Topics - NevadaTech

1
Virtual private networks / What's the direction of VPN - IPSEC or Wireguard?
« on: February 09, 2024, 06:08:46 pm »
This is a broad question. I'm trying to figure out where to migrate my connections.

My IPSEC site-to-site connections are now labeled as legacy. There is a new connection methodology for that tech. There is also WireGuard as a methodology. But if you add the WireGuard plugin there are notes against it.

My use cases are mainly single site-to-site VPNs. Half of the time one side has a static IP. Half the time DuckDNS for both. Also a fair amount of road warriors doing an OpenVPN connection.

One pro of WireGuard is that it works fine with one side static and one side dynamic for site-to-site. From what I've read, the dynamic site is the side that always kicks off the connection. It could also be dual used for road warrior connections.

For road warriors I've had to use only the OpenVPN client bundled in the OPNsense package. New OpenVPN clients don't seem to work with the generated package/key. For me, that'd be another plus for WireGuard. But, the whole

<code>
=====
Message from wireguard-kmod-0.0.20220615_1:

--
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.
--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Only useful for FreeBSD 12 which is EoL soon.

It is scheduled to be removed on or after 2023-12-31.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
</code>

has me confused. This is from a plug-in install.

Thanks for guidance and opinions!

2
General Discussion / Security question - domain or no domain
« on: March 26, 2023, 05:43:01 pm »
Hello,

There is probably no firm 'real' answer to this question. If there is, please let me know. In general, is your router more secure if you do not have an external domain associated with its public IP? For example, is router.walmart.com less secure than only using its static IP of 12.34.56.78?

In this scenario, it is an OPNsense router with out of the box security enabled. There are IPSEC VPN connections to the box - both tunnel links and OpenVPN temporary connections. No other WAN ports open. I like the idea of setting a DNS name to it. I don't see how it would be less secure.


3
General Discussion / manage multiple sites routers
« on: September 09, 2021, 07:53:40 pm »
Hello,

I've been looking but not finding, any help?

We have a couple dozen pfSense routers we support. Some of the sites have IPSEC VPNs, some use OpenVPN for remote access. Most sites are basic single segment networks - DHCP, DNS, NTP. The plan is to migrate them to OPNsense. Is there a tool/service that we can manage all of the routers from a single dashboard?

It can be a limited overview/manager. Something that takes care of 80% of the jobs. For all of the features of OPNsense we only use 10% of them. Items we're looking for are
* sends the remote router's firmware/version
* allows remote kickoff of updates (yes, I know this can be dangerous)
* check status and restart of IPSEC VPNs
* alerts on gateway failures and packet loss alerts (pull sided vs remote pushing?)
* pull config backups from remote routers so we have a backup locally for future jobs/recovery
* since this is a wish list, a feature that we could semi prep the router (WAN static or DHCP), a public/private SSH key exchange (?), when the user plugs it in, we could then attach and do a little deeper config
* this tool would send out email/sms notifications

I imagine you could do a lot of the reporting with Zabbix. Is the plugin current? There is Monit on the boxes but I haven't looked into its features yet.

And, yes, we'd happily pay for a quality product, anything that saves us work.

Thanks for ideas and input!

4
General Discussion / [SOLVED] same old router+VoIP issues
« on: March 19, 2021, 05:46:42 am »
Hello all,

I'm having a devil of a time trying to get my PBX to talk through the router. My belief is that the root cause is my lack of understanding of NAT. Any help would be appreciated.

* PBX (10.10.20.20/24) is on the LAN network
* phone (10.10.20.30/24) is on the LAN network
* external/Internet SIP service provider (SIPstation) appears to see/talk to the PBX
* calls ring from my cell (outside network) to PBX phone (inside network)
* calls ring from PBX phone (inside network) to cell (outside network)
* no audio either way
* I've added a NAT port forward; in this, 11.22.33.44 is my WAN address
Interface  Proto  Source Address  Source Ports  Dest Address  Dest Ports     NAT IP       NAT Ports      Description
LAN        TCP    *               *             LAN address   80, 443        *            *              Anti-Lockout Rule
WAN        UDP    *               *             11.22.33.44   5060 - 5061    10.10.20.20  5060 - 5061    IncredPBX
WAN        UDP    *               *             11.22.33.44   10000 - 20000  10.10.20.20  10000 - 20000  IncredPBX


* doing that auto-added the Firewall Rules
Protocol  Source  Port  Destination   Port           Gateway  Schedule  Description
IPv4 UDP  *       *     10.10.20.20   5060 - 5061    *        *         IncredPBX 1.1
IPv4 UDP  *       *     10.10.20.200  10000 - 20000  *        *         IncredPBX 1.2


* I've read some posts that suggest setting NAT Outbound to Hybrid and then building a manual rule; I built this but I'm not sure it's valid
- Destination = SIPstation which is an alias to trunk.freepbx.com + trunk1.freepbx.com + trunk2.freepbx.com
- Destination Port = SIPports which is an alias to UDP 5060:5061 + UDP 10000:20000
Interface  Source   Source Port  Destination  Destination Port  NAT Address        NAT Port  Static Port  Description
WAN        LAN net  udp/ *       SIPstation   udp/ SIPports     Interface address  *         NO           IncredPBX
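As an added example (not part of NevadaTech's post and not OPNsense code), here is a small Python consistency check over the port-forward and rule tables as posted. It assumes the usual column meanings of the OPNsense port-forward and firewall-rule pages and the 10.10.20.0/24 LAN the poster gives for the PBX; the data embedded below is transcribed from the tables above. Run against the posted tables it reports one finding: the pass rule 'IncredPBX 1.2' allows traffic to 10.10.20.200, while the port forward for 10000 - 20000 targets 10.10.20.20, so the RTP range has a forward but no matching pass rule. That kind of mismatch is worth ruling out before reworking outbound NAT.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PortForward:
    interface: str
    proto: str
    dst_addr: str      # WAN address the traffic arrives on
    dst_ports: str     # external ports, as written in the UI ("5060 - 5061")
    nat_ip: str        # internal target of the forward
    nat_ports: str     # ports the traffic is rewritten to
    description: str


@dataclass(frozen=True)
class FirewallRule:
    proto: str         # e.g. "IPv4 UDP"
    destination: str
    dst_ports: str
    description: str


# Transcribed from the tables in the post above (anti-lockout rule omitted).
PAGE_FORWARDS = [
    PortForward("WAN", "UDP", "11.22.33.44", "5060 - 5061", "10.10.20.20", "5060 - 5061", "IncredPBX"),
    PortForward("WAN", "UDP", "11.22.33.44", "10000 - 20000", "10.10.20.20", "10000 - 20000", "IncredPBX"),
]
PAGE_RULES = [
    FirewallRule("IPv4 UDP", "10.10.20.20", "5060 - 5061", "IncredPBX 1.1"),
    FirewallRule("IPv4 UDP", "10.10.20.200", "10000 - 20000", "IncredPBX 1.2"),
]


def parse_ports(spec: str) -> Tuple[int, int]:
    """Turn '5060', '5060 - 5061', '10000:20000' or '*' into an inclusive (lo, hi) pair."""
    spec = spec.replace(" ", "")
    if spec == "*":
        return (1, 65535)
    for sep in ("-", ":"):
        if sep in spec:
            lo, hi = spec.split(sep, 1)
            break
    else:
        lo = hi = spec
    lo_i, hi_i = int(lo), int(hi)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return (lo_i, hi_i)


def check_forwards(forwards, rules, lan_net: str = "10.10.20.0/24") -> List[str]:
    """Return one readable finding per inconsistency; an empty list means the forwards look coherent."""
    lan = ipaddress.ip_network(lan_net)
    findings: List[str] = []
    for fwd in forwards:
        ext = parse_ports(fwd.dst_ports)
        label = f"{fwd.description} ({fwd.proto} {fwd.dst_ports})"
        # 1. SIP carries port numbers inside its payload, so the forward should not rewrite them.
        if parse_ports(fwd.nat_ports) != ext:
            findings.append(f"{label}: external ports {fwd.dst_ports} are rewritten to {fwd.nat_ports}")
        # 2. The target must sit on the LAN the PBX lives on.
        if ipaddress.ip_address(fwd.nat_ip) not in lan:
            findings.append(f"{label}: target {fwd.nat_ip} is outside {lan_net}")
        # 3. A forward needs a pass rule to exactly the same target and ports; otherwise the
        #    translated packets still hit the interface's default deny.
        exact = [r for r in rules
                 if fwd.proto.upper() in r.proto.upper()
                 and r.destination == fwd.nat_ip
                 and parse_ports(r.dst_ports) == ext]
        if not exact:
            near = [r for r in rules if parse_ports(r.dst_ports) == ext]
            hint = (f"; closest rule '{near[0].description}' allows {near[0].destination} instead"
                    if near else "")
            findings.append(f"{label}: no pass rule for {fwd.nat_ip}{hint}")
    return findings


if __name__ == "__main__":
    for line in check_forwards(PAGE_FORWARDS, PAGE_RULES) or ["no inconsistencies found"]:
        print(line)
```

The three checks are deliberately narrow: port rewriting, target outside the LAN, and a forward without an exact pass rule. Anything the checker cannot see (outbound NAT, the PBX's own external-address setting, the provider's media ports) is left to the reader.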
