Topics - hansdampf

1
24.7 Production Series / NUT (Network UPS Tool) doesn't start up on reboot
« on: August 08, 2024, 04:14:39 pm »
I am using apcupsd for the UPS, which is connected via USB to OPNsense. I have configured the NUT service to offer the UPS to my NAS (Xigmanas), which uses NUT as its UPS tool.
So far the service works as expected; both OPNsense and Xigmanas show the UPS as alive and working. But when I restart OPNsense, the NUT service is the only service that doesn't start up, even when I wait longer for the system to settle.
Perhaps I am missing something to get NUT to start up?

Logs show this:

entry after starting NUT manually:
2024-08-08T16:02:07   Warning   upsd   /usr/local/etc/nut/upsd.users is world readable   
2024-08-08T16:02:07   Warning   upsd   /usr/local/etc/nut/upsd.conf is world readable

Logs after reboot show many entries of this:   
2024-08-08T16:02:02   Error   upsmon   UPS [usv]: connect failed: Connection failure: Connection refused

2
General Discussion / Nextcloud Backup failure Solution
« on: July 19, 2024, 04:53:05 pm »
I encountered a constant communication failure in conjunction with the latest Nextcloud v29, and after fiddling for some days I found a solution that made the service work.

The failures were like "Error while fetching filelist from Nextcloud '/.' path", "Cannot get real username", "cannot execute MKCOL".

So the first thing was the annoying "Setup Cache..." inside Nextcloud Administration...
I decided to install Redis to get rid of those messages.
And finally this resulted in a working backup!
But! Again some strange things happened...
I installed the corresponding php83-pecl-redis extension to access Redis,
configured Redis to use a socket,
and secured Redis with an auth password (I am a bit paranoid).
There are various tips around for creating the auth password, but the only password creation that worked for me was:
Code:
openssl rand 60 | openssl base64 -A
I changed the corresponding files (config.php of Nextcloud) and redis.conf.
The most important step was adding the user www (or www-data), depending on the server used.
Tested:
Code:
sudo -u www redis-cli -s /var/run/redis/redis.sock ping
(error) NOAUTH Authentication required.
And again, passing the password:
Code:
sudo -u www redis-cli -s /var/run/redis/redis.sock -a openssl-created-password ping
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
PONG
At this point the Nextcloud backup configuration in OPNsense didn't throw any more errors, and it's working as expected!
It "should" work without a password, but in my case it didn't. Maybe it's because of the redis.conf entry
"protected-mode yes", which I didn't want to change.
Hopefully that helps others to get it working!
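As an added example (not code from the post above): a small check of the Redis-over-Unix-socket setup described here, written against the RESP wire protocol so it needs neither redis-cli nor a client library, and taking the password from an environment variable instead of `-a` on the command line (the warning redis-cli prints above). The socket path is the one from the post; the environment variable names are assumptions.

```python
import base64
import os
import secrets
import socket
from typing import Optional, Tuple


def make_password(nbytes: int = 60) -> str:
    """Same shape as `openssl rand 60 | openssl base64 -A` from the post:
    60 random bytes, base64 on a single line (80 characters, no padding)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode("utf-8")
        out.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(out)


def parse_reply(raw: bytes) -> Tuple[str, str]:
    """Decode a simple-string (+PONG) or error (-NOAUTH ...) reply to (kind, text)."""
    line = raw.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    if line.startswith("+"):
        return "ok", line[1:]
    if line.startswith("-"):
        return "error", line[1:]
    return "other", line


def ping_unix_socket(path: str, password: Optional[str], timeout: float = 3.0) -> Tuple[str, str]:
    """Connect to the Redis Unix socket, AUTH when a password is given, then PING.
    The socket file's permissions decide who may connect at all, which is why the
    post needed the web server user (www / www-data) to be allowed on it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        if password:
            sock.sendall(resp_command("AUTH", password))
            kind, text = parse_reply(sock.recv(4096))
            if kind != "ok":
                return kind, text  # e.g. WRONGPASS: stop before PING
        sock.sendall(resp_command("PING"))
        return parse_reply(sock.recv(4096))  # ('ok', 'PONG') or ('error', 'NOAUTH ...')


if __name__ == "__main__":
    # Assumptions: socket path as in the post; REDIS_SOCK and REDIS_PASSWORD are
    # hypothetical environment variables used instead of `-a` on the command line.
    sock_path = os.environ.get("REDIS_SOCK", "/var/run/redis/redis.sock")
    print(ping_unix_socket(sock_path, os.environ.get("REDIS_PASSWORD")))
```

Run it as the web server user (`sudo -u www ...`) to reproduce the post's test without the password appearing in the process list.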

3
General Discussion / Nextcloud Backup strange error
« on: July 09, 2024, 08:54:03 pm »
I am having a really strange error with my nextcloud-backup:

Code:
2024-07-09T08:44:40 Error config {"url":"https:\/\/nas.xxx.xyz:8443\/nextcloud\/remote.php\/dav\/files\/opnsense\/OPNsense-Backup","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":60.034358,"namelookup_time":0.001119,"connect_time":0,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"","certinfo":[],"primary_port":0,"local_ip":"","local_port":0,"http_version":0,"protocol":0,"ssl_verifyresult":0,"scheme":"","appconnect_time_us":0,"connect_time_us":0,"namelookup_time_us":1119,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":60034358,"effective_method":"MKCOL"}
2024-07-09T08:44:40 Error config cannot execute MKCOL

My Nextcloud is sitting on a Xigmanas; the certs are generated by OPNsense, and the NAS shows the cert is OK, valid and trusted (self-signed) -> "http_code":0 and "ssl_verifyresult":0.
But what I don't understand is the MKCOL error. Searching the net doesn't turn up any relevant info...
My OPNsense is the latest (OPNsense 24.1.9_4-amd64). Same with my Xigmanas; Nextcloud is 29.0.3.
There are no errors in my Nextcloud installation; I generated the app password for use with the OPNsense backup.

Any help would be great!
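As an added example (not from the post): a reader for the curl_getinfo() record logged above that maps curl's cumulative timers to the phase in which the MKCOL died. In that record namelookup_time is set but connect_time is 0 and total_time is 60.03 s, so DNS answered but no TCP connection was established before the (assumed) 60 s timeout, and the certificate check never got to run. The field names are curl's own; the sample log line is a constructed, shortened copy of the one above.

```python
import json
import re

# Constructed sample: the log line from the post, shortened to the curl_getinfo()
# fields this classifier reads (the original record carries many more fields).
SAMPLE_LOG = (
    '2024-07-09T08:44:40 Error config '
    '{"url":"https://nas.xxx.xyz:8443/nextcloud/remote.php/dav/files/opnsense/OPNsense-Backup",'
    '"http_code":0,"total_time":60.034358,"namelookup_time":0.001119,"connect_time":0,'
    '"pretransfer_time":0,"starttransfer_time":0,"ssl_verify_result":0,'
    '"appconnect_time_us":0,"primary_ip":"","effective_method":"MKCOL"}'
)


def parse_curl_info(log_line: str) -> dict:
    """Pull the JSON object that curl_getinfo() dumped into the log line."""
    match = re.search(r"\{.*\}", log_line)
    if not match:
        raise ValueError("no JSON object in log line")
    return json.loads(match.group(0))


def classify(info: dict, timeout_s: float = 60.0) -> str:
    """Name the phase in which the transfer died, using curl's cumulative timers.
    Each timer stays 0 until its phase completes, so the first zero marks where
    the request stopped; http_code 0 means no HTTP status line was ever read.
    timeout_s is an assumption (the record's total_time sits just above 60 s)."""
    if info.get("http_code", 0) != 0:
        return f"http_status:{info['http_code']}"
    if info.get("namelookup_time", 0) == 0:
        return "dns_lookup_failed"
    if info.get("connect_time", 0) == 0:
        # DNS answered but no TCP connection: a timeout if the clock ran out,
        # otherwise an immediate refusal or reset.
        if info.get("total_time", 0) >= timeout_s * 0.98:
            return "tcp_connect_timeout"
        return "tcp_connect_failed_fast"
    if info.get("appconnect_time_us", 0) == 0:
        # TCP was up but TLS never completed; only here does ssl_verify_result matter.
        return f"tls_handshake_failed:ssl_verify_result={info.get('ssl_verify_result')}"
    if info.get("starttransfer_time", 0) == 0:
        return "no_response_after_request"
    return "transfer_started"


def cert_check_could_have_run(info: dict) -> bool:
    """Certificate verification happens inside the TLS handshake, which needs a TCP
    connection first: with connect_time 0, ssl_verify_result 0 is just the default."""
    return info.get("connect_time", 0) > 0


if __name__ == "__main__":
    record = parse_curl_info(SAMPLE_LOG)
    print(record["effective_method"], classify(record), cert_check_could_have_run(record))
```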

4
24.1 Legacy Series / ACME Client fails to renew since update
« on: June 20, 2024, 10:20:10 pm »
Hello again,
Yesterday I noticed that my ACME certs failed to renew:

/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --renew --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/yyyy.21871376' --certpath '/var/etc/acme-client/certs/yyyy.21871376/cert.pem' --keypath '/var/etc/acme-client/keys/yyyy.21871376/private.key' --capath '/var/etc/acme-client/certs/yyyy.21871376/chain.pem' --fullchainpath '/var/etc/acme-client/certs/yyyy.21871376/fullchain.pem' --domain '*.domain.ddnss.de' --days '1' --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/xxxx.93537913_prod/account.conf''

The cert was successfully created/renewed in April; the only change was the latest OPNsense update (and the previous updates). I didn't change any of the ACME settings...

On an earlier run I had exit code 2, so I removed the OCSP staple setting:
/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/yyyy.21871376' --certpath '/var/etc/acme-client/certs/yyyy.21871376/cert.pem' --keypath '/var/etc/acme-client/keys/yyyy.21871376/private.key' --capath '/var/etc/acme-client/certs/yyyy.21871376/chain.pem' --fullchainpath '/var/etc/acme-client/certs/yyyy.21871376/fullchain.pem' --domain '*.igorius.ddnss.de' --days '1' --ocsp --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/xxxx.93537913_prod/account.conf''

The TXT record gets written on ddnss.de, but the verification afterwards fails.
At the moment I have to wait a week; I think the 5 tries have been reached.
Has anyone else seen these errors?

 

5
24.1 Legacy Series / OpenVPN refuses to start after reboot
« on: February 10, 2024, 12:28:52 pm »
Since 24.1, and also with 24.1.1, OpenVPN doesn't start automatically; I have to restart the daemon manually.
The log doesn't show anything regarding a failure or anything else, only notices about reconfiguring and syncing.
Code:
2024-02-09T14:34:47 Notice opnsense /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface OVPN.
2024-02-09T14:34:47 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn (execute task : openvpn_configure_do(,opt1))
2024-02-09T01:30:27 Notice opnsense /usr/local/etc/rc.newwanipv6: Resyncing OpenVPN instances for interface LAN.
2024-02-09T01:30:27 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn (execute task : openvpn_configure_do(,lan))
2024-02-09T01:30:09 Notice opnsense /usr/local/etc/rc.newwanipv6: Resyncing OpenVPN instances for interface WAN.
2024-02-09T01:30:09 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn (execute task : openvpn_configure_do(,wan))
2024-02-09T01:29:29 Notice opnsense /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
2024-02-09T01:29:29 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn (execute task : openvpn_configure_do(,wan))
2024-02-09T01:29:18 Notice opnsense /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
2024-02-09T01:29:18 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn (execute task : openvpn_configure_do(,wan))
2024-02-09T01:28:05 Notice opnsense /usr/local/etc/rc.newwanipv6: Resyncing OpenVPN instances for interface LAN.
2024-02-09T01:28:05 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn (execute task : openvpn_configure_do(,lan))
2024-02-09T01:27:49 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-02-09T01:27:49 Notice kernel <118>>>> Invoking start script 'openvpn'

6
24.1 Legacy Series / NTP-Server problem
« on: February 10, 2024, 12:01:16 pm »
After upgrading to 24.1 and 24.1_1 I encountered a strange problem with ntpd:
Sometimes I got answers from the public servers and the time got synced (Sync Source 2001:638:610:be (stratum 1, .PTB.)).
But sometimes there was no sync. Looking at the logs I saw:
Code:
2024-02-10T11:53:08 Informational ntpd failed to init interface for address fd00::225:90ff:fea8:83
2024-02-10T11:53:08 Error ntpd unable to create socket on em0 (7) for fd00::225:90ff:fea8:83#123
2024-02-10T11:53:08 Error ntpd bind(25) AF_INET6 fd00::225:90ff:fea8:83#123 flags 0x11 failed: Address already in use
2024-02-10T11:53:08 Informational ntpd failed to init interface for address fe80::225:90ff:fea8:83%1
2024-02-10T11:53:08 Error ntpd unable to create socket on em0 (6) for fe80::225:90ff:fea8:83%1#123
2024-02-10T11:53:08 Error ntpd bind(25) AF_INET6 fe80::225:90ff:fea8:83%1#123 flags 0x11 failed: Address already in use

So I stopped the daemon and realized that it had been started twice: I had to stop it two times via the Stop button.
After stopping and waiting a moment, I started it again, and it works and syncs again.

7
German - Deutsch / Hostname resolution from dhcpv4 with IPv6...
« on: January 18, 2024, 08:14:26 pm »
A new question about IPv6:
The hosts in my network have all been given a static IP via DHCP.
Is there a (hopefully) simple solution so that the hosts are also reachable by name via IPv6?
Do I have to assign them all individually in DHCP6 as well, or is there another way to get the mappings?

8
German - Deutsch / (Solved) IPv6 behind Fritzbox with netcologne
« on: January 18, 2024, 01:28:49 am »
I have been trying for days to get IPv6 running; I went through the whole thing following the instructions in the opnsense help.
The FB is set up: Exposed Host forwarding to the opnsense (it gets an IPv4 address via DHCP with a fixed assigned address).
Under the IPv6 settings all 3 checkboxes are ticked.
Under Network - Settings - IPv6 the following is set:
Always assign ULA,
Also allow IPv6 prefixes ticked,
This FRITZ!Box provides the default Internet access ticked,
RA preference medium,
DNSv6 server ticked,
the DNS server field contains an address assigned by the FB: fd09:0:0:0:xxx:xxx:xxx:ffc9,
Enable DHCP server is on,
assign DNS server and IA_PD.
Under Prefixes it shows:
WAN: 2001:4dd0:xxxx:xxxx::/64
Delegated: 2a0a:axxx:xxxx:80::/57
Nothing under home or guest network.

On the opnsense, the WAN interface has:
IPv6 configuration type DHCPv6,
config type basic,
request prefix on,
prefix delegation size 57,
send prefix hint on.

The LAN interface is set to:
IPv6 interface WAN,
IPv6 prefix ID 0x1,
manual configuration on.

Router Advertisements LAN: Assisted, priority normal, Provide default gateway is on, rest as default, i.e. everything empty.
DHCPv6 server is on.
Subnet: 2a0a:xxxx:xxxx:81::
Available range: 2a0a:xxxx:xxxx:81:: - 2a0a:xxxx:xxxx:81:ffff:ffff:ffff:ffff
Range: 2a0a:xxxx:xxxx:81::2:0:0 - 2a0a:xxxx:xxxx:81:2:0:0:ffff
Available size shows 58.
The rest is empty, only a checkmark at Change time...

Additionally I added a port forward for IPv6 ICMP with destination LAN net, so that reachability via ping6 is given (ipv6-test.com otherwise showed "filtered" under IPv6).

My problem: the moment I switch on RA, no matter which value (unmanaged, managed, assisted etc.), my Internet connection is gone. I can reach IPs via ping and ping6, but the browser no longer finds anything. RA off, and everything is back.
At IPv6-Test.com it looks like this:
Image 1: Router Advertisements off
Image 2: Router Advertisements on

What can be going wrong here? I have tried all sorts of things over the last few days, including the automatic RA configuration (LAN interface: "Manual configuration" checkbox unticked).
On my Mac I saw that the router was not specified via IPv6 under DHCPv6; when I set it to manual and enter the IPv6 LAN address of the opnsense and an address from the available range, then all 3 DNS results at IPv6-test.com are green. Only IPv4 stays off.
I would be very grateful for any help. - My IPv6 knowledge is very rudimentary...


9
23.7 Legacy Series / WireGuard Setup with a failure
« on: January 12, 2024, 05:17:02 pm »
Hi,
I set up WireGuard the way it's described in the online help: https://docs.opnsense.org/manual/how-tos/wireguard-client.html.
But at the end I got errors when creating the gateway and restarting WireGuard:

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid interface gateway address: ''
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WG_GW)
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,WG_GW))
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: Skipping gateway WG_GW due to empty 'gateway' property.

I have set up an OpenVPN instance exactly the same way regarding interface, gateway, rules, port forwarding...
and it works out of the box like a charm (gateway dynamic).

Only WireGuard doesn't. I didn't get any traffic passing through the tunnel.
So finally I got it working by adding the tunnel IP xxx.xxx.xxx.1 in the gateway; dynamic fails. There I see Priority: DEFUNCT.
When I entered the tunnel IP, the DEFUNCT changed to the preset priority and it's working like a charm too.
Is it my fault (perhaps not understanding the passage
"When assigning interfaces, gateways can be added to them. This is useful if balancing traffic across multiple tunnels is required or in more complex routing scenarios. To do this, go to System ‣ Gateways ‣ Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic. These scenarios are otherwise beyond the scope of this how-to")
or did I find a glitch?

10
23.7 Legacy Series / Strange Letsencrypt problem
« on: January 12, 2024, 05:00:46 pm »
Hello,
I installed the Let's Encrypt plugin and set it up to use DNS-01; I need the wildcard option.
When I tested the whole thing, I used the Let's Encrypt Test CA, and everything worked as expected: certs are issued and copied to the opnsense, and I see them under "Security".
So far, so good.

Now i wanted to change from Test CA to Standard CA, but here it fails:

Code:
Installing full chain to: /var/etc/acme-client/certs/65***/fullchain.pem
Installing key to: /var/etc/acme-client/keys/65***/private.key
Installing CA to: /var/etc/acme-client/certs/65***/chain.pem
Installing cert to: /var/etc/acme-client/certs/65***/cert.pem
And the full chain certs is there: /var/etc/acme-client/home/xxx.ddnss.de_ecc/fullchain.cer
The intermediate CA cert is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/ca.cer
Your cert key is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/xxx.ddnss.de.key
Your cert is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/xxx.ddnss.de.cer
Cert success.
Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bxyz'
Downloading cert.
Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xx/13xx
Retry after: 3
Order status is processing, lets sleep and retry.
Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xx/13xx'
Lets finalize the order.
Verify finished, start to sign.
wg.xxx.ddnss.de is already verified, skip dns-01.
ovpn.xxx.ddnss.de is already verified, skip dns-01.
xxx.ddnss.de is already verified, skip dns-01.
Getting webroot for domain='wg.xxx.ddnss.de'
Getting webroot for domain='ovpn.xxx.ddnss.de'
Getting webroot for domain='xxx.ddnss.de'
Getting domain auth token for each domain
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Please add '--debug' or '--log' to check more details.
Error add txt for domain:_acme-challenge.xxx.ddnss.de
Errors happened during adding the TXT record, response=- badauth : Invalid username or password. Authentication failed.
Trying to add TXT record
Adding txt value: ***ABCDEF*** for domain: _acme-challenge.xxx.ddnss.de
Getting webroot for domain='wg.xxx.ddnss.de'
Getting webroot for domain='ovpn.xxx.ddnss.de'
Getting webroot for domain='xxx.ddnss.de'
Getting domain auth token for each domain
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-v02.api.letsencrypt.org/directory

I added the full log (stripped private parts and times for clarity/security).
The log shows the "Standard CA" at the bottom; the upper part is using the "Test CA".
I see a badauth: Invalid username or password.

So here is my question: Do I have to re-register in the Let's Encrypt plugin (Konten, i.e. accounts) for the Standard CA?
Or am I missing something else?

Thanks a lot for any help!
