Messages - Orest

#1
22.1 Legacy Series / Re: os-ddclient
November 28, 2022, 10:43:20 PM
Has anyone gotten ddclient to work with NameCheap? I was moving to ddclient today after my update to 22.7 and successfully installed ddclient-3.9.1.

It did not work when configuring it using the provided GUI and filling in the hostname, login, and password. After some testing, I figured out the issue, but it's not something I can fix.

First, using dyndns as the "Check ip method" did not find my domain. Using freedns resolved that issue. I can't exactly confirm that's a ddclient issue, but it could be an issue with the dyndns endpoint; I didn't go down that rabbit hole.

Second, looking at the logs under /var/log/ddclient/latest.log, I was able to see the request that is being used to update the IP entry, and it looks like this (matching the GUI variables):

hxxps://dynamicdns[.]park-your-domain[.]com/update?host={hostname}&domain={username}&password={password}&ip={Public_IP}

Matching these variables to ddclient.conf, I see hostname is at the bottom, login is username, and password is password.

# global settings
syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes

# host section: the trailing token (blah.com) is the hostname sent as host=
use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i eth0 -t 1 -s freedns --timeout 10",
protocol=namecheap, \
login=username, \
password=NameCheapAPIKey \
blah.com

I don't know anything about the dynamicdns API or what it expects, but seeing "username"/"login" as the domain made no sense to me. It would explain why I saw this error:

<?xml version="1.0" encoding="utf-16"?><interface-response><Command>SETDNSHOST</Command><Language>eng</Language><ErrCount>1</ErrCount><errors><Err1>Domain name not found</Err1></errors><ResponseCount>1</ResponseCount><responses><response><Description>Domain name not found</Description><ResponseNumber>316153</ResponseNumber><ResponseString>Validation error; not found; domain name(s)</ResponseString></response></responses><Done>true</Done><debug><![CDATA[]]></debug></interface-response>

My username is clearly not my domain.

So I played around with the request a bit and found that the URL below worked:

hxxps://dynamicdns[.]park-your-domain[.]com/update&domain={hostname}&password={password}&ip={Public_IP}

<?xml version="1.0" encoding="utf-16"?><interface-response><Command>SETDNSHOST</Command><Language>eng</Language><IP>{Public_IP}</IP><ErrCount>0</ErrCount><errors /><ResponseCount>0</ResponseCount><responses /><Done>true</Done><debug><![CDATA[]]></debug></interface-response>

Checking the DNS records on NameCheap, I saw it updated the A record.

While I can just create a cron job / script to do this for me, I'd rather use the plugin since that's available to me and I can manage it via the web GUI.

If anyone has a solution that works with the current version of ddclient, I'd greatly appreciate it.

Thanks!
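The post above works out, by reading ddclient's log, which query parameters the Namecheap dynamic DNS endpoint actually wants and what its XML replies look like. The script below is an added example (not ddclient, OPNsense or Namecheap code) that builds the request with the parameter names seen in the logged URL, parses the two reply shapes quoted in the post, and masks the password before the request is logged, since the post shows the full URL, password included, landing in /var/log/ddclient/latest.log. The sample XML is reconstructed from the post with a documentation IP, the `@`/`www` host convention and the offline opener are assumptions, and the response encoding handling is a guess at what the `utf-16` prolog implies rather than something the post confirms.

```python
"""Namecheap Dynamic DNS update client (added example, not ddclient/OPNsense code).

Parameter names and base URL are those in the request ddclient logged in the
post; the XML samples are reconstructed from the responses quoted there, with
a constructed documentation IP in place of the poster's public address."""
import re
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

UPDATE_URL = "https://dynamicdns.park-your-domain.com/update"

# Constructed samples based on the two responses quoted in the post.
SAMPLE_ERROR = ('<?xml version="1.0" encoding="utf-16"?><interface-response>'
                '<Command>SETDNSHOST</Command><Language>eng</Language><ErrCount>1</ErrCount>'
                '<errors><Err1>Domain name not found</Err1></errors><ResponseCount>1</ResponseCount>'
                '<responses><response><Description>Domain name not found</Description>'
                '<ResponseNumber>316153</ResponseNumber><ResponseString>Validation error; not found; '
                'domain name(s)</ResponseString></response></responses><Done>true</Done>'
                '<debug><![CDATA[]]></debug></interface-response>')
SAMPLE_OK = ('<?xml version="1.0" encoding="utf-16"?><interface-response>'
             '<Command>SETDNSHOST</Command><Language>eng</Language><IP>203.0.113.10</IP>'
             '<ErrCount>0</ErrCount><errors /><ResponseCount>0</ResponseCount><responses />'
             '<Done>true</Done><debug><![CDATA[]]></debug></interface-response>')


def build_update_url(host, domain, password, ip):
    """host is the record label ("@" for the apex, "www" for a subdomain) and
    domain the registered domain; the post's failure came from the plugin
    sending the account login in the domain= field. password is the
    per-domain Dynamic DNS password, not the Namecheap account password."""
    return UPDATE_URL + "?" + urlencode(
        {"host": host, "domain": domain, "password": password, "ip": ip})


def redact_url(url):
    """Mask the password before the URL goes anywhere near a log. The secret
    rides in the query string, so ddclient's latest.log, a proxy, or shell
    history will otherwise hold it in clear text."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "password" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def parse_response(body):
    """Reduce the interface-response XML to ok/ip/errors. The prolog claims
    utf-16 even when we already hold decoded text, so strip it rather than
    let the parser argue with it."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", body))
    err_count = int(root.findtext("ErrCount", default="0"))
    errors_el = root.find("errors")
    errors = [(e.text or "").strip() for e in errors_el] if errors_el is not None else []
    return {"ok": err_count == 0 and not errors,
            "ip": root.findtext("IP"),
            "errors": errors}


def decode_body(raw):
    """Honour a UTF-16 BOM if the server really sends one, else assume UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def update_record(host, domain, password, ip, opener=urllib.request.urlopen):
    """Send one update and return the parsed result. opener is injectable so
    the flow can be exercised offline (see offline_opener)."""
    url = build_update_url(host, domain, password, ip)
    with opener(url, timeout=10) as resp:
        result = parse_response(decode_body(resp.read()))
    result["request"] = redact_url(url)   # the form that is safe to log
    return result


class _CannedResponse:
    """Stand-in for the urlopen response object; serves a fixed body as bytes."""
    def __init__(self, body): self._body = body.encode("utf-8")
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self._body


def offline_opener(url, timeout=None):
    """Constructed replacement for urlopen so the example runs without network."""
    return _CannedResponse(SAMPLE_OK)


if __name__ == "__main__":
    print(parse_response(SAMPLE_ERROR))
    print(parse_response(SAMPLE_OK))
    print(update_record("@", "blah.com", "NameCheapAPIKey", "203.0.113.10",
                        opener=offline_opener))
```

Run against the real endpoint by dropping the `opener=` argument. The check that matters in the post is `errors` being non-empty while `Done` is still `true`: the API reports "Domain name not found" as a validation error inside a 200-class response, so anything that only looks at the HTTP status will call the failed update a success.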
#2
Hi Everyone!

For anyone who is curious, I was not able to resolve this issue exactly with two wireguard servers. However, I was able to get it working with the one wireguard server I had initially. I just added the outbound VPN as a peer to the one wireguard server. Leaving my existing ruleset and modifying my outbound NAT for the VPN network to go out through the peer got it working as expected. So now I can log in to my network remotely, have my internet traffic go out the VPN, and access my internal network.

If anyone has any questions about this, feel free to message me!

All the best,
Orest
#3
Hi there!

I first want to express my deepest gratitude to this community and the OPNsense project. With the help of the documentation, community and colleagues in IT, I have been able to move from a Linksys Velop router to a completely virtualized network environment with two OPNsense firewalls, one being an Edge Firewall and the second an Internal Firewall, with the potential for a DMZ between the two. I don't have plans there but wanted the option. So my thanks goes out to all of you for your contributions to the community that helped me put this together. My understanding of networking has increased exponentially because of all the resources out there, including here.

Anyway, so here is my endeavor.

On my internal firewall, I have two Wireguard servers. My first one is a server to connect to my internal network, a 10.9.0.1/24 network (server IP is 10.9.0.1). My second one is a server to connect to an external VPN provider, in this case Mullvad, where I tunnel all of my network traffic through it (technically two of my networks, not my IoT network due to streaming concerns). It has an IP of 10.70.75.225.

Before I spun up the second server, I had no problems connecting to my internal network. But now, when the second server is up (Mullvad VPN), I cannot connect to my internal network with my first wireguard server. My troubleshooting shows that the wireguard packets reach the server, and leave it as well. Initially, my thoughts were that the wireguard packets left through the VPN, and didn't reach back to my mobile device, and did not establish the connection.

With that thought, I set up an Outbound NAT rule. This rule translated my second wireguard server IP to my WAN address (in this case, it's an RFC1918 IP, 192.168.1.200). This then leaves via the Edge Firewall back to its origin (my mobile device). However, in doing that, I still do not establish a wireguard connection. It looks like the rule fails when I set my target port to the same port it came in on (55820), but when I leave it at any target port, the rule is executed, yet the wireguard connection still fails.

But, when I shut off the second wireguard server, the first one works again successfully.

Here are some sample firewall logs of what happens in different scenarios.

Scenario 1: First Wireguard Server is running, Second one is not.

Interface: WAN | <- | Source: 192.168.1.200:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP

This is what I have been trying to reproduce, while the second server is up, to see if I can establish a successful connection.

Scenario 2: First Wireguard Server is running, Second one is also running, No Outbound NAT.

Interface: wg1  | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP

Scenario 3: First Wireguard Server is running, Second one is also running, Outbound NAT with target port any

Interface: wg1  | <- | Source: 192.168.1.200:15728 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP

Scenario 4: First Wireguard Server is running, Second one is also running, Outbound NAT with target port 55820

Interface: wg1  | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP

At the end of the day, what I am trying to accomplish is have both VPNs working. I want the first wireguard server to connect me to my internal network, and the second wireguard server to route all my internet bound traffic out through it.

I hope I have provided enough information, and that I didn't confuse anyone. I am not a network pro either, so if I messed up any terminology, I apologize.

Thanks in advance, I appreciate any help I get.

- Orest
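The four scenarios above are, read side by side, one symptom: the handshake from the phone arrives on WAN, but once the second instance is up the reply leaves on wg1 (the Mullvad tunnel) instead, and in scenario 3 the outbound NAT additionally rewrites the source port away from 55820. The script below is an added example, not OPNsense tooling, that pairs each inbound packet to the WireGuard listen port with the outbound packet sent back to the same remote endpoint and flags exactly that asymmetry. The sample lines are constructed from the scenarios in the post, keeping its addresses and ports; the reading of `->` as a packet entering the firewall on the named interface and `<-` as one leaving it is an assumption drawn from the scenario text, as is the choice to treat a changed source port as a problem.

```python
"""Asymmetric-reply check for WireGuard handshakes, run over firewall log
lines in the format the post quotes. Added example, not OPNsense tooling.
Assumption: '->' marks a packet entering the firewall on the named interface
and '<-' a packet leaving it, which is how the post's scenarios read."""
import re

LINE_RE = re.compile(
    r"Interface:\s*(?P<iface>\S+)\s*\|\s*(?P<arrow>->|<-)\s*\|\s*"
    r"Source:\s*(?P<src>\S+)\s*\|\s*Destination:\s*(?P<dst>\S+)\s*\|\s*(?P<proto>\S+)")

# Constructed from the four scenarios in the post (same addresses and ports).
SCENARIOS = {
    "1 only first server": [
        "Interface: WAN | <- | Source: 192.168.1.200:55820 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
    "2 both, no outbound NAT": [
        "Interface: wg1  | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
    "3 both, NAT target port any": [
        "Interface: wg1  | <- | Source: 192.168.1.200:15728 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
    "4 both, NAT target port 55820": [
        "Interface: wg1  | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
}


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["direction"] = "in" if rec.pop("arrow") == "->" else "out"
    return rec


def check_symmetry(lines, listen_port=55820):
    """Pair each inbound packet to the listen port with the outbound packet
    sent back to the same remote endpoint and report whether the reply left
    on the ingress interface from the listening port."""
    inbound, outbound = {}, {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["direction"] == "in" and rec["dst"].endswith(f":{listen_port}"):
            inbound[rec["src"]] = rec          # keyed by remote endpoint
        elif rec["direction"] == "out":
            outbound[rec["dst"]] = rec         # keyed by remote endpoint
    findings = []
    for remote, req in inbound.items():
        rep = outbound.get(remote)
        if rep is None:
            findings.append({"remote": remote, "status": "no_reply", "problems": []})
            continue
        problems = []
        if rep["iface"] != req["iface"]:
            problems.append(f"reply left on {rep['iface']}, request arrived on {req['iface']}")
        if not rep["src"].endswith(f":{listen_port}"):
            problems.append(f"reply source {rep['src']} is not port {listen_port}")
        findings.append({"remote": remote, "status": "ok" if not problems else "asymmetric",
                         "in_iface": req["iface"], "out_iface": rep["iface"],
                         "problems": problems})
    return findings


if __name__ == "__main__":
    for name, lines in SCENARIOS.items():
        for f in check_symmetry(lines):
            print(f"scenario {name}: {f['status']} {f['problems']}")
```

Scenario 1 comes back `ok`; scenarios 2 and 4 report the reply leaving on wg1, and scenario 3 reports both the interface and the rewritten source port. Whatever NAT is applied at the end does not change the interface the reply is routed out of, which is why the poster's later resolution (one WireGuard instance with the provider added as a peer, plus adjusted outbound NAT) attacked the routing rather than the port translation.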