opnsense / plugins
OPNsense plugin collection
Home Page: https://opnsense.org/
License: BSD 2-Clause "Simplified" License
Add a field to set custom port number (Tinc option)
Add field for Mode option: router | switch | hub (Tinc option)
Add field for setting the Ping Time-Out (Tinc option, for slow connections)
Allow FQDN host names in the ext. Address field, so that it can work with Dynamic DNS (Tinc supports this according to the tinc documentation). Currently the field only allows an IP address. I think this needs to be changed in 2 places in the GUI:
If you need a tester for this, let me know.
Maybe making fwknop (https://github.com/mrash/fwknop) available as a plugin? Or integrate it with core?
When you install the tinc plugin you see an interface TINC in the interface section / rules section.
You can see the entry in its section in the config.xml.
You can configure a network/host as it is supposed to be done, you then do a tinc daemon restart. You can see a tinc0 interface on the CLI.
Issue 1
If you now reboot, the interface gets lost in opnsense, though it will stay on the CLI, so it does get created. You cannot really use the assign mode in the interfaces section, since this does not create a tinc-like entry with all the dynamic... virtual and all this inside.
Issue 2, if you re-assign the interface in the GUI:
If you do so though and then reboot, you will cause a supernova, since the WAN/LAN interfaces are shifted, so WAN will be LAN and you cannot connect to your box.
When using modes like "disabled" or "inactive" in server configuration, the following warning occurs:
unknown keyword 'inactive'. Registered keywords :
[ ALL] id <arg>
[ SSL] ca-file <arg>
[ SSL] check-ssl
[ SSL] ciphers <arg>
[ SSL] crl-file <arg>
[ SSL] crt <arg>
[ SSL] force-sslv3
[ SSL] force-tlsv10
[ SSL] force-tlsv11
[ SSL] force-tlsv12
[ SSL] no-ssl-reuse
[ SSL] no-sslv3
[ SSL] no-tlsv10
[ SSL] no-tlsv11
[ SSL] no-tlsv12
[ SSL] no-tls-tickets
[ SSL] send-proxy-v2-ssl
[ SSL] send-proxy-v2-ssl-cn
[ SSL] sni <arg>
[ SSL] ssl
[ SSL] verify <arg>
[ SSL] verifyhost <arg>
[ALERT] 211/195229 (47201) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 211/195229 (47201) : Fatal errors found in configuration.
However, the HAproxy daemon boots up just as normal, ignoring that warning.
Hello,
I've successfully installed a LE certificate using the opnsense plugin.
It seems to work, but some clients cannot validate it.
From different SSL checking sites, it seems that the certificate chain is incomplete:
https://www.ssllabs.com/ssltest/analyze.html?d=home.o2r.fr
(same here: https://cryptoreport.websecurity.symantec.com/checker/ and here: https://www.digicert.com/help/ ).
Can you add all the required certs to the full chain ?
Thanks,
Quentin
If we do have a revoke, we should call it on +PRE_DEINSTALL adjusted to +TARGETS files,
then reload templates under +POST_DEINSTALL again...
Needs testing.
It would be very nice to be able to use a pair of OPNsense boxes for HA DHCP in setups where DHCP relay is being used and the OPNsense setup is functioning more like a DHCP server appliance than a full firewall, i.e. there is only one configured interface on the OPN side but we would require multiple networks served via the DHCP server.
I am not aware of any open source or indeed low cost commercial products that provide a nice, simple GUI for DHCPD and HA configuration like we have in OPNsense, but obviously having to have the DHCP server with a presence in every subnet is not ideal, nor often desirable for large networks.
Feature request for someone to write an OSPF or BGP plugin to allow for dynamic routing on internal networks and VPNs.
This would probably use Quagga or Bird in either instance.
using either:
security/py-letsencrypt -- APACHE20
security/letsencrypt.sh (bash) -- MIT
security/py-acme-tiny -- MIT
https://github.com/kuba/simp_le -- GPLv3 licensed
When negating an ACL, the result does not show up in haproxy.conf, i.e. the condition is not inverted.
Hi Ad, this isn't severe, but I think we should keep track of this. Installed all plugins at once on a fresh 16.7.8 and it gave me the following errors:
Nov 15 15:26:21 configd.py: [1a459910-41df-408a-8c17-9439741483d4] Inline action failed with OPNsense/Tinc OPNsense/Tinc/tinc_deploy.xml 'NoneType' object has no attribute '__getitem__' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 308, in generate raise render_exception Exception: OPNsense/Tinc OPNsense/Tinc/tinc_deploy.xml 'NoneType' object has no attribute '__getitem__'
Nov 15 15:24:48 configd.py: [4ba75234-bf0b-4000-a785-fac8860cc9a2] Inline action failed with OPNsense/HelloWorld OPNsense/HelloWorld/helloworld.conf 'collections.OrderedDict object' has no attribute 'helloworld' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 308, in generate raise render_exception Exception: OPNsense/HelloWorld OPNsense/HelloWorld/helloworld.conf 'collections.OrderedDict object' has no attribute 'helloworld'
Nov 15 15:23:57 configd.py: [c8538f17-c3de-4152-822a-9cee9a25c264] Inline action failed with OPNsense/HAProxy OPNsense/HAProxy/haproxy.conf 'collections.OrderedDict object' has no attribute 'HAProxy' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 308, in generate raise render_exception Exception: OPNsense/HAProxy OPNsense/HAProxy/haproxy.conf 'collections.OrderedDict object' has no attribute 'HAProxy'
acme.sh added more DNS validators recently, including linode which I'd love to use.
I'd be happy to provide a PR myself if someone could point me to instructions for how to test my changes. Or does it suffice if I just add the new files from/in the dnsapi/ folder and make the corresponding changes in the UI and PHP files?
Thank you!
One should be able to add additional configuration settings at the very end of each listen address for example:
npn http/1.1
npn spdy/2
accept-proxy npn http/1.1
accept-proxy npn ssh/2.0
As a workaround, one could currently add those settings at the very end of "Advanced SSL options". However, one needs to add some SSL settings first, e.g.:
no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA npn http/1.1
For details see https://forum.opnsense.org/index.php?topic=3153.0
For theme packages it would be practical to be able to build them without an ABI or ARCH in its specs.
Update March 17, 2016: this was done for packages, similar commit will land here soon...
As we now have collectd available from the default repo, would someone like to make this pluggable?
We use it for remote monitoring of opnsense boxes that I do not have direct access to; imagine they are behind someone else's network that permits outbound connections but not inbound. We use the graphite plugin to send stats back to a remote server without needing to worry about a VPN tunnel.
Collectd can do a whole lot more beyond this, maybe it could be a good replacement for some of the RRD backend stuff? - There are plugins that could monitor other processes such as unbound, ntp, openvpn and so on.
https://collectd.org/features.shtml
GUI Ideas:
Enable / disable various plugins.
Set targets for sending data to remote collectors via graphite etc.
Some basic options to configure plugin variables.
When flipping it off/on, the filter must be reloaded, otherwise the ftp-proxy cannot be reached.
Minor bonus: add versioning info to model:
keep version OPNsense\FtpProxy\FtpProxy (0.0.0)
It would be nice to have sslh (http://www.rutschle.net/tech/sslh.shtml) as a service, or even as an option for a port forward rule. It's great to forward for example wan:443 to an ssh server, https server, openvpn server and something else (RDP for example).
Of course you can use it on many ports, so having the option to configure multiple instances would be a must. (Hence the suggestion to have it under port forward as an option; it could then just spawn copies for each rule like you would with a proxy program.)
@fichtner: The logfile looks distorted in the GUI right now. Do you have some advice how I might fix this? :)
Currently our LE plugin does not import LE CA certificates, but instead bundles them directly with the LE certificate (see the "show certificate info" button in System -> Trust -> Certificates).
Maybe a better approach would be to import the LE Authority (from the LE certificate fullchain) as a new CA (if it does not exist yet) and link the LE certificate to this CA after the import. I'd use the import_ca() function in this case (found here https://github.com/opnsense/core/blob/4169afd16e614a418aa08d017f21258121aae32a/src/www/system_camanager.php#L33-L72).
The benefit is obviously no hackish bundled CA and likely better application support (HAProxy is able to handle the bundled CA cert properly, but other applications may not; lighttpd?).
I assume that #77 might be related to this.
When enabling SSL in server configurations, default value "no verify" should be added (=default behavior in pfSense).
Referring to #26, one should be able to define advanced SSL verification options to have it enabled (similar to what pfSense offers). Otherwise the HAproxy plugin cannot be used appropriately within production environments.
Hi guys,
I've just installed the plugin for Let's Encrypt yesterday (following this #66). The creation of the certificate was good when I checked the log. But when I go to Settings -> Administration -> add Let's Encrypt as certificate -> system default
I've lost the GUI, and it is impossible to recover it through WAN or even through LAN...
How can I resolve that? Do you have any idea about that? I've not found any information in the logs.
With the haproxy plugin there is the possibility to use multiple certificates for SSL offloading, and this also works without any issues.
What I am missing is the possibility to choose a default certificate if SNI is not provided.
By default the first created (oldest) certificate is used...
There are a couple of extra steps to be done, courtesy of Makefile.feld
# echo "xenguest_enable=\"YES\"" >> /etc/rc.conf.local
# ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh
When you put a FQDN in a certificate name request, you get: Should be a string between 1 and 255 characters.
If you remove all the special characters (INCLUDING PERIODS(!!)), it sends the unqualified name as the CN= to LE, and gets a 400 error:
[Sun Feb 5 00:00:07 CST 2017] new-authz error: {"type":"urn:acme:error:malformed","detail":"DNS name does not have enough labels","status": 400}
[Sun Feb 5 00:00:07 CST 2017] The new-authz request is ok.
This makes it IMPOSSIBLE to generate a certificate.
Also, it is unclear what is supposed to go in the secret field of the validation request. The whole key file, or just the secret, or what?
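The two failure modes in the report above (a GUI rule that refuses dots, and a CA that refuses a single-label name) can both be caught by one input check. This is an added example, not code from the opnsense/plugins project; it validates a requested name against RFC 1123 label rules and the "enough labels" requirement, keeping the 1..255 length limit quoted above.

```python
import re

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_cert_name(name):
    """Return (ok, reason) for a name entered as a certificate CN/SAN.

    Keeps the GUI's length rule quoted in the report (1..255 characters) but
    accepts dots, and additionally requires at least two labels so that an
    unqualified name is refused locally instead of being sent to the CA,
    which answers "DNS name does not have enough labels" (HTTP 400).
    """
    if not isinstance(name, str) or not 1 <= len(name) <= 255:
        return False, "Should be a string between 1 and 255 characters."
    host = name.rstrip(".")          # tolerate an absolute name with a trailing dot
    if len(host) > 253:
        return False, "Host name must not exceed 253 characters."
    labels = host.split(".")
    if len(labels) < 2:
        return False, "DNS name does not have enough labels; use a fully qualified name."
    for label in labels:
        if not _LABEL_RE.match(label):
            return False, "Invalid DNS label: %r" % label
    if labels[-1].isdigit():
        return False, "Top-level label must not be numeric (looks like an IP address)."
    return True, ""


def check_names(names):
    """Validate a list of names; return the list of (name, reason) rejections."""
    rejected = []
    for n in names:
        ok, reason = validate_cert_name(n)
        if not ok:
            rejected.append((n, reason))
    return rejected
```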
@AdSchellevis punch me if it's just me, or my poor knowledge about tinc. I tried to read the docs and map what I saw there against what the forms ask for.
Network:
Network: This machine's internal address to use and network mask for the whole network
What does that mean - do you expect an address or a network? What does this field mean in general?
Subnet: This machine's part of the network
What part - I am not able to get it
Host:
hostname: The hostname for the selected machine in the network
What does "selected machine" mean?
ext address/port: "this machine"
Any reason why I would re-enter this information since it is already part of the network?
subnet: This machine's part of the network
Same as in network, what do "This machine" and "of the network" mean?
public key:
Since the Network is selected above, why do I need to re-enter this here?
Do not get me wrong on this, it's for sure that I do not get the terminology right and you are so deep into this topic that it's crystal clear for you.
But maybe we can get this done for the general purpose user and use more descriptive words?
Thank you!
Hi,
When will there be the vnstat plugin on opnsense? If there is anything I can help with to make it work, please tell me. I am none from Forum!
thanks,
via: @fabianfrz
Since FreeBSD doesn't provide NAT64 natively, maybe Tayga could fill that role? I have no experience with Tayga, though, and I don't know if it'd work with all IPv6 setups (like TunnelBroker).
Hey, thanks for the awesome project guys. I have OPNsense running on a Vbox virtual machine.
I want to enable USB support to use a dualband wifi dongle to have my wireless devices connecting to OPNsense.
When I run pkg install virtualbox-ose-additions
it says it can't be found,
unable to update OPNsense repository
Now I heard something about a different install manager? But I can't find anything about it?
Thanks
Currently required patching for 16.7.7:
# opnsense-patch -c plugins 57cfcddf 916d315
Could you add an example for creating a cron job?
Thanks in advance
Hi,
If you want to reach networks behind OPNsense which are not part of the TINC subnet, you have to create routing rules.
But it's not possible, because you can't choose tinc0 as the GW interface. The tinc0 interface is not shown in the GUI (except on the firewall site).
Greetings
Tobias
We should store the result of the attempt to issue/renew a certificate and show this information in the GUI. A simple success/failure status should be sufficient.
Via: https://forum.opnsense.org/index.php?topic=4456.msg16931#msg16931
Adding the following to the syslog plugin in haproxy.inc will allow local logging without privileges:
'local' => '/var/haproxychroot/var/run/log'
Not sure how much needs to be changed on the GUI side.
Note that this core feature won't make it into 16.1.16.
Some cards have best practices for sysctl tweaks.... a plugin should collect and enforce them automatically.
The best description might be this screenshot: https://goo.gl/k1ffYu
I get a 200, the response is empty, but the dialog stays open, no host is created in the end and no validation error is shown.
Would be nice to see an easy way to enable a free ICAP. Maybe http://c-icap.sourceforge.net/ if it's any good.
If the HAProxy plugin is not run as root (default), the log will only contain startup messages:
Oct 11 16:47:00 fw1 haproxy[70395]: Proxy foo_frontend started.
Oct 11 16:47:00 fw1 haproxy[70395]: Proxy foo_backend started.
But any additional logging will not be available, i.e. messages regarding health checks:
Oct 11 16:52:50 fw1 haproxy[9070]: Health check for server foo_backend/host3 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP content check matched", check duration: 14ms, status: 3/3 UP.
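The symptom described above is easy to miss because the daemon keeps running and the log is not empty. The following is an added example (not code from the opnsense/plugins project) that classifies HAProxy syslog lines and flags a log that contains nothing but the startup messages; the sample lines are constructed, modelled on the two kinds quoted above plus a server-state line and an unrelated unbound line.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the report above.
SAMPLE_LOG = """\
Oct 11 16:47:00 fw1 haproxy[70395]: Proxy foo_frontend started.
Oct 11 16:47:00 fw1 haproxy[70395]: Proxy foo_backend started.
Oct 11 16:52:50 fw1 haproxy[9070]: Health check for server foo_backend/host3 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP content check matched", check duration: 14ms, status: 3/3 UP.
Oct 11 16:53:10 fw1 haproxy[9070]: Server foo_backend/host2 is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Oct 11 16:53:11 fw1 unbound: [1234:0] info: start of service (unbound 1.5.10).
"""

# syslog line as written by HAProxy: "<timestamp> <host> haproxy[<pid>]: <message>"
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message classes we care about; everything else is counted as "other".
_CLASSES = (
    ("startup", re.compile(r"^Proxy \S+ started\.$")),
    ("health", re.compile(r"^Health check for server ")),
    ("state", re.compile(r"^Server \S+ is (UP|DOWN)\b")),
)


def classify(msg):
    """Map one HAProxy message to a class name."""
    for name, pattern in _CLASSES:
        if pattern.search(msg):
            return name
    return "other"


def audit_haproxy_log(text):
    """Count HAProxy messages per class and flag a log that holds startup lines only.

    Startup messages with nothing else afterwards is the symptom described in
    the report (logging lost after the privilege drop), so 'silent' is True in
    that case; lines from other daemons are ignored.
    """
    counts = Counter()
    pids = set()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        counts[classify(m.group("msg"))] += 1
        pids.add(int(m.group("pid")))
    silent = counts["startup"] > 0 and sum(counts.values()) == counts["startup"]
    return {"counts": dict(counts), "pids": sorted(pids), "silent": silent}
```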
Using the latest version 16.7, the HAproxy plugin does not respect SSL for servers.
Even though the SSL option was enabled, the resulting haproxy.conf file misses the addition "ssl" at the end of the server entry.