Messages - hockey6611

#1
Thanks for the suggestion! I was trying not to complicate things too much. But I was able to get this working, here were my general steps for anyone finding this topic:
#2
Thank you for the feedback and suggestion. I may raise a request for this in the GUI. However, I would also like to try running a cron task for this. I'm stuck pretty early on. I cannot find where the wireguard-tools script reresolve-dns.sh would be installed in OPNsense?
#3
I hope it's not too offensive to resurrect this thread. I found this topic after having the same issue with two dynamic OPNsense endpoints for a site-to-site tunnel.

pfSense has implemented a solution to this with their do-over WireGuard implementation. Hopefully OPNsense would be willing to do something similar. Here is the developer discussing this feature and how it works: https://www.youtube.com/watch?v=kI3xoSGMRuU&start=566&end=907

Has anyone found any other solution for this? One of my dynamic endpoints is remote, so restarting the tunnel is inconvenient when the dynamic IP changes, and the tunnel drops.
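For the cron-based endpoint re-resolution discussed in #2 and #3, here is an added example (my own sketch, not the wireguard-tools reresolve-dns.sh script and not OPNsense's code). It assumes a wg-quick style config file (the OPNsense path below is an assumption) and that `wg` is in PATH when the output is applied:

```shell
#!/bin/sh
# Added example: re-resolve hostname endpoints of WireGuard peers so a
# site-to-site tunnel follows a peer's dynamic IP without restarting the
# interface. Not the upstream reresolve-dns.sh and not OPNsense code.
# Assumed config path on OPNsense: /usr/local/etc/wireguard/wg0.conf
# Cron usage (every minute), assuming this file is /usr/local/bin/wg-reresolve.sh:
#   * * * * * /usr/local/bin/wg-reresolve.sh
#   with, at the bottom of that script:
#   wg_endpoint_cmds /usr/local/etc/wireguard/wg0.conf wg0 | sh

# wg_endpoint_cmds CONF IFACE
# Prints one "wg set IFACE peer KEY endpoint HOST:PORT" line per peer whose
# Endpoint is a hostname; `wg set ... endpoint` resolves the name each time
# it runs. IP-literal endpoints cannot change, so they are skipped.
wg_endpoint_cmds() {
    conf=$1; iface=$2
    awk -v iface="$iface" '
        # value of a "Key = value" line, with surrounding whitespace removed
        function val(s) {
            sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]+$/, "", s)
            return s
        }
        # emit the command for the [Peer] section just finished, if any
        function emit() {
            if (key != "" && ep != "") {
                host = ep; sub(/:[0-9]+$/, "", host)
                # skip bare IPv4 and bracketed IPv6 literals
                if (host !~ /^[0-9.]+$/ && host !~ /^\[/)
                    printf "wg set %s peer %s endpoint %s\n", iface, key, ep
            }
            key = ""; ep = ""
        }
        /^\[/ { emit(); section = $0; next }
        section == "[Peer]" && /^PublicKey[[:space:]]*=/ { key = val($0) }
        section == "[Peer]" && /^Endpoint[[:space:]]*=/  { ep = val($0) }
        END { emit() }
    ' "$conf"
}
```

The upstream script additionally re-resolves only peers whose last handshake is stale (it uses 135 seconds); re-applying an unchanged address with `wg set` does not disturb an established session, so this simpler version is safe to run every minute.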
#4
When a TOTP server is enabled, is there a way to require TOTP for some accounts but not for others?

I noted related thread https://forum.opnsense.org/index.php?topic=9690.msg44232, but this does not address my question.

An admin account would log in with TOTP with full GUI privileges. A user (with only VPN and password manager GUI privileges) would be able to log in without TOTP.

I have found that enabling both Local and Local+TOTP authentication servers allows the admin user to log in both with and without TOTP. When only Local+TOTP is enabled, a user cannot log in.

Is there a way to enable the admin to log in only with TOTP, and still allow the user to log in without TOTP?
#5
General Discussion / Wireguard issues on LAN
June 17, 2020, 10:49:41 PM
I run a Wireguard server on my Opnsense VM, which runs behind my firewall/NAT, which is currently pfsense. I realize this is not ideal and complicates things quite a bit, but this is my setup currently.

Wireguard works perfectly when I am outside of my network. I forward the port from the WAN to my opnsense instance.

However, I cannot seem to get return packets to my client when attempting to connect via the LAN on wifi. This is a particular issue when I am outside my network with WireGuard working on my phone, I return home, and then lose all connectivity until I turn off WireGuard. This has been inconvenient at times, and I hope to have a seamless transition when I come from the WAN to the LAN, without turning off WireGuard.

I have seen multiple ways that this could be addressed, however, nothing has worked so far for me. I do not want to do any split DNS as this would cause other issues for me. I have tried:
- Various port forwarding rules on LAN
- NAT reflection (on pfSense)
- Outbound NAT (on OPNsense)
- 1:1 NAT
- Many combinations of the above settings

Troubleshooting comments:
- When I directly enter the LAN IP of the OPNsense WireGuard server, and I connect from the LAN, I do receive packets, and all appears to work correctly.

Ultimately, as seen in the screenshots below, I think the packets appear to be received by the server, but the response packets seem to not make it back to the client when on the LAN.

https://imgur.com/a/EIwyetG

Has anyone got this working in a similar way? Or have any recommendations that I should try?

Thank you!
#6
Is there a Let's Encrypt Acme page in the documentation site (docs.opnsense.org)? I have been unable to find it. I am wondering if there is an example of "automations" as indicated under the Edit Certificate page. I assume a command to restart webgui and/or haproxy would go here. Any help would be appreciated!
#7
Quote from: franco on January 26, 2018, 07:52:32 AM
By default the GUI listens on all interfaces. But if you have more than a single interface attached (usually a WAN) then WAN access is locked per firewall. Typically, opening a WAN port with a pass rule for 443 TCP is enough to fix this.

On 18.1, the GUI is able to listen on specific interfaces, although it should be said that the former still applies and setting this can be dangerous if you have no way to recover access (console or SSH).
Cheers,
Franco
I previously tried an allow any-to-any rule, and that didn't work. I tried binding the GUI to WAN on 18.1, no luck either. Each time, once I created the openvpn server, via the wizard, I would be unable to connect to the GUI.

Quote from: NOYB on January 26, 2018, 09:36:01 AM
Though I would not do this on a system attached to an untrusted network, e.g. the internet. But it can be handy for a dev environment.

Here was my problem and Franco provided solution.
https://forum.opnsense.org/index.php?topic=7010.0

This solved it for me! Thanks NOYB and franco! I am running the instance behind another NAT firewall to get familiar with OPNsense, hence the single WAN interface. I liked the native TOTP authentication in OPNsense and wanted to try that out with OpenVPN.

Quote from: franco on January 26, 2018, 07:32:58 AM
* Disable reply-to in the firewall rule that you use to pass your access.
Once I did this, I was able to access the GUI after the openvpn server was created. Thanks again!
#8
Any chance you have found a resolution to this? I am testing a virtual install of OPNsense and having the exact same issue.