Messages

Hello,

Please help me with the following. I am running opsense baremetal and have installed tailscale+mullvad addon. I want my opsense box itself to use the mullvad connection for internet traffic instead of the normal connection so that for example system updates only go through the tunnel.

This is the current public ip (redacted):

Code Select Expand

root@OPNsense:~ # curl https://am.i.mullvad.net/connected
You are not connected to Mullvad. Your IP address is 31.xxx.xxx.xxx
Tail scale docs do no provide a install guide to enable this. In opsense webgui it does say this under advanced:

Code Select Expand

Route traffic to the specified exit node. Note that this only affects traffic routed into your Tailscale interface, which you will have to configure separately using firewall rules and hybrid outbound NAT rules.
So can someone provide me with step by step guide please?

Thank you.

Greetings,

Any additional steps I need to take when using a vlan tag (interface) as the gateway since my ISP uses that for internet traffic over the fiber connection. When I add the mullvad gateway it stays red with 100% loss even after selecting it as the upstream gateway.

Thank you

Update:

When I use the same ip in the monitor ip section as the ip adress things light up green but the mullvad check does not pass. Tried different dns ip's to no avail.

Alright, I was able to resolve this through some research and time spent reading.  If anyone else needs it, here is what I found.

1.) Something changed when Wireguard moved into the kernel in v23.  This something broke many previously implemented Wireguard to private VPN service tunnels.

2.) The initial part of the WireGuard MullvadVPN Road Warrior Setup guide can still be followed, with one small change.

Follow "Step 1" of the above, except when configuring your "instance" be sure to check the box "disable routes".  If you don't it will create an automatic route that breaks external traffic over the wan.

Also, the guide above tells you to add a DNS server in the Peers section.  This no longer appears to be possible.  It is also not needed, as long as you used the version of the Mullvad Curl script that hijacks your DNS, as you will use Mullvads DNS either way, at least when connected to Mullvad.

Once step 1 is complete, shift to this video at timestamp ~8:39

Note that the youtuber is using the older WireGuard-go plugin which is now deprecated.  You can still follow his instructions, but whenever he uses the WireGuard config tab labeled "Endpoints" use the tab labeled "Peers" instead.   And whenever he uses the tab labeled "Local" use the tab labeled "Instances" instead.

Follow the youtubers guide to setting up firewall rules NAT rules.    He splits his video into two parts.  The first for forwarding ALL traffic through the VPN, and a second for setting up a gateway to later use firewall rules to decide which traffic goes through the VPN.

The first "everything through VPN" setup he configures will not work, but set up the rules as he does anyway, as they are needed in the second part.   If you complete the second part you should wind up with a second gateway just for Mullvad.   You can then use firewall rules to pass traffic through to whichever gateway is appropriate, Mullvad or wan to bypass Mullvad.

I usually set up a rule at the end of each networks firewall ruleset that passes all traffic through to the Mullvad gateway.  Then if I want specific exclusions, I add pass rules above that, to pass specific traffic types or traffic from specific hosts to the wan interface bypassing Mullvad.

I hope this saves someone else some time as I was about to tear my hair out.

I suspect (but I am not sure) that there is a bug in the current kernel implementation of WireGuard that creates a faulty, non-functional default route, unless you check the box to disable it during the creation of the instance, and that is what is causing all of this trouble.

Hi,

Can't get it to work. I'm using a vlan tag (added interface) to pluck the internet traffic out of my fiber connection. Are there additional steps I must take? Would you consider a complete step by step write-up (verbose) please?

Kind regard.

meyergru . I noticed you asked how to load a different version of the kernel under OPN and later you seemed to have been able to do it. Can you please point me in the direction of the instructions to achieve it? I'd like to make some tests of my own. Apologies for the hijack of thread.

I was about to ask the same question.

Directing this to the opnsense devs, will this be implemented any time soon?

The dropdown menu under System: Settings: Miscellaneous, shows the option for intel quickassist technology. I'm guessing this only applies for expansion cards?

Greetings,

I have a 2Gb symmetrical fiber connection not being utilized to its fullest due to my current network infrastructure. The plan is to do an upgrade of my j5040 machine to a mini pc that has i226-v nics in it. I came across the intel gold 8505 cpu that has more or less the same cpu horsepower as a n305 with the benefit of a onboard qat and dual channel memory alongside more pci-e lanes.

My question is if qat in the 8505 functions on opnsense with accelerating wireguard vpn traffic?  I will be running additional security like zenarmor, unbound/adguard and perhaps crowdsec.

Thank you.

Any input is welcome. I've heard about monit, but it is basic. No graphs and such. There's also a cool project on github:

https://github.com/bsmithio/OPNsense-Dashboard

But it is quite tedious to set up. Maybe I will have a go when I'm feeling up to it. Originally I just wanted some simple monitor tool for basic info that I could easily set up.

Kind regards. 

Aha docker it is. That's what missing in the tutorials. Kinda half work. Anyway thank you for the clarification,

Maybe I wasn't clear enough. After install of agent and configuration I was unable to navigate to the webgui of zabbix in the same way as the youtube tutorial shows.
So I need to install zabbix server next to the agent, but there is no zabbix server plugin in opnsense.. Do I need to run a docker image on a machine on the network ?

Others have it. Have a look at the youtube link that I've posted. Would be nice if we could see what we are monitoring.

Regards

Thank you for your reply. My post was intended as a general question for someone who has recently installed this. The following tutorials where used for setting up zabbix on my opnsense machine:

https://techexpert.tips/zabbix/zabbix-monitoring-opnsense-agent/
https://www.youtube.com/watch?v=wcxvphRYbnU (discarding the docker part)

The problem is that I cannot access the zabbix webgui by any means. I have looked at the zabbix website but what's written there differs from other sources of information. My guess is that different agent versions have different configuration steps?? There are multiple versions in the package manager..

Any shared experiences on how to set it up would be appreciated.

Hello,

Can someone please write a how to configure zabbix as I am unable to get it working with the (outdated) tutorials on the web.

Thank you.

Ah yes. Found a post on the internet from 3 years ago that said the same. They also mentioned that it is planned to encrypt things from the top down. Maybe it takes another 3 years or so.

Greetings,

I kindly ask if somebody can point me in the right direction on how to get DoT working using root servers by unbound? Couldn't find anything on the forum or the internet. Only tutorials using public dns like cloudflare and quad etc.

Thank you.