"
Caddy did not start after 25.4.1 update because Caddy fails to start with a no longer available DNS plugin, this also leads to a config error in the Caddy Plugin. I know this was planned due to maintanance effort, but please delay something like this in Business Edition until next major release or place a warning in the patchnotes.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
25.1, 25.4 Series / 25.4.1 and removed DNS providers broke Caddy an Business Edition
August 08, 2025, 08:16:10 PM #2
25.7 Series / Re: Vulnerability detected in security audit
August 02, 2025, 01:06:43 PM #3
25.1, 25.4 Series / Re: Attention: os-caddy-2.0.0 will remove DNS Providers (except Cloudflare)
May 19, 2025, 08:51:50 PM
noooo ;(
Now i have to fight with the buildin ACME Client and Azure DNS-01 again, it just worked with Caddy.
Now i have to fight with the buildin ACME Client and Azure DNS-01 again, it just worked with Caddy.
#4
24.7, 24.10 Series / Re: Business 24.10.2: acme-client version 4.7 contains sftp upload bug
March 31, 2025, 10:56:48 AM
Hi,
i can confirm this issue, we see this on our firewalls, OPNsense created a crashlog for that, i submitted the crash (if this does something).
i can confirm this issue, we see this on our firewalls, OPNsense created a crashlog for that, i submitted the crash (if this does something).
#5
24.7, 24.10 Series / OPNsense 24.10.2_6 corrupting IPSec config?
March 30, 2025, 03:33:13 PM
Hi all,
since yesterday, i have a hell of a ride with my OPNsense Business installations. All of them running 24.10.2_6 and i have massive issues with IPSec connections.
One Firewall is standalone and on another site, i have a pair building an CARP Cluster. Trouble starts as soon i try to edit something on a IPSec connection or just press save in one connection, several connections fail to start, under Status Overview i can see atleast one connection always appear twice, but with the protocol Version "1" instead of IKEv1 or IKEv2. There are some connections that always work and some that always fails since then. For affected connections, i cant see any outgoing traffic on my wan interface, only incoming.
I see a lots of "charon 28998 - [meta sequenceId="18483"] 04[NET] error writing to socket: Network is down" spam in /var/log/ipsec.log
ipsec status show these strange status, these are the entrys without a proper IKE Protokol in the status windows on my screenshot.
(unnamed)[63]: CONNECTING, x.x.x.x[%any]...x.x.x.x[%any]
Same happens to my CARP Cluster, but here it only affects the master firewall where i edit connections. When i make my backup to master, all ipsec connections work fine, even after syncing from the master to my backup, connections still work.
For me it looks like editing IPSec connections corrupts something and break several existing connections.
Surricata is disabled, no filtering software, i can ping all ipsec wan endpoint. Loading an older config before that issue does not help. Atleast my CARP Backup is doing well for now.
I am out of ideas.
since yesterday, i have a hell of a ride with my OPNsense Business installations. All of them running 24.10.2_6 and i have massive issues with IPSec connections.
One Firewall is standalone and on another site, i have a pair building an CARP Cluster. Trouble starts as soon i try to edit something on a IPSec connection or just press save in one connection, several connections fail to start, under Status Overview i can see atleast one connection always appear twice, but with the protocol Version "1" instead of IKEv1 or IKEv2. There are some connections that always work and some that always fails since then. For affected connections, i cant see any outgoing traffic on my wan interface, only incoming.
I see a lots of "charon 28998 - [meta sequenceId="18483"] 04[NET] error writing to socket: Network is down" spam in /var/log/ipsec.log
ipsec status show these strange status, these are the entrys without a proper IKE Protokol in the status windows on my screenshot.
(unnamed)[63]: CONNECTING, x.x.x.x[%any]...x.x.x.x[%any]
Same happens to my CARP Cluster, but here it only affects the master firewall where i edit connections. When i make my backup to master, all ipsec connections work fine, even after syncing from the master to my backup, connections still work.
For me it looks like editing IPSec connections corrupts something and break several existing connections.
Surricata is disabled, no filtering software, i can ping all ipsec wan endpoint. Loading an older config before that issue does not help. Atleast my CARP Backup is doing well for now.
I am out of ideas.
#6
24.7, 24.10 Series / Re: AcmeClient domain validation failed (dns01)
January 23, 2025, 03:45:23 PM
We have the same issue, it stopped working on two OPNsense Firewalls on 27.7.12. ACME complains about invalid key, but the key is correct. We tried changing the key, but no luck.
Maybe a result of "plugins: os-acme-client 4.7[1]" update in 27.7.12. Some certificates inthe first week of the year got successfully updated.
Maybe a result of "plugins: os-acme-client 4.7[1]" update in 27.7.12. Some certificates inthe first week of the year got successfully updated.
#7
Web Proxy Filtering and Caching / Re: Caddy won't start
January 21, 2025, 03:47:55 PM
Restarting syslog-ng didnt help and the file did not appear. I had a free slot to do a short maintanance reboot, now caddy is up again.
