNs currently configured via Tunnel Settings to Connections [new].

While I have already moved some of the OPNsense to OPNsense tunnels I have still to get a Draytek tunnel running.

They are all currently configured using the same template, so if I get one running I'll be able to get the rest done.


Draytek configuration:

- Dial-out, Always on
- IKEv2
- PSK
- AES with authentication
- IKE Phase 1 aes256/sha256/dh14  [aes256-sha256-modp2048]
   I have also tried aes256/sha256/dh21 [aes256-sha256-ecp521]
- IKE Phase 2 aes256/sha256
- IKE phase 1 key lifetime 86400
- IKE phase 2 key lifetime 86400
- pfs enabled

I have also created and tested a Draytek profile that will handle dial-in and Dial-out to see if this would work.

The reason for the Dial-out setting is that a few of the Draytek sites have more than one subnet. If the OPNsense firewall originates the connection then only the primary subnet SA establishes. If the Draytek router originates the connection then all SAs establish.

As already noted in the forum, and when I migrated an OPNsense to OPNsense tunnel, the ESP rules were not automatically created. From watching the traffic I have created rules to cover ESP, ISAKMP and IPsec NAT-T.

One thing I am not sure about: having created a Pre-Shared Key entry for the connection using an email address as the Local Identifier, whether this email address is what goes in the Local Authentication Id field when Authentication is Pre-Shared Key (which is what I have used).

If anyone has managed to get a Connections [new] tunnel to a Draytek router working, I would appreciate any tips.



#67

In the OpenVPN server configuration check that the number of concurrent connections meets your needs and that you are not restricting the number of sessions elsewhere in your configuration.

I leave it set to the default value and have many tens of users able to remote in at the same time.
#68
Thanks.

0.0.0.0/0 Already set

And that was the tutorial I used when configuring the tunnel.

#69
Simplified diagram attached.

We have

- vlans A1 and B1 exchanging traffic
- vlans A2 and B2 isolated from each other
- vlan A1 able to use WAN B

I'm trying to get vlan B1 to be able to use WAN A

Site A is running OPNsense (my end). Site B is running Linux iptables.

At site A traffic from site B can be seen routing out via WAN A, but site B does not see the return traffic.

#70
I have no problem in getting the Site-to-Site traffic passing.

But I'm having limited success on doing the far-end break-out, currently it is working from A to B, but not B to A.

I have not found anything in the forum, so could someone point me to any documentation that might help?

Thank you.

#71
SSDs have a write life.

I've seen disks from a number of manufacturers reach this point, after which the disk only operates in read-only mode.
#72
23.1 Legacy Series / Re: PPPoE gets wrong IP
March 13, 2023, 07:48:29 PM
The A&A support site has a couple of pages that might help (I can see you don't need to use a VLAN).

General router page https://support.aa.net.uk/General_Router_Settings

OPNsense configuration https://support.aa.net.uk/Router_-_OPNsense

Edit:

Rather than creating a dedicated PPPoE in Point-to-Point Devices, try creating the interface with an IPv4 Configuration Type of PPPoE.
#73
23.1 Legacy Series / Re: PPPoE gets wrong IP
March 13, 2023, 07:04:33 PM
I have an A&A fibre [CityFibre] as one of the links on an OPNsense box.

I set the PPPoE gateway to the allocated /32 [on VLAN 911 for CityFibre].

Then defined the /24 on the same physical interface and added the non-gateway addresses as virtual IPs.

HTH
#74
23.1 Legacy Series / Re: OPNsense 23.1.2 OpenVPN
March 10, 2023, 11:11:46 AM
My road-warrior VPNs are working again with 23.1.3
#75
I am seeing the same behavior with Android phones.

In my case I have never needed to do anything on the OPNsense end. Resetting/restarting the phone brings the connection up again.

It seems to be more of a problem when the phone is more mobile. I have all my phones set to use cellular data for the connection (no WiFi at any time). They are also set to have the VPN always on and to route all traffic via the tunnel.