Messages - Chrome

#1
@Fright You nailed it! Once I added a DNS server (1.1.1.1) to the SYSTEM: SETTINGS: GENERAL -> Networking section, HA Proxy was happy and started nicely.

I remember taking that out... because it broke something else.

I'll leave it in for now and see how it goes.

Thanks so much for your help!
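To make this failure checkable before hitting apply, here is an added example (my code, not OPNsense's or HAProxy's) that parses a generated haproxy.conf and reports resolvers sections that are referenced but never defined. It treats any `httpclient.resolvers.*` knob in `global` as a reference to the section named by `httpclient.resolvers.id`, or `default` when that is unset, which matches the alert in this thread naming section 'default' while the posted config sets only `httpclient.resolvers.prefer ipv4`; it also follows `do-resolve(...)` actions and `resolvers <name>` on server lines. Both configs are constructed, trimmed from the one posted here; the `resolvers default` section in the fixed one is my assumption of what OPNsense emits once DNS servers are set under System: Settings: General, not copied from the generator. If a `haproxy` binary is on PATH it also runs `haproxy -c -f` on each config.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed configs, trimmed from the one posted in this thread. BROKEN has
# the httpclient.resolvers.prefer knob in global but no resolvers section.
GLOBAL_AND_DEFAULTS = """\
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048

defaults
    log     global
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    default-server init-addr last,libc
"""

BROKEN_CONF = GLOBAL_AND_DEFAULTS

# Assumption: a section of this shape is what OPNsense generates once
# System: Settings: General -> Networking has a DNS server (1.1.1.1 here).
FIXED_CONF = GLOBAL_AND_DEFAULTS + """
resolvers default
    nameserver cloudflare 1.1.1.1:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s
"""

DO_RESOLVE = re.compile(r"do-resolve\(\s*[^,()]+,\s*([^,()]+)")


def parse_sections(text):
    """Split haproxy.conf text into (kind, name, [directive words]) tuples.

    Section headers start in column 0, directives are indented; '#' comments
    and blank lines are dropped.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        words = line.split()
        if not line[0].isspace():
            sections.append((words[0], words[1] if len(words) > 1 else "", []))
        elif sections:
            sections[-1][2].append(words)
    return sections


def missing_resolvers(text):
    """Sorted names of resolvers sections that are referenced but not defined."""
    sections = parse_sections(text)
    defined = {name for kind, name, _ in sections if kind == "resolvers"}
    referenced = set()
    hc_used, hc_id = False, None
    for kind, _, directives in sections:
        for words in directives:
            if kind == "global" and words[0].startswith("httpclient.resolvers."):
                # httpclient (and the OCSP updater built on it) use the section
                # named by httpclient.resolvers.id, falling back to 'default'.
                hc_used = True
                if words[0] == "httpclient.resolvers.id" and len(words) > 1:
                    hc_id = words[1]
            if words[0] in ("server", "default-server") and "resolvers" in words:
                idx = words.index("resolvers")
                if idx + 1 < len(words):
                    referenced.add(words[idx + 1])
            for match in DO_RESOLVE.finditer(" ".join(words)):
                referenced.add(match.group(1).strip())
    if hc_used:
        referenced.add(hc_id or "default")
    return sorted(referenced - defined)


def syntax_check(text):
    """Run 'haproxy -c -f' on the text; None when no haproxy binary is on PATH."""
    binary = shutil.which("haproxy")
    if binary is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        proc = subprocess.run([binary, "-c", "-f", path], capture_output=True, text=True)
        return proc.returncode, proc.stdout + proc.stderr
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, "missing resolvers sections:", missing_resolvers(conf))
        result = syntax_check(conf)
        if result is not None:
            print(label, "haproxy -c exit status:", result[0])
```

The static check is the part worth keeping around: the GUI's "Save & Test syntax" only tells you HAProxy refused the file, while this names the section it expected, so you know whether to look at the DNS settings or at a backend's `resolvers` keyword.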
#2
Quote from: Fright on March 17, 2024, 08:10:44 PM
I'll assume that you didn't specify the DNS server addresses at SYSTEM: SETTINGS: GENERAL ->Networking

That's correct. It's empty.
#3
Quote from: Fright on March 17, 2024, 04:12:46 PM
can you share the Config Diff?

Sure:

-- /usr/local/etc/haproxy.conf   2024-03-16 19:02:46.607322000 -0400
+++ /usr/local/etc/haproxy.conf.staging   2024-03-17 11:10:00.222676000 -0400
@@ -3,6 +3,9 @@
# Do not edit this file manually.
#

+#
+# NOTE: HAProxy is currently DISABLED
+#
global
     uid                         80
     gid                         80
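Review bot: The only change in this hunk is the added comment block (`+# NOTE: HAProxy is currently DISABLED`); no directive is added or removed, so the diff does not touch anything the "Can't find resolvers section 'default'" alert complains about, and it shows the staged file is the disabled variant while the live /usr/local/etc/haproxy.conf has no such note. Worth confirming the enable toggle was actually saved before reading this diff for the cause of the startup error.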


#4
Quote from: Fright on March 17, 2024, 04:07:12 PM
syncCerts.py and socketCommand.py errors are not the cause, but a consequence of HAProxy not working (and it is not possible to establish a control connection)
can you try to make some config of real/backend servers and apply it?

I added some quick info to the real server section and when I applied it, I get this error message:

The HAProxy service may not be able to start due to critical errors. Run syntax check for further details or review the changes in the Configuration Diff.

#5
It appears that I am missing the

haproxy.socket

in /var/run. I guess it's not being created for some reason?
#6
/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py show-servers --output bootstrap --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''
While talking to /var/run/haproxy.socket: [Errno 2] No such file or directory
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py", line 146, in <module>
    con = HaPConn(SOCKET)
  File "/usr/local/lib/python3.9/site-packages/haproxy/conn.py", line 51, in __init__
    self.open()
  File "/usr/local/lib/python3.9/site-packages/haproxy/conn.py", line 60, in open
    self.sock.connect(sfile)
FileNotFoundError: [Errno 2] No such file or directory

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py", line 156, in <module>
    if args['debug']:
TypeError: 'Namespace' object is not subscriptable
#7
I did notice that if I try to execute the commands from the CLI, I get these messages:

/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py", line 723, in <module>
    diff = Diff(crt_lists=crt_lists, **vars(args))
  File "/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py", line 49, in __init__
    self._transactions = self._get_transactions()
  File "/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py", line 142, in _get_transactions
    return self._execute_remote_cmd(cmds.showSslCerts)['transaction']
  File "/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py", line 23, in _execute_remote_cmd
    con = HaPConn(self.socket)
  File "/usr/local/lib/python3.9/site-packages/haproxy/conn.py", line 51, in __init__
    self.open()
  File "/usr/local/lib/python3.9/site-packages/haproxy/conn.py", line 60, in open
    self.sock.connect(sfile)
FileNotFoundError: [Errno 2] No such file or directory
#8
Sure... but there's not much to it.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

#
# NOTE: HAProxy is currently DISABLED
#
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats






# statistics are DISABLED
#9
I found some of these error messages in the OPNsense log:

Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1.

Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py show-servers --output bootstrap --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 44, in execute
    subprocess.check_call(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py show-servers --output bootstrap --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1.

Looks like I have some kind of python problem?
#10
24.1, 24.4 Legacy Series / HA Proxy - Startup Error
March 16, 2024, 08:28:59 PM
Hi All,

I wanted to start playing around with HAProxy...but I can't get it to start. I haven't created anything yet.

When I enable the service and hit apply, I get this message:

The HAProxy service may not be able to start due to critical errors. Try anyway?


So, I try "Save & Test syntax" and get this error message:

[NOTICE] (78455) : haproxy version is 2.8.7-1a82cdf
[NOTICE] (78455) : path to executable is /usr/local/sbin/haproxy
[ALERT] (78455) : config : Proxy '<OCSP-UPDATE>': Can't find resolvers section 'default' for do-resolve action.
[ALERT] (78455) : config : Proxy '<HTTPCLIENT>': Can't find resolvers section 'default' for do-resolve action.
[ALERT] (78455) : config : Fatal errors found in configuration.


I may have played around with HAProxy years ago... but there's nothing in my current config... maybe some file/setting has hung around from years ago?

Googling doesn't seem to help me with this.

Any idea what is going on here?
#11
So, the free servers go up to #158 for NL.

I was able to find a stable server for about 12 hours...so, that gave me a good chance to test and correct. The "stable" server has now gone to 100% packet loss overnight. Was at 0% packet loss yesterday. Anyway...

DNS resolution was causing an issue yesterday for a bit... I tried a couple of firewall rules...but couldn't get that working. So, as long as I manually insert a DNS server (1.1.1.1 or 9.9.9.9 or 10.2.0.1) on the workstation, then resolution is fine. If I add a DNS server (including 10.2.0.1) to the static DHCP lease... then it also works.

If I leave it defaulted to the router's IP for DNS resolution...then it fails.

Couldn't spend any more time yesterday to figure it out...but I am sure I am just missing a small something in the firewall rules.

#12
Getting about a 50% - 80% packet loss on the NL server I picked. No packet loss to any other gateway. Leaning towards the free server being the issue.
#13
Quote from: ckishappy on November 05, 2022, 04:48:35 PM
@Chrome, I did the proton vpn setup like @koala outlined and it works fine since Proton made the WG configurations available. The only problem that I have (since switching from Proton OpenVPN to WG) is that the OPNsense system updates and bogon ip updates time out. When I stop WG, the updates go through smoothly.

@ckishappy Thanks for the tip. I'll keep that in mind for the next update.
#14
@koloa  WOW! That's a great walkthrough... the best I've seen for Proton and their WG. My issue was more with the creating of the keys and doing that via the CLI. Once I did that properly, WG connected nicely. The routing part seems to be working just fine, now that I switched to the NL servers.
The CLI command: wg pubkey < private > pub 

was "KEY" for me. :-)

I am having issues more with the server (US ones mainly)...the Netherlands ones seem to work better for me. Having said that, I am on the free account... using the free servers...so, fairly certain that might have something to do with it. Looking to switch over to the paid version.

Thanks so much for the write up... I hope many others can benefit from it.

My 2 issues were creating the keys correctly...and I didn't seem to have much luck getting a working connection to a FREE US server... it works MUCH better to a FREE NL server. Haven't tested a JP one yet.
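What `wg pubkey < private > pub` actually computes, as an added example that is not part of the original post or of the WireGuard tools: the public key is X25519 of the clamped 32-byte private key with the base point u = 9 (RFC 7748), and both keys travel as base64 on the command line. The pure-Python implementation below runs without the `wg` binary so you can confirm that a private key you pasted into OPNsense really corresponds to the public key you handed to Proton; its sample input is the RFC 7748 section 6.1 test vector, constructed for the check, not a key from this thread. It is not constant time, so use it to verify a pair, not to generate keys on a production box; for generation, `umask 077; wg genkey | tee private | wg pubkey > public` is the sequence.

```python
import base64

P = 2**255 - 19   # field prime for Curve25519
A24 = 121665      # (A - 2) / 4 for the Montgomery curve constant A = 486662
BASE_U = 9        # u-coordinate of the base point


def _clamp(private: bytes) -> int:
    """decodeScalar25519 from RFC 7748: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(private: bytes, u: int = BASE_U) -> bytes:
    """Montgomery ladder k*u on Curve25519 (RFC 7748 section 5).

    Not constant time: the Python branch on 'swap' leaks scalar bits through
    timing, which is fine for an offline self-check and nothing else.
    """
    if len(private) != 32:
        raise ValueError("X25519 private key must be 32 bytes")
    k = _clamp(private)
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_pubkey(private_b64: str) -> str:
    """Same mapping as 'wg pubkey < private': base64 private key in, base64 public key out."""
    private = base64.b64decode(private_b64, validate=True)
    return base64.b64encode(x25519(private)).decode("ascii")


def b64_to_hex(value_b64: str) -> str:
    """Helper so the self-check can compare against the RFC's hex vectors."""
    return base64.b64decode(value_b64, validate=True).hex()


# RFC 7748 section 6.1 test vectors (Alice and Bob); constructed sample input.
ALICE_PRIVATE_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUBLIC_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIVATE_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUBLIC_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
ALICE_PRIVATE_B64 = base64.b64encode(bytes.fromhex(ALICE_PRIVATE_HEX)).decode("ascii")

if __name__ == "__main__":
    public_b64 = wg_pubkey(ALICE_PRIVATE_B64)
    print("private (base64):", ALICE_PRIVATE_B64)
    print("public  (base64):", public_b64)
    print("matches RFC 7748 vector:", b64_to_hex(public_b64) == ALICE_PUBLIC_HEX)
```

If `wg pubkey` on the box and this function disagree for the same private key, the key file was mangled (a stray newline, a truncated paste, or a base64 string that is not 32 bytes once decoded), which is exactly the class of mistake that leaves the tunnel without a handshake.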

#15
@Koloa Thanks for the direction.

I think I've got the connection with Proton going. I can see the handshake and the status in the WG section of the VPN category. About 5MB received and 10MB sent over the last day or so.

The part I don't think I've got straight is the IPs for the gateway, and the "gotchas" you mentioned in your post.

I do have PIA working with a small subnet of machines being routed via the WG gateway. So, I do have a working example to pull from.

Back to Proton, I've set the gateway IP to 10.2.0.1 in the Gateway -> Single. Was this incorrect? I've tried 10.2.0.2 and 10.2.0.250...none of them seem to work.

When I use 10.2.0.1 the gateway is UP.

Any ideas?