Messages - PotatoCarl

#1
26.1, 26.4 Series / Re: OpenVPN - Via UDP no routing
April 29, 2026, 08:53:05 AM
The client - now comes the fun part - says connected. The VPN status in OpenVPN says connected. The firewall protocol says nothing.

I will try to re-export the client. Kind of strange, as the local OpenVPN TCP connection is actually a copy of the UDP one, just with different peers, but who knows...
#2
Hi

I have successfully set up one Wireguard VPN. It works inside our network and outside. So yay!
However, I copied this VPN to a second one; the differences are: different port, different IP range.
I cannot get this to work, i.e. my client does not show "handshake".

Few things:
- We have two WANs, so both Wireguard clients have 2 peers
- The WAN comes in via a FritzBox with exposed host set to the OPNsense port
- The different IP ranges are necessary, as in our experience from time to time e.g. hotels use the same internal IP range as we do, so no routing is possible. Therefore we have multiple VPN instances to make sure "one of them works"

I know, I know, "I copied everything but..." usually means "but forgot something". I have checked all settings (gateways, interfaces, rules, NAT, shaping, Wireguard) multiple times and cannot find a difference.
Basically I am asking where to look, protocol-wise, to do debugging. Or any other tip if what I was thinking is fundamentally wrong.
#3
26.1, 26.4 Series / Re: OpenVPN - Via UDP no routing
April 27, 2026, 10:16:29 AM
Troubleshooting - well, I am on it. But I am running against walls a bit here and do not even know where to look anymore.
As I said, it worked with an older OPNsense version and broke one day (sorry, as always many other things to do; the TCP one continued to work, so the problem was postponed; at least 2 major upgrades since then).

Troubleshoot the new instance: How? Precisely? There is not even a connection attempt in the log. With the "old" server, I get connected but no routing. So I am much further there. How can I troubleshoot the new server?

> Tried with the phone using the mobile connection, not the wifi?

Yes: internally (works/worked fine previously and still does with port 443), with WiFi at a different place and with the normal network connection.
The laptop at two different sites, one on the internal WiFi and one on an unconnected WiFi.

I have tested the allow-all rule - no change.
#4
26.1, 26.4 Series / Re: OpenVPN - Via UDP no routing
April 26, 2026, 12:13:48 PM
If you mean a route in the OpenVPN rules with "Source" OpenVPN Network to any, I have this. It does not change anything.
#5
26.1, 26.4 Series / Re: OpenVPN - Via UDP no routing
April 26, 2026, 12:12:16 PM
"So this would be a good time to migrate to the new connections."
Well, I always believe it is a good time to do this while the "old" config is running, so that when it breaks you know how it was working before.

I have already tried multiple times to "just make a new UDP VPN" with the new config, but I do not even get a connection yet. So currently I am trying to get the "old" config back to work.

I tried a laptop with Linux and an Android phone: both failed on both UDP instances to route anything into the VPN, name lookup etc.
They get an IP out of the range, and the connection claims to be up. Whenever I get a connection via one of the UDP servers, no routing into the VPN is possible. With TCP it works fine.
All servers are identically configured, only the ports and UDP/TCP settings are different; the firewall rules seem to be fine, too.
#6
Hi
I am stuck at the same point here, but I am using unbound.
In the client config: "allowed IPs to pass tunnel" is the IP of the gateway 192.168.30.1/32
The tunnel in the instances is configured as 192.168.30.0/24
No DNS in the interfaces selected (although I tried to set 192.168.30.1, too, but that did not change anything)
I can open pages by entering the IP address, but cannot look up any DNS name.
Unbound runs on "all" interfaces.

Gateway and interface for the Wireguard instance is configured as described here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am running with 2 WANs and copied the configuration to both of them (although wireguard only runs on one WAN at this time).

Any ideas?

Wireguard itself connects fine; in the app the "correct" DNS server 192.168.30.1 is also shown.

EDIT: Resolved: the DNS has to be set to x.x.x.0, not x.x.x.1; then it works fine.
#7
26.1, 26.4 Series / OpenVPN - Via UDP no routing
April 25, 2026, 07:56:15 AM
Hi

For some time I have had a problem with OpenVPN:
I have set up 4 legacy servers on two outside WAN lines.
- WAN comes in via fixed IPs on FritzBoxes -> Forward Host (OPNsense).
- Two OpenVPN servers (legacy), one UDP 1194, the other 1195, each bound to a different WAN
- Two OpenVPN servers (legacy), port 443 TCP, one on each WAN line

When I connect via UDP I get a connection. That means IMHO that OpenVPN is set up correctly so far.
However, I cannot do any name resolution (time out), ping any computer in the connected network etc.
Basically I get "VPN connected" and am "offline".

When I connect to the Port 443 VPN it works almost fine (see below), i.e. on any Linux PC everything works perfectly as expected. On Android, too.

I tried various firewall rules (I don't think I changed anything that would stop it working; as I use the VPN daily I should have noticed instantly), either using the OpenVPN nets directly, an alias with all combined, or the OpenVPN_Network preset. Nothing changes anything; on the UDP line it does not seem to get routed.

All OpenVPNs have the DNS set to the real IP of the OPNsense (which runs Unbound), not any guessed IP from the OpenVPN network.

As I have the update to the new network ahead of me, I'd prefer to get UDP running so I can translate the configuration "port by port" and switch the system over "seamlessly" instead of cutting off all remote VPN users at once.

