Messages - lagus

#1
Okay..  :)

I had no better option as they don't play that nice with dynamic public IPs (4G connection).
WireGuard accepts and runs with a dynamically updated FQDN.

Many thanks 👍
#2
Quote from: mimugmail on March 06, 2022, 07:26:13 AM
FreeBSD is a bit more of a diva

No ***, yeah, that was the error.
No error message, no notification, just won't start.
This is unfortunately stuff that is pushing users (less experienced) to other solutions.

Thank you so very much for your help mimugmail!
This fixed it for both my appliances and it's now working correctly!
#3
root@muminpappa:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.19.16/28 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 192.168.10.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
root@muminpappa:~ #
#4
Local and Endpoint configurations attached.
Thanks for looking at it.
#5
Dear all,

Just updated to:
OPNsense 22.1.2_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021

I had already previously had trouble getting the WireGuard interface up.
Is it somehow colliding with the OpenVPN service? (No OpenVPN configured, but IPsec is on my appliance.)
I am unfortunately unable to get any logs from the process.

$ wg showconf wg0
Unable to access interface: Device not configured
$ /usr/local/etc/rc.d/wireguard status
Unable to access interface: Device not configured
$
This is from SYSTEM: LOG FILES: GENERAL:
2022-03-03T21:47:48 Error opnsense /usr/local/etc/rc.bootup: Unable to configure non-existent interface opt4 (wg0)
2022-03-03T21:47:48 Error opnsense /usr/local/etc/rc.bootup: Executed inline creation of non-existent interface opt4 (wg0)
2022-03-03T21:47:48 Notice opnsense plugins_configure openvpn_prepare (execute task : openvpn_prepare(,wg0))
2022-03-03T21:47:48 Notice opnsense plugins_configure openvpn_prepare (,wg0)
2022-03-03T15:49:14 kernel wg0: link state changed to DOWN
2022-03-03T15:49:13 kernel tun0: changing name to 'wg0'
2022-03-03T15:17:24 kernel wg0: link state changed to DOWN
2022-03-03T15:17:24 kernel tun0: changing name to 'wg0'
2022-03-03T15:16:04 opnsense[34308] /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'wg0' -staticarp' returned exit code '1', the output was 'ifconfig: interface wg0 does not exist'
2022-03-03T15:16:04 opnsense[34308] /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'wg0' inet6 -accept_rtadv' returned exit code '1', the output was 'ifconfig: interface wg0 does not exist'
2022-03-03T15:16:04 opnsense[34308] plugins_configure openvpn_prepare (execute task : openvpn_prepare(,wg0))
2022-03-03T15:16:04 opnsense[34308] plugins_configure openvpn_prepare (,wg0)
2022-03-03T13:44:01 kernel wg0: link state changed to DOWN
2022-03-03T13:44:01 kernel tun0: changing name to 'wg0'
2022-03-03T13:43:51 kernel wg0: link state changed to DOWN
2022-03-03T13:43:51 kernel tun0: changing name to 'wg0'
2022-03-03T13:41:06 opnsense[33410] /interfaces.php: The command '/usr/sbin/arp -d -i 'wg0' -a > /dev/null 2>&1' returned exit code '1', the output was ''
2022-03-03T13:41:06 opnsense[33410] /interfaces.php: The command '/sbin/ifconfig 'wg0' -staticarp' returned exit code '1', the output was 'ifconfig: interface wg0 does not exist'
2022-03-03T13:41:04 opnsense[33410] /interfaces.php: The command '/sbin/ifconfig 'wg0' inet6 -accept_rtadv' returned exit code '1', the output was 'ifconfig: interface wg0 does not exist'
2022-03-03T13:41:04 opnsense[33410] plugins_configure openvpn_prepare (execute task : openvpn_prepare(,wg0))
What is wrong?
#6
19.7 Legacy Series / Re: IPsec traffic disappearing?!
December 30, 2019, 08:41:46 AM
Nothing?

#7
19.7 Legacy Series / IPsec traffic disappearing?!
December 20, 2019, 03:06:28 PM
I have built and set up a site-to-site routed IPsec between an Edgerouter X (Left) and an OPNsense (Right) (19.7.2).

Traffic from Left to Right works, as does Left-side LAN to Right-side LAN.
Right side to Left side also works if I ping from the IPsec interface or "default"; however, pinging from the LAN interface on the right side to the IPsec endpoint on the left, I get:

# /sbin/ping -S '192.168.11.1' -c '3' '192.168.10.19'
PING 192.168.10.19 (192.168.10.19) from 192.168.11.1: 56 data bytes

--- 192.168.10.19 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied

I'm at a loss and don't know how to continue.
I have had very similar problems in the past and re-installed; it did not resolve my problem.

Where should I start troubleshooting?
Please help and/or let me know the information you need in order to understand the issue better.

Many thanks,
Regards,
//Robert
#8
I have two instances running OPNsense:

1.
Virtual ESXi
Forwards to Knyttet

2.
Netgate SG-4860

I have quite some problems regarding IPsec (as in my previous question), but I am starting out with a simpler issue that may in the end possibly be related.

I have my SSH port forwarded through, as you see, on a non-standard port.
On one OPNsense this is working perfectly; on the other one it isn't.

What can be wrong?
Screenshots from the two:

Number 1: (Port-forward & FW rule)
https://ibb.co/njm6f8Y
https://ibb.co/Vjzmjf0

Number 2: (Port-forward & FW rule)
https://ibb.co/c1n2KYR
https://ibb.co/qjvDckL
#9
Hi,

I'm having issues with an IPsec tunnel causing issues going out from OPNsense.
It's a newly setup instance on a Netgate SG-4860 running OPNsense 19.7.2-amd64, FreeBSD 11.2-RELEASE-p12-HBSD, OpenSSL 1.0.2s 28 May 2019, Serial version.
Remote network: 192.168.2.0/24 Local network: 192.168.11.0/24

  • I'm able to ping the remote host network from the IPsec interface
  • I get "ping: sendto: Permission denied" pinging from the LAN interface on OPNsense
  • Devices on the local side get "Request timed out" pinging the remote network
  • Firewall config should be open for all: LAN https://imgur.com/a/Sg70N94 IPsec: https://imgur.com/a/AG6ynhe Tunnel Interface: https://imgur.com/a/AG6ynhe
  • Remote side seems to be working without any trouble to local but local to remote
  • I have pure IPsec rules, no IPsec interface (except the tunnel-specific interfaces)
  • Currently two tunnels configured, where one is currently down

I had to manually edit these from being 0.0.0.0/0 in the following config file.

  rightsubnet = 192.168.2.0/24
  leftsubnet = 192.168.11.0/24
/usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no


  left = REDACTED
  right = REDACTED

  leftid = REDACTED
  ikelifetime = 28800s
  lifetime = 43200s
  ike = aes128-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = REDACTED
  reqid = 1000
  rightsubnet = 192.168.2.0/24
  leftsubnet = 192.168.11.0/24
  esp = aes256-sha1-modp2048,aes256-sha256-modp2048,3des-sha1-modp2048,3des-sha256-modp2048!
  auto = route


Why do you think it is not working? Let me know if you need to understand anything else in the setup.
There seems to be something strange when I have to manually edit the left|rightsubnet into the configuration...?
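As an added example (not from this thread or the OPNsense project), a small Python script that parses a strongSwan-style ipsec.conf like the one quoted above and flags the things a reviewer would want to check in it: a leftsubnet/rightsubnet of 0.0.0.0/0 (the value the poster had to hand-edit) and ike/esp proposals that still include 3des or sha1. The sample configuration and its addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the shape of the generated ipsec.conf quoted above;
# endpoint addresses are documentation ranges, not real peers.
SAMPLE_IPSEC_CONF = """\
# This file is automatically generated. Do not edit
config setup
  uniqueids = yes

conn con1
  aggressive = no
  keyexchange = ikev1
  left = 203.0.113.10
  right = 198.51.100.20
  leftauth = psk
  rightauth = psk
  rightsubnet = 0.0.0.0/0
  leftsubnet = 192.168.11.0/24
  esp = aes256-sha1-modp2048,3des-sha1-modp2048!
  auto = route
"""

WEAK_ALGS = {"3des", "des", "md5", "sha1", "modp768", "modp1024", "null"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn X' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line starts a section
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_conn(name, conn):
    """List findings for one conn section: catch-all subnets and weak proposals."""
    findings = []
    for side in ("leftsubnet", "rightsubnet"):
        net = conn.get(side, "")
        try:
            if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(f"{name}: {side} = {net} matches everything, not just one LAN")
        except ValueError:
            findings.append(f"{name}: {side} = {net!r} is not a CIDR network")
    for key in ("ike", "esp"):
        for proposal in filter(None, conn.get(key, "").rstrip("!").split(",")):
            weak = WEAK_ALGS.intersection(re.split(r"[-_]", proposal.lower()))
            if weak:
                findings.append(f"{name}: {key} proposal '{proposal}' uses weak {sorted(weak)}")
    return findings


def audit(text):
    """Run audit_conn over every 'conn' section of an ipsec.conf text."""
    conns = {k: v for k, v in parse_ipsec_conf(text).items() if k.startswith("conn ")}
    return [f for name, conn in conns.items() for f in audit_conn(name, conn)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPSEC_CONF):
        print(finding)
```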
#10
18.7 Legacy Series / Route Error with several VPN's
January 29, 2019, 08:59:09 AM
Hello,

I'm trying to switch 100% from another BSD firewall to this one.
Unfortunately, strange behaviours on the routing side prohibit me from fully embracing this one.
I can't (with my limited knowledge) say if this is a bug (I believe it is) or if this is just me and it's user error.

So, to start out with the scenario:
OPNsense running in a VM on an ESXi host.
Interfaces currently configured
https://ibb.co/6gVBMQc


IOT net = IOT devices
PIASE = PrivateInternetAccess OpenVPN
All internal traffic is running on LAN.

I change the gateway with FW rules to route some LAN/IOT traffic out via the ISP or through my VPN provider (PIASE).

I have been trying to connect my FW to another one over IPsec. I manage to get the tunnel up and "running",
but I am unable to get any traffic through it (e.g. pinging the GW's local IP on the other side).
When I'm checking the routes under System > Routes > Status and looking at the local subnet on the other side:
https://ibb.co/6HjNzNJ
It displays the PIA GW, not the IPsec gateway?

To add to the mystery I also have troubles creating a Let's Encrypt SSL certificate due to the error message:

[Tue Jan 29 09:43:19 EET 2019] checking
[Tue Jan 29 09:43:20 EET 2019] GET
[Tue Jan 29 09:43:20 EET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/a_TNDvMX4Rzj5vEgCS2HzwUEDSY2uB-i-REDACTED/11997528332'
[Tue Jan 29 09:43:20 EET 2019] timeout=
[Tue Jan 29 09:43:20 EET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 09:43:21 EET 2019] ret='0'
[Tue Jan 29 09:43:21 EET 2019] REDACTED.net:Verify error:Fetching http://REDACTED.net/.well-known/acme-challenge/J5Bc_vqoO5guim5ZGITwk3aRTCdHp0_REDACTED: Timeout during connect (likely firewall problem)

(HA Validation method)

I'm starting to suspect that this is because the FW uses the PIASE interface and asks for returning connections on the validation method; can this be true? I cannot see any blocked connection requests in the FW log.
I have checked the WAN rules over and over again to allow incoming connections on ports 443 & 80:
https://ibb.co/z5HMcR5

A Traceroute shows:
traceroute acme-v01.api.letsencrypt.org
traceroute to e14990.dscx.akamaiedge.net (2.19.125.202), 64 hops max, 40 byte packets
1  10.16.11.1 (10.16.11.1)  40.593 ms  42.192 ms  45.477 ms
2  vl-404.pe1.sto1.se.portlane.net (46.246.29.129)  44.590 ms  28.450 ms  27.204 ms
3  be-4.cr1.sto1.se.portlane.net (80.67.4.192)  29.515 ms  16.969 ms  16.341 ms
4  netnod-ix-ge-a-sth-1500.akamai.com (194.68.123.170)  19.279 ms  37.166 ms  19.617 ms
I will also add another OpenVPN Server to connect to another site... But that's currently on hold a bit as I'm afraid it will complicate troubleshooting even more.

So am I wrong in thinking that there's something strange with the way OPNsense creates routes?
Or is it just me again?

EDIT: Changed to URLs - From Image