Messages - ljm42

#1
Development and Code Review / Re: Wireguard in opnsense
December 27, 2018, 07:15:43 AM
The WireGuard plugin is working great on 18.7.9, thanks for this.

Would you consider adding an option to download a .conf file for each client/endpoint?  Even more impressive would be to create a QR code as described here:
  https://wiki.debian.org/Wireguard#A3

Any thoughts to add a widget to the dashboard, similar to the one for OpenVPN?
#2
Well, that was pretty painful.

Thank you @anon000 for posting the fix:
  https://forum.opnsense.org/index.php?topic=9284.msg42322#msg42322

This was a lot harder than it needed to be because I made some mistakes setting up the interfaces in the installer before resetting the password.  Seems like the "reset password" option should be available without having to make any other configuration changes.

The second problem was that I couldn't update from 18.7 to 18.7.1 due to a "package manager is not responding" error. The trick to fixing that was to "Prefer IPv4 over IPv6", thanks @pouakai!
  https://forum.opnsense.org/index.php?topic=9432.msg42741#msg42741
#3
OK I found this thread which looks promising:
  https://forum.opnsense.org/index.php?topic=9284.0
#4
I just upgraded from 18.1.13 to 18.7 (not sure why it didn't go to 18.7.1)

Now when I try to log in as root via the web it says:
  Wrong username or password.
and root via the console:
  Login incorrect

Any thoughts on how I can get back in?

I do have a backup of the xml file

This is similar to this issue:
  https://forum.opnsense.org/index.php?topic=9529.0
except I have a hardware router and not a VM.
#5
Quote from: comet on November 02, 2017, 11:03:39 PM
what I would like to see is the ability to create a list of devices (either identified by IP address or MAC address, whichever is easiest) that are allowed to use upnp (or if it's a deny list, then devices on the list would be denied access to upnp, but an allow list would be much easier to work with for most people since usually only a few devices need upnp).  Any device not listed on the allow list (or specifically denied on a deny list) would not be able to use upnp.

Another newbie here. Apologies in advance if I'm misinterpreting something, but... I think OPNsense already does what you're looking for.

I have 17.7.7 with the UPNP plugin installed.  Under Services -> Universal Plug and Play -> Settings, it looks like you would put a checkmark next to "Default deny" and then fill in up to four exceptions. The help shows the expected format.

If the xbox is at 192.168.1.50, then it looks like the setting would be:
  allow 1024-65535 192.168.1.50 1024-65535
At that point, the xbox should be the only device on the network able to use UPNP.

Or am I missing something?
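
The "Default deny" plus one exception setup described in the post above, modelled as an added example (not code from the post or from OPNsense). It assumes the four-field rule format shown in the post and first-match-wins evaluation, with "Default deny" treated as the fallthrough; the second client address and the port numbers in the sample requests are constructed.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str        # "allow" or "deny"
    ext: range         # external port range
    net: object        # client address or subnet (ipaddress network)
    internal: range    # internal port range

def _ports(field: str) -> range:
    """Parse "3074" or "1024-65535" into an inclusive port range."""
    lo, _, hi = field.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {field!r}")
    return range(lo_i, hi_i + 1)

def parse_rule(line: str) -> Rule:
    """Parse one rule: action, external ports, client IP[/mask], internal ports."""
    action, ext, addr, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action!r}")
    net = ipaddress.ip_network(addr, strict=False)  # bare IP becomes a /32
    return Rule(action, _ports(ext), net, _ports(internal))

def decide(rules, client_ip, ext_port, int_port, default_deny=True) -> bool:
    """Return True if the port-mapping request is permitted (first match wins)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r.net and ext_port in r.ext and int_port in r.internal:
            return r.action == "allow"
    return not default_deny  # assumption: "Default deny" is the fallthrough

# The single exception from the post.
RULES = [parse_rule("allow 1024-65535 192.168.1.50 1024-65535")]

def demo():
    requests = [                        # constructed sample requests
        ("192.168.1.50", 3074, 3074),   # listed device, high ports
        ("192.168.1.77", 3074, 3074),   # unlisted device, same ports
        ("192.168.1.50", 443, 8443),    # listed device, external port below 1024
    ]
    return [decide(RULES, *req) for req in requests]

if __name__ == "__main__":
    print(demo())
```
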
#6
General Discussion / Re: new user feedback
November 04, 2017, 08:32:08 PM
Oh sorry, I didn't see any notifications that there were responses!  Thank you very much for your time.

Thanks for explaining the NetFlow/Insight setting, makes much more sense now :)

Long term it would be great to remove the unused DNS/VPN options from the menu, but it isn't urgent.

If the DNS rebinding exceptions have to remain on the Unbound page, I'd still suggest that they be given a "proper" input box rather than being lumped in the custom area where you have to know the underlying syntax. But it works :) so it probably isn't the most important thing.


I've been reading more and more about the project and it continues to impress. Thanks again to everyone who is working on it!
#7
General Discussion / new user feedback
October 26, 2017, 03:00:41 AM
I thought I'd give some new user feedback on OPNsense in the hopes that it is helpful. This is based on OPNsense 17.7.6

Overall, I am very impressed. There is a lot going on here, but it mostly feels like a cohesive system rather than a collection of parts.  Nicely done :)

In terms of things that could be improved...

* I find myself continually clicking the "full help" button. Can this be persistent? So turn it on, and it stays on as you move throughout the site until you turn it off?

* Once you've chosen to use Unbound, can we remove the option for Dnsmasq? Similarly, is there a way to remove the IPsec VPN option if you only plan to use OpenVPN?

* It is strange to enable "DNS Rebinding Checks" under System -> Settings -> Administration, but then go to Services -> Unbound -> General -> Custom to put in exceptions:
  server:
  private-domain: "plex.direct"
  private-domain: "unraid.net"
It would be more natural if you could add a list of exceptions (in the form of "plex.direct,unraid.net") right after enabling the check, and then have the Dnsmasq/Unbound plugins figure out what to do with the exceptions.

* When configuring NetFlow for use with Insight, what is the appropriate value for "Destinations"? The "full help" suggests an IP with port 2550 whereas the manual suggests 127.0.0.1:2056, but there is no indication of what sort of collector is at the destination and whether it is already installed as part of OPNsense.  As a side topic, once you input 127.0.0.1:2056, the interface won't let you remove it.

* I set up FreeRADIUS per these instructions:
https://wiki.opnsense.org/manual/how-tos/freeradius.html
https://wiki.opnsense.org/manual/how-tos/user-radius.html
https://wiki.opnsense.org/manual/how-tos/user-local.html
but two key pieces of information were missing:
1. You need to set up the OPNsense router as a client on FreeRADIUS before you can use it.
2. After creating a user in FreeRADIUS, you need to create the same user in the local database (with a scrambled password) if you want to integrate with the rest of the system.

In terms of making a more cohesive system, I would really like to see the System -> Access -> Users page have an indicator of some sort specifying whether a given user has a FreeRADIUS account or not, and a link to create/edit one.  And similarly, the Services -> FreeRADIUS -> User list should indicate whether the FreeRADIUS user has a corresponding local account and have a link to create/edit it.

Anyway, many thanks to the development team for all the work you've put into this project. I'm excited to see where it goes!
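
What the `private-domain` exceptions in the post above change, as an added example (a simplified model, not Unbound or OPNsense code): answers carrying private addresses are stripped unless the queried name is one of the listed domains or a subdomain of one. The RFC 1918 ranges used as the protected set, and all query names and addresses in the samples, are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the rebinding check protects the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The exceptions from the post's Unbound custom options.
PRIVATE_DOMAINS = ["plex.direct", "unraid.net"]

def is_exempt(qname: str, private_domains=PRIVATE_DOMAINS) -> bool:
    """True if qname is an exempt domain or a subdomain of one.

    Matching is on label boundaries, so "evilplex.direct" does not
    inherit the exception granted to "plex.direct".
    """
    name = qname.rstrip(".").lower()
    for domain in private_domains:
        domain = domain.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False

def filter_answer(qname: str, addresses, private_domains=PRIVATE_DOMAINS):
    """Return the addresses a resolver with rebinding protection would keep."""
    if is_exempt(qname, private_domains):
        return list(addresses)
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in PRIVATE_NETS):
            kept.append(addr)  # public address: passes the check
    return kept

def demo():
    samples = [  # constructed query names and answers
        ("192-168-1-10.abc123.plex.direct", ["192.168.1.10"]),
        ("rebind.example.test", ["192.168.1.1", "203.0.113.7"]),
        ("evilplex.direct", ["10.0.0.5"]),
    ]
    return [filter_answer(name, addrs) for name, addrs in samples]

if __name__ == "__main__":
    for result in demo():
        print(result)
```
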