Messages - ikkeT

1
24.7 Production Series / Re: DHCPv4 not working after upgrade to 24.7.4_1-amd64
« on: September 21, 2024, 09:04:41 am »
I just lost IPv4 DHCP. I updated already days ago, but today all of a sudden it won't serve. I will pull in the very latest update and see. Overall I have had to reboot my apu2 box several times after the upgrade due to the network being sluggish.

Did you find out any reason for the failure? From a quick look I see nothing in the logs.

2
Virtual private networks / Re: third wireguard peer won't show up
« on: July 25, 2022, 08:12:02 pm »
Problem solved after several hours of wondering. And of course, it was a user problem again (me!). I found this issue, where someone had the same problem, and he reminded that it's not enough to save peers and apply; they also need to be listed in the server's peers list separately.

I know it's my bad, but it is easy to miss. It might be worth adding a reminder text in the dialog where one creates new peers. Or better yet, ask there which servers you want to assign the peer to, having the list there too. As such it's super easy to miss.

https://github.com/opnsense/plugins/issues/2926

3
Virtual private networks / Re: third wireguard peer won't show up
« on: July 25, 2022, 10:05:43 am »
See attached client list screenshot.

4
Virtual private networks / [solved] third wireguard peer won't show up
« on: July 25, 2022, 10:00:21 am »
Hi,

I got my first two wg peers to connect. But as I added the third peer, it won't get picked from gui to system configs. OPNsense is the latest version at the date, OPNsense 22.1.10-amd64. The config is just the same as the two previous ones, listing name, public key and allowed ip (192.168.116.22/24).

But when I apply the settings, only the two first ones are written into wg0 config file, also seen from gui in peer list. The third one never gets there. See Peer List view:

Code:
interface: wg1
  public key: (hidden)
  private key: (hidden)
  listening port: 55555

peer: (hidden)
  endpoint: 1.1.11.24:24472
  allowed ips: 192.168.116.21/32
  latest handshake: 10 minutes, 34 seconds ago
  transfer: 4.89 MiB received, 1.00 GiB sent

peer: (hidden)
  endpoint: 1.1.1.24:26682
  allowed ips: 192.168.116.20/32
  latest handshake: 36 minutes, 6 seconds ago
  transfer: 340.61 KiB received, 480.98 KiB sent

How can this be? I have tried saving and applying it several times, but the third one never gets there. Also restarted the wg several times. The config of the peer is just like the others, only pubkey and IP are different. What am I missing?

5
Virtual private networks / Re: setting up wg interface ruins routing
« on: July 24, 2022, 11:36:32 pm »
Aaaand found the final error. There was some copy-paste problem, I had the server pub key also set to the android peer in opnsense. D'oh, some hours well spent :D

I'll try to see if I get to delete the post.

6
Virtual private networks / Re: setting up wg interface ruins routing
« on: July 24, 2022, 11:26:47 pm »
oops, private key pasted, reconfiguring  ::)

7
Virtual private networks / Re: setting up wg interface ruins routing
« on: July 24, 2022, 11:19:22 pm »
changing the allowed ips to 192.168.116.<client>/32 fixed the routing, but still, no response from the wireguard to android.

8
Virtual private networks / Re: setting up wg interface ruins routing
« on: July 24, 2022, 11:13:45 pm »
here is the config:

Code:
root@OPNsense:~ # cat /usr/local/etc/wireguard/wg1.conf
[Interface]
PrivateKey = xxx
Address = 192.168.116.1/24
ListenPort = 55555

[Peer]
PublicKey = yyyH8kTI=

AllowedIPs = 0.0.0.0/0

[Peer]
PublicKey = xxxoKxM=

AllowedIPs = 0.0.0.0/0


I wonder if it's due to the allowed IPs, but the GUI won't allow saving until the field is filled. I want all traffic allowed from the client.

9
Virtual private networks / setting up wg interface ruins routing
« on: July 24, 2022, 11:04:13 pm »
Hi,

I've spent this evening struggling with wireguard. I followed this guide [1] which tells to set up interface wg1 for the wg. There is some oddity in the wg plugin, it doesn't list the first peer for example in list configs, which baffled me for a while, but I see from the command line it's in the config file.

However adding interface wg1, like instructed in guide, ruins networking. It seems to guide all traffic to this wg1. Which leads nowhere, naturally. Routing table looks like this, see the first line:

Code:
root@OPNsense:~ # netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#9             US          wg1
default            87-92-128-1.rev.dn UGS        igb0

Which to me tells the wg1 grabs the traffic from LAN. As soon as I disable the wg1, the 0.0.0.0/1 line disappears, and the routing becomes normal and I get to internet from LAN.

Why is this, what did I do wrong?


[1] https://docs.opnsense.org/manual/how-tos/wireguard-client.html

10
General Discussion / Re: 22.7 openvpn dropping dh option - clients?
« on: July 14, 2022, 06:50:29 am »
Thank you.

11
General Discussion / 22.7 openvpn dropping dh option - clients?
« on: July 13, 2022, 08:44:33 pm »
Hi,

I was reading the changelog for 22.7-rc1, and it says the dh option gets dropped for openvpn. What needs to be done for client configs to make them able to continue working?

Do I need to reconfigure all clients not to have the dh option, and then update the box, and they somehow get back connected?

As if I don't, I lose access to clients and they won't be able to connect back any longer after the 22.7 update, right?


12
21.7 Legacy Series / Re: ACME client problems
« on: May 06, 2022, 08:24:15 am »
Did you sort this out? I noticed that my certs expired, and it seems this problem is on my opnsense. Last renewal seemed to have happened around the time you created the post.

13
General Discussion / automatic certificate renewal for clients?
« on: October 31, 2021, 08:44:28 pm »
Hi,

I was thinking of a way to get my home intranet service SSL certs automatically renewed. I don't like that all random stuff at home has self-signed certs from some different dummy CA. I would like to establish trust in the OPNSense CA at home, and issue home certs from OPNSense.

But I don't want to do them manually. Is there an automated way for clients to ask for a new cert, and reinstall it when needed? Like what freeipa and certmonger do? There you define the cert in freeipa, and it keeps the cert valid by automatically renewing it. Then clients use certmonger to keep the cert files updated, and services restarted when the cert gets renewed.

Any similar method for OPNSense?

14
High availability / Re: haproxy endpoint monitoring
« on: March 28, 2021, 10:59:26 pm »
Telegraf is the name of the influxdb database where OPNsense sends the data. You can name it as you wish, but you gotta have it. Did you set it up?

15
High availability / Re: haproxy endpoint monitoring
« on: January 04, 2021, 04:20:06 pm »
It seems you need to be logged in to see the attached screenshots and json, in case you wonder what I'm talking about.
