OPNcentral Plugin

[Hunger6780]

Hey guys, I've been having a really tough time with the OPNcentral plugin...I've followed the instructions to the "T" and I'm still getting a curl timeout error.

The error is: cURL error 28: Failed to connect to xxxxxxxxxxxx.localdomain port 443 after 20009 ms: Timeout was reached (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xxxxxxxxxxx.localdomain/api/core/firmware/status?payload=eyJpbnRlcmZhY2VzIjpbIkAlZjhjb2...

I can successfully resolve DNS to the domain name and I have disabled SSL temporarily for testing.

Any help is greatly appreciated.

[Patrick M. Hausen]

You mean OPNcentral fails to connect to a managed OPNsense? SSL is mandatory for that.

[Hunger6780]

So I'm understanding correctly, you must have a valid self-signed SSL cert or must have a valid 3rd party SSL cert? For clarification, we are testing this with a valid self-signed certificate but we have "Validate SSL" unchecked on our firewall that is managing other firewalls.

[Monviech (Cedrik)]

Try to use the IP address and if that works use a different FQDN without .local or .localdomain.

Try using a real FQDN that is not using Unbound Overrides but has a real zone.

[Hunger6780]

@Monviech, we've tried both IP and FQDN. Both give the same curl error. We are currently doing this over an IPsec VPN tunnel which IS allowing traffic both ways. We've also tried port forwarding to our internal LAN interface IP but still no luck.

[Patrick M. Hausen]

So I'm understanding correctly, you must have a valid self-signed SSL cert or must have a valid 3rd party SSL cert? For clarification, we are testing this with a valid self-signed certificate but we have "Validate SSL" unchecked on our firewall that is managing other firewalls.

You don't need a valid cert - if "Validate SSL" is unchecked to my understanding any cert will do.
But you cannot disable SSL and connect via plain text HTTP. Your initial post suggested that is what you are trying.

[Hunger6780]

Sorry about that, no, we are using https over port 8443 but still receiving the curl error using a self-signed certificate with "Validate SSL" unchecked on both the managed firewall and the managing firewall.

[Monviech (Cedrik)]

Is the target firewall using the Business Edition too?

EDIT: If you are using 8443 add the firewall like this:

https://example.com:8443

Your curl shows it tries port 443.


https://docs.opnsense.org/vendor/deciso/opncentral.html#add-firewall-nodes-to-the-central-host

[Hunger6780]

Yes, both firewalls are using the Business Edition and yes, the original post has 443 but we changed it to 8443 on both ends for testing.

[Monviech (Cedrik)]

You should try to get a response from the web interface of the target firewall by trying this in the source firewall:

curl -v https://example.com:8443

And if that does not work you have a firewall issue (e.g. not allowing access to port 8443) or routing/policy issue with the IPsec tunnel. (Maybe the source IP is not what you expect and the traffic doesn't pass through the tunnel since the SPD does not allow it)

Use "tcpdump" additionally on both hosts, or the packet capture in the GUI.

EDIT: Also, WebGUI not listening on "all (recommended)" can also be an issue.