Recent Posts

1

18.1 Production Series / IPSec Supernet

« Last post by halianelf on Today at 12:24:55 am »

I have an HA pair of OPNsense firewalls and an IPSec tunnel set up between it (local) and home (remote). The tunnel runs to an Ubuntu server running StrongSwan. The local side I have a /24 broken down into a couple /27s and a /25 so I just summarized it as the /24. The tunnel is up and active and if I initiate the traffic from the remote side, everything works as expected. If I initiate it from anything local, it doesn't. Running packet captures, if I start a ping from the remote side, I see it on the IPSec and local interfaces but if I do it from the local side, the packet capture shows it on the WAN interface. Is there something I'm missing to get this to work this way?

2

General Discussion / Route one IP over VPN?

« Last post by conanTheRouter on Today at 12:02:22 am »

Alright! Figured we could sort https://forum.opnsense.org/index.php?topic=4979.0 guide out so that it actually works. I have formatted it a bit and made some small changes to it. Hope this can be a discussion on solving the issues to get this working.

End state:

• User can add client IP to alias list
• Clients are routed through VPN
• If VPN goes down, no Internet access to clients in alias list
• All other clients are not routed through VPN
• If VPN goes down, clients not listen in alias list still have Internet access

My current machine is:
OPNsense 18.1.10-amd64
FreeBSD 11.1-RELEASE-p10
OpenSSL 1.0.2o 27 Mar 2018


Step 1:
Download your certificate from your VPN provider. You should as a minimum get a certificate, password and username.

Step 2:
Navigate to System > Trust > Authorities, "Add or import CA"
 - Descriptive name: VPNCA (I use mullvad VPN)
 - Certificate data: (paste the contents of your CA.crt file here)
 - Certificate Private key: (paste the contents of your user.key file here) (if you have any!)
 - Serial for next Certificate : None

SAVE

Step 3:
Navigate to VPN > OpenVPN > Clients, "add client"
Edit the following settings: (some may differ depending on your VPN provider)

 - Server Mode: Peer to Peer (SSL/TLS)
 - Protocol: UDP (check your ovpn file)
 - Device Mode: tun (check your ovpn file)
 - Interface: (Your WAN interface)
 - Local port: 443 (check your ovpn file)
 - Server Host or Address: 123.45.67.890 (check your ovpn file)
 - Server Port: 443 (check your ovpn file)
 - Server host name resolution: Ticked
 - Description: "Name of your VPN Provider"

User Authentication Settings
 - Username/pass: enter your username
 - Renegotiate time: leave empty

Cryptographic Settings:

 - TLS Authentication: unticked
 - Peer Certificate Authority: Select "VPNCA" or whatever you called the description in step 2.
 - Client Certificate: None (Username and password required)
 - Encryption: Check your VPN Provider, mine was AES-256-CBC (256 bit key, 128 bit lock)
 - Auth Digest Algorithm: SHA1(160-bit) (Check with your VPN Provider)
 - Disable IPV6: Ticked
 - Advance Configuration: "Paste the below data into the field"
   
  persist-key;
  persist-tun;
  remote-cert-tls server;
  reneg-sec 0;
  sndbuf 524288;
  rcvbuf 524288;
  fast-io;
 
- Verbosity level: 3

SAVE

Step 5:
Check to see if your VPN connection is online,

Navigate to VPN > OpenVPN >  Connection Status

You should see "Status" UP with your "Remote Host" IP address supplied from the VPN Provider

Now check the log file for the words "Initialization Sequence Completed"

If you see "openvpn[36641]: MANAGEMENT: Client disconnected". Thats okey, thats your client checking the status.

Step 6:
Navigate to Interfaces > Assignments
 - Select the pull down menu under "new interface" and make sure the "ovpnc1" option is selected
 - Click the orange "+" button
 - Tick Enable Interface and Save
 - Description = VPN (note this is a "Virtual" interface, its not referenced to an physical Ethernet port)
 - IPV4 Configuration type = DHCP
 - IPV6 = None
 - Note: Leave all other settings as default (empty/unticked)

Step 7:
Navigate to Firewall > Aliases > View
 - Add a new Alias
 - Name: VPNTraffic
 - Description : VPNTraffic
 - Type: Host(s)
 - First entry: 192.168.X.X

!!!WARNING!!! Dont dodge this step, even if you think you know what im doing, the whole point of making aliases is important, and it wont work without them.

