
Messages - Cerberus

#1
The fix is now in 25.10_2. Authentik works now with "profile email" scope.
#2
Hi,

May I ask which OpenID provider you managed to get working? With Keycloak and Authentik we have had no luck here. Entra ID is next on our list.
#3
I have the same issue with authentik (https://forum.opnsense.org/index.php?topic=48884.msg250257#msg250257).

I was surprised there is no claim field in OPNsense and suspect that OPNsense does not request the correct claims.
#4
Quote from: Monviech (Cedrik) on October 16, 2025, 08:21:29 PM
We tested it with Azure and JumpCloud, it should work with any OpenID Connect certified identity provider.

I use Authentik on my private OPNsense (Business Edition) and plan to use Entra ID (Azure) on our company OPNsense for WAF, let's see if this behaves differently.
#5
Anyone having luck with the new SSO feature?

I tried to set up OIDC with Authentik for admin UI login. It forwards to Authentik, does the auth and jumps back to OPNsense: no login, no error, just the login mask of OPNsense. I enabled "Extensive log (debug)" in OPNsense, but there is absolutely nothing in any of the logs (audit, backend, general, web).

Update:
Got more log information by looking in /var/log/audit/latest.log

Got two lines that contain this:

... OIDC requestUserInfo received --> ...
... Successful login for user '' from: ...

Looks like there is no username. The token provides email and preferedUsername, I tried both, but OPNsense shows just ''.
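Added example, not OPNsense or Authentik code: it models why an OIDC login can end with an empty username (a "Successful login for user ''" line as quoted above) and the check a relying party should make instead. The scope-to-claims table is the standard one from OpenID Connect Core 1.0 section 5.4; the identity provider, the userinfo response and the identity record are constructed stand-ins, and the function names are hypothetical.

```python
"""Added example (not OPNsense or Authentik code): why an OIDC login can
end with an empty username, and the check that should refuse it.

OpenID Connect Core 1.0 section 5.4 defines which claims each scope asks
for; an IdP may omit claims the client did not request. If the relying
party maps its username to a claim that was never requested, the mapping
yields '' and a naive implementation logs a successful login for user ''.
"""
from __future__ import annotations

# Standard scope -> claims mapping from OIDC Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


class ClaimMappingError(ValueError):
    """Raised when the configured username claim is missing or empty."""


def requested_claims(scope: str) -> set[str]:
    """Return the claims a space-separated scope string asks the IdP for."""
    claims: set[str] = set()
    for s in scope.split():
        claims |= SCOPE_CLAIMS.get(s, set())
    return claims


def simulate_userinfo(scope: str, identity: dict) -> dict:
    """Constructed stand-in for an IdP userinfo endpoint: it only returns the
    claims the client requested via scope (common, spec-compliant behaviour)."""
    allowed = requested_claims(scope)
    return {k: v for k, v in identity.items() if k in allowed}


def resolve_username(userinfo: dict, username_claim: str) -> str:
    """Map the userinfo response to a local username, refusing empty values
    instead of returning '' (which would later appear as a login for user '')."""
    value = userinfo.get(username_claim)
    if not isinstance(value, str) or not value.strip():
        raise ClaimMappingError(
            f"claim {username_claim!r} missing or empty in userinfo; "
            f"present claims: {sorted(userinfo)}"
        )
    return value.strip()


def check_scope_covers_claim(scope: str, username_claim: str) -> bool:
    """Configuration-time check: does the requested scope even ask for the
    claim the username is mapped to?"""
    return username_claim in requested_claims(scope)


# Constructed identity record, as an IdP such as Authentik would hold it.
IDENTITY = {
    "sub": "sub-0001-constructed",
    "preferred_username": "cerberus",
    "email": "cerberus@example.invalid",
    "name": "Cerberus",
}


def login_attempt(scope: str, username_claim: str) -> str | None:
    """Run the flow end to end; return the username, or None if login is refused."""
    if not check_scope_covers_claim(scope, username_claim):
        # Misconfiguration caught before any token exchange happens.
        return None
    userinfo = simulate_userinfo(scope, IDENTITY)
    try:
        return resolve_username(userinfo, username_claim)
    except ClaimMappingError:
        return None


if __name__ == "__main__":
    # Only "openid" requested: preferred_username is never returned -> refused.
    print(login_attempt("openid", "preferred_username"))
    # "openid profile email" requested: the claim is present -> "cerberus".
    print(login_attempt("openid profile email", "preferred_username"))
```

The two checks are deliberately separate: `check_scope_covers_claim` catches the misconfiguration when the provider is saved, before a single redirect happens, while `resolve_username` is the runtime guard that turns a missing or blank identifier into a refused login rather than a session for an empty user.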
#6
Caddy did not start after the 25.4.1 update because Caddy fails to start with a no longer available DNS plugin, which also leads to a config error in the Caddy plugin. I know this was planned due to maintenance effort, but please delay something like this in Business Edition until the next major release or place a warning in the patch notes.
#8
noooo ;(

Now I have to fight with the built-in ACME client and Azure DNS-01 again, it just worked with Caddy.
#9
Hi,

I can confirm this issue, we see this on our firewalls. OPNsense created a crash log for that, I submitted the crash (if this does something).
#10
Hi all,

Since yesterday, I have had a hell of a ride with my OPNsense Business installations. All of them are running 24.10.2_6 and I have massive issues with IPsec connections.

One firewall is standalone, and on another site I have a pair forming a CARP cluster. Trouble starts as soon as I try to edit something on an IPsec connection or just press save in one connection: several connections fail to start, and under Status Overview I can see at least one connection always appearing twice, but with the protocol version "1" instead of IKEv1 or IKEv2. There are some connections that always work and some that always fail since then. For affected connections, I can't see any outgoing traffic on my WAN interface, only incoming.

I see a lot of "charon 28998 - [meta sequenceId="18483"] 04[NET] error writing to socket: Network is down" spam in /var/log/ipsec.log

ipsec status shows these strange statuses; these are the entries without a proper IKE protocol in the status window on my screenshot.

  (unnamed)[63]: CONNECTING, x.x.x.x[%any]...x.x.x.x[%any]

The same happens to my CARP cluster, but here it only affects the master firewall where I edit connections. When I make my backup the master, all IPsec connections work fine, and even after syncing from the master to my backup, connections still work.

For me it looks like editing IPsec connections corrupts something and breaks several existing connections.

Suricata is disabled, there is no filtering software, and I can ping all IPsec WAN endpoints. Loading an older config from before that issue does not help. At least my CARP backup is doing well for now.

I am out of ideas.
#11
We have the same issue, it stopped working on two OPNsense firewalls on 27.7.12. ACME complains about an invalid key, but the key is correct. We tried changing the key, but no luck.

Maybe a result of the "plugins: os-acme-client 4.7[1]" update in 27.7.12. Some certificates in the first week of the year got successfully updated.
#12
Web Proxy Filtering and Caching / Re: Caddy won't start
January 21, 2025, 03:47:55 PM
Restarting syslog-ng didn't help and the file did not appear. I had a free slot to do a short maintenance reboot, now Caddy is up again.
#13
Web Proxy Filtering and Caching / Re: Caddy won't start
January 15, 2025, 11:42:28 PM
I also have issues on 24.10.1 with Caddy no longer starting. /var/log/caddy/caddy.log shows

Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory
Error: caddy process exited with error: exit status 1

Starting it from the console throws the same error:

# caddy run --config /usr/local/etc/caddy/Caddyfile
2025/01/15 22:44:05.709 INFO    using config from file  {"file": "/usr/local/etc/caddy/Caddyfile"}
2025/01/15 22:44:05.709 WARN    No files matching import glob pattern   {"pattern": "/usr/local/etc/caddy/caddy.d/*.global"}
2025/01/15 22:44:05.709 WARN    No files matching import glob pattern   {"pattern": "/usr/local/etc/caddy/caddy.d/*.conf"}
2025/01/15 22:44:05.712 INFO    adapted config to JSON  {"adapter": "caddyfile"}
Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory

Deleting this log section from the Caddyfile lets it start from the console, but I prefer to have logs :)

        log {
                output net unixgram//var/run/caddy/log.sock {
                }
                format json {
                        time_format rfc3339
                }
        }
#14
On two OPNsense machines, netdata was broken after installing 24.7.6. Netdata is no longer starting; it looks like netdata was not properly updated and is missing "libprotobuf.so.28.1.0".

"ld-elf.so.1: Shared object "libprotobuf.so.28.1.0" not found, required by "netdata""

I solved it by reinstalling the netdata package from Firmware/Packages, which updated netdata to a new minor version, now it works again.

Installed packages to be UPGRADED:
   netdata: 1.43.2_5 -> 1.43.2_6
#15
Same here, had to kill CrowdSec to continue the update.