OPNsense: WireGuard as a central gateway for VPN clients

If you use AzireVPN or PIA with OpenVPN you can tunnel all your traffic through the VPN to get around geoblocking or censorship.

To do the same with WireGuard on OPNsense, here is a short guide on setting up both the server and the client on OPNsense. Configuring another client, e.g. Android, works much the same way.

Server

Since the plugin is still in development, install it from the console:
# opnsense-code plugins
# cd /usr/plugins/net/wireguard
# make upgrade

After this it appears under VPN – WireGuard. Configure it as in the screenshots below.

This is the Endpoint, i.e. your client. Insert its public key and give it a Tunnel Address; I used 10.12.12.2/24. Note that this field is the peer's AllowedIPs: it defines which source addresses are accepted from this key and which destinations are routed to it, so for a single client 10.12.12.2/32 is the tighter choice. The Endpoint Address can be left empty; the client is then accepted from any source address and identified by its key alone, which is what you want for roaming clients.

Create a new server instance, give it the Tunnel Address 10.12.12.1/24 and link the Peer you just created.

Enable the service and go to Firewall – Rules to add a new firewall rule. If you don't see the WireGuard tab, edit an existing rule, change nothing and save again; the tab should then appear.

For testing just allow everything. Once the tunnel works, restrict the rule to what the clients actually need.

Now go to Firewall – NAT – Outbound and add a new rule: interface WAN, source your tunnel network 10.12.12.0/24.

This means that packets from 10.12.12.0/24 leaving via WAN are NATed to the WAN address.

In my case the interface is LAN, since this central OPNsense only has one interface.

Client

On the client install the package the same way as above and again go to WireGuard: create an Endpoint with the public key of the server, create a server instance, link the Endpoint, enable the service and you are done; packets now go through the VPN. In the screenshots note that the values differ slightly from the server side, because on the client the server Endpoint gets 0.0.0.0/0 as Tunnel Address, which routes all traffic into the tunnel.
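The same server/client setup expressed as wg-quick style configuration files, generated by an added example script (my own code, not the OPNsense plugin's and not from the original post). The endpoint host name fw.example.net is assumed, the keys are freshly generated (the X25519 routine is a textbook RFC 7748 ladder, included only so the script runs without extra packages), and the server side uses a /32 for the peer rather than the /24 used above:

```python
import base64
import ipaddress
import os

# Curve25519 constants (RFC 7748). The ladder below is a plain textbook
# implementation, included only so the example runs without extra packages;
# on a real box use `wg genkey | tee privatekey | wg pubkey`.
_P = 2**255 - 19
_A24 = 121665


def _clamp(priv: bytes) -> int:
    k = bytearray(priv)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time here)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow(da + cb, 2, _P)
        z3 = x1 * pow(da - cb, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P


def x25519(priv: bytes, peer_u: bytes) -> bytes:
    """Scalar multiplication on raw 32-byte inputs (shared secret / pubkey)."""
    u = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)
    return _ladder(_clamp(priv), u).to_bytes(32, "little")


def public_key(priv: bytes) -> bytes:
    return x25519(priv, (9).to_bytes(32, "little"))


def generate_private_key() -> bytes:
    return os.urandom(32)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def wg_config_pair(server_priv: bytes, client_priv: bytes,
                   tunnel_net: str = "10.12.12.0/24",
                   server_endpoint: str = "fw.example.net:51820") -> dict:
    """Build matching wg-quick configs for the gateway and one client.

    Server: the peer's AllowedIPs is the client's /32, so WireGuard's
    cryptokey routing only accepts that source from, and only routes that
    destination to, this key. Client: AllowedIPs 0.0.0.0/0 sends everything
    into the tunnel, which is the central-gateway setup of the post.
    """
    net = ipaddress.ip_network(tunnel_net)
    hosts = net.hosts()
    server_ip, client_ip = next(hosts), next(hosts)
    port = server_endpoint.rsplit(":", 1)[1]
    server = "\n".join([
        "[Interface]",
        f"Address = {server_ip}/{net.prefixlen}",
        f"ListenPort = {port}",
        f"PrivateKey = {b64(server_priv)}",
        "",
        "[Peer]",
        f"PublicKey = {b64(public_key(client_priv))}",
        f"AllowedIPs = {client_ip}/32",
        "",
    ])
    client = "\n".join([
        "[Interface]",
        f"Address = {client_ip}/{net.prefixlen}",
        f"PrivateKey = {b64(client_priv)}",
        "",
        "[Peer]",
        f"PublicKey = {b64(public_key(server_priv))}",
        f"Endpoint = {server_endpoint}",
        "AllowedIPs = 0.0.0.0/0",
        "PersistentKeepalive = 25",
        "",
    ])
    return {"server": server, "client": client}


if __name__ == "__main__":
    pair = wg_config_pair(generate_private_key(), generate_private_key())
    print(pair["server"])
    print(pair["client"])
```

Run it and map the two outputs onto the server instance and Endpoint forms (or drop them into wg0.conf on a plain wg-quick box). The one thing the script deliberately leaves out is the outbound NAT rule, which stays with the firewall.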

OPNsense: Bypass LDAPS errors via HAProxy

If the certificate chain you imported into OPNsense does not match the one presented by your LDAPS server, the encrypted connection will fail.

As a workaround you can put HAProxy in between, since it lets you disable certificate chain verification. Don't do this in mission-critical networks: with verification off, anyone on the path between OPNsense and the domain controller can impersonate the DC (MITM) and read the LDAP bind credentials. The real fix is to import the CA that actually issued the DC's certificate.

Install HAProxy the usual way and do the following:

Create a Real Server

Create a Backend Pool

Create a Public Service

Finally Enable the service.

Now you can create a new LDAP backend and point it at localhost port 389; HAProxy forwards it to your DC via LDAPS (636). Keep in mind that the hop from OPNsense to HAProxy is plain LDAP, so bind the Public Service to 127.0.0.1 only and never to a reachable interface.
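The HAProxy configuration behind those three GUI objects, as an added example (not from the original post and not the OPNsense plugin's generated config; the DC address 192.0.2.10, the CA file path and the hostname dc1.example.local are assumed). The first backend is the workaround from above, the second is what to switch to once the right CA is imported, so the proxy actually checks the chain and the name:

```haproxy
# Public Service: plain LDAP, loopback only, so nothing but local OPNsense
# authentication can reach the unencrypted hop.
frontend ldap_local
    mode tcp
    bind 127.0.0.1:389
    default_backend dc_ldaps

# Backend Pool + Real Server as in the workaround: TLS to the DC with the
# chain check disabled. Anyone between OPNsense and the DC can now answer
# as the DC and collect the bind credentials.
backend dc_ldaps
    mode tcp
    server dc1 192.0.2.10:636 ssl verify none

# What to switch to once the issuing CA is known: verify the chain against
# that CA and check the name in the certificate (CA path and name assumed).
backend dc_ldaps_verified
    mode tcp
    server dc1 192.0.2.10:636 ssl verify required ca-file /usr/local/etc/ssl/dc-ca.pem sni str(dc1.example.local) verifyhost dc1.example.local
```

Swapping default_backend to dc_ldaps_verified turns the workaround into a proper TLS client; if that backend shows the server as down, the CA file is still the wrong one, which is exactly the condition the workaround was hiding.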

OPNsense WireGuard Plugin (AzireVPN)

Intro

Short installation and configuration instructions for WireGuard Plugin 0.3 devel with AzireVPN (see also notes at the end).

Installation

Installation in devel mode only works via CLI:

# opnsense-code plugins
# cd /usr/plugins/net/wireguard
# make upgrade

Then you’ll see the menu under VPN – WireGuard

Setup

Log in to your AzireVPN account and request a config for WireGuard.

Go to the Endpoints tab, add a new one and fill in the public key from the config file, 0.0.0.0/0 as Tunnel Address and the VPN host as Endpoint Address.

Normally creating a new server instance generates a new key pair. Since with AzireVPN the keys are managed by them, you have to paste the private key from the text file you downloaded and set as Tunnel Address the address given in the config. Treat that file as a secret: whoever has the private key can use your account's tunnel.

Choose your Endpoint in the Peers dropdown list.

Then go to the General tab and enable the service. If all is well the tunnel is up and your default route now goes via WireGuard. To make more out of it, go to Interfaces – Assignments and assign your wg0 interface.

IMPORTANT: Never enable this interface! Just tick the lock to prevent the interface from being removed. You can enable the interface, rename it and disable it again so its name is not just optX.

Now you can enable the interface and set IPv4 Configuration Type to none.

After this you can create a gateway on it, so you can route via firewall rules.

Now set a firewall rule that pushes your LAN (or whatever you like) through it:

So now all your LAN goes through the tunnel; what's missing is a NAT rule so you are NATed inside the tunnel. Go to Firewall – NAT – Outbound and set the mode to Hybrid or Manual. Then add a rule like below and choose as translation address the IP assigned in the config file:

That’s it! 

If you have questions ping me (mimugmail) in IRC, OPNsense Forums or Reddit. Also available in Twitter (mimu_muc) to help out!

P.S.: You may have to restart the service, since assigning the interface without IPv4 removes the current setup.

P.P.S.: At the moment routing via groups doesn't work when the interface is disabled; we'll have to fix this in core (may take some weeks). For now you can just use the route received via the server instance (like 0.0.0.0/0).

Trunking between Mellanox Onyx and Cisco SMB SG

Lately I had to connect a Mellanox SN2100 to a Cisco SG550 via a 40-to-10 breakout cable. There were multiple VLANs and sadly VLAN 1 was used for the core. The firewall connected to all networks had trunk ports on all 40G ports, besides VLAN 1, which was a standard access port.

Setting "switchport mode trunk" on both ends worked for all VLANs besides VLAN 1, so I started to google around and found some articles in the Cisco community saying that "switchport mode general" is better for multi-vendor connections, so I tried this. Sadly then all other VLANs didn't work either.

Then I started to search on Mellanox pages and found:

https://community.mellanox.com/docs/DOC-2332

So there's a mode hybrid to allow all VLANs and access mode vlan 1 for the native VLAN. In Catalyst IOS this is the standard mode trunk, but not here. I set the mode to hybrid, tagging all VLANs and access mode vlan 1. It still didn't work with mode general on Cisco (remember, most compatible in multi-vendor) and then I switched to mode trunk on the SG and boom .. that's it.

In summary, when you want to trunk between Mellanox Onyx and Cisco SMB switches, set the trunking mode to hybrid and access vlan 1 (or the native one on the Cisco side) and mode trunk on the SMB switch!
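A reconstruction of the two port configurations described in the summary, added here as an example; it is not the author's actual configuration. Interface names and the tagged VLAN IDs (10 and 20 besides the native VLAN 1) are assumed:

```text
## Mellanox Onyx (SN2100) side; port name assumed, the split port from the
## breakout cable will have its own index
interface ethernet 1/1
  switchport mode hybrid
  switchport access vlan 1
  switchport hybrid allowed-vlan add 10
  switchport hybrid allowed-vlan add 20
  exit

! Cisco SG550 side; port name assumed
interface te1/0/25
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk allowed vlan add 10,20
  exit
```

The pairing to keep in mind is hybrid + access vlan on Onyx against trunk + native vlan on the SG: both sides then agree that VLAN 1 is untagged and everything else is tagged, which mode general on the Cisco side did not deliver here.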

Using OpenConnect with newly released OPNsense 18.1.1

Hey guys, with the release of 18.1.1 we introduced the OpenConnect plugin without a real introduction. So what is it for? Imagine you have a Cisco ASA in your company that lets you connect with AnyConnect from your PC. The plugin does the same from OPNsense, so you can allow multiple inside hosts to reach your company LAN.

Just install the plugin the usual way, go to VPN – OpenConnect and set the server host and username/password. If you are using groups you should add the group name after the server URI.

Once this is enabled you also have a new interface in your firewall rules, and you can set up fine-grained rules for who may reach the company LAN.

OK, what's missing? Your LAN clients have an internal IP, so you need some NAT. Go to Firewall – NAT – Outbound and add a rule on your OpenConnect interface with source and destination set properly; with interface NAT all the specified packets are hidden behind the VPN IP received from the Cisco ASA.

For further questions reach out to me in the forums; bug reports are very welcome on GitHub in the plugins repo!

OPNsense: Adding inputs.ping to telegraf plugin

Last week there was a feature request to add the ping input to telegraf for monitoring latency.

First we check the .sample conf:

# [[inputs.ping]]
# ## NOTE: this plugin forks the ping command. You may need to set capabilities
# ## via setcap cap_net_raw+p /bin/ping
# #
# ## List of urls to ping
# urls = ["www.google.com"] # required
# ## number of pings to send per collection (ping -c <COUNT>)
# # count = 1
# ## interval, in s, at which to ping. 0 == default (ping -i <PING_INTERVAL>)
# # ping_interval = 1.0
# ## per-ping timeout, in s. 0 == no timeout (ping -W <TIMEOUT>)
# # timeout = 1.0
# ## interface to send ping from (ping -I <INTERFACE>)
# # interface = ""

OK, it seems we only need a checkbox to enable/disable ping and a field for the hosts/URLs to monitor. For a single host a simple text field would do, but what about monitoring multiple hosts? We need the CSVListField type!

So this is our form:

Then the model:

And the templating in telegraf.conf:

Form and model are quite easy, but what about the templating? The contents of a CSVListField object look like this:

8.8.8.8, 8.8.4.4

But we need:

'8.8.8.8','8.8.4.4'

To be honest I don’t know how to do it, but the good thing is, there is a community! I just pushed my ideas via a pull request and got the fix promptly:

https://github.com/opnsense/plugins/pull/522#issuecomment-360843054

 

You don’t have to be an expert to contribute code 🙂
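The templating question above, worked through as an added Python example (my own code, not the plugin's and not the fix from the pull request): the CSV field value is split, each entry is checked to be an IP literal or a plain hostname before it is quoted, and the result is rendered as the TOML line telegraf expects. The validation rules are an assumption of this example, not something the plugin enforces.

```python
import ipaddress
import re

# One DNS label (RFC 1123 style): letters, digits, hyphens; no leading or
# trailing hyphen, at most 63 characters. Assumed validation rule for this
# example, not something the plugin enforces.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_csv_list(raw: str) -> list:
    """Turn the CSVListField value ('8.8.8.8, 8.8.4.4') into clean entries."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def is_valid_target(target: str) -> bool:
    """Accept an IPv4/IPv6 literal or a plain hostname, nothing else.

    The value ends up in telegraf.conf and from there as an argument to the
    forked ping process, so quotes, whitespace, shell metacharacters and
    leading dashes (which ping would read as options) are rejected here
    rather than trusted from the GUI.
    """
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    if not target or len(target) > 253:
        return False
    return all(_LABEL.match(label) for label in target.rstrip(".").split("."))


def render_ping_urls(raw: str) -> str:
    """Render the TOML `urls = [...]` line; raise on any bad entry."""
    targets = parse_csv_list(raw)
    bad = [t for t in targets if not is_valid_target(t)]
    if bad:
        raise ValueError(f"refusing ping targets: {bad}")
    return "urls = [" + ", ".join(f'"{t}"' for t in targets) + "]"


def render_ping_section(raw: str, count: int = 1,
                        ping_interval: float = 1.0, timeout: float = 1.0) -> str:
    """The full [[inputs.ping]] block as it would land in telegraf.conf."""
    return "\n".join([
        "[[inputs.ping]]",
        "  " + render_ping_urls(raw),
        f"  count = {count}",
        f"  ping_interval = {ping_interval}",
        f"  timeout = {timeout}",
    ])


if __name__ == "__main__":
    print(render_ping_section("8.8.8.8, 8.8.4.4"))
```

Double quotes are used because that is what the sample config shows; TOML accepts single quotes too, so the form from the post works as well. The validation step is the part worth keeping: refusing anything that is not an address or hostname at the form boundary is cheaper than reasoning about what a forked ping does with an odd argument.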

OPNsense: Add auto-update to lldpd plugin

After finishing our lldpd plugin I added an auto-refresh to the neighbor tab so you don't have to click it all the time for updates.

Really easy to do:

Move the API call into a function and call it from the ready handler at an interval.

configure prefix for Nginx+ and ModSecurity source

The --with-cc-opt and --with-ld-opt values keep the distribution's compiler hardening (stack protector, _FORTIFY_SOURCE, full RELRO with -z now) on the custom build, so don't drop them when adapting the line:

./configure --add-dynamic-module=/opt/ModSecurity-nginx --build=nginx-plus-r11 \
  --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio \
  --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module \
  --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module \
  --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module \
  --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module \
  --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module \
  --with-stream_ssl_module --with-stream_ssl_preread_module \
  --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed'

Tune Zabbix MySQL DB

There are many guides for tuning Zabbix and its DB.

Here's what I did in my environment (DB only):

innodb_buffer_pool_size = 2G
innodb_buffer_pool_instances = 8
innodb_flush_log_at_trx_commit = 0
innodb_io_capacity = 500

Note that innodb_flush_log_at_trx_commit = 0 trades durability for speed: the redo log is flushed about once per second, so a mysqld crash or power loss can lose the last second of writes. That is usually acceptable for history data, but set it back to 1 if the audit or event tables must not lose rows.