
plugins's Issues

collectd plugin

As we now have collectd available from the default repo, would someone like to make this pluggable?

We use it for remote monitoring of OPNsense boxes that I do not have direct access to. Imagine they are behind someone else's network that permits outbound connections but not inbound; we use the graphite plugin to send stats back to a remote server without needing to worry about a VPN tunnel.

Collectd can do a whole lot more beyond this; maybe it could be a good replacement for some of the RRD backend stuff? There are plugins that could monitor other processes such as unbound, ntp, openvpn and so on.

https://collectd.org/features.shtml

GUI Ideas:

  • Enable / disable various plugins.
  • Set targets for sending data to remote collectors via graphite etc.
  • Some basic options to configure plugin variables.

acme-client: DNS-01/nsupdate: doesn't allow FQDN in the name

When you put a FQDN in a certificate name request, you get: "Should be a string between 1 and 255 characters."

If you remove all the special characters (INCLUDING PERIODS(!!)), it sends the unqualified name as the CN= to LE, and gets a 400 error:

[Sun Feb 5 00:00:07 CST 2017] new-authz error: {"type":"urn:acme:error:malformed","detail":"DNS name does not have enough labels","status": 400}
[Sun Feb 5 00:00:07 CST 2017] The new-authz request is ok.

This makes it IMPOSSIBLE to generate a certificate.

Also, it is unclear what is supposed to go in the secret field of the validation request: the whole key file, or just the secret, or what?

HAproxy frontend: allow advanced options for Listen Addresses

One should be able to add additional configuration settings at the very end of each listen address, for example:

npn http/1.1
npn spdy/2
accept-proxy npn http/1.1
accept-proxy npn ssh/2.0

As a workaround, one could currently add those settings at the very end of "Advanced SSL options". However, one needs to add some SSL settings first, e.g.:

no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA npn http/1.1

security/tinc: 17.1 interface gets lost

When you install the tinc plugin you see an interface TINC in the interface section / rules section.
You can see the entry in the section in config.xml.

You can configure a network/host as it is supposed to be done; you then do a tinc daemon restart. You can see a tinc0 interface on the CLI.

Issue 1:
If you now reboot, the interface gets lost in OPNsense. It will, though, stay on the CLI, so it does get created. You cannot really use the assign mode in the interfaces section, since this does not create a tinc-like entry with all the dynamic/virtual settings inside.

Issue 2, if you re-assign the interface in the GUI:
If you do so, though, and then reboot, you will cause a supernova, since the WAN/LAN interfaces are shifted, so WAN will be LAN and you cannot connect to your box.

Add sslh as a service

It would be nice to have sslh (http://www.rutschle.net/tech/sslh.shtml) as a service, or even as an option for a port forward rule. It's great to forward, for example, wan:443 to an ssh server, https server, openvpn server and something else (RDP for example).

Of course you can use it on many ports, so having the option to configure multiple instances would be a must. (Hence the suggestion to have it under port forward as an option; it could then just spawn copies for each rule like you would with a proxy program.)

security/tinc: Adding tinc interface as Gateway

Hi,

If you want to reach networks behind OPNsense which are not part of the TINC subnet, you have to create routing rules.
But it's not possible, because you can't choose tinc0 as the GW interface. The tinc0 interface is not shown in the GUI (except on the firewall site).

Greetings
Tobias

Virtualbox guest additions

Hey, thanks for the awesome project, guys. I have OPNsense running on a VBox virtual machine.
I want to enable USB support to use a dual-band wifi dongle to have my wireless devices connecting to OPNsense.

When I run pkg install virtualbox-ose-additions it says it can't be found:

unable to update OPNsense repository

Now I heard something about a different install manager? But I can't find anything about it?

Thanks

security/tinc: Problems with the field-descriptions in tinc

@AdSchellevis punch me if it's just me, or my poor knowledge about tinc. I tried to read the docs and map what I saw there against what the forms ask for.

Network:

  1. Network: "this machines internal address to use and network mask for the whole network"
    What does that mean? Do you expect an address or a network? What does this field mean in general?

  2. Subnet: "This machines part of the network"
    What part? I am not able to get it.

Host:

  1. hostname: "The hostname for the selected machine in the network"
    What does "selected machine" mean?

  2. ext address/port: "this machine"
    Any reason why I would re-enter this information, since it is already part of the network?

  3. subnet: "This machines part of the network"
    Same as in network: what do "This machine" and "of the network" mean?

  4. public key:
    Since the Network is selected above, why do I need to re-enter this here?


Do not get me wrong on this; it's for sure that I do not get the terminology right, and you are so deep into this topic that it's crystal clear for you.