#8
Web Proxy Filtering and Caching / Re: Caddy won't start
January 15, 2025, 11:42:28 PM
I also have issues on 24.10.1 with caddy no longer starting. /var/log/caddy/caddy.log shows
Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory
Error: caddy process exited with error: exit status 1
Starting it from console throw the same error:
# caddy run --config /usr/local/etc/caddy/Caddyfile
2025/01/15 22:44:05.709 INFO using config from file {"file": "/usr/local/etc/caddy/Caddyfile"}
2025/01/15 22:44:05.709 WARN No files matching import glob pattern {"pattern": "/usr/local/etc/caddy/caddy.d/*.global"}
2025/01/15 22:44:05.709 WARN No files matching import glob pattern {"pattern": "/usr/local/etc/caddy/caddy.d/*.conf"}
2025/01/15 22:44:05.712 INFO adapted config to JSON {"adapter": "caddyfile"}
Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory
Deleting this the log section from Caddyfile let it start from console, but i prefer to have logs :)
log {
output net unixgram//var/run/caddy/log.sock {
}
format json {
time_format rfc3339
}
}
Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory
Error: caddy process exited with error: exit status 1
Starting it from console throw the same error:
# caddy run --config /usr/local/etc/caddy/Caddyfile
2025/01/15 22:44:05.709 INFO using config from file {"file": "/usr/local/etc/caddy/Caddyfile"}
2025/01/15 22:44:05.709 WARN No files matching import glob pattern {"pattern": "/usr/local/etc/caddy/caddy.d/*.global"}
2025/01/15 22:44:05.709 WARN No files matching import glob pattern {"pattern": "/usr/local/etc/caddy/caddy.d/*.conf"}
2025/01/15 22:44:05.712 INFO adapted config to JSON {"adapter": "caddyfile"}
Error: loading initial config: loading new config: setting up default log: opening log writer using &logging.NetWriter{Address:"unixgram//var/run/caddy/log.sock", DialTimeout:0, SoftStart:false, addr:caddy.NetworkAddress{Network:"unixgram", Host:"/var/run/caddy/log.sock", StartPort:0x0, EndPort:0x0}}: dial unixgram /var/run/caddy/log.sock: connect: no such file or directory
Deleting this the log section from Caddyfile let it start from console, but i prefer to have logs :)
log {
output net unixgram//var/run/caddy/log.sock {
}
format json {
time_format rfc3339
}
}
#9
24.7, 24.10 Series / netdata broken after 24.7.6 update
October 09, 2024, 06:27:29 PM
On two OPNsense machines, netdata was broken after installing 24.7.6. Netdata is no longer starting, it looks like netdata is not properly updated and missing "libprotobuf.so.28.1.0".
"ld-elf.so.1: Shared object "libprotobuf.so.28.1.0" not found, required by "netdata""
I solved it by reinstallating the netdata package from firmware/package, that updated netdata to a new minor version, now it works again.
Installed packages to be UPGRADED:
netdata: 1.43.2_5 -> 1.43.2_6
"ld-elf.so.1: Shared object "libprotobuf.so.28.1.0" not found, required by "netdata""
I solved it by reinstallating the netdata package from firmware/package, that updated netdata to a new minor version, now it works again.
Installed packages to be UPGRADED:
netdata: 1.43.2_5 -> 1.43.2_6
#10
24.7, 24.10 Series / Re: Stuck at update 24.7.6 (no more)
October 09, 2024, 06:21:21 PM
Same here, had to kill crowssec to continue the update.
#11
24.7, 24.10 Series / Re: After Upgrade to 24.7.4 Zerotier not working
September 13, 2024, 02:23:29 PM
Same issue on my end.
I run a Zerotier Tunnel between a OPNsense Business Edition (home) and OPNsense Community running at my hoster. Right after updating to 24.7.4 on the OPNsense Community Edition, Zerotier is dead. Both Zerotier installations are shown as online, but none of the devices can ping each other on their Zerotier IP or any other IP that is routed over this Tunnel.
I try to downgrade my OPNsense to 24.7.3 as a solution for now.
Update: Downgrade with "opnsense-revert -r 27.7.3_1" worked, traffic is fliowing again :)
I run a Zerotier Tunnel between a OPNsense Business Edition (home) and OPNsense Community running at my hoster. Right after updating to 24.7.4 on the OPNsense Community Edition, Zerotier is dead. Both Zerotier installations are shown as online, but none of the devices can ping each other on their Zerotier IP or any other IP that is routed over this Tunnel.
I try to downgrade my OPNsense to 24.7.3 as a solution for now.
Update: Downgrade with "opnsense-revert -r 27.7.3_1" worked, traffic is fliowing again :)
#12
Virtual private networks / Re: ZeroTier sessions from all interfaces?
July 12, 2024, 10:21:13 PM
I think Zerotier does this for multipath, if there are multiple ways out, it uses them. You can add options to ignore certain networks for transport.
try adding this to your zerotier config:
{
"settings": {
"interfacePrefixBlacklist": ["interface1", "interface2"]
}
}
https://docs.zerotier.com/config/#local-configuration-options
try adding this to your zerotier config:
{
"settings": {
"interfacePrefixBlacklist": ["interface1", "interface2"]
}
}
https://docs.zerotier.com/config/#local-configuration-options
#13
24.7, 24.10 Series / Re: Firewall ‣ Aliases: URL: Spamhaus: Create Alias from JSON format
June 24, 2024, 05:17:27 PM
I would like to see json support. Currently i get my Microsoft Azure Service List json with https://github.com/thedxt/IP-Downloader. Love to see something like that in OPNsense.
#14
German - Deutsch / Re: Kea DHCP - Subnetze auf Interfaces verteilen?
May 06, 2024, 02:02:59 PM
Das brauchst du auch nicht, Kea erkennt selber auf welchen Interfaces die Subnetze sind, du musst nur sicherstellen das Kea selber auf die Interfaces aktiviert wurde auf dem DHCP Dienste bereitgestellt werden sollen.
#15
Virtual private networks / Re: [Solved] Port forward WireGuard return traffic through WAN
May 03, 2024, 08:14:48 PM
i am sitting here for 6 hours and try to find the reason why a port forward from a wireguard tunnel (that provides me a static wan ip) to my mailserver does respond to requests coming in from wireguard. That manual firewall rule and settings reply-to saved my day.
I almost went insane.
I almost went insane.
