Messages - Arno

#1
No. See attached image.

LAN net = subnet A
Internet = subnet A
DMZ = subnet B

The server that is blocked is in subnet C and its IP address is in the 'NoVPN' alias.
The bottom rule in the picture is for all in subnet C.
Below these rules are more rules. Packets from the server should match the NoVPN rule so I excluded them from the picture.
#2
Hi,

For one box I want internet access bypassing my VPN client to a VPN provider.
So I added the IP address to a 'NoVPN' alias.

On the LAN interface there is a pass rule:
Source: IPv4 NoVPN alias
Destination: *
(and another rule below for the same subnet to use VPN gateway)

When I search the logs using remote logging there are packets on the LAN interface that are blocked from this one box (from tcp high ports to tcp high ports).
So before going out on the internet some packets are blocked.

How is this possible?
#3
Do I have to use the Authority of the VPN provider? Can't select it in the Trust section when creating a client instance.

Role: Client
Protocol: UDP
Type: TUN
Remote: <vpnserver>:<port>
User: xxxxx
Password: xxxxx

What else?
#4
Hi everyone,

For my internet access I use a well known OpenVPN provider. Multiple legacy clients (for multiple countries) are configured. Works fine. How do I go from legacy clients to client instances?
#5
24.7, 24.10 Legacy Series / Re: Wireguard - No handshake
November 17, 2024, 07:19:38 PM
> How did you configure the Client profile?
Oops... :-[
In the client profile I used the public key of my laptop... for the OPNsense peer.

Got a handshake  :). Can't ping anything yet.
That's for another time.
This is solved for now. Thanks!
#6
24.7, 24.10 Legacy Series / Re: Wireguard - No handshake
November 15, 2024, 11:06:08 PM
No handshake yet.

When connecting from public wifi to OPNsense 'required key missing' (or similar, this is a translation) was shown on my laptop (wg client).
Have to debug a lot (routes, metric, DNS, allowed IPs).

Today I came across the 'wg watch' command.
To be continued. Debug suggestions welcome.
#7
24.7, 24.10 Legacy Series / Re: Wireguard - No handshake
November 14, 2024, 09:49:05 PM
> Quote from: Monviech (Cedrik) on November 14, 2024, 05:48:13 PM
> No, WireGuard doesn't log anything per design.
Didn't know that. Thanks.

Recreated my 'Laptop' peer. It now shows on the wireguard widget. Offline for now. Not tested with public wifi yet.
Also created an extra firewall rule on Wireguard (Group) to monitor outbound wireguard traffic (51820/udp).

In my 'Laptop' peer I left Endpoint and port empty. Is this correct?

I will report back when I have tested from public wifi.
#8
24.7, 24.10 Legacy Series / Re: Wireguard - No handshake
November 14, 2024, 05:08:23 PM
Where in the OPNsense logs can I check those 3 cases?

The packets reach the OPN server. In the logs I see correct source and destination IP address and port 51820/udp (pass).
'Laptop' is a peer of the only wireguard instance (and is enabled).

VPN - Wireguard - Logfile is empty.
VPN - Wireguard - Status - Handshake is empty.

If the keys are wrong, shouldn't there be at least a log message?
#9
Hi everyone,

Using a public wifi I'm trying to connect to my home LAN.

In the logs of OPNsense (via Graylog) I see some incoming packets on WAN port 51820 (pass).

There are no firewall rules on the wireguard interface.
There is one rule on Wireguard (Group): Any IPv4 to one private subnet (/24).

Why is there no handshake when I connect from my Linux Mint laptop?
The public wifi isn't the problem I think. There are incoming packets on OPNsense.
#10
Solved with a 4G dongle (Alcatel IK41xx).

Configured WAN interface with USB device (ue0) and DHCP.
The WAN IP address is a private IP address of the dongle.
All fine now.

Key was to remove the PIN code from the SIM card.
Can't tell how that was done. That was done by the store where I bought the SIM card.
Something like put SIM in a smartphone and remove the PIN.
#11
Thanks for your replies,
The M6 I saw, but for me it's too expensive for only bridging a gap for a month between two DSL providers.

Because it's a temp solution, switching software is not an option now.
#12
Hi,

Today I tried to use a Huawei E3372H. No luck.
Read online that model has to be flashed (to S version).

Does anyone have a recommendation for a similar dongle that is supported by OPNsense?
It is a failover for DSL. My DSL is down for now.
Posting from a public hotspot.

The Acer D5 Connect Predator does not work because there is not enough power on the USB port.
#13
Hello,

For my internet connection I use a VPN provider.
In the client configuration I have the option 'Select remote server at random' checked.

Assuming that selecting the server is at service start, can it be done over time?
Every x hour connect to a different VPN server.
Via WebGUI or cronjob.
#14
Now I got no pictures at all.
No traffic from IPTV interface. Do have an IP address on IPTV interface (DHCP).
Upgraded to 21.1.6

When I switch to pfSense all is ok (no hardware or cable changes, only other vm and same configuration I think).

Anyone any idea what to check/configure?
#15
21.1 Legacy Series / Re: IGMP proxy not started
May 29, 2021, 11:22:08 AM
@RedVortex: Same configuration here. Only other vlan numbers.

> Also, you do not put any network on the downstream interface, only on the upstream.
The upstream networks are from the ISP(IPTV). They are correct (TV channels are visible now)
Downstream network is a private subnet on a separate interface.
Setup has three network interfaces: WAN/LAN/STB.

Rules:
IPTV (incoming):
IPv4 * * * gw IPTV if
'Allow options' was off (my bad, sorry), now enabled.

Difference now is that I can see the channels.
But only for a few seconds. Then it freezes.

Settop box:
I have specific rules for the separate network interface. No blocking traffic for what I can see.
DHCP (from OPNsense) works.
DNS is set in the DHCP server to DNS servers of the ISP.

I will review all the settings again. Done this so many times now I'm missing things (like allow options).
Thanks for your help.

Do you have any hints on the picture freeze? On forums I read other people posting this but can't remember what solved it.