Unrecognized Local IP Addresses and Sensei causing OpenVPN connection reset?

Started by luckylinux, May 10, 2024, 11:00:07 AM

I installed Zenarmor yesterday on my OPNSense Instance, but I must be doing something wrong ...

I see lots of IPs in the 10.x.y.z range reported as "Local Hosts", but the only "Local Hosts" should be 10.20.x.y (my OpenVPN Management Interface).

I now turned OFF "Anonymize Local IP Addresses" since there are some reports online that this might cause Genuine IPs to look "different".

I went through all the Tabs in OPNSense Zenarmor but didn't find any Option to "Change" what "Local Host" means. I don't know if there is such a setting or if I'm confusing with Suricata IDS/IPS (which I now turned OFF).

OPNSense Zenarmor should currently be listening on the WAN Interface (some traffic is going on) and the DMZ Interface (no Client on that Interface, so it should be empty).

a. Is there an Option to change what "Local Host" means?
b. Is there an Option to restart ZenArmor without rebooting the OPNsense Firewall?

The only Option I found after disabling "Anonymize Local IP Addresses" was to "Clear the Database", after which I did "Reset Database + Reinstall Database", then "Check Index".

(on a separate issue the OpenVPN Interface, which is EXCLUDED from ZenArmor - and my WAN IP is added to the Exclusion Zone, keeps connecting-disconnecting-connecting-disconnecting every 60 seconds or so, even if Ping from Client-to-Server and Server-to-Client works correctly and a bunch of Allow Rules have been put in place to prevent such Issues)

Thank you for your help  :)

EDIT 1: I see now, in the "ZenArmor Dashboard", when Hovering the Mouse over the "Engine" Box, that "Stop" / "Restart" / "Enter Bypass" buttons appear

EDIT 2: Too early to tell, but after the Reboot it seems that the "Local Hosts" so far include the WAN IP Gateway and other "Neighbors" in the Same Subnet. But none of those is my Gateway. Apparently, when getting the IP Address via DHCP on the WAN Interface, I am getting assigned a /26 Subnet. Weird ...

Since I have my Server at Hetzner I followed these Guides ...

For the Proxmox VE Host, I had configured the vmbr0 Interface (Main WAN Interface) to /32 Subnet (single IP Address) according to: https://docs.hetzner.com/robot/dedicated-server/network/net-config-debian-ubuntu/

For the OPNSense VM I followed instead this Guide (Bridged Networking with additional IP + dedicated MAC for OPNSense): https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve , specifically the Section "Guest system Bridged (Debian 12)". For the Static IP Configuration they also use a /32 Subnet here (single IP Address), but strangely via DHCP (which they also say is possible), it's getting a /26 Subnet. The MAC Address on the WAN Interface of OPNSense is the correct MAC Address ...

Hi,

Thanks for choosing Zenarmor. Anonymize Local IP is the correct setting to solve the different-IP issue. You also need to clear the Device DB, so that you do not have to wait 1 month for passive devices to be cleared: Settings - Reporting & Data - Device Identification - Clear Device DB.

- The best practice is to protect the LAN interface with Zenarmor. "Localhost" means the source addresses on the protected interface. There is no option to set a Localhost in the Zenarmor menu.

For the OpenVPN issue, are you sure that the same VPN account is not being used on another device?
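The reply above defines "localhost" as any source address seen on the protected interface, which is why protecting the WAN interface on a DHCP lease with a /26 prefix shows on-link neighbours as "Local Hosts". The following is an added illustration, not Zenarmor's code and not taken from the original thread: it models that definition over a constructed flow list and counts how many neighbour addresses a /32 versus a /26 lease puts on-link. The interface names, addresses and flows are made-up sample data.

```python
import ipaddress

# Constructed sample flows as (interface, source, destination).
# These are illustrative values, not captured Zenarmor data.
FLOWS = [
    ("wan", "203.0.113.65", "198.51.100.10"),   # firewall's own WAN address
    ("wan", "203.0.113.70", "203.0.113.65"),    # a neighbour in the same /26
    ("wan", "203.0.113.1", "203.0.113.65"),     # the upstream gateway
    ("lan", "10.20.0.5", "198.51.100.10"),      # OpenVPN management client
    ("lan", "10.20.0.5", "10.20.0.1"),
]


def local_hosts(flows, protected):
    """Return the set of source addresses seen on the protected interfaces.

    Models the definition given in the reply: a 'local host' is a source
    address observed on an interface Zenarmor protects. Assumption for
    illustration only; this is not Zenarmor's implementation.
    """
    return {
        ipaddress.ip_address(src)
        for iface, src, _dst in flows
        if iface in protected
    }


def on_link_neighbours(addr_cidr):
    """List every other host address in the subnet of an assigned lease.

    With a /32 lease there are no neighbours; with a /26 lease every other
    host in the block is on-link and can appear as a 'local host' when the
    WAN interface is the protected one.
    """
    iface = ipaddress.ip_interface(addr_cidr)
    return [host for host in iface.network.hosts() if host != iface.ip]


if __name__ == "__main__":
    print("protecting WAN:", sorted(map(str, local_hosts(FLOWS, {"wan"}))))
    print("protecting LAN:", sorted(map(str, local_hosts(FLOWS, {"lan"}))))
    for lease in ("203.0.113.65/32", "203.0.113.65/26"):
        print(lease, "on-link neighbours:", len(on_link_neighbours(lease)))
```

Running it shows the difference the reply describes: protecting LAN yields only the 10.20.x.y client, while protecting WAN yields the gateway and the neighbour as well, and the /26 lease places 61 other addresses on-link against none for the /32.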

For OpenVPN it would seem it was just the "management interface" (whatever that means) that was going up-down-up-down etc. It's only something that is typically shown at very verbose log settings (verb > 5 I believe).

As I said I already cleared the ZenArmor Database (and rebooted), so that should be fine now.

About the LAN Interface ... well ... then I guess I should just protect the DMZ, is that what you are saying? I don't really have a LAN Interface on a server.

Then I will also have to switch Suricata back on on the WAN interface, if ZenArmor doesn't protect it.

Could you please provide feedback using the instructions below so that we can examine the configuration and logs and respond faster.

Can you share the logs and configuration by following the instructions in the below link?

https://www.zenarmor.com/docs/support/reporting-bug

Quote from: IHK on May 13, 2024, 12:21:20 PM
Could you please provide feedback using the instructions below so that we can examine the configuration and logs and respond faster.

Can you share the logs and configuration by following the instructions in the below link?

https://www.zenarmor.com/docs/support/reporting-bug
I'm not convinced it's a bug on the part of ZenArmor though (for the OpenVPN Part at least).

Hi,
Yes, actually, the OpenVPN issue is not related to Zenarmor either, but it will be better to check the logs and config files to look into the issue.