Messages

76

21.7 Legacy Series / Re: https access to ntopng not working

« on: November 16, 2021, 06:28:14 am »

benyamin - thank you, when I saw the post from mimugmail above I posted a question on the ntop discord support channel.  I will wait a bit to hear what they say and report back here assuming I get a response.

As for the potential bug, the OPNsense 'full help' for the Services: ntopng Enterprise: Settings - HTTP(S) Port field reads: "HTTP port this service listens on. To enable HTTPS on this port please select a certificate below.".

Having that said, one thing I will point out is the OPNsense screens are entitled "ntopng Enterprise", and I am using the ntopng Community edition.  So it may also be that the NTOP folks say that https is only supported on the Enterprise edition and not on the community edition.

In any case, as it stands, if an OPNsense code fix is not required, perhaps a documentation clarification may be.

Again, I will wait to see what the NTOP folks say and post back here.

77

21.7 Legacy Series / Re: https access to ntopng not working

« on: November 15, 2021, 05:22:54 pm »

bump

78

Virtual private networks / Re: Client can't connect to new OpenVPN Server

« on: November 14, 2021, 08:37:01 pm »

Not sure if this will be your issue or not, but I just spent most of the last few hours resolving this myself.

Turns out that on the Google Play store there is an app called "Openvpn" and another "Openvpn for Android".  I was working with the first, but it was not working for me.  When I downloaded "OpenVPN for Android" and imported my exported .opvn file it worked like a charm.   

The following Youtube video was what led me to that solution:
https://www.youtube.com/watch?v=0E0wYNmMQMo

Hope this will be of help.

79

21.7 Legacy Series / Re: https access to ntopng not working

« on: November 11, 2021, 02:09:34 pm »

Attached is the screen in advanced mode, with full help turned on.

That it allows access to either http or https via the same port does appear to be what the screen is suggesting should be possible.

However, according to what the screen seems to be saying, it really should just work as configured but does not.

I really don't know what "If you want to secure the connection feel free to setup HAProxy or Nginx as a reverse proxy (SSL offloading)." means or how to approach that.

80

21.7 Legacy Series / https access to ntopng not working

« on: November 11, 2021, 12:21:54 am »

I have created a certificate for xxx.duckdns.org (where xxx is my unique duckdns.org identifier).

With it, I can securely sign on to my opnsense box with an url of:
https://xxx.duckdns.org

In conjunction with opnsense I am also using ntoping.

I can sign on to my ntopng dashboard by using either:
http://192.168.1.1:3000/
or
http://xxx.duckdns.org:3000/

However, I can not sign on securely using either:
https://192.168.1.1:3000/
or
https://xxx.duckdns.org:3000/

Using Chrome I get ERR_SSL_PROTOCOL_ERROR, using Firefox I get SSL_ERROR_RX_RECORD_TOO_LONG.

The attached screenshot shows how I have opnsense configured in relation to the above.  For DNS mode, I have tried all options.

I have ensured both browsers are configured to use TLS 1.3 (as a few related posts from long ago indicated that might be an issue).

Any help would be appreciated.

81

21.7 Legacy Series / Re: valid certificate invalid for use with opnsense

« on: November 08, 2021, 10:56:15 pm »

Thank you - that helped quite a bit.

I've got it working (hopefully now for good) with your help, as well as Frigth's help from a few days back on this post:  https://forum.opnsense.org/index.php?topic=25450.0

In short, when I originally set it up, I tried to enter
https:\\xxxx.duckdns.org  (where xxx was my duckdns identifier)
in the url line.   

However, at that time, I got a message "A potential DNS Rebind attack has been detected. Try to access the router by IP address instead of by hostname.".

Accordingly, I tried using https:\\hostname, which as described in my post linked to above, is "opnsense" (i.e. https:\\opnsense ), and it worked fine - so I just left it at that.

However, when I came back to it yesterday, using https:\\opnsense no longer worked. 

In attempting to make it work today I added both "opensense" and "xxx.duckdns.org" in System - Settings - Administration - Alternate Hostnames, as suggested by Fright.

Also, after reading your reply, I tried https://xxx.duckdns.org in the url line and it worked!

Great, hope it stays working!

Also, I've gone back and updated System - Settings - Administration - Alternate Hostnames to only contain xxx.duckdns.org  (that is to say I removed the value of "opnsense" that I previously additionally had in that field ) and it continued to work.

Thanks again for your (and Fright's) help!

82

21.7 Legacy Series / valid certificate invalid for use with opnsense

« on: November 08, 2021, 06:58:05 pm »

Further to this post here: https://forum.opnsense.org/index.php?topic=25450.0

I was able to securely sign-on to opnsense with a certificate issued via duckdns.org just fine, for about a day.

