Messages - nerlins

#1
DEAR READER

If you have made it this far, amidst the slight drama, here is the final update:

No-IP seems to be the culprit. My dynamic IP from my ISP recently changed, but the DDclient was pushing the update to No-IP. It appears to break/unbreak the WireGuard connection randomly. Last night I changed my endpoint to a FreeDNS hostname, and have had no issues. I have rebooted OPNsense multiple times, and toggled the client connection on/off multiple times.

I stand firm when I STATE that I had not made ANY CHANGES to my firewall. The erratic behavior of the DDNS endpoint redirect made it appear that the plugin was broken. This was not in my initial suspicion, hence why I asked for help, though I am not sure anyone would have guessed this issue.

I am no longer going to pay for/rely on No-IP. As far as I can tell, this is the culprit, but I still haven't found logs on OPNsense to check, although I can check PC/Android client app logs. Since it is working now, I am no longer going to troubleshoot. I hope this helps someone else.
#2
Franco,

I have put a warning on my comment, for others to see.

I read a lot of other posts from the recent few months of activity, and saw many with no responses. I assumed my posts/thread would lay dead just like all of these other posts. And, it's frustrating because, other than Reddit, there is nowhere else to ask questions about this operating system.

I don't know how else to say this: I had not changed anything related to the Wireguard setup. I had not made any changes to Unbound. A few days ago, I added another Dynamic DNS host to update through the GUI. How would that break Wireguard? Maybe there was a power outage I did not catch in time, and there was file system corruption. I have this on a UPS, so it's hard to imagine.

I think it's awkward for the admin to single me out, and insult me, by calling me a "general demotivating poster"? My last post was in April, and I answered my own question, detailing what I did to fix the issue. Before that, almost a month. Seems I edited it out, probably because I was lost on a problem and was embarrassed about my ignorance at the time.

So, I sincerely apologize if I offended you or anyone else, by saying "I guess this forum is dead", because I ACTUALLY worried it might be. But why the personal attack/insult?
#3
EDITED DUE TO RESPONSE FROM ADMIN
***WARNING*** OFFENSIVE COMMENT***
I guess this forum is dead. It's pretty disheartening...
***SHOULD NOT HAVE SAID THIS. APOLOGIES TO ALL!!!***

I restored from a 2-month-old backup, and now wireguard is working. I have not made any changes in the past 2 months. I haven't had any time to mess with this thing and it's been working just fine. I really wish someone would at least say something. If there is a bug that corrupts the plug-in when updating to the last couple of recent versions, then people need to be notified about it. There's no documented location for log files. Nothing is documented on how to troubleshoot why this broke. There is also no definitive answer why a backup fixed it. As far as I know a backup is only configuration files. Since I haven't changed anything what did the backup fix?
#4
Thought I fixed it. Still broken...

This doesn't make any sense. It only works when I am already on my home wifi. It does not work when I am trying to connect externally. Can someone chime in on what is happening?
#5
I set up Wireguard a few months ago, following the Road Warrior guide. It has worked since then. In the past few days it does not allow my clients to do anything. They appear to connect, but I see no response looking at handshakes. I have tried two DDNS services, just to make sure that wasn't the problem. Unbound DNS has been listening on the Wireguard interface since the beginning. I'm really not sure where to look for what has broken/changed. I personally have not changed anything on this firewall since setting up Wireguard.

I really don't know how to go about troubleshooting this. I have reinstalled the plugin. Updated to 21.1.8_1 firmware, updated all packages, cleared states and source tracking, cleared DNS cache, restarted Unbound...can someone help me with this?
#6
22.1 Legacy Series / Re: New Dynamic DNS not working
April 02, 2022, 04:17:39 AM
Nevermind...possibly. Didn't even see the little ENABLE checkbox. Also, Force SSL possibly needs to be disabled for NOIP. I finally got a SUCCESS message after making those changes and enabling verbose logging.
#7
22.1 Legacy Series / New Dynamic DNS not working
April 02, 2022, 04:03:16 AM
I can't get this new version to work. It doesn't seem to save my password, doesn't have a dashboard widget, and the logs keep saying found neither IPV4 nor IPV6 address. It also doesn't show up in the services widget, and I also have these errors:

WARNING: file /var/tmp/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''

WARNING: updating scaleman.ddns.net: nochg: No update required; unnecessary attempts to change to the current address are considered abusive

I am using NOIP. I have tried noip-ipv4, interface, and other options for Check IP Method. Am I doing something wrong?
#8
Quote from: Mks on March 21, 2022, 10:35:50 PM
Hi,

best practice is to create an alias (RFC1918) with private IPv4 address ranges.

Then on the VLAN99 where you want to have internet only create the following rule:

Interface: VLAN99
Source: Any
Protocol: TCP/UDP
Destination invert: checked (IMPORTANT)
Destination: RFC1918
Destination Port: 80,443

This allows TCP/UDP traffic for Port 80,44 only to Internet (IPv4).

br

What if their IOT devices need to access ports other than the two listed? And what if the ports they need aren't well documented? They would have to allow all just to see what is happening on the VLAN, right? I am welcome to be told I am wrong. Looking at this page, though, there are a ton of possible ports that could be used for IOT. These are standard, but the manufacturer could use any port they desired.

https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot--multi-purpose-attack-thingbots-threaten-intern
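As an added illustration (not from either post, and not OPNsense's own code) of how the quoted "internet only" rule evaluates with Destination invert checked, and why an undocumented IoT port is simply dropped: the alias contents, interface name and ports come from the quote; the evaluator is a simplified model written here.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the quoted rule; the alias holds the private IPv4
# ranges the quoted post suggests putting behind an "RFC1918" alias.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    interface: str
    ip_version: int        # 4: the quoted rule is explicitly IPv4-only
    protocols: frozenset   # {"tcp", "udp"}
    dst_ports: frozenset   # {80, 443}
    dst_alias: tuple       # networks behind the alias
    dst_invert: bool       # the "Destination invert" checkbox


def dst_in_alias(dst_ip, alias):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in alias)


def rule_matches(rule, iface, proto, dst_ip, dst_port):
    addr = ipaddress.ip_address(dst_ip)
    if iface != rule.interface or addr.version != rule.ip_version:
        return False
    if proto not in rule.protocols or dst_port not in rule.dst_ports:
        return False
    in_alias = dst_in_alias(dst_ip, rule.dst_alias)
    # Invert flips the alias test: match only when the destination is NOT in
    # any RFC1918 range, i.e. it is on the internet rather than another VLAN.
    return (not in_alias) if rule.dst_invert else in_alias


INTERNET_ONLY = Rule("VLAN99", 4, frozenset({"tcp", "udp"}),
                     frozenset({80, 443}), RFC1918, True)


def allowed(iface, proto, dst_ip, dst_port, rules=(INTERNET_ONLY,)):
    """Pass rules are first-match; an unmatched packet hits the default deny."""
    return any(rule_matches(r, iface, proto, dst_ip, dst_port) for r in rules)


if __name__ == "__main__":
    # HTTPS to a public address passes, the same port to the LAN does not, and
    # an undocumented IoT port (MQTT over TLS, 8883) is dropped: nerlins' concern.
    print(allowed("VLAN99", "tcp", "203.0.113.10", 443))   # True
    print(allowed("VLAN99", "tcp", "192.168.1.10", 443))   # False
    print(allowed("VLAN99", "tcp", "203.0.113.10", 8883))  # False
```

An IPv6 destination never matches this rule because it is pinned to IPv4; an inverted alias of IPv4-only ranges would otherwise match every IPv6 address.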
#9
General Discussion / edited
March 21, 2022, 08:17:09 PM
edited

#10
You have to create a default allow any to all rule, so you can at least get internet. That rule stays at the bottom of your rules list. Then add more allow/deny on top. Personally, I create rules on each VLAN, blocking them to IOT, then from IOT to those specific VLANs.
#11
General Discussion / edited
March 21, 2022, 07:57:42 PM
edited
#12
Haven't logged in here in a while. I appreciate you responding. I have almost forgotten about that part of the setup, but I'm pretty sure I followed yours exactly and have had encrypted DNS working well since then.
#13
General Discussion / Edited
March 21, 2022, 07:46:05 PM
edited
#14
I followed the first guide, and skipped entry of DNS servers in the general settings. All seems to be working. I think I see that - if no one cares to answer... - DNSCrypt uses Cloudflare. Looking at the bottom of the page I see his settings snapshots. So then it does appear to use its own server settings. I'll stick with what I've set up.
#15
I think I set up my DNS incorrectly, due to some reading I've done on the forum. I found a thread from user @comet, which was all over the place:

https://forum.opnsense.org/index.php?topic=8505.0

Currently I have set DNS servers in the Settings/General area, but I think that is incorrect. I want to use the Unbound Resolver, and found this article:

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

It does not mention adding servers in the General settings, but within Misc. settings of Unbound. I also came across this topic:

https://forum.opnsense.org/index.php?topic=10670.0

I would like all traffic to go through Quad9, but be able to use encrypted DNS, and add blacklists to Unbound.

The first guide makes sense, but it looks like the author is not using the General DNS server settings. Would that be correct?

I don't know enough about DNSCrypt, but from the second guide it appears to me that DNSCrypt uses its own DNS servers to reach IPs out of my internal network? I don't see where @p1n0ck10 lists specific DNS servers to use, because he says to omit the entries in General settings.

I'd appreciate a nudge in the right direction. I am moving from consumer grade routers, and feel stumped here. I can't seem to Google a proper answer.