other:networking:opnsense:quickreferences

Differences

This shows you the differences between two versions of the page.

other:networking:opnsense:quickreferences [2021/03/22 00:33] rodolico
other:networking:opnsense:quickreferences [2025/01/10 19:59] (current) rodolico
Line 32: Line 32:
       - Enter URL       - Enter URL
       - Click Apply       - Click Apply
-    - Firewall Aliases | New +    - Firewall Aliases | New (Plus Sign) 
-      - Name - Something you can remember+      - Name - Something you can remember, alpha-numeric and underscored only
       - Type - GeoIP       - Type - GeoIP
       - Select regions/countries to be included       - Select regions/countries to be included
         - NOTE: If you are wanting to **exclude everything but** some countries, ie block all but, you can simply list the countries you want to have access, then use the **NOT** value in the rules         - NOTE: If you are wanting to **exclude everything but** some countries, ie block all but, you can simply list the countries you want to have access, then use the **NOT** value in the rules
       - Enter an optional description       - Enter an optional description
-      - Click Save+      - Click Apply
     - Firewall | Rules | WAN     - Firewall | Rules | WAN
       - Action - Block       - Action - Block
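Review bot: the "Click Save" to "Click Apply" replacement on the alias step drops a step rather than correcting one: the lines above it (Name, Type, regions/countries, description) are fields of the new-alias form, which is closed with its own Save, and the pending alias change is then applied from the alias list, so "Click Save, then click Apply" would match the workflow; the "Click Apply" at the top of the hunk belongs to the GeoIP URL screen, which is a different page. The constraint added on the Name line ("alpha-numeric and underscored only") is a welcome addition; stating it as "letters, digits and underscores, no spaces or hyphens" would make the rule explicit for readers who try a hyphenated name.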
Line 52: Line 52:
  
 **Note**: On the rules, order is important. Any Pass rule that exists prior to this rule will negate it. For example, if you have your VPN rules before this, VPN will work from other countries. Put this as high in the list as possible. **Note**: On the rules, order is important. Any Pass rule that exists prior to this rule will negate it. For example, if you have your VPN rules before this, VPN will work from other countries. Put this as high in the list as possible.
 +
 +===== OpenVPN DNS Issues =====
 +
 +On a Chromebook, we have had an issue where making a VPN Connection using OpenVPN kills DNS. Sites can not be reached on the Chromebook while the VPN is active.
 +
 +It appears ChromeOS will kill its DNS entries when a VPN connection is made, even if no DNS is in the configuration. Once the VPN connection is stopped, DNS resumes.
 +
 +The solution is to add a DNS entry to your Road Warrior (Remote Access) vpn server.
 +
 +  - VPN | OpenVPN | Servers
 +  - Select the server in question for edit
 +  - Find DNS Servers (under client) and enter one or more DSN servers (by IP address)
 +    - Hint: if you put a forwarding DNS server within the network you are connecting to, some Operating Systems will allow you to connect by FQDN
 +    - Adding DNS Default Domain will allow you to find "acme.example.local" by simply entering "acme"
 +    - Adding multiple domains separated by comma's will allow you to find the same, but across multiple domains.
 +    - Putting a check mark in //Force DNS cache update// will help Windows machines to use the new server list
 +    - Putting a check in //Prevent DNS leaks// will disable all other DNS servers for the duration of the VPN session (Windows only)
 +    - Save, then re-export the client configuration files
 +
 +===== Admin User =====
 +
 +In many cases for small business, you want to have a user who can perform administrative functions on the router. This is an excellent alternative to supplying everyone with the root password. You can not, however, simply give all permissions, as some conflict. Following will give a group admin rights, without making them a member of the admin group and keeping the root password secure.
 +
 +  - System | Access | Groups
 +  - Add new group by clicking the plus sign
 +  - Create a name (I called it sysadmin), set a description, then add one or more users.
 +  - Save
 +  - Edit new group
 +  - Edit permissions (pencil, under Assigned Privileges)
 +  - Search for //All Pages// and select that (GUI All pages)
 +  - Do not add or remove anything else
 +  - Save
 +  - The users you have added to this group can not log in, with their own credentials, and manage the router
 +
 +===== Limited access user =====
 +
 +In some cases, you need to give an end user limited rights. They need to be able to log into the router's WebUI and perform some limited functions. This will show you how to allow a user to A) change their own password and B) reboot the router.
 +
 +  - System | Access | Groups
 +  - Create new group by clicking plus sign
 +  - Group Name: Reboot, Description: whatever, Add users to group
 +  - Click Save
 +  - Edit the new group
 +  - Click the pencil under //Assigned Privileges//
 +  - Search for, and enable, reboot (//GUI Diagnostics: Reboot System//)
 +  - Search for, and enable, password (//GUI System: User Password Manager//)
 +  - Search for, and enable, login (//GUI Lobby: Login / Logout / Dashboard//)
 +  - Save
 +
 +The user(s) you have as a member of this group will be able to login, change their password, and reboot the system.
  
 ===== Links ===== ===== Links =====
   * https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html   * https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
   * https://docs.opnsense.org/manual/aliases.html   * https://docs.opnsense.org/manual/aliases.html
 +  * https://forum.opnsense.org/index.php?topic=38493.0
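Review bot: the closing line of the Admin User list ("can not log in, with their own credentials, and manage the router") inverts the outcome the section sets out to achieve; read in context it should be "can now log in with their own credentials and manage the router". Two smaller text problems in the same hunk: "DSN servers" in the DNS Servers step should be "DNS servers", and "comma's" should be "commas". On substance, the "GUI All pages" privilege granted to the sysadmin group is full administrative access to the WebUI, so membership in that group deserves the same scrutiny as knowledge of the root password; the section's claim that this keeps the root password secure holds, but it does not limit what a member of the group can change. In the Limited access user section it would help to state that "GUI Diagnostics: Reboot System" lets the member take the router offline at any time, so it should only be granted to users trusted to do that.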
other/networking/opnsense/quickreferences.1616391209.txt.gz · Last modified: 2021/03/22 00:33 by rodolico