Messages - bbchucks

#1
General Discussion / Re: curl not working
January 25, 2024, 06:38:16 PM
thanks! for me -
curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.211:443
* Connecting to hostname: 45.90.28.211
* Connecting to port: 443
*   Trying 45.90.28.211:443...


Is there a firewall rule I can add to explicitly allow this IP for anything?
#2
General Discussion / Re: curl not working
January 25, 2024, 06:22:54 PM
thanks - it's just not making sense that nextdns would block the IP
#3
General Discussion / curl not working
January 25, 2024, 05:45:44 PM
I'm unable to connect to 45.90.28.111 (nextdns) using curl

doesn't work -
curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.211:443
* Connecting to hostname: 45.90.28.211
* Connecting to port: 443
* Trying 45.90.28.211:443...

working - I can connect -
curl -v https://dns.nextdns.io/info --connect-to ::76.76.2.11:443

Anyone know why? I can't seem to figure out what's wrong on opnsense.
#4
23.7 Legacy Series / dns DOH issue
January 25, 2024, 04:04:47 PM
Hello
After upgrading to 23.7.12 (from 23.7.10) DNS DOH to Nextdns servers stopped working.

Upgraded to 23.7.12 without any issues; after a day or so, without making any opnsense changes, DNS suddenly stopped working.

If I remove the nextdns servers then everything works.  I confirmed via connecting to the wireguard VPN that the nextdns servers still work.  Once I disable wireguard then DNS stops working.
Using unbound with TLS to nextdns servers.

I checked using curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.201:443
and the result is failed to connect to 45.90.28.201 (nextdns server)

No issues using curl to the same IP if I connect thru wireguard/VPN.

Anyone know what i need to do?  Thank you!
#5
Hello
After upgrading to 23.7.12 (from 23.7.10) DNS DOH to Nextdns servers stopped working.

Upgraded to 23.7.12 without any issues; after a day or so, without making any opnsense changes, DNS suddenly stopped working.

If I remove the nextdns servers then everything works.  I confirmed via connecting to the wireguard VPN that the nextdns servers still work.  Once I disable wireguard then DNS stops working.
Using unbound with TLS to nextdns servers.

I checked using curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.2XX:443
and the result is failed to connect to 45.90.28.2XX (nextdns server)

No issues using curl to the same IP if I connect thru wireguard/VPN.

Anyone know what i need to do?  Thank you!
#6
thanks, a reboot and everything came up fine.  thank you
#7
did opnsense-bootstrap but got stuck here -

--
Beep! Beep!
Fetching base-23.7.10-amd64.txz: ...client_loop: send disconnect: Broken pipe
#8
getting this error trying to upgrade to 23.7.10 from .9

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.9 at Wed Dec 13 06:58:30 EST 2023
Fetching changelog information, please wait... Missing /usr/local/etc/pkg/repos/OPNsense.conf
Repository not found: OPNsense
Updating FreeBSD repository catalogue...
pkg: sqlite error while executing SELECT count(name) FROM sqlite_master WHERE type='table' AND name='repodata'; in file pkgdb.c:2367: database is locked
pkg: Repository FreeBSD contains no repodata table, need to re-create database
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 33987 packages processed.
pkg: sqlite error while executing DROP TABLE repo_update; in file pkgdb.c:2343: malformed database schema (packages_origin) - invalid rootpage
All repositories are up to date.
pkg: Unknown repository: OPNsense
pkg: sqlite error while executing SELECT count(name) FROM sqlite_master WHERE type='table' AND name='repodata'; in file pkgdb.c:2367: database is locked
pkg: Repository FreeBSD contains no repodata table, need to re-create database
pkg: Repository FreeBSD cannot be opened. 'pkg update' required
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
self: No packages available to install matching 'opnsense'
#9
Have the same issue; if I bypass the opnsense and use wireguard on my macbook I get about 800Mbps to 900, close to 1Gigabit.
However, when I use wireguard on the opnsense box (HP T720) my speeds drop down to 250-280Mbps.

Please let me know if you found a workaround.

Quote from: Gizmo on August 21, 2023, 12:26:34 PM
Hi all,

Looking for some advice on further tuning ideas to maximise my Wireguard (via Nord VPN) performance.

This time I'm totally stalled at how to get my Wireguard VPN performance close to my 1Gb internet connection speed. Currently it caps out around 450 to 550Mbps. The speed completely flatlines, which leads me to believe it's simply a setting which is maxing the throughput/processing.

Firstly, my ISP allows these speeds and have done direct connection to internet router getting about 975Mbps.


Key Questions I have

  • Does the DNS config affect speed? (Currently using Unbound in forwarding mode to Quad9 Servers)
  • Are there specific tunable settings others have used and found a speed boost?
  • What specific MSS and MTU settings were used and where did you apply these?
I have played around with the MTU and MSS settings, between 1380 to 1420. Not seen any major jump across a range of combinations. Additionally, I'm not sure where is the best place to enter these, as there seem to be several locations to do it:

  • The wireguard tunnel
  • WG interface
  • LAN interface
  • Interface normalisation settings
  • System settings
Use Case
Simple home setup using Nord VPN for wireguard, just trying to get maximum speed.


Current Setup

  • Protectli FW6Br2 Intel i3-8130U 2.2Ghz 2 core 4 thread CPU with 16GB DDR4 Ram and 256GB SSD (According to Protectli Wireguard speeds of 900Mbps capable)
  • OPNsense 23.7.1_3-amd64
  • FreeBSD 13.2-RELEASE-p2
  • OpenSSL 1.1.1v 1 Aug 2023

Test Results
Testing via ethernet cable into LAN port via Speedtest CLI Test


Speedtest by Ookla

      Server: Network Solutions Group - Sydney (id: 30430)
         ISP: GSL Networks Pty
Idle Latency:    12.25 ms   (jitter: 4.04ms, low: 8.57ms, high: 16.21ms)
    Download:   465.38 Mbps [===========/        ] 56%   - latency: 273.32 ms
      Upload:    45.21 Mbps (data used: 35.0 MB)
                 47.27 ms   (jitter: 4.05ms, low: 14.23ms, high: 81.45ms)

Opnsense Setup
LAN Interface MTU = 1420
WG Interface MTU &  MSS = 1420
Using Unbound DNS forwarding to Cloud9 servers - Not using local resolver - Unsure which is best for my application

Notable tunables I've adjusted based on various guides - in particular https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/
https://forum.opnsense.org/index.php?topic=24409.msg116941#msg116941

kern.ipc.maxsockbuf = 614400000
net.inet.rss.bits = 2
net.inet.rss.enabled = 1
net.inet.tcp.abc_1_var = 52
net.inet.tcp.minmss = 536
net.inet.tcp.mssdflt = 1240
net.inet.udp.checksum = 1
net.inet.udp.maxdgram = 57344
net.isr.defaultqlimit = 2048
net.isr.dispatch = deferred
net.isr.maxthreads = -1
net.local.dgram.maxdgram = 8192
net.pf.source_nodes_hashsize = 1048576
set.hw.ibrs_disable = 1
vfs.read_max = 32


Any help or advice much appreciated.
#10
Looks like my HP TP720 (CPU type   AMD GX-420CA SOC with Radeon(tm) HD Graphics (4 cores, 4 threads)) can't handle 1Gigabit speeds with Wireguard ON.  Without Wireguard, 1.5Gigabit speeds are easily achieved on the box.



Can anyone advise what's good hardware in the range of 300-500 dollars that is capable of supporting Wireguard + 1.5Gigabit speeds?

Thanks!
#11
Hi all, I'm new to opnsense and need some help routing all VPN traffic in my network thru the wireguard VPN.

I followed this guide to setup Windscribe VPN with wireguard - https://www.wundertech.net/how-to-set-up-wireguard-in-opnsense/

and with the routing i used this guide - https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

However, I can't tell if I'm actually connected to the VPN; on my internal network, if I go to whatsmyip.com it doesn't show windscribe's IP.

Any assistance is greatly appreciated!

the Handshake tab shows -
wg1   XXXXXXTjPUnnUtUapeLa2xA2XHvBFc=   0

the status tab shows -
interface: wg1
  public key: XXXXXXXRztjod9crXHynuqkK2w=
  private key: (hidden)
  listening port: 51820

peer: XXXXnnUtUapeLa2xA2XHvBFc=
  endpoint: 173.205.XXXX:1194
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 44.95 KiB sent
  persistent keepalive: every 25 seconds


from windscribe vpn setup file - changed IPs for privacy
[Interface]
PrivateKey = XXXXXYCQi6XsVBOQSXVo=
Address = 100.124.XXX.1/32
DNS = 10.255.255.3

[Peer]
PublicKey = XXXXXXXnUtUapeLa2xA2XHvBFc=
AllowedIPs = 0.0.0.0/0
Endpoint = XXXXX.whiskergalaxy.com:1194
PresharedKey = XXXXUActIlB17JctoldX9J3Y=

opnsense wireguard settings -
<server version="0.0.4">
        <servers>
          <server uuid="7c7c7be9-fb42-4048-af5a-52df37948a69">
            <enabled>1</enabled>
            <name>windscribe</name>
            <instance>1</instance>
            <pubkey>XXXtjod9crXHynuqkK2w=</pubkey>
            <privkey>XXXXXXYCQi6XsVBOQSXVo=</privkey>
            <port>51820</port>
            <mtu>1420</mtu>
            <dns/>
            <tunneladdress>100.124.XXX.1/32</tunneladdress>
            <disableroutes>1</disableroutes>
            <gateway>100.124.XXX.2</gateway>
            <peers>eb08a058-9ed7-4dfd-9354-66e28fbe3046</peers>
          </server>

          <client uuid="eb08a058-9ed7-4dfd-9354-66e28fbe3046">
            <enabled>1</enabled>
            <name>windscribeXX</name>
            <pubkey>XXXXXXXOTjPUnnUtUapeLa2xA2XHvBFc=</pubkey>
            <psk/>
            <tunneladdress>0.0.0.0/0</tunneladdress>
            <serveraddress>XXXXXX.whiskergalaxy.com</serveraddress>
            <serverport>1194</serverport>
            <keepalive>25</keepalive>
          </client>
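The Status tab above shows "0 B received" and no "latest handshake" line, which is the signature of a peer that never completed the WireGuard handshake. The following is an added example, not code from the post or from OPNsense: it parses a status dump in that layout and flags such peers; the keys and endpoint in the sample are placeholders I made up.

```python
import re

# Constructed sample in the layout of the Status tab / `wg show` output
# quoted above. Keys and endpoint are placeholders, not real values.
SAMPLE_STATUS = """\
interface: wg1
  public key: LOCALPUBKEYPLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: PEERPUBKEYPLACEHOLDER=
  endpoint: 192.0.2.10:1194
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 44.95 KiB sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}

def to_bytes(amount, unit):
    """Convert a 'transfer:' figure such as '44.95 KiB' to bytes."""
    return int(float(amount) * UNITS[unit])

def parse_peers(text):
    """Split the status dump into one dict per 'peer:' block, keeping the
    indented 'key: value' lines and adding parsed rx/tx byte counts."""
    peers, cur = [], None
    for line in text.splitlines():
        if line.startswith("peer:"):
            cur = {"peer": line.split(":", 1)[1].strip()}
            peers.append(cur)
        elif cur is not None and ":" in line:
            key, val = line.strip().split(":", 1)   # endpoint keeps its port
            cur[key] = val.strip()
    for p in peers:
        m = re.match(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent",
                     p.get("transfer", ""))
        p["rx"] = to_bytes(m[1], m[2]) if m else 0
        p["tx"] = to_bytes(m[3], m[4]) if m else 0
    return peers

def diagnose(peer):
    """A peer with no 'latest handshake' line and nothing received has
    never completed a handshake: with AllowedIPs 0.0.0.0/0 every packet
    routed into the tunnel is then dropped, which matches the symptom."""
    if "latest handshake" not in peer and peer["rx"] == 0:
        return "no handshake: check endpoint/port, peer public key and PSK"
    return "ok"

if __name__ == "__main__":
    for p in parse_peers(SAMPLE_STATUS):
        print(p["peer"], p["rx"], "rx", p["tx"], "tx ->", diagnose(p))
```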
#12
This set blocked twitch from working =(

Quote from: yeraycito on June 10, 2020, 12:53:35 AM
FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous) . (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan
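When a URL Table alias like this one blocks a legitimate service, the first thing to find out is which entry in the .netset file covers the affected address. This added example (not from the post or from the FireHOL project) parses the .netset format, which is '#' comment lines followed by one IPv4 address or CIDR prefix per line, and reports the covering entries; the list contents below are a constructed sample using documentation ranges, not the real firehol_webserver list.

```python
import ipaddress

# Constructed sample in the FireHOL .netset layout (documentation ranges,
# not entries from the real firehol_webserver file).
SAMPLE_NETSET = """\
#
# firehol_webserver (constructed sample, not the real file)
#
# Maintainer      : FireHOL team
#
192.0.2.0/24
198.51.100.17
203.0.113.128/25
"""

def parse_netset(text):
    """Return the ip_network entries of a .netset file, skipping comment
    and blank lines. A bare address becomes a /32 network."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops trailing comments
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def matching_entries(nets, ip):
    """Every list entry (as a string) that covers `ip`, so an operator can
    see exactly which line caused a block and decide whether to keep it."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]

def count_addresses(nets):
    """Total addresses covered: a quick sense of how broad the alias is."""
    return sum(n.num_addresses for n in nets)

if __name__ == "__main__":
    nets = parse_netset(SAMPLE_NETSET)
    print("entries:", len(nets), "addresses:", count_addresses(nets))
    for ip in ("192.0.2.44", "198.51.100.17", "203.0.113.5"):
        print(ip, "->", matching_entries(nets, ip) or "not listed")
```

To check a real block, download the URL from the alias and pass the file contents to parse_netset instead of the sample.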
#13
thanks for the guide! For some reason, when I untick "Do not use the local DNS service as a nameserver for this system", if I'm on the opnsense box shell I can't resolve any DNS.  Once I change resolv.conf from localhost to opnsense's 192.168.1.1 address then DNS works.

Does anyone know why I can't use 127.0.0.1 but can use the actual IP of opnsense?
#14
hah it failed on me in the past but that was years ago.  thank you for your help today!
#15
I'm currently on 22.1.10_4

Do I need to update to 22.7 first? How can I update to 23 from 22.1?