Any ideas, anyone? Am I missing a "new" firewall rule that is mandatory here and might have been introduced even a couple of major versions ago, so that things stopped working suddenly?

Firewall live view BTW does not show anything blocked, making it more confusing; Unbound does not show a connection attempt.

Thanks for any ideas where to look.
#8
Please beat me to death with a network switch!
This problem with the legacy OpenVPN is simpler than thought: I have (sorry for not posting it) a FritzBox before the OPNsense and have the OPNsense as exposed host. Well, if you switch a physical network card, the IP changes and you have a different IP address...

The migration worked therefore.

Now, let's see if I get the new OpenVPN interface to cooperate....
#9
Hi,
I am currently running 25.10 business, imported from 25.7 community.

AFTER the import I upgraded the old appliance to 26.1, and the VPN still works fine as previously.
The NEW appliance is not yet updated, as I had to get the old one back online due to the VPN issue.

NOW I want to make sure I understand the VPN issue and have it running with the NEW OpenVPN interface. But this is where I am stuck: I do not get the new OpenVPN instances to work, i.e. no connection from the clients.

I followed the instructions in the documentation, but was not able to get it up and running. Is there a more detailed instruction that helps with debugging?
#10
Hi
I need to post a stupid question and hope for an intelligent answer:
I have been using OpenVPN for a long time for our road warriors and others. That works well with the legacy setup up to 26.1 Community edition.
I tried a few times to convert it to the "new setup" but never succeeded.

Now a necessary hardware upgrade made us switch to the business edition.
After a few hiccups we got everything up and running in 25.10 business - except OpenVPN. There is no contact possible; the client is stuck at "waiting for reply"

Here's what I did:

- started the new appliance out of the box with 25.y business
- restored backup from 25.7
- assigned interfaces
- reboot
- installed missing plugins
- updated opnsense to 25.10

All works well, except no VPN.
Plugging the "old" appliance in: bang, works. Upgraded the old community to 26.x: no change except the warning that the OpenVPN server is deprecated.

So anyone any idea what the problem might be and how to get openvpn up and running?

Also a comprehensible how-to for the new OpenVPN interface would be great. I tried the path from the manual with no success whatsoever (the old one took about 5 min and worked perfectly).

Also maybe some good instructions for wireguard and the chances to operate it in china but that is off topic (and I have not tried everything with wireguard yet).

Any help will be appreciated.

Thank you.
#11
25.1, 25.4 Legacy Series / Re: Community to Business
January 30, 2026, 06:38:59 PM
I have the same subject here and just want to confirm that I am not running into some walls here:

- We run an older Deciso appliance with OPNsense Community edition and just upgraded to a brand new one including the business edition.

So, can we import the config of the 25.7 community into the 25.10 business? What if we decide to do the community upgrade to 26.1 before we have the new appliance ready?
#12
Hi
I have been using OpenVPN for years. Now the "old" plugin is legacy, so I converted all settings to the "new" instances. However, when I turn off the clients/servers from the old settings and start the "instances", I cannot connect anymore.

As this is business critical for me, I wonder what I am doing wrong. Is there a comprehensive how-to for the conversion of the old settings to the new? I had to guess a few fields as they are named differently, but I believe I got it okay. No error message except "time out" to be found.
#13
I am pretty sure that OPNsense did not have an auto-update feature so far. *However* it seems to do this now. I was away and just checked back on OPNsense after two weeks, and to my surprise it claims to be on 25.1.5_5. A hotfix that just came out this Monday, after an update that came out last week.

Being *very* sure that I did not install either update, I still went to "check for updates". And then all that came was "System is rebooting Rebooting".

After a while, it goes back to the dashboard. As it did not boot, I tried to reboot from the power menu - no effect.

Also, my *av services do not start and "intrusion detection" regularly breaks down.

I am very confused. Is there a new auto-update feature? Does it update itself now?

And why can't I reboot? What is the problem? I tried many things short of pulling the plug.
#14
Hi
I have a confusing problem which I cannot figure out:
- I have a number of Samsung A9+ tablets configured in the LAN
- The tablets can access the internet and internal zones and download the *Play Services* Updates without problem
- They cannot download the Samsung Update (Software/Firmware Update)
- If I plug them into our Guest Network, all works fine
- When I do a live inspection of the firewall protocol with the source set to the corresponding IP, I only get "pass to router, 'Anti Lockout Rule'", no other message.

I really do not understand where it stalls. Any idea?

I am using Unbound as DNS with some standard ad-blockers, but as I can access the internet fine, this is not an issue, is it?

Any help for understanding how to trace the problem would be appreciated.
#15
Hi
I installed a Rocket.chat server (snap) behind my OPNsense firewall quite a while ago and used a tutorial for getting this done (it is done via automations, took a bit but works well).
Now I am trying the same with a postfix/cyrus setup I have behind my firewall. Opening port 80 to this host is out of the question.

The reason I want to do this is that currently a few anti-spam engines (may they rot in hell) decline our emails due to "non verifiable certificate chain". We are forwarding all our email to a relay of our uplink and download everything via fetchmail (all on a server behind the firewall).

With a Let's Encrypt SSL certificate for our postfix host I hope to be able to solve the problem.

Anybody knowing where to find or having maybe written such a tutorial will be sure of my never ending thanks for pointing me to it.

I honestly did not look into the postfix service of OPNsense so I do not know if that would solve my issues easier. Any suggestions welcome.

And: Happy New Year!