Messages - Fabian Wenk

#1
25.1, 25.4 Series / Re: 25.1.12 broke my OPNsense
July 23, 2025, 12:44:24 PM
I did update 2 systems from 25.1.11 to 25.1.12 yesterday, and it only failed on one of them and I had to reinstall.

And just now we did update 4 systems from 25.1.10 to 25.1.12 directly without any issue at all. The only small thing we have seen on two of the systems is that after another "Check for updates" the update of p5-Specio was still pending, which we then did as well.
#2
25.1, 25.4 Series / Re: VPN and NAT Reflexion
July 22, 2025, 05:34:24 PM
Are the private IP addresses from the VPN / road warrior allowed in NAT?
#3
Quote from: Monviech (Cedrik) on July 18, 2025, 04:31:09 PM
it's a unix timestamp

root@opn03:/usr/local/etc # date -j -f "%s" 1752053171
Wed Jul  9 11:26:11 CEST 2025


On OPNsense and other BSD systems (including macOS) it is much simpler to use it like this:

 % date -r 1752053171
Wed Jul  9 11:26:11 CEST 2025

As far as I know this does not work on Linux systems.
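A portable version of this conversion, added here as an example that is not part of the forum post: it uses the BSD "date -r" form on OPNsense/FreeBSD/macOS and the GNU "date -d @" form on Linux, and assumes that uname -s reports "Linux" wherever GNU date is in use.

```shell
#!/bin/sh
# Convert a Unix timestamp to an ISO 8601 string in UTC on both BSD-style
# date(1) (OPNsense, FreeBSD, macOS: "date -r") and GNU date (Linux: "date -d @").
# Added example, not from the forum post; assumes uname(1) reports "Linux"
# where GNU date is in use and a BSD date everywhere else.
epoch_to_iso() {
    ts=$1
    # Accept only a plain non-negative integer; anything else is not an epoch value.
    case $ts in
        '' | *[!0-9]*)
            echo "epoch_to_iso: not a Unix timestamp: '$ts'" >&2
            return 1
            ;;
    esac
    if [ "$(uname -s)" = Linux ]; then
        date -u -d "@$ts" +%Y-%m-%dT%H:%M:%SZ    # GNU date
    else
        date -u -r "$ts" +%Y-%m-%dT%H:%M:%SZ     # BSD date
    fi
}

# The value from the thread: 1752053171 is Wed Jul  9 11:26:11 CEST 2025,
# which is 09:26:11 UTC.
epoch_to_iso 1752053171
```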
#4
I have only systems with 2 ISPs and up to 4 gateways because of IPv6 and IPv4. Usually I get the failed (with details) and succeeded (very generic) email on change. But I cannot recall (or find any emails) for a cascade of failures.
If an uplink goes down, then in the one email both IPv6 and IPv4 are reported. But there could be cases where only one protocol is down, as I also monitor IP addresses outside of my ISP's network.

In Services / Monit / Settings in the "Service Settings" tab I have enabled the gateway_alert.
#5
I do remember that it was possible to directly show in the Dashboard (in System Information) the status of whether updates are available or not. I do remember that it was possible to disable this somewhere in the settings (which I did), but I am currently unable to find it again. My systems all only show "Click to view pending updates." there.

At least something like this could explain why these lookups happen, e.g. when someone has the Dashboard open all day long.
#6
It may be possible to prevent clients from doing this when they do not have a search domain name set or given through DHCP. But then clients may have to use the FQDN in requests for internal hosts.
#7
With CARP the Virtual IP has its own dedicated MAC address. With this an upstream router does not have to learn a new MAC address when the VIP jumps from one OPNsense instance to the other.
But on the other hand the switch between the OPNsense and the upstream router now has to reassign the MAC address to another port. Depending on possible security settings on the switch, this may not work properly.
#8
If you either toggle "full help" on at the top right, or click on the (i) icon left of "Server (IPv4)", the following help will be shown below the entry field:

"This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the .1 address of the given network for use as the server-side endpoint of the local TUN/ TAP interface"
#9
If this is for the "Server (IPv4)" setting, then this needs to be the VPN-internal IP addresses, defined with a netmask, e.g. as 192.168.100.0/24.

The above "Bind address" entry in my case is empty, so the OpenVPN server will listen on all interfaces. Maybe you cannot set multiple IP addresses there. In case you want to disable access on some interfaces, probably the best idea is to block it with firewall rules.
#10
I manage an installation with an OpenVPN server for users where "Strict User/CN Matching" is set to Yes. In that case all usernames consist only of lowercase letters (a - z, no special characters or umlauts or such), and of course with an identical CN in the certificate. The description of the certificate is different.

Can you try with a username without the "_", because I think that may not work as a CN in the certificate?
#11
There is another thread with the same issue, where the user bamypamy tracked it down to the OPNsense systems not having direct internet access and having to use a proxy server; see https://forum.opnsense.org/index.php?msg=238761
#12
I have just upgraded an HA setup from 25.1.5 to 25.1.7 with multiple OpenVPN servers running. Still in legacy mode: one for end-user clients, two for Site2Site to some Ubuntu servers running OpenVPN, and one that another OPNsense connects to with the legacy client. Plus also a new instance for end users.
So far all of them are working fine, as they already did when the secondary system had been updated and then was CARP master.

Maybe check in VPN / OpenVPN / Log File for anything indicating what may be the issue.
#14
This is the difference between the base system (FreeBSD) installed version and the one installed from Ports (pkg).

root@scrambler:~ # /usr/bin/which -a zstd
/usr/bin/zstd
/usr/local/bin/zstd
root@scrambler:~ #

Everything installed from the base FreeBSD system is in /bin /usr/bin and such, and all from Ports is in /usr/local/.

The path shows in which order things are used:
root@scrambler:~ # echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
root@scrambler:~ #

So to use the Ports zstd you have to use /usr/local/bin/zstd:
root@scrambler:~ # /usr/local/bin/zstd -v
*** Zstandard CLI (64-bit) v1.5.7, by Yann Collet ***
stdin is a console, aborting
root@scrambler:~ #
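The same lookup as a small POSIX shell function, added here as an example that is not part of the forum post: it walks a PATH-style list in order and prints every executable with the given name, so it is visible which copy a bare command name resolves to and which copies are shadowed. The second argument is the list to search and defaults to $PATH.

```shell
#!/bin/sh
# Report every executable named $1 along a PATH-style list, in search order,
# like "which -a". Added example, not from the forum post.
# The subshell body keeps the IFS and "set -f" changes local to the function.
path_lookup() (
    name=$1
    list=${2:-$PATH}
    found=0
    IFS=:          # split the list on ':' only
    set -f         # no globbing while the list is expanded
    for dir in $list; do
        [ -n "$dir" ] || dir=.               # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            echo "$dir/$name"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]                       # non-zero status when nothing matched
)

# Only the first match, i.e. the copy a bare command name actually runs.
first_in_path() {
    path_lookup "$@" | head -n 1
}

# Mirror of the check in the thread: base system directories come before
# /usr/local in this PATH, so /usr/bin/zstd would win over the Ports copy.
path_lookup zstd "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
    || echo "no zstd in that PATH on this host"
```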
#15
How would any resolving system (OPNsense itself or a client in the network) know whether the outbound traffic will go through the ProtonVPN "uplink" or anything else?

It will be impossible to direct DNS requests through ProtonVPN if you don't know, before doing a lookup, which destination will be used. Or the bigger question may be: how do you decide where traffic will go out?