Messages - superfox

#1
Hey OPNsense people! :-)

As "vbandke" already describes here: https://forum.opnsense.org/index.php?topic=35482.0

I found the same log messages on one of my devices with OPNsense 23.7:


2023-09-11T12:26:39 Warning dpinger Gateway: duplicated entry "WAN_GW_2" in config.xml needs manual removal


Gateway section in config.xml:

  <gateways>
    <gateway_item>
      <interface>wan</interface>
      <gateway>192.168.yyy.zzz</gateway>
      <name>WAN_GW_2</name>
      <priority>255</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval>1</interval>
      <descr>WAN gateway</descr>
      <defaultgw>1</defaultgw>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>192.168.yyy.zzz</gateway>
      <monitor_disable>1</monitor_disable>
      <name>WAN_GW_2</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
    <gateway_item>
      <interface>opt1</interface>
      <gateway>172.xxx.yyy.zzz</gateway>
      <name>vpn-server</name>
      <priority>255</priority>
      <weight>1</weight>
      <ipprotocol>inet</ipprotocol>
      <interval/>
      <descr>vpn-server intern</descr>
      <monitor_disable>1</monitor_disable>
    </gateway_item>
  </gateways>


Versions on my device:

OPNsense 23.7.3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023


Should we be worried about this?
Should something be done about this?
And if so, what exactly?


Greetings.
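
A read-only check for the condition the dpinger warning in the post above reports, added here as an example and not part of the original post or OPNsense's own code: it lists every `<gateway_item>` whose `<name>` occurs more than once, plus the fields in which the duplicates differ. The sample is constructed from the post's fragment (wrapped in an assumed `<opnsense>` root, addresses left masked), and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the <gateways> fragment from the post, compacted,
# wrapped in an assumed <opnsense> root element.
SAMPLE = """<opnsense><gateways>
  <gateway_item>
    <interface>wan</interface><gateway>192.168.yyy.zzz</gateway>
    <name>WAN_GW_2</name><priority>255</priority><weight>1</weight>
    <ipprotocol>inet</ipprotocol><interval>1</interval>
    <descr>WAN gateway</descr><defaultgw>1</defaultgw>
  </gateway_item>
  <gateway_item>
    <descr>Interface WAN Gateway</descr><defaultgw>1</defaultgw>
    <ipprotocol>inet</ipprotocol><interface>wan</interface>
    <gateway>192.168.yyy.zzz</gateway><monitor_disable>1</monitor_disable>
    <name>WAN_GW_2</name><interval>1</interval><weight>1</weight>
  </gateway_item>
  <gateway_item>
    <interface>opt1</interface><gateway>172.xxx.yyy.zzz</gateway>
    <name>vpn-server</name><priority>255</priority><weight>1</weight>
    <ipprotocol>inet</ipprotocol><interval/>
    <descr>vpn-server intern</descr><monitor_disable>1</monitor_disable>
  </gateway_item>
</gateways></opnsense>"""


def gateway_items(xml_text):
    """Return every <gateway_item> as (position, {tag: text}) in document order."""
    root = ET.fromstring(xml_text)
    items = []
    for pos, item in enumerate(root.iter("gateway_item"), start=1):
        fields = {child.tag: (child.text or "").strip() for child in item}
        items.append((pos, fields))
    return items


def find_duplicate_gateways(xml_text):
    """Group entries by <name> and keep only names used more than once."""
    by_name = defaultdict(list)
    for pos, fields in gateway_items(xml_text):
        by_name[fields.get("name", "")].append((pos, fields))
    return {name: ents for name, ents in by_name.items() if len(ents) > 1}


def differing_fields(entries):
    """Tags whose value is not identical (or not present) in every duplicate."""
    tags = set().union(*(fields.keys() for _, fields in entries))
    return sorted(t for t in tags if len({f.get(t) for _, f in entries}) > 1)


def report(xml_text):
    """Build a human-readable summary; nothing in the XML is modified."""
    lines = []
    for name, entries in find_duplicate_gateways(xml_text).items():
        positions = [pos for pos, _ in entries]
        lines.append(f'duplicate gateway "{name}" at gateway_item {positions}')
        for tag in differing_fields(entries):
            values = [f.get(tag, "<absent>") for _, f in entries]
            lines.append(f"  {tag}: {values}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against a copy of a configuration backup, it shows which of the same-named entries carries which settings before anything is removed by hand.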
#2
Virtual private networks / Re: OpenVPN Windows Client 2.6
February 16, 2023, 04:47:45 PM
Got it now... Thanks again :-)

The password dialog is gone after uninstalling 2.6.0 and installing 2.5.8.

I noticed the extra sentence in the release notes regarding the OpenVPN situation. Good work!
#3
Quote from: pmhausen on November 18, 2022, 02:02:36 PM
There is a reason for the wording "All (recommended)". Just leave it at that. The firewall rules will prevent anyone from accessing your Unbound via WAN - unless you specifically allow that.

OK I will try it with this setting. Thanks!
My (successful) workaround until now was restarting Unbound every hour via a scheduled task :-D
#4
Quote from: zyos on November 19, 2022, 08:27:22 AM
If you only want one host to resolve one particular record, would you not be better off doing something with that host's hosts file and simply telling that host what that domain resolves to? Seems like a lot of extra trouble to go to getting the firewall involved, if I understand your use case correctly. If you think the IP might change more often, a little bash script on another machine that can resolve all host names could make the update every 5 minutes or something if you'd with right?



Good point! I have to think about this and speak to the communication partner. Thanks!

I guess there is no other way without actively "filtering" dns request traffic. Then your idea is the easier way.
#5
Virtual private networks / Re: OpenVPN Windows Client 2.6
February 14, 2023, 02:03:38 PM
Thanks for your input franco and tiermutter!
I am not sure if I understand the problem here :-|

Is the problem caused by changes in OpenVPN Client?
I cannot see a change here, but maybe I don't fully understand: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst

I updated my server side (OPNsense) now and exported the VPN configuration - same dialog for password input comes up.
#6
I have a kind of similar problem here on my machine, after updating OpenVPN Windows Client from 2.5.8 to 2.6.0.

I click on "Connect" via the tray icon and enter my username and password, as always.
After clicking "OK" then a (for me) new dialog comes up, asking for Private Key Password. Which password is meant?

I never set a password for the private key. The files were exported via the OPNsense export function.

Quote
Tue Feb 14 10:41:03 2023 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Tue Feb 14 10:41:03 2023 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
Tue Feb 14 10:41:03 2023 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
Tue Feb 14 10:41:03 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Tue Feb 14 10:41:03 2023 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Tue Feb 14 10:41:44 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb 14 10:41:44 2023 OpenSSL: error:0308010C:digital envelope routines::unsupported
Tue Feb 14 10:41:44 2023 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Tue Feb 14 10:41:44 2023 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Tue Feb 14 10:41:44 2023 SIGUSR1[soft,private-key-password-failure] received, process restarting


#7
Virtual private networks / Re: OpenVPN Windows Client 2.6
February 14, 2023, 10:46:29 AM
What exactly is your problem? Can you describe with more details please? :-)
#8
Quote from: PacketChomper on August 31, 2022, 10:43:43 PM
If you know what the answer is going to be (say it's always 172.17.17.1) then you can over-ride the host/domain with a local instance of unbound.
I already did this and added two override entries. Thanks!

Quote from: PacketChomper on August 31, 2022, 10:43:43 PM
Do you mean constrain the request or the answer? Sounds like you mean the answer coming back.

I want to restrict the client's request, so that the client cannot request any hostnames (e.g. from the internet) but _only_ the overrides.
#9
Quote from: franco on November 10, 2022, 09:44:51 AM
Do you have an "interfaces" selected in the Unbound settings? Because it can have these counter-productive effects. ;)


Cheers,
Franco

Under Services: Unbound DNS: General

"Network Interfaces"
I have selected two interfaces. One is the LAN interface. The second is an OVPN-client interface.

"Outgoing Network Interfaces"
No interface is selected, but it shows "All (recommended)".

The question is: Should I select an interface or better leave it unselected with "All (recommended)"?
#10
Quote from: Fright on September 14, 2022, 08:40:51 PM
@superfox
Hi!
can you share last errors from unbound and backend logs at the time when unbound stops please ?

I already shared the logs you mentioned in my initial (first) post. Or do you mean different logs?
If yes, where (in the menu) can I find them exactly?
Thx!
#11
Quote from: axsdenied on September 14, 2022, 07:06:43 PM
At the time it stopped it shows, just before it, "trigger config changed event". Do you know what that event could be?

Nope, no idea what event that could be. How can I find more information about "config changing events"?
#12
Maybe a little map could help here, using your terms. Please complete... :-)


[loc-01_client-network]
|
[location-01-opnsense_vpn-server]
|
|
|
[location-02-opnsense_vpn-client]
|
[loc-02_client-network]


On [loc-02_client-network] you are now able to access servers, printers etc. in [loc-01_client-network]. But the opposite direction does not work?
#13
22.7 Legacy Series / Re: unbound dns stops sporadically
September 12, 2022, 04:11:15 PM
any idea?
anyone?

I have already tried this: reinstall unbound package via System - Firmware - Packages

Is there a way to reset the configuration and maybe temporary files of unbound, without returning whole opnsense to factory settings? 
#14
Hi there

Using the on-board tools of OPNsense: is it possible to limit a host's DNS requests to one specific resource record?

For a network (interface), I can limit the access to Unbound to one host, using a firewall rule. Now I want to limit the DNS requests of this host to one specific resource record, so that this host is only able to resolve, for example, "server.domain.test" to "172.17.17.1", and not anything else.

I think I have to use advanced plugins for this task, but I wanted to ask you guys first :-)
#15
22.7 Legacy Series / unbound dns stops sporadically
August 31, 2022, 01:34:08 PM
Hi community :-)

My unbound dns stops sporadically and then does not restart automatically. If I then start the service manually, it runs again for a while.

Versions


OPNsense 22.7.2-amd64
FreeBSD 13.1-RELEASE-p1
OpenSSL 1.1.1q 5 Jul 2022

unbound 1.16.2



What I have found so far:

System: Log Files: Backend


2022-08-31T12:43:49 Error configd.py [7b7b624c-2a32-4a1d-a8e5-4fa4875f837b] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:43:49 Notice configd.py [7b7b624c-2a32-4a1d-a8e5-4fa4875f837b] request Unbound status
2022-08-31T12:43:46 Notice configd.py [7c06539d-ae9d-493f-a696-3567b07ca28b] system status
2022-08-31T12:43:46 Error configd.py [45b92ad9-45f4-41ea-ac69-5b73abb033c3] Script action failed with Command '/usr/local/opnsense/scripts/unbound/wrapper.py -s ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 482, in execute subprocess.check_call(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/unbound/wrapper.py -s ' returned non-zero exit status 1.
2022-08-31T12:43:45 Notice configd.py [45b92ad9-45f4-41ea-ac69-5b73abb033c3] loading stats
2022-08-31T12:43:45 Error configd.py [76f8a633-fc77-48c3-b780-22d35cd7f195] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:43:45 Notice configd.py [76f8a633-fc77-48c3-b780-22d35cd7f195] request Unbound status
2022-08-31T12:43:44 Notice configd.py [167990da-81ff-4444-a836-64888bf0dc2b] system status
2022-08-31T12:43:44 Error configd.py [b91649df-08e7-4c7b-ab44-56f93c73e1a2] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:43:44 Notice configd.py [b91649df-08e7-4c7b-ab44-56f93c73e1a2] request Unbound status
2022-08-31T12:42:59 Notice configd.py [ad177214-9b91-4306-ad14-07d52072d6af] system status
2022-08-31T12:42:59 Error configd.py [bd2096a6-cccf-402d-ae98-55dd7a89b814] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:42:59 Notice configd.py [bd2096a6-cccf-402d-ae98-55dd7a89b814] request Unbound status
2022-08-31T12:42:58 Notice configd.py [040d5049-8d73-4d63-bf0d-5fa7567881e6] system status
2022-08-31T12:42:58 Error configd.py [680fff2f-f3d3-48cd-95d4-9dfdf5396b17] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:42:58 Notice configd.py [680fff2f-f3d3-48cd-95d4-9dfdf5396b17] request Unbound status
2022-08-31T12:42:56 Notice configd.py [4e20584a-dc7d-450b-a923-1f6d4e857726] system status
2022-08-31T12:42:53 Notice configd.py [d7de2405-b080-4f7e-83b2-f2f7a4bbe062] system status
2022-08-31T12:42:41 Notice configd.py [1a26828b-555f-4d1a-9dc4-e79e253a3889] system status
2022-08-31T12:42:41 Error configd.py [c54d0619-d8db-4189-a815-1975b4d19194] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:42:41 Notice configd.py [c54d0619-d8db-4189-a815-1975b4d19194] request Unbound status
2022-08-31T12:41:58 Notice configd.py [d6f3afb4-60f9-4c96-b62f-a37c3c768559] system status
2022-08-31T12:41:56 Notice configd.py [ea1acff8-5d8f-40f5-ab12-c07e3d4ea9f4] system status
2022-08-31T12:41:54 Notice configd.py [bae352de-b0e2-4039-8796-2b7f55eb15ed] system status
2022-08-31T12:41:52 Error configd.py [7f1af965-bf67-4b82-8daf-abba38ed3489] Script action stderr returned "b'pgrep: Cannot get process list (kvm_getprocs: No such process)'"
2022-08-31T12:41:52 Notice configd.py [7f1af965-bf67-4b82-8daf-abba38ed3489] request Unbound status
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //usr/local/etc/unbound_dhcpd.conf
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //var/unbound/root.hints
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //usr/local/etc/unbound.opnsense.d/miscellaneous.conf
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //usr/local/etc/unbound.opnsense.d/domainoverrides.conf
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //var/unbound/private_domains.conf
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //usr/local/etc/unbound.opnsense.d/dot.conf
2022-08-31T12:41:52 Debug configd.py OPNsense/Unbound/* generated //tmp/unbound-blocklists.conf
2022-08-31T12:41:52 Notice configd.py generate template container OPNsense/Unbound/core
2022-08-31T12:41:52 Notice configd.py [39d8922f-9fe9-454e-a070-05f62ef0f05a] generate template OPNsense/Unbound/*
2022-08-31T12:41:51 Notice configd.py [19c6d916-5719-4ab6-a209-21f3bdb615f2] Stopping Unbound
2022-08-31T12:41:50 Notice configd.py [c2a777f2-e762-4c13-87b6-f6a6600a3bf0] trigger config changed event
2022-08-31T12:41:44 Notice configd.py [961760b8-2ef5-4a60-881b-f3f361f1db58] system status
2022-08-31T12:41:43 Notice configd.py [39027822-e5fe-417f-8acc-73991a3607da] request Unbound status



Services: Unbound DNS: Log File


2022-08-31T12:41:51 Informational unbound [72587:0] info: 1.000000 2.000000 8
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.524288 1.000000 34
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.262144 0.524288 171
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.131072 0.262144 549
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.065536 0.131072 544
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.032768 0.065536 868
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.016384 0.032768 987
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.008192 0.016384 716
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.004096 0.008192 2
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.002048 0.004096 3
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.001024 0.002048 4
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000512 0.001024 2
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000000 0.000001 441
2022-08-31T12:41:51 Informational unbound [72587:0] info: lower(secs) upper(secs) recursions
2022-08-31T12:41:51 Informational unbound [72587:0] info: [25%]=0.0154029 median[50%]=0.0331266 [75%]=0.0924913
2022-08-31T12:41:51 Informational unbound [72587:0] info: histogram of recursion processing times
2022-08-31T12:41:51 Informational unbound [72587:0] info: average recursion processing time 0.073326 sec
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 3: requestlist max 19 avg 0.269115 exceeded 0 jostled 0
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 3: 4721 queries, 392 answers from cache, 4329 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2022-08-31T12:41:51 Informational unbound [72587:0] info: 1.000000 2.000000 8
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.524288 1.000000 27
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.262144 0.524288 180
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.131072 0.262144 568
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.065536 0.131072 485
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.032768 0.065536 857
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.016384 0.032768 996
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.008192 0.016384 727
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.004096 0.008192 6
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.002048 0.004096 5
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.001024 0.002048 3
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000512 0.001024 1
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000128 0.000256 1
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000000 0.000001 426
2022-08-31T12:41:51 Informational unbound [72587:0] info: lower(secs) upper(secs) recursions
2022-08-31T12:41:51 Informational unbound [72587:0] info: [25%]=0.0152966 median[50%]=0.032439 [75%]=0.0919531
2022-08-31T12:41:51 Informational unbound [72587:0] info: histogram of recursion processing times
2022-08-31T12:41:51 Informational unbound [72587:0] info: average recursion processing time 0.073108 sec
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 2: requestlist max 20 avg 0.268531 exceeded 0 jostled 0
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 2: 4698 queries, 408 answers from cache, 4290 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2022-08-31T12:41:51 Informational unbound [72587:0] info: 2.000000 4.000000 1
2022-08-31T12:41:51 Informational unbound [72587:0] info: 1.000000 2.000000 6
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.524288 1.000000 36
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.262144 0.524288 175
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.131072 0.262144 533
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.065536 0.131072 504
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.032768 0.065536 844
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.016384 0.032768 925
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.008192 0.016384 730
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.004096 0.008192 5
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.002048 0.004096 1
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.001024 0.002048 1
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000000 0.000001 457
2022-08-31T12:41:51 Informational unbound [72587:0] info: lower(secs) upper(secs) recursions
2022-08-31T12:41:51 Informational unbound [72587:0] info: [25%]=0.0148185 median[50%]=0.0325909 [75%]=0.0916074
2022-08-31T12:41:51 Informational unbound [72587:0] info: histogram of recursion processing times
2022-08-31T12:41:51 Informational unbound [72587:0] info: average recursion processing time 0.073665 sec
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 1: requestlist max 24 avg 0.227596 exceeded 0 jostled 0
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 1: 4638 queries, 420 answers from cache, 4218 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2022-08-31T12:41:51 Informational unbound [72587:0] info: 1.000000 2.000000 9
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.524288 1.000000 45
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.262144 0.524288 181
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.131072 0.262144 537
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.065536 0.131072 552
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.032768 0.065536 869
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.016384 0.032768 1003
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.008192 0.016384 747
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.004096 0.008192 7
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.002048 0.004096 1
2022-08-31T12:41:51 Informational unbound [72587:0] info: 0.000000 0.000001 442
2022-08-31T12:41:51 Informational unbound [72587:0] info: lower(secs) upper(secs) recursions
2022-08-31T12:41:51 Informational unbound [72587:0] info: [25%]=0.0153011 median[50%]=0.0327108 [75%]=0.0923381
2022-08-31T12:41:51 Informational unbound [72587:0] info: histogram of recursion processing times
2022-08-31T12:41:51 Informational unbound [72587:0] info: average recursion processing time 0.074328 sec
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 0: requestlist max 22 avg 0.307307 exceeded 0 jostled 0
2022-08-31T12:41:51 Informational unbound [72587:0] info: server stats for thread 0: 4835 queries, 442 answers from cache, 4393 recursions, 0 prefetch, 0 rejected by ip ratelimiting
2022-08-31T12:41:51 Informational unbound [72587:0] info: service stopped (unbound 1.16.2).
2022-08-29T12:48:00 Informational unbound [72587:0] info: start of service (unbound 1.16.2).
2022-08-29T12:47:59 Notice unbound [72587:0] notice: init module 0: iterator