SAVE

Step 8:
Navigate to Firewall > NAT > Outbound

 - Select "Manual outbound NAT generation" (Leave the default generated WAN rules AS IS)
 - Add a new rule

Rule 1.
(if not autogenerated)
 - Interface: WAN
 - TCP/IP Version: IPv4
 - Protocol: any
 - Source address: Singel host or Network -> 127.0.0.0/8
 - Destination port: other -> 500
 - Static port: ticked
 - Translation / target: Interface address
 - Description: "Rule for ISAKMP - localhost to WAN"

Rule 2.
(if not autogenerated)
 - Interface: WAN
 - TCP/IP Version: IPv4
 - Protocol: any
 - Translation / target: Interface address
 - Source address: Singel host or Network -> 127.0.0.0/8
 - Description: "Rule for - localhost to WAN"

Rule 3.
(if not autogenerated)
 - Interface: WAN
 - TCP/IP Version: IPv4
 - Protocol: any
 - Translation / target: Interface address
 - Source address: Singel host or Network -> 192.168.1.0/24
 - Destination port: other -> 500
 - Static port: ticked
 - Description: "Rule for ISAKMP - LAN to WAN"

Rule 4.
(if not autogenerated)
 - Interface: WAN
 - TCP/IP Version: IPv4
 - Protocol: any
 - Translation / target: Interface address
 - Source address: Singel host or Network -> 192.168.1.0/24
 - Description: "Rule - LAN to WAN"

Rule 5.
 - Interface: VPN (The one you created in Step 6)
 - Source: VPNTraffic ( The alias you created in Step 7)
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)
 NOTE: Leave ALL other options as default/any

Rule 6. (Same as Rule 1, but....)
 - Destination port: 500 (Select "Other" from dropdown menu and enter 500 in the field)
 - Static Port: Ticked
 NOTE: Leave ALL other options as default/any

Rule 7.
 - Interface: VPN (The one you created in Step 6)
 - Source: Single host or network, 127.0.0.0 / 8
 - Translation / target: Interface Address (as in, just select "Interface address" from the dropdown menu)

NOTE: Leave ALL other options as default/any
NOTE: Make sure the above rules "are above" your auto generated WAN outbound rules when looking at the entire list from top to bottom.

APPLY SETTING

Step 9.
Navigate to Firewall > Rules > LAN

NOTE: The order of Rules from top to bottom on this page matter:
Starting at the top, you should have the "Anti-Lockout Rule"
Next, start adding rules as follows:

Rule 1. (The Rule to pass selected clients traffic out via the VPN)
 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: VPNTraffic (Alias)
 - Gateway: VPN_DHCP (ie, the auto-generated VPN Gateway option)

Rule 2. (Pass all other traffice out via the defaul gateway "WAN")

 - Interface: LAN
 - TCP/IP Version: IPv4
 - Source: Any
 - Gateway: WAN_PPPoE (ie, the auto-generated WAN Gateway, the name might be different depending
on your WAN connection method)

Apply settings

Do-to:
So I made small changes to the previous how-to. And it seems for now that client/s listen in the alias is tunneled through VPN. But if the VPN goes down (is stopped) the client still have Internet access but without VPN. Clients not listed in alias doesn't have Internet access, why?

3

General Discussion / Re: Why does adding a OPNVPN client break my internet connection?

« Last post by marjohn56 on June 24, 2018, 11:38:20 pm »

I've not read the document you quote, so I cannot be specific, all I will say is things can and do change. Obviously I use a VPN and sometimes use VLANs for testing purposes, I just use the VPN wizard to create the VPN. VLANs I do manually of course.


The question really is, if you replicate the rules manually that the wizard creates, does it work?

4

Web Proxy Filtering and Caching / Re: access specific service behind firewall based on specific URL-path

« Last post by andre4 on June 24, 2018, 11:03:35 pm »

thank you Fabian, that sounds like exactly what i try build. I had a quick look on the squid project pages. Squid seems to be able to handle Connect. However they state that it should be used "carefully". Hence they disabled Connect by standard, however it can be enabled.

Given my idea of reducing the public attack surface by hiding responses to specific URLs, i wonder what you think about this? Is this a valuable idea to enhance security in combination with typical 2FA? Or do you think it is more an additional potential security hole?

Another benefit from my point of view is more flexibility in the management of incoming ports. E.G. I could use 443 as single port exposed to internet for several types of connection to my internal site as the target service is encoded in the URL-path. 

