OPNcentral Plugin

Started by Hunger6780, November 05, 2024, 12:51:20 PM

November 05, 2024, 12:51:20 PM Last Edit: November 05, 2024, 12:53:54 PM by Hunger6780
Hey guys, I've been having a really tough time with the OPNcentral plugin...I've followed the instructions to the "T" and I'm still getting a curl timeout error.

The error is: cURL error 28: Failed to connect to xxxxxxxxxxxx.localdomain port 443 after 20009 ms: Timeout was reached (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xxxxxxxxxxx.localdomain/api/core/firmware/status?payload=eyJpbnRlcmZhY2VzIjpbIkAlZjhjb2...

I can successfully resolve DNS to the domain name and I have disabled SSL temporarily for testing.

Any help is greatly appreciated.

You mean OPNcentral fails to connect to a managed OPNsense? SSL is mandatory for that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

So, if I'm understanding correctly, you must have a valid self-signed SSL cert or a valid 3rd-party SSL cert? For clarification, we are testing this with a valid self-signed certificate, but we have "Validate SSL" unchecked on the firewall that is managing the other firewalls.

Try to use the IP address and if that works use a different FQDN without .local or .localdomain.

Try using a real FQDN that is not using Unbound Overrides but has a real zone.
Hardware:
DEC740

@Monviech, we've tried both IP and FQDN. Both give the same curl error. We are currently doing this over an IPsec VPN tunnel which IS allowing traffic both ways. We've also tried port forwarding to our internal LAN interface IP but still no luck.

Quote from: Hunger6780 on November 05, 2024, 12:57:02 PM
So, if I'm understanding correctly, you must have a valid self-signed SSL cert or a valid 3rd-party SSL cert? For clarification, we are testing this with a valid self-signed certificate, but we have "Validate SSL" unchecked on the firewall that is managing the other firewalls.

You don't need a valid cert - if "Validate SSL" is unchecked to my understanding any cert will do.
But you cannot disable SSL and connect via plain text HTTP. Your initial post suggested that is what you are trying.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sorry about that, no, we are using https over port 8443 but still receiving the curl error using a self-signed certificate with "Validate SSL" unchecked on both the managed firewall and the managing firewall.

November 05, 2024, 01:16:14 PM #7 Last Edit: November 05, 2024, 01:19:46 PM by Monviech
Is the target firewall using the Business Edition too?

EDIT: If you are using 8443 add the firewall like this:

https://example.com:8443

Your curl shows it tries port 443.


https://docs.opnsense.org/vendor/deciso/opncentral.html#add-firewall-nodes-to-the-central-host
Hardware:
DEC740

Yes, both firewalls are using the Business Edition and yes, the original post has 443 but we changed it to 8443 on both ends for testing.

November 05, 2024, 01:24:07 PM #9 Last Edit: November 05, 2024, 01:32:37 PM by Monviech
You should try to get a response from the web interface of the target firewall by trying this in the source firewall:

curl -v https://example.com:8443

And if that does not work you have a firewall issue (e.g. not allowing access to port 8443) or routing/policy issue with the IPsec tunnel. (Maybe the source IP is not what you expect and the traffic doesn't pass through the tunnel since the SPD does not allow it)

Use "tcpdump" additionally on both hosts, or the packet capture in the GUI.

EDIT: Also, the WebGUI not listening on "all (recommended)" can be an issue.
Hardware:
DEC740
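The two checks suggested in this thread (put the explicit :8443 in the node URL, then probe the node with curl from the central host and capture on both ends) can be scripted. The following is an added example for this thread, not part of the OPNcentral plugin or OPNsense; it assumes the managed node's WebGUI listens on 8443, that "Validate SSL" is off (hence curl -k), that the central host is FreeBSD-based (route get, sockstat), and that policy-based IPsec traffic is visible on enc0. The hostname node.example is a placeholder.

```shell
#!/bin/sh
# Added example for this thread, not OPNcentral code. Assumptions: the
# managed node's WebGUI is on 8443, "Validate SSL" is off (so -k), the
# central host runs FreeBSD (OPNsense), and policy-based IPsec traffic
# shows up on enc0. Hosts are IPv4 or plain hostnames, not [v6] literals.

# Port that curl will actually use for a URL: the explicit port if present,
# otherwise the scheme default. A node URL without ":8443" is why the
# error message in the thread shows "port 443".
url_port() {
  rest=${1#*://}          # drop scheme
  rest=${rest%%/*}        # drop path
  case $rest in
    *:*) echo "${rest##*:}" ;;
    *)   case $1 in http://*) echo 80 ;; *) echo 443 ;; esac ;;
  esac
}

# Turn a curl exit code into the most likely cause for this setup.
explain_curl_rc() {
  case $1 in
    0)  echo "ok: TLS session established, WebGUI reachable" ;;
    7)  echo "refused: host answers but nothing listens on that port (WebGUI port or listen interfaces)" ;;
    28) echo "timeout: no answer at all (firewall rule, IPsec SPD/route, traffic leaving the wrong interface)" ;;
    35) echo "tls-handshake: port answers but does not speak TLS (plain HTTP on that port?)" ;;
    60) echo "cert-verify: TLS works but the certificate is untrusted (Validate SSL on with a self-signed cert)" ;;
    *)  echo "other: curl exit code $1" ;;
  esac
}

# Run on the central host. Shows which interface and source address the
# kernel picks for the node (this is what decides whether the request
# goes out WAN or through the tunnel), then probes the WebGUI on the same
# path the plugin uses and classifies the transport result. No API key is
# needed: any HTTP status, even 401, proves the transport path is open.
probe_node() {
  url=$1
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}
  echo "port in use: $(url_port "$url")"
  route -n get "$host" 2>/dev/null | grep -E 'destination|gateway|interface'
  curl -sS -k -o /dev/null --connect-timeout 10 "$url/api/core/firmware/status"
  explain_curl_rc $?
}

# Usage:  ./probe.sh https://node.example:8443
# While it runs, on the managed node:
#   tcpdump -ni enc0 port 8443      (or the LAN/WAN interface in question)
#   sockstat -4l | grep 8443        (confirms what the WebGUI actually binds)
if [ $# -gt 0 ]; then
  probe_node "$1"
fi
```

If route get reports the WAN interface rather than the tunnel, the request never enters IPsec and the timeout has nothing to do with the plugin; if tcpdump on the node sees SYNs arriving on 8443 but curl still times out, the problem is the node's firewall rules or WebGUI listen interfaces rather than the tunnel.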

Did you find a solution?

We have nearly the same issue: for us the plugin uses the WAN interface instead of the IPsec interface. We can see that in the firewall logs.