But maybe we can get this done for the general-purpose user and use more descriptive words?

Thank you!

net/haproxy: syslog "local" file socket feature

Adding the following to the syslog plugin in haproxy.inc will allow local logging without privileges:

'local' => '/var/haproxychroot/var/run/log'

Not sure how much needs to be changed on the GUI side.

Note that this core feature won't make it into 16.1.16.

security/acme-client : lost GUI

Hi guys,

I've just installed the plugin for Let's Encrypt yesterday (following this: #66). The creation of the certificate was good when I check the log. But when I go to Settings -> Administration -> add Let's Encrypt as certificate -> system default

I've lost the GUI, and it is impossible to recover it through WAN or even through LAN...

How can I resolve that? Do you have any idea about that? I have not found any information in the logs.

template revoke on +PRE_DEINSTALL

If we do have a revoke, we should call it on +PRE_DEINSTALL, adjusted to the +TARGETS files,
then reload templates under +POST_DEINSTALL again...

plugin install causes templates to fail

Hi Ad, this isn't severe, but I think we should keep track of this. I installed all plugins at once on a fresh 16.7.8 and it gave me the following errors:

Nov 15 15:26:21	configd.py: [1a459910-41df-408a-8c17-9439741483d4] Inline action failed with OPNsense/Tinc OPNsense/Tinc/tinc_deploy.xml 'NoneType' object has no attribute '__getitem__' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 308, in generate raise render_exception Exception: OPNsense/Tinc OPNsense/Tinc/tinc_deploy.xml 'NoneType' object has no attribute '__getitem__'
Nov 15 15:24:48	configd.py: [4ba75234-bf0b-4000-a785-fac8860cc9a2] Inline action failed with OPNsense/HelloWorld OPNsense/HelloWorld/helloworld.conf 'collections.OrderedDict object' has no attribute 'helloworld' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 308, in generate raise render_exception Exception: OPNsense/HelloWorld OPNsense/HelloWorld/helloworld.conf 'collections.OrderedDict object' has no attribute 'helloworld'
Nov 15 15:23:57	configd.py: [c8538f17-c3de-4152-822a-9cee9a25c264] Inline action failed with OPNsense/HAProxy OPNsense/HAProxy/haproxy.conf 'collections.OrderedDict object' has no attribute 'HAProxy' at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 505, in execute return ph_inline_actions.execute(self, inline_act_parameters) File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 52, in execute filenames = tmpl.generate(parameters) File "/usr/local/opnsense/service/modules/template.py", line 308, in generate raise render_exception Exception: OPNsense/HAProxy OPNsense/HAProxy/haproxy.conf 'collections.OrderedDict object' has no attribute 'HAProxy'

vnstat

Hi,

When will there be a vnstat plugin on OPNsense? If there is anything I can do to help make it work, please tell me. I am none from the Forum!

thanks,

HAproxy unknown keyword "inactive"

When using modes like "disabled" or "inactive" in the server configuration, the following warning occurs:

unknown keyword 'inactive'. Registered keywords :
[ ALL] id <arg>
[ SSL] ca-file <arg>
[ SSL] check-ssl
[ SSL] ciphers <arg>
[ SSL] crl-file <arg>
[ SSL] crt <arg>
[ SSL] force-sslv3
[ SSL] force-tlsv10
[ SSL] force-tlsv11
[ SSL] force-tlsv12
[ SSL] no-ssl-reuse
[ SSL] no-sslv3
[ SSL] no-tlsv10
[ SSL] no-tlsv11
[ SSL] no-tlsv12
[ SSL] no-tls-tickets
[ SSL] send-proxy-v2-ssl
[ SSL] send-proxy-v2-ssl-cn
[ SSL] sni <arg>
[ SSL] ssl
[ SSL] verify <arg>
[ SSL] verifyhost <arg>
[ALERT] 211/195229 (47201) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 211/195229 (47201) : Fatal errors found in configuration.

However, the HAproxy daemon boots up just as normal, ignoring that warning.

security/tinc: Features request for Tinc GUI

  • Add a field to set custom port number (Tinc option)

  • Add field for Mode option: router | switch | hub (Tinc option)

  • Add field for setting the Ping Time-Out (Tinc option, for slow connections)

  • Allow FQDN host names in the ext. Address field, so that it can work with Dynamic DNS (Tinc supports this according to the tinc documentation). Currently the field only allows an IP address. I think this needs to be changed in 2 places in the GUI:

  1. In the "This Host" of the Network section. Possible solutions (but I'm not sure!): allow an FQDN host name, or allow use of the keyword 'dynamic' (consistent with the Gateway IP Address field under Gateways), or replace it with an interface binding drop-down box (since this is the listen-to IP address)?
  2. Under Hosts (when creating a new host): allow FQDN host names in the ext. Address field.