However, I came back to this yesterday and am now getting a message saying the certificate is not valid, however, when I go into the details of the certificate it says it is valid.

Attached is what I am seeing with respect to the invalid/valid certificate in chrome, as well as my related Settings window in opnsense.

I tried clearing the cache, clearing the associated cookies, using an incognito session, rebooting, turning off my pc's firewall (Bitdefender), turning off advanced thread defence (also in Bitdefender) but nothing helped.

I also tried checking and unchecking the "Disable web GUI redirect rule" option on the opnsense settings window, but to no avail.

I even tried exporting the certificate from opnsense and importing it into my windows trusted certificates using certmgr.msc but that didn't help either.

I'm not fully sure this is an opnsense issue, but the certificate was created via opnsense using the duckdns option so perhaps??

In any case, any help would be appreciated.

edit: I could not upload the setting windows due to its size, it can be viewed here:
https://ibb.co/pLNJP9X

also this one:
https://ibb.co/G3vGbcQ

83

21.7 Legacy Series / Re: Having trouble getting signing certificate to work

« on: November 05, 2021, 12:59:16 pm »

Frigth: thank you.

For those that may run into the same issue.

When I try to access the router by IP address, I get an unsecured connection.

When I browse to my duckdns.org address I get "A potential DNS Rebind attack has been detected. Try to access the router by IP address instead of by hostname."

So what is needed in the url line is:

https://opnsense

where the word "opnsense" is the hostname as defined in  OPNSense - Systems - Settings - General - Hostname.

This gives me a secure connection.

84

21.7 Legacy Series / Having trouble getting signing certificate to work

« on: November 05, 2021, 05:24:47 am »

Following the instructions of this video:
https://www.youtube.com/watch?v=IR41duTqN6Y
with updates to reflect changes in opnsense since the video was produced, I was able to create a signing certificate using my duckdns.org account.

However, while the OPNSense - Services - Certificate entry is enabled and is showing as issued, and while the OPNSense - System - Administration - Settings - System - SSL Certificate for my duckdns.org account appears in the dropdown list, and is selected.

when I browse to my opnsense url at https://192.168.1.1/ I still get told it is an unsecured location.

Here is what my opnsense System:Trust:Certificates window says about the certificate (with my certificate name  manually redacted to xxx below):

xxx.duckdns.org (ACME Client)

CA: No, Server: Yes   R3 (ACME Client)    CN=xxx.duckdns.org
    Valid From:   Thu, 04 Nov 2021 22:59:06 -0400
    Valid Until:   Wed, 02 Feb 2022 21:59:05 -0500

Any help would be appreciated.

85

21.7 Legacy Series / Re: backup entire opnsense machine

« on: October 22, 2021, 01:04:02 am »

Thank you, I know virtually nothing about the Linux environment, but you've given me some keywords to google so hopefully, that will be all I need to get going!

86

21.7 Legacy Series / backup entire opnsense machine

« on: October 21, 2021, 10:18:09 pm »

What is the best way to backup an entire opnsense machine (i.e. not just the configuration files but the entire box)?

87

21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update

« on: June 29, 2021, 09:33:13 pm »

In terms of reverting settings,
I unchecked 'Use IPv4 connectivity" and 'Send IPv6 prefix hint"
applied the changes and rebooted.

With these changes, the DHCPv6 Server continued to work just fine.

Again, with thanks for your help opnfwb and franco!

88

21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update

« on: June 29, 2021, 09:12:20 pm »

It's working!

There is a setting on my Rogers router that says "Residential Gateway Function" which I changed from Enabled to Disabled.

After that, and a reboot of the router, the opnsense DHCPv6 Server was able to start.

Unfortunately, now I can't seem to sign on to my Rogers Router any more - so I will have to figure that one out.

I will also now try and revert back the new settings I had made to the opnsense box, and will post back here to confirm if they were needed or not - not that the "Residential Gateway Function" is disabled.

Thank you so much for your time and help opnfwb and franco!

89

21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update

« on: June 29, 2021, 08:47:13 pm »

Here is what is in the log after I click the start service button on the lobby/dashboard screen:

https://ibb.co/8rw1dx0

90

21.1 Legacy Series / Re: DHCPv6 Server not starting following most recent firmware update

« on: June 29, 2021, 05:41:55 pm »

Thanks.

On the Interfaces - [WAN_Rogers] window

I checked 'Use IPv4 connectivity" (it was previously unchecked)
I left "Request only a IPv6 prefix" unchecked
I left "DHCPv6 Prefix Delegation Size" set at 64
I checked 'Send IPv6 prefix hint" (it was previously unchecked)

saved and applied the changes.

However, sadly, the DHCPv6 Server will still not start.