Messages - curioustech

#1
This issue is due to the same VPN IP pool sometimes being used in multiple countries (depending on the server you are connected to).
You can continue to enjoy simultaneous VPN connections to multiple countries until you get to the point where the VPN pool is trying to offer an IP from a pool to which you already have a connection using another client profile.

Check the log to verify this and find a combination of servers that do not run into conflict.
That way your tunnel and its routing remain clean and bug-free.
#2
To make your job easy, I quickly wrote this step-by-step configuration guide for using the Let's Encrypt client on OPNsense to obtain a wildcard cert (one cert for all your servers under the same domain name).
#3
1) Are you sure you have an API key to manage your DNS records programmatically?
Last time I checked with Google support about the same issue, they did not offer an API to populate DNS records programmatically using an API key.

Work Around:
1) I created a free account with http://cloudflare.com/ and listed my Google domain there.
It gave me two Cloudflare DNS servers.

2) After that, I registered my Google domain to use the custom DNS servers of Cloudflare.

3) From your Cloudflare user profile, you will find the Global API Key, which you can configure in the DNS-01 validation method of the Let's Encrypt client, then try to renew the cert.

Tip:

1) Enable SSH access temporarily to your OPNsense and tail -f /var/log/acme.sh.log to see what the Let's Encrypt client is doing and where it's failing.

2) Ensure your key length is 2048. Anything higher doesn't work. I learned this the hard way.

3) If you still have issues, post /var/log/acme.sh.log for us to understand. Don't worry, this log won't have anything confidential in it.
#4
General Discussion / Re: Two subnets
June 15, 2020, 04:18:55 PM

Quote from: anicoletti on June 15, 2020, 04:08:49 PM
Do you have a firewall rule allowing the traffic on LAN? If not, then it won't pass that traffic across since normal LAN traffic just chats to each other, but since the firewall is acting as the bridge between these networks you need to allow it.

This is correct. Can you post a screenshot of Firewall: Rules: LAN?
#5
The following are the perfect steps. The only thing I want to add is order.

Ensure the rule you create in the steps quoted below is sitting on top of the pass LAN rule.


Quote from: Mitheor on June 14, 2020, 03:50:13 PM
Are you sure this device is being allowed to contact other destinations (non 443/TCP) on the Internet?

Could you please upload another screenshot showing it (blur whatever is needed).

If you configure it like:

LAN Interface inbound
Source -> Device IP
Destination -> Invert LAN
Protocol -> ANY
Action -> Block/Drop

And apply, it should work.
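
The ordering point above follows from how OPNsense evaluates rules: top to bottom, first match wins (GUI rules are "quick" by default). The following is an added example, not OPNsense code or anything posted in this thread, that models only that first-match ordering for the quoted rule and the stock "Default allow LAN to any" rule. Addresses and rule names are constructed; states, NAT and interface direction are deliberately not modelled.

```python
"""Why the per-device block rule must sit above the default 'pass LAN' rule.

Added example for this thread, not OPNsense code. OPNsense evaluates the
rules of an interface top-down and the first match decides (GUI rules are
'quick' by default), so this evaluator models only that ordering; states,
NAT and interface direction are left out. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    invert_dst: bool = False     # the GUI's "Destination / Invert" checkbox
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if pkt.src not in rule.src:
        return False
    in_dst = pkt.dst in rule.dst
    return not in_dst if rule.invert_dst else in_dst


def evaluate(rules, pkt: Packet):
    """First matching rule wins; with no match the implicit default deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default deny"


LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
DEVICE = ipaddress.ip_address("192.168.1.50")        # the device to keep off the Internet
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")  # TEST-NET-3, stands in for the Internet

# The rule from the quoted post: source = device, destination = LAN inverted, any protocol, block.
BLOCK_DEVICE = Rule("block device to !LAN", "block",
                    ipaddress.ip_network(f"{DEVICE}/32"), LAN, invert_dst=True)
# The stock 'Default allow LAN to any' rule.
PASS_LAN = Rule("default allow LAN to any", "pass", LAN, ANY)

CORRECT_ORDER = [BLOCK_DEVICE, PASS_LAN]
WRONG_ORDER = [PASS_LAN, BLOCK_DEVICE]   # the block rule is never reached for the device


def verdicts(rules):
    """Evaluate the three flows that show whether the ordering is right."""
    flows = {
        "device->internet": Packet(DEVICE, INTERNET_HOST, "tcp", 443),
        "device->lan-host": Packet(DEVICE, ipaddress.ip_address("192.168.1.10"), "tcp", 22),
        "other->internet": Packet(ipaddress.ip_address("192.168.1.60"), INTERNET_HOST, "tcp", 443),
    }
    return {flow: evaluate(rules, pkt)[0] for flow, pkt in flows.items()}


if __name__ == "__main__":
    print("block rule on top:", verdicts(CORRECT_ORDER))
    print("block rule below: ", verdicts(WRONG_ORDER))
```

With the block rule on top the device still reaches LAN hosts but not the Internet, and other LAN hosts are unaffected; with the pass rule on top the device's Internet traffic matches "Default allow LAN to any" first and the block rule is dead.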

#6
I have exactly the same issue as you have described.
I have posted my outbound rule configuration and the firewall blocking my WG client connection in the post below.

https://forum.opnsense.org/index.php?topic=16667.msg75866#msg75866

If you could kindly share your NAT outbound rule configuration, I would appreciate it.

Thank you.
#7
I followed the instruction as per documentation.
https://wiki.opnsense.org/manual/how-tos/wireguard-client.html

Progress: Using Peer iPad, I am able to connect to WireGuard VPN successfully. (See iPad.log attached)
Issue: To route all the traffic using the WireGuard VPN tunnel only, I configured 0.0.0.0/0 in Allowed IPs. With that I see all the traffic coming to my OPNsense router. However, it's not going out. (See FW_Rule.png and FW_View.png attached)

I think that I have followed instructions correctly as documented in Step 2c - Assignments and Routing.

However, firewall live view suggests that traffic from the client is blocked.

Can someone please guide me on how to correct the firewall rule to allow internal and external access for WireGuard VPN users?
#8
I compared the log of the unsuccessful production environment with the staging environment and learned that it was getting stuck at reading the key.

I changed the key size from 4096 to 2048 and tried again, and this time the Let's Encrypt client worked as expected and I got the wildcard cert key.

The lesson learned here is that the Let's Encrypt client doesn't seem to support a 4096 key.
Perhaps it might support it for a single-server cert, which I have not verified.
However, it definitely didn't work for the wildcard cert request.

I will be submitting a bug report on GitHub because the 4096 key worked for the wildcard cert in the staging environment.

Special thanks to @banym, who shared the KB article that taught me to use DNS validation, because that's the only validation method supported for a wildcard cert.

Also, by studying the article, I learned how the Let's Encrypt client makes API calls to DNS providers to create the TXT record needed to get a wildcard cert.
#10
After chatting with Google Domains support, I learned that Google does not provide an API to create a synthetic TXT DNS record as per the ACME v2 requirement.

So, I changed the DNS server to Cloudflare and after that, using the "CloudFlare.com API", I could obtain a wildcard cert for the staging environment successfully.

So, the next logical step was to change the Let's Encrypt Environment to Production to get a real cert from the Let's Encrypt CA.
So, I went to Services->Let's Encrypt ->Settings-> Let's Encrypt Environment:
From: Staging Environment
To: Production Environment [default]

The Let's Encrypt client is not reading the key length, not creating the key and not doing any processing.

Here are all the log entries for the attempt to obtain a cert for the Production Environment.

[Mon Mar 30 01:05:18 UTC 2020]   ACCOUNT_THUMBPRINT='RemovedMyAccountThubPrint'
[Mon Mar 30 01:05:18 UTC 2020]   Calc CA_KEY_HASH='h28g6IEtI2JC8RGXHixEqIZdykK+x125CDpeQ4HHsuc='
[Mon Mar 30 01:05:18 UTC 2020]   _accUri='https://acme-v02.api.letsencrypt.org/acme/acct/81953603'
[Mon Mar 30 01:05:18 UTC 2020]   Already registered
[Mon Mar 30 01:05:18 UTC 2020]   code='200'
[Mon Mar 30 01:05:18 UTC 2020]   _ret='0'
[Mon Mar 30 01:05:17 UTC 2020]   _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.cRb6rHUS -g '
[Mon Mar 30 01:05:17 UTC 2020]   _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 30 01:05:17 UTC 2020]   POST
[Mon Mar 30 01:05:17 UTC 2020]   _ret='0'
[Mon Mar 30 01:05:14 UTC 2020]   _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.cRb6rHUS -g -I '
[Mon Mar 30 01:05:14 UTC 2020]   _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Mar 30 01:05:14 UTC 2020]   HEAD
[Mon Mar 30 01:05:14 UTC 2020]   payload='{"contact": ["mailto: pranav.raval.usa@gmail.com"], "termsOfServiceAgreed": true}'
[Mon Mar 30 01:05:14 UTC 2020]   url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 30 01:05:14 UTC 2020]   Registering account
[Mon Mar 30 01:05:08 UTC 2020]   RSA key
[Mon Mar 30 01:05:08 UTC 2020]   ACME_VERSION='2'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_AUTHZ
[Mon Mar 30 01:05:08 UTC 2020]   ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Mon Mar 30 01:05:07 UTC 2020]   ret='0'
[Mon Mar 30 01:05:05 UTC 2020]   _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.r1p8ee3j -g '
[Mon Mar 30 01:05:05 UTC 2020]   timeout=
[Mon Mar 30 01:05:05 UTC 2020]   url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 30 01:05:05 UTC 2020]   GET
[Mon Mar 30 01:05:05 UTC 2020]   _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Mon Mar 30 01:05:05 UTC 2020]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 30 01:05:05 UTC 2020]   Using config home:/var/etc/acme-client/home
[Mon Mar 30 01:05:05 UTC 2020]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'

#11
Quote from: banym on March 29, 2020, 08:26:31 PM
https://letsencrypt.org/de/docs/challenge-types/

[Sun Mar 29 18:03:30 UTC 2020] The supported validation types are: dns-01 , but you specified: http-01

Thank you. I now understand that for the wildcard cert renewal, I need to configure the DNS API so that ACME validation can be performed by creating a custom TXT record.

My domain is serviced by Google Domains. "Google Cloud DNS API" is the closest match among the list of available options.

Is there any article or documentation on how to obtain the "JSON Key" to configure this option?
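
The posts above (this one and the later one about how the client "makes API calls to create txt record") describe what the DNS API plugin publishes without showing it. As an added example, not code from OPNsense, acme.sh or anyone in this thread, the following computes the dns-01 TXT record per RFC 8555 (sections 8.1 and 8.4) and RFC 7638 (JWK thumbprint): the record goes to `_acme-challenge.<domain>` with the `*.` of a wildcard identifier dropped, and its value is base64url(SHA-256(token || "." || thumbprint of the account key)). The account key components and the challenge token are constructed placeholders, not real values.

```python
"""Compute the dns-01 TXT record an ACME client publishes for a wildcard name.

Added example for this thread, not code from OPNsense or acme.sh. It follows
RFC 8555 (ACME, sections 8.1 and 8.4) and RFC 7638 (JWK thumbprint). The
account key components and the challenge token are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rsa_jwk_thumbprint(e_b64url: str, n_b64url: str) -> str:
    """RFC 7638: SHA-256 of the JWK's required members, keys sorted, no whitespace."""
    canonical = json.dumps({"e": e_b64url, "kty": "RSA", "n": n_b64url},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint of account key)."""
    return f"{token}.{thumbprint}"


def dns01_record(identifier: str, token: str, thumbprint: str):
    """Return (record name, TXT value) for a dns-01 challenge.

    The TXT value is base64url(SHA-256(key authorization)). For a wildcard
    identifier '*.example.com' the record goes to _acme-challenge.example.com;
    the '*.' label is not part of the record name, so a wildcard and its apex
    share the same record name (and need separate TXT values per challenge).
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(
        key_authorization(token, thumbprint).encode("ascii")).digest()
    return name, b64url(digest)


# Constructed placeholders: e = 65537 as in every common RSA key, and 256
# arbitrary bytes standing in for a 2048-bit modulus (not a usable key).
EXAMPLE_E = b64url((65537).to_bytes(3, "big"))
EXAMPLE_N = b64url(hashlib.sha256(b"constructed modulus").digest() * 8)
EXAMPLE_TOKEN = "constructed-challenge-token-0123456789abcdef"

if __name__ == "__main__":
    thumb = rsa_jwk_thumbprint(EXAMPLE_E, EXAMPLE_N)
    name, value = dns01_record("*.example.com", EXAMPLE_TOKEN, thumb)
    # This is the record the DNS API plugin creates and the CA then queries.
    print(f'{name}. 60 IN TXT "{value}"')
```

The same computation is what a client such as acme.sh does before calling the DNS provider's API; the provider's credentials (the Cloudflare Global API Key mentioned elsewhere in this thread, or a Google Cloud DNS service-account JSON key) only authorize publishing the record, they play no part in its value.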
#12
root@OPNsense:~ # cat /var/log/acme.sh.log
[Sun Mar 29 18:03:25 UTC 2020] HEAD
[Sun Mar 29 18:03:26 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Mar 29 18:03:26 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  -I  '
[Sun Mar 29 18:03:26 UTC 2020] _ret='0'
[Sun Mar 29 18:03:26 UTC 2020] POST
[Sun Mar 29 18:03:27 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Mar 29 18:03:27 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sun Mar 29 18:03:27 UTC 2020] _ret='0'
[Sun Mar 29 18:03:27 UTC 2020] code='201'
[Sun Mar 29 18:03:27 UTC 2020] Le_LinkOrder=' https://acme-v02.api.letsencrypt.org/acme/order/81932777/2822543509'
[Sun Mar 29 18:03:27 UTC 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/81932777/2822543509'
[Sun Mar 29 18:03:27 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/3637170129'
[Sun Mar 29 18:03:27 UTC 2020] payload
[Sun Mar 29 18:03:29 UTC 2020] POST
[Sun Mar 29 18:03:29 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/3637170129'
[Sun Mar 29 18:03:29 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sun Mar 29 18:03:29 UTC 2020] _ret='0'
[Sun Mar 29 18:03:29 UTC 2020] code='200'
[Sun Mar 29 18:03:30 UTC 2020] d='*.homelabusa.com'
[Sun Mar 29 18:03:30 UTC 2020] Getting webroot for domain='*.homelabusa.com'
[Sun Mar 29 18:03:30 UTC 2020] _w='/var/etc/acme-client/challenges'
[Sun Mar 29 18:03:30 UTC 2020] _currentRoot='/var/etc/acme-client/challenges'
[Sun Mar 29 18:03:30 UTC 2020] entry
[Sun Mar 29 18:03:30 UTC 2020] Error, can not get domain token entry *.homelabusa.com
[Sun Mar 29 18:03:30 UTC 2020] The supported validation types are: dns-01 , but you specified: http-01
[Sun Mar 29 18:03:30 UTC 2020] pid
[Sun Mar 29 18:03:30 UTC 2020] No need to restore nginx, skip.
[Sun Mar 29 18:03:30 UTC 2020] _clearupdns
[Sun Mar 29 18:03:30 UTC 2020] dns_entries
[Sun Mar 29 18:03:30 UTC 2020] skip dns.
[Sun Mar 29 18:03:30 UTC 2020] _on_issue_err
[Sun Mar 29 18:03:30 UTC 2020] Please check log file for more details: /var/log/acme.sh.log
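
The two logs quoted in this thread were read by hand: the one above ends with the "supported validation types are: dns-01 , but you specified: http-01" message, and the production attempt registers the account and then stops without ever placing an order. The following is an added example, not OPNsense or acme.sh code, that reads /var/log/acme.sh.log in either chronological or newest-first order, sorts the entries by timestamp, applies those two checks, and masks the account contact address, thumbprint and account URL before the log is pasted into a public forum. The sample logs embedded in it are constructed after the excerpts in this thread; the domain, address and thumbprint in them are placeholders.

```python
"""Triage an OPNsense acme.sh log before posting it for help.

Added example for this thread, not part of OPNsense or acme.sh. It assumes
the entry format shown in the posts: one entry per line,
"[<weekday> <month> <day> <HH:MM:SS> UTC <year>] <message>", in either
chronological or newest-first order.
"""
import re
from datetime import datetime

# Constructed sample modelled on the log excerpts quoted in this thread
# (wildcard order rejected because http-01 was configured). Domain, e-mail,
# account id and thumbprint are placeholders, not values from the posts.
SAMPLE_LOG = """\
[Sun Mar 29 18:03:30 UTC 2020] The supported validation types are: dns-01 , but you specified: http-01
[Sun Mar 29 18:03:30 UTC 2020] Error, can not get domain token entry *.example.com
[Sun Mar 29 18:03:30 UTC 2020] d='*.example.com'
[Sun Mar 29 18:03:27 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Mar 29 18:03:20 UTC 2020] _accUri='https://acme-v02.api.letsencrypt.org/acme/acct/1234567'
[Sun Mar 29 18:03:14 UTC 2020] payload='{"contact": ["mailto: someone@example.com"], "termsOfServiceAgreed": true}'
[Sun Mar 29 18:03:14 UTC 2020] ACCOUNT_THUMBPRINT='AbCdEf0123456789'
[Sun Mar 29 18:03:08 UTC 2020] RSA key
"""

# Constructed sample of a run that registers the account and then stops,
# as described for the production attempt in this thread.
STALLED_LOG = """\
[Mon Mar 30 01:05:05 UTC 2020] Using config home:/var/etc/acme-client/home
[Mon Mar 30 01:05:08 UTC 2020] RSA key
[Mon Mar 30 01:05:14 UTC 2020] Registering account
[Mon Mar 30 01:05:18 UTC 2020] Already registered
"""

ENTRY_RE = re.compile(
    r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) UTC (\d{4})\]\s*(.*)$")
MISMATCH_RE = re.compile(
    r"The supported validation types are: (\S+) , but you specified: (\S+)")
DOMAIN_RE = re.compile(r"^d='([^']+)'$")
NEW_ORDER_RE = re.compile(r"^_post_url='[^']*/new-order'$")


def parse_log(text):
    """Return (timestamp, message) tuples in chronological order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # shell prompt, continuation lines or GUI noise
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}",
                                  "%a %b %d %H:%M:%S %Y")
        entries.append((stamp, m.group(3)))
    return sorted(entries, key=lambda e: e[0])  # stable: ties keep file order


def diagnose(entries):
    """Classify the failure the way the thread worked it out by hand."""
    messages = [msg for _, msg in entries]
    domain = next((DOMAIN_RE.match(msg).group(1)
                   for msg in messages if DOMAIN_RE.match(msg)), None)
    for msg in messages:
        m = MISMATCH_RE.search(msg)
        if m:
            return {"problem": "validation-mismatch", "required": m.group(1),
                    "specified": m.group(2), "domain": domain,
                    "hint": "switch the validation method to the required type"}
    if not any(NEW_ORDER_RE.match(msg) for msg in messages):
        return {"problem": "stalled-before-order", "domain": domain,
                "hint": "the client never POSTed a new order; compare key "
                        "settings with a run that worked (2048-bit RSA here)"}
    return {"problem": "none-recognised", "domain": domain, "hint": ""}


def redact(text):
    """Mask account details before pasting the log into a public forum."""
    text = re.sub(r'mailto:\s*[^"\s]+', "mailto: <redacted>", text)
    text = re.sub(r"ACCOUNT_THUMBPRINT='[^']*'",
                  "ACCOUNT_THUMBPRINT='<redacted>'", text)
    text = re.sub(r"/acme/acct/\d+", "/acme/acct/<redacted>", text)
    return text


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("stalled", STALLED_LOG)):
        print(name, diagnose(parse_log(log)))
    print(redact(SAMPLE_LOG))
```

On the firewall itself, `python3 triage.py < /var/log/acme.sh.log` with `SAMPLE_LOG` swapped for `sys.stdin.read()` gives the same two checks against the live file; the redaction step matters because, as the logs in this thread show, acme.sh records the account contact address, account URL and thumbprint at debug level.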
#13
General Discussion / WireGuard VPN Not Working
March 15, 2020, 08:17:59 PM
I followed the directions from https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I get the following entries in the attached log.

However, my internet traffic is not going via 76.117.73.5.
Also, I tried to connect to the allowed traffic configured on the endpoint on the OPNsense router and can't access it either.
Could you please suggest how I go about fixing it?
#14
Thank you. That worked.
#15
I am unable to boot an ESXi VM using the OPNsense-19.1.4-OpenSSL-vga-amd64.img file.
I even tried to rename the .img file as .iso and it didn't help.
Can someone help me configure an OPNsense VM for ESXi 6.5?