If you need a tester for this, let me know.

Feature: DHCP server able to handle non-interface configured subnets

It would be very nice to be able to use a pair of OPNsense boxes for HA DHCP in setups where DHCP relay is being used and the OPNsense setup is functioning more like a DHCP server appliance than a full firewall, i.e. there is only one configured interface on the OPN side but we would require multiple networks served via the DHCP server.

I am not aware of any open source or indeed low-cost commercial products that provide a nice, simple GUI for DHCPD and HA configuration like we have in OPNsense, but obviously having to have the DHCP server with a presence in every subnet is not ideal, nor often desirable for large networks.

NAT64 via Tayga

Since FreeBSD doesn't provide NAT64 natively, maybe Tayga could fill that role? I have no experience with Tayga, though, and I don't know if it would work with all IPv6 setups (like TunnelBroker).

haproxy default certificate if SNI is not provided

With the haproxy plugin there is the possibility to use multiple certificates for SSL offloading, and this also works without any issues.
What I am missing is the possibility to choose a default certificate if SNI is not provided.
By default the first created (oldest) certificate is used...

security/acme-client: properly handle issuer certs

Currently our LE plugin does not import LE CA certificates, but instead bundles them directly with the LE certificate (see the following snippet from the plugin):

// Read cert fullchain
$cert_fullchain_content = @file_get_contents($cert_fullchain_filename);

Note that this is not really supported, as the OPNsense GUI shows the bundled cert as plain text when clicking on the "show certificate info" button in System -> Trust -> Certificates.

Maybe a better approach would be to import the LE Authority (from the LE certificate fullchain) as a new CA (if it does not exist yet) and link the LE certificate to this CA after the import. I'd use the import_ca() function in this case (found here: https://github.com/opnsense/core/blob/4169afd16e614a418aa08d017f21258121aae32a/src/www/system_camanager.php#L33-L72).

The benefit is obviously no hackish bundled CA and likely better application support (HAProxy is able to handle the bundled CA cert properly, but other applications may not - lighttpd?).

I assume that #77 might be related to this.

network card tweak plugin

Some cards have best practices for sysctl tweaks... a plugin should collect and enforce them automatically.

HAproxy server does not respect SSL

Using the latest version 16.7, the HAproxy plugin does not respect SSL for servers.
Even though the SSL option was enabled, the resulting haproxy.conf file misses the addition "ssl" at the end of the server entry.

net/haproxy: missing log messages when not run as root

If the HAProxy plugin is not run as root (default), the log will only contain startup messages:

Oct 11 16:47:00 fw1 haproxy[70395]: Proxy foo_frontend started. 
Oct 11 16:47:00 fw1 haproxy[70395]: Proxy foo_backend started. 

But any additional logging will not be available, e.g. messages regarding health checks:

Oct 11 16:52:50 fw1 haproxy[9070]: Health check for server foo_backend/host3 succeeded, reason: Layer7 check passed, code: 200, info: "HTTP content check matched", check duration: 14ms, status: 3/3 UP. 

security/acme-client missing intermediate certificate from installed certificate

Hello,

I've successfully installed a LE certificate using the OPNsense plugin.
It seems to work, but some clients cannot validate it.

From different SSL checking sites, it seems that the certificate chain is incomplete:
https://www.ssllabs.com/ssltest/analyze.html?d=home.o2r.fr
(same here: https://cryptoreport.websecurity.symantec.com/checker/ and here: https://www.digicert.com/help/).

Can you add all the required certs to the full chain?

Thanks,

Quentin

web-proxy-sso: TODO list for public release

  • fix POST issue: {"errorMessage":"Error at /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php:520 - array_key_exists() expects parameter 2 to be array, string given (errno=2)"}
  • copyright header style updates
  • change menu location
  • adjust squid.conf and rc.conf.d/squid
  • alt-auth hook to prevent local user authentication
  • unwind auth server vs. squid authenticator
  • protect exec() calls with exec_safe()
  • GUI updates for actions
  • testing during 16.7.x series
  • Use a drop-down list for Domain Version
  • /etc/rc.conf.d/ssoproxyad is not sourced because the service is "squid" <-- need an /etc/rc.conf.d/squid DIRECTORY instead

Currently required patching for 16.7.7:

# opnsense-patch -c plugins 57cfcddf 916d315

Feature Request: OSPF or BGP

Feature request for someone to write an OSPF or BGP plugin to allow for dynamic routing on internal networks and VPNs.

This would probably use Quagga or BIRD in either instance.
