Route-based VPN between OPNSense and StrongSwan

Today I spent a little bit of my time figuring out how to move away from a policy-based VPN in favour of a route-based one. I had been eyeing the concept for a while and wanted to use it in my home lab to solve a couple of problems I had been turning a blind eye to. Without further ado, please follow the guide below to set up a route-based VPN between a StrongSwan-based peer (on an RPi 3+) and an OPNSense appliance.


Zabbix – Recognize bare-metal and virtual machines

This afternoon was spent searching for ways to auto-register clients and assign them to different policies based on whether they are virtual or not and, to my surprise, I couldn’t find an out-of-the-box way of achieving this with Zabbix.

After looking into different Zabbix agent calls and modules, I found a way to reliably tell whether a host is a bare-metal machine or not.


Defining encryption domains per VPN peer in CheckPoint

Vendors generally implement VPNs in a way where phase 1 and phase 2 settings are defined per VPN peer (i.e. the third party we will be establishing the VPN tunnel with), which gives us flexibility with regard to the subnets we will be using for phase 2.

CheckPoint, however, does things a little differently, which can sometimes cost us a couple of hours of pain when troubleshooting. Learn how to force CheckPoint to switch to the “traditional” way of configuring phase 2 settings in this guide!


Zabbix – Monitoring SSL certificate expiry dates and alerting when it’s due to expire

Nowadays almost every website provides an encrypted channel between itself and the end user. I would love to say it’s because web administrators these days are concerned about their visitors’ data safety but, while that might also be true in some cases, browsers these days will show a big “ERRRR, SOMETHING’S WRONG!” warning message when we try to connect to a non-HTTPS website.

While obtaining certificates is pretty much free nowadays (as long as we’re OK with the level of trustworthiness we get from running a Let’s Encrypt certificate) and some providers will even help us put them in the right place, we still have to remember to renew our certificates every now and then. If we don’t then, oh well. We’re back to square one, because having an expired certificate is as good as having no certificate at all when it comes to browsers screaming at us.


OPNSense – Monitor number of connected OpenVPN users with Zabbix

Hello everyone!

Recently I’ve been toying around with my new, fully featured lab. I couldn’t decide what kind of firewall I’d like to use (obviously keeping in mind that I was trying to avoid anything commercial). I really enjoyed using pfSense in the past but felt like the UI was a bit dated. Fortunately, OPNSense exists!

After configuring everything and setting up remote access, I decided to set up a Zabbix server in my new environment to keep an eye on various things. The one thing I couldn’t monitor, however, was the number of remote users connected to the OpenVPN server hosted on my OPNSense firewall.

I read a couple of articles, as well as a few Stack Overflow questions, and thought to myself: alright, that won’t be pretty. And it’s not. But hey, it works!