PS is it possible to configure the squid inside opnsense to use first the built-in 2FA for incoming CONNECT request and then to open the CONNECT session? Or would I have to built something around? i understood so far that i can combine the 2FA with every service of opnsense..

Kind regards

Andre 

5

General Discussion / Re: Why does adding a OPNVPN client break my internet connection?

« Last post by conanTheRouter on June 24, 2018, 10:26:06 pm »

Aha nice! Why isn't your 192.168.1.0/24 net listed? 

Because the wizard does not create it.

I would like to run manual rules. Im trying to follow this https://forum.opnsense.org/index.php?topic=4979.0 tutorial but simple stuff seems to break my connection.

And I like the KISS principle. Wizard works, why re-invent the wheel and struggle if you don't have to. 

Hehe ofc =) But when I have a machine that can handle stuff like VPN and VLAN I would like to take advantage of that =)

Do you have any ide why my machine behaves like this?

6

Intrusion Detection and Prevention / Re: link goes down on WAN using IDS/IPS

« Last post by AvdS on June 24, 2018, 07:51:28 pm »

I saw this discussion and I have exactly the same problem:
IDS/IPS enabled on LAN working fine.
IDS/IPS enabled on WAN (without router for firewall) wan interface is going down and up (see log below)
IDS/IPS enabled on WAN (with apple airport expres before)wan interface everything is working fine.

I have a Jetway NF9HB with 4x NIC Intel i211AT Gigabit Ethernet
Processor Intel Celeron N2930 SoC, 1.83GHz – 2.16GHz Burst, Quad-Core

is there already a solution for running IDS/IPS on the WAN without a extra router?
what triggers the wan connection to go down? If I can test something on my firewall to solve the problem please let me know.

Problem Log:
 Jun 22 14:57:42   kernel: igb0: link state changed to UP
Jun 22 14:57:38   kernel: igb0: link state changed to DOWN
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 84.28.94.1.
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: keeping current default gateway '84.28.94.1'
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to 84.28.94.1
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: no IPv6 default gateway set, assuming wan
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'wan'
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '84.28.94.1'
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 84.28.94.1
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: On (IP address: 84.28.94.25) (interface: WANzigo[wan]) (real interface: igb0).
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jun 22 14:57:31   kernel: igb0: link state changed to UP
Jun 22 14:57:27   kernel: igb0: link state changed to DOWN

7

18.1 Production Series / Re: Nexcloud: communication failure

« Last post by qinohe on June 24, 2018, 07:25:59 pm »

Hey fabian, yes that works thanks for the answer.
Now the Nextcloud server is reached trough a webpage served by that same server and thus in the HTTP_REFERER checks,
really I would not have found for a long time,  problem solved for now 

Thanks mark

edit: thanks for this app fabian it works well!
Now I still have a question:
How or when is a backup triggered? is it as soon when changes are made, hmm. just tried that seems to not be the case.
NVM. it's in the wiki   

8

Web Proxy Filtering and Caching / Re: access specific service behind firewall based on specific URL-path

« Last post by fabian on June 24, 2018, 07:04:01 pm »

It is not a transparent proxy - it would be a standard proxy. After the proxy answers with an OK, you will get a normal TCP connection to the backend server which can be any protocol (the proxy will pass though everything in both directions).

9

Web Proxy Filtering and Caching / Re: access specific service behind firewall based on specific URL-path

« Last post by andre4 on June 24, 2018, 06:58:03 pm »

Hello Fabian, thanks for your suggestion and quick reply.

in case of the http proxy and the connect request. Would all communication afterwards as well forwarded transparently by the http proxy to the client which is my intention or is this non-standard? And if this depends, on what? As this is only for my own purposes on owned infrastructure i would not care about the potential men in the middle on my side by the transparent http proxy....

I am just looking into the http request redirect feature of the the HAproxy. However i have no glue if this would work with something not pointing to an http service... or work at all.

PS to explain my intention. Even so security by obscurity is for sure not the best i am trying with that hidden access path to add an additional layer of security for some services exposed to the internet beside two factors which i for sure will deploy... 

Best Andre

10

German - Deutsch / Re: Opnsense bootet nicht ohne serielle Konsole (APU2C4)

« Last post by Benqer on June 24, 2018, 06:45:42 pm »

Habe das 2C4, bei mir hat alles funktioniert.
Hast du OPNsense auch richtig installiert?
Neustes Bios?