Topics - svenny

#1
Hi all, I have created 2 different certificate authorities: one for site to site VPN (Site_2_Site_VPN_CA) and one for Road Warrior VPN (Road_Warrior_VPN_CA). The first created authority is the one for site to site VPN. Both VPNs are managed with VPN:OpenVPN:Instances.

Now, if I use a server certificate signed by Road_Warrior_VPN_CA for the Road Warrior VPN and create a user with a certificate also signed by the same CA (Road_Warrior_VPN_CA), I receive the following error when I'm trying to connect the user:

2025-01-23 17:19:16 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2025-01-23 17:19:16 UDP link local (bound): [AF_INET][undef]:0
2025-01-23 17:19:16 UDP link remote: [AF_INET]x.x.x.x:1194
2025-01-23 17:19:16 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-01-23 17:19:16 VERIFY ERROR: could not extract CN from X509 subject string ('C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx') -- note that the username length is limited to 64 characters
2025-01-23 17:19:16 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2025-01-23 17:19:16 TLS_ERROR: BIO read tls_read_plaintext error
2025-01-23 17:19:16 TLS Error: TLS object -> incoming plaintext read error
2025-01-23 17:19:16 TLS Error: TLS handshake failed
2025-01-23 17:19:16 SIGUSR1[soft,tls-error] received, process restarting

But if I use a server certificate signed by the first CA (Site_2_Site_VPN_CA) and a user with a client certificate also signed by Site_2_Site_VPN_CA, the VPN connects without problems.

I'm using the following version:
 
OPNsense 24.10.1-amd64 - Business Edition
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

Thank you in advance.

Regards.
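As an added example, not code from the post or from OpenVPN/OPNsense: a small Python reimplementation of the check behind the VERIFY ERROR in the log above. OpenVPN takes the username from the subject field named by its --x509-username-field option (CN by default) and rejects the certificate when that field is missing, or when its value exceeds the 64-character limit the log line mentions. The subject format (comma-space separated name=value pairs) is taken from the log line; backslash escaping of a literal comma inside a value is an assumption. The subject in the log has C, ST, L, O, OU and emailAddress but no CN, which is exactly what the function flags.

```python
"""Mirror OpenVPN's common-name extraction on a logged X.509 subject string.

Added example: not OpenVPN code. The subject-string format is taken from the
OpenVPN log line in the post; backslash-escaped commas are an assumption.
"""
from __future__ import annotations

import re
from typing import Optional

# OpenVPN limits the username taken from the certificate to 64 characters
# (figure taken from the "username length is limited to 64 characters" hint).
TLS_USERNAME_LEN = 64

# Split on ", " that is not preceded by a backslash (assumption: a literal
# comma inside a value is escaped as "\,").
_RDN_SPLIT = re.compile(r"(?<!\\), ")


def parse_subject(subject: str) -> dict[str, list[str]]:
    """Parse 'C=xx, ST=xx, CN=alice' into {'C': ['xx'], 'ST': ['xx'], 'CN': ['alice']}."""
    rdns: dict[str, list[str]] = {}
    for part in _RDN_SPLIT.split(subject.strip()):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.setdefault(name.strip(), []).append(value.replace("\\,", ","))
    return rdns


def extract_username(subject: str, field: str = "CN") -> tuple[Optional[str], str]:
    """Return (username, diagnostic).

    username is None whenever OpenVPN would refuse the certificate: the field
    selected by --x509-username-field (default CN) is absent, or its value is
    longer than TLS_USERNAME_LEN.
    """
    rdns = parse_subject(subject)
    values = rdns.get(field)
    if not values:
        present = ", ".join(rdns) or "none"
        return None, (f"VERIFY ERROR: could not extract {field} from X509 subject "
                      f"string ('{subject}') -- fields present: {present}")
    value = values[0]  # OpenVPN uses the first matching entry
    if len(value) > TLS_USERNAME_LEN:
        return None, (f"{field} is {len(value)} characters, longer than the "
                      f"{TLS_USERNAME_LEN}-character limit")
    return value, "ok"


if __name__ == "__main__":
    # Constructed inputs: the subject from the log (no CN) and a fixed one.
    samples = [
        "C=xx, ST=xx, L=xx, O=xx, OU=xx, emailAddress=xx@xx.xx",
        "C=xx, O=Example Org\\, Inc, OU=VPN users, CN=alice",
    ]
    for s in samples:
        user, why = extract_username(s)
        print(f"{s!r}\n  -> username={user!r} ({why})")
```

To see the real subject of an issued user certificate, run `openssl x509 -in user.crt -noout -subject` and feed that string to extract_username; a certificate template whose Common Name is left empty will reproduce the log line above.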
#2
Hi all, I've configured a site to site VPN (TAP mode) between 2 OPNsense appliances and I've noticed that on the client side of the VPN in System:Gateways:Configuration now there are 2 more gateways related to the VPN, one for IPv4 and one for IPv6.

Is this normal? I've disabled these 2 gateways, but I'm not able to delete them.

The VPN is bridged with a LAN interface and is working without problems.

This is some information about my installation on both OPNsense appliances:

OPNsense 24.10.1-amd64 (Business Edition)
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

Many thanks in advance for your reply.

Cheers.
#3
Hi, I've followed this tutorial to set up a site to site VPN (OpenVPN):

Setup SSL VPN site to site tunnel

At some point in the tutorial I've found this:

> Copy the public part of the certificate authority to the firewall at Site A (use the download button and copy the contents into a new CA on this host)

If I do as suggested, the VPN cannot be established and I receive an error saying the check of the CA is failing.

So I've tried importing the public part of the certificate authority along with the private part and then it worked.

Could I have any problems with this kind of configuration? Is the tutorial correct?

Many thanks in advance for your replies.

Cheers
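As an added example, not from the tutorial or from OPNsense: an openssl walk-through that builds two throwaway CAs, signs one leaf certificate per site, and then validates those leaves against a copy of the CA that holds only the public certificate. It also shows that a leaf issued by the other CA is rejected by the same check, and that the public certificate alone cannot issue new certificates. The CA names reuse those from the earlier post; the hostnames and the working directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the OPNsense tutorial or the post): a throwaway CA
# built with openssl, one leaf certificate per site, and chain verification
# done with nothing but the CA's public certificate. Hostnames are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CURVE="ec -pkeyopt ec_paramgen_curve:prime256v1"

# Self-signed CA: $1 is the CA name. The private key ($1.key) stays on the
# issuing host; only $1.crt is what a peer needs in order to verify.
make_ca() {
    openssl req -x509 -newkey $CURVE -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# Leaf certificate: $1 is the issuing CA name, $2 the leaf CN (the site FQDN).
issue_leaf() {
    openssl req -newkey $CURVE -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Verify leaf $2 against a copy of CA $1 that contains the certificate only
# (this is what the peer firewall holds after importing the public part).
# Returns 0 when the chain validates, non-zero otherwise.
verify_with_public_ca_only() {
    mkdir -p "$WORK/peer"
    cp "$WORK/$1.crt" "$WORK/peer/$1.crt"          # deliberately no .key
    openssl verify -CAfile "$WORK/peer/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Try to issue a certificate with only the public CA certificate in place of
# the CA key. Returns 0 when issuance fails, which is the expected outcome.
public_ca_cannot_issue() {
    openssl req -newkey $CURVE -nodes \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.csr" -subj "/CN=rogue" >/dev/null 2>&1
    if openssl x509 -req -days 365 -in "$WORK/rogue.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.crt" -out "$WORK/rogue.crt" >/dev/null 2>&1
    then
        return 1
    fi
    return 0
}

make_ca Site_2_Site_VPN_CA
make_ca Road_Warrior_VPN_CA
issue_leaf Site_2_Site_VPN_CA siteA.example.net
issue_leaf Site_2_Site_VPN_CA siteB.example.net
issue_leaf Road_Warrior_VPN_CA laptop.example.net   # signed by the other CA

for leaf in siteA.example.net siteB.example.net laptop.example.net; do
    if verify_with_public_ca_only Site_2_Site_VPN_CA "$leaf"; then
        echo "$leaf: accepted by Site_2_Site_VPN_CA using the public certificate only"
    else
        echo "$leaf: rejected by Site_2_Site_VPN_CA"
    fi
done
public_ca_cannot_issue Site_2_Site_VPN_CA && echo "the CA certificate alone cannot sign new leaves"
```

The verification step needs only the CA certificate, which is why the tutorial copies just the public part; whichever host holds the CA private key is the only one able to mint certificates the other side will trust, so it is worth keeping that key on a single firewall.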


#4
Hi all, I'm trying to set up a site to site VPN through OpenVPN. I'm following this link:

Setup SSL VPN site to site tunnel

At some point in the page it states the following:

> Leaf Certificate - Type Server - Site B: Set the Common Name to the FQDN of this machine.

Is it mandatory to insert a real DNS name as the FQDN or is it possible to use a public static IP address?

Many thanks in advance.

Cheers
#5
General Discussion / netstat-nat for OPNsense
November 30, 2022, 12:10:27 PM
Hi all,

is there something similar to the Linux netstat-nat command in OPNsense? It would be very handy for me.

Thank you in advance.

Cheers.
#6
Hi all,

after upgrading to 22.1.5 I'm no longer able to browse the web from the LAN. The problem seems to be the lack of Outbound NAT rules for the WAN interfaces (I'm using Multi-WAN, but for a single WAN the problem is the same).

In the page "Firewall: NAT: Outbound" (I'm using "Automatic outbound NAT") I can see all the rules, but the output of the command "pfctl -sn" shows nothing about them. On another OPNsense installation, where I did not upgrade to 22.1.5, I can see these rules when running the same command ("pfctl -sn") from the shell.

Is there a way to add these rules manually from the command line, so I can confirm that this is the problem?

Many thanks in advance.

Cheers


#7
Hi all,

I am experiencing connection problems trying to get load balancing between 2 gateways: 1 PPPoE and 1 RFC1918.

These are my gateways:

Name                Interface   Protocol   Priority         Gateway       Monitor IP
PPPOEGW (active)    PPPINT      IPv4       253 (upstream)   1.2.3.4       1.1.1.1
RFC1918GW           RFCINT      IPv4       255 (upstream)   192.168.8.1   8.8.8.8

This is my group of gateways:

Group Name: WANGWGROUP

Gateway      Tier
PPPOEGW      1
RFC1918GW    1

Trigger Level: Member down

Sticky connections are enabled under "Firewall->Settings->Advanced" and I've got the rule for DNS on LAN tab as the first rule.

In "System->Settings->General" I have got this:

DNS Server
1.1.1.1 PPPOEGW
8.8.8.8 RFC1918GW

and this:

Gateway switching    Allow default gateway switching  (enabled)

Then I have set the Gateway field to WANGWGROUP for the rule "Default allow LAN to any rule".

Now when I browse the web I'm experiencing strange issues: sometimes it works, sometimes it times out...

Is there anything I'm missing with this setup? How could I troubleshoot this problem?

Versions:

OPNsense 21.7.5-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021

Thank you in advance.

Cheers,
Svenny

#8
General Discussion / Automatically generated rules
November 10, 2021, 07:30:42 PM
Hi all,

I've got an OPNsense installation with 2 VLAN (VLAN10 and VLAN20), and I've noted under "Firewall: Rules: VLAN10" there are 3 "Automatically generated rules" but I cannot see the same under "Firewall: Rules: VLAN20".

So I would kindly ask: how are these rules assigned to interfaces under Firewall?

Thank you in advance.

Cheers,
Svenny
#9
21.7 Legacy Series / [SOLVED]Dynamic DNS on multiWAN
August 24, 2021, 04:48:18 PM
Hi all, I'm trying to set up Dynamic DNS (FreeDNS service) with a multiWAN (2 gateways) installation, but I always receive the IP of the default gateway as the answer to DNS queries. In the Dynamic DNS configuration I've chosen the right "Interface to monitor" for each interface.

I read the following post where the problem had already been highlighted in the past:

https://forum.opnsense.org/index.php?topic=5692.0

I tested some commands in the shell with curl, which return the same IP address:


root@OPNsense:~ # curl --interface pppoe0 ifconfig.me
1.2.3.4
root@OPNsense:~ # curl --interface re1 ifconfig.me
1.2.3.4


Is there a way to resolve this issue?

Many thanks in advance.

Cheers,
Svenny
#10
I received the following log:



Jun 29 16:41:40 OPNsense.localdomain php-cgi[64680]: /services_dyndns_edit.php: Dynamic DNS (mypersonal.domain.com): _checkStatus() starting.
Jun 29 16:41:40 OPNsense.localdomain php-cgi[64680]: /services_dyndns_edit.php: Dynamic DNS (mypersonal.domain.com): Current Service: freedns
Jun 29 16:41:40 OPNsense.localdomain php-cgi[64680]: /services_dyndns_edit.php: Dynamic DNS (mypersonal.domain.com): PAYLOAD: Error 404 : Page not found
Jun 29 16:41:40 OPNsense.localdomain php-cgi[64680]:
Jun 29 16:41:40 OPNsense.localdomain php-cgi[64680]: /services_dyndns_edit.php: Dynamic DNS (mypersonal.domain.com): (Unknown Response)



Cheers,
Svenny
#11
General Discussion / Android Gateway
May 29, 2021, 07:30:37 PM
Hi all,

I've tried to add an Android Gateway to my OPNsense setup through the use of a Raspberry Pi and an Android phone working in USB tethering. This gateway is going to be connected when needed. I'm not going to use it in a Multi-WAN environment, just using it through policy routing. It's working nicely but I have found some "anomalies", probably because I didn't follow the steps in a correct order...

I've assigned my re1 interface as OPT1 and I've configured it:


IPv4 address -> 192.168.42.214/24
IPv4 Upstream Gateway -> Auto-detect


Then I've configured the gateway as follows:


Name        Interface   Protocol   Priority   Gateway          Monitor IP
ANDROIDGW   OPT1        IPv4       255        192.168.42.129   8.8.4.4


Then I've added a rule to accept traffic for DNS from LAN:


Protocol   Source   Port   Destination     Port       Gateway
TCP/UDP    *        *      This Firewall   53 (DNS)


Followed by policy routing rule for the Android Gateway:


Protocol   Source     Port   Destination   Port   Gateway
any        IP_My_PC   *      *             *      ANDROIDGW


I thought that, since OPT1 is connected to a gateway, OPNsense would have added a rule for it in the Outbound NAT, but that's not the case. The only rule for Outbound NAT is for the WAN:


Interface   Source
WAN         LAN networks, Loopback networks, OPT1 networks, 127.0.0.0/8, 10.10.0.0/24


And the OPT1 interface is there as if OPNsense treated it as an internal interface. So I switched the Firewall:NAT:Outbound mode to Hybrid and added a rule for NAT on OPT1, and it just worked.

I've tried also to setup the OPT1 interface "IPv4 Upstream Gateway" as "ANDROID GW 192.168.42.129" (instead of Auto-detect) but that does not change things.

So I'm here to ask: is there a way to tell OPNsense that OPT1 is not an internal interface and should not be listed as a source in the WAN Outbound NAT rule? Is there a way to add an automatic Outbound NAT rule for an interface connected to a gateway?

Sorry for the long post and many thanks in advance for your time.

Cheers, Sven

#12
Hi all,

I want to offer my users the opportunity to change their password, so through "System: Access: Users: System Privileges" I gave them the "System: User Password Manager" permission. This is intended for VPN password changing every 90 days, so the users are able to change their password without admin intervention.

Is it safe to give out this kind of permission? (Access to the OPNsense GUI is allowed only via LAN.)

Many thanks in advance.