Messages - Nikotine

#1
My apologies, I only looked at the play store. I see now that it's open source on Github. I stand corrected.
#2
Call me paranoid, but I'm currently not trusting an app with 50k downloads and 0 reviews 😉
#3
The problem seems to be DNS related.

My WG endpoint is home.<mydomain.com>:<port>.
The DNS records for this address (at my domain hosting service) point to my home IP.
This works perfectly when I'm not home, but stopped working when I arrived home.

I have set the Domain setting in Opnsense under System>Settings>General to home.<mydomain.com> as well.
I assumed that this would resolve to the Opnsense IP address (where the WG server runs) when I'm home, but that didn't seem to work (at least not for WG).
I have now added home.<mydomain.com> to Unbound's domain overrides.
This seems to have solved the problem of staying connected to WG at home, except that the switching doesn't happen smoothly.

Coming home now, I still lose internet connection. I need to manually disable WG, wait a while and then reconnect for it to use the internal IP address.
Same when I leave the house.
I'm testing this by disabling wifi on my phone, so that the WG connection needs to switch to my phone service provider.

How can I ensure a smooth transition from phone service to wifi and vice versa, while staying connected to WG?
#4
Quote from: dseven on February 24, 2025, 11:45:32 AM
WG should be able to work from your home LAN. Are you losing the WG connection (check for handshakes on either end - phone client or [VPN > WireGuard > Status] on OPNsense), or is it just routing to the internet that's not happening? Do you have access to your LAN hosts? If the handshakes are not happening, you probably have some firewall rule on your LAN interface that's blocking WG (UDP 51820 or whatever).
No more handshakes as soon as I'm on the home wifi. No internet at all really, can't even reach LAN hosts.
The firewall rules for LAN allow access to all (default allow LAN to any).
#5
I use a wireguard connection to my home opnsense firewall when not at home. That way I have the advantage of adblocked traffic and access to my home servers.
When I get home however, my phone connects to the home wifi and I lose internet connection, unless I disable wireguard.
Ideally I would leave wireguard active all day long, and not have to worry about this.

I have enabled all three reflection settings.
What else could I set up?
#6
Thanks, that worked.
#7
Quote from: chemlud on April 24, 2024, 10:19:39 AM
as a starter: what gives

ip a

on your laptop? Is the laptop configured for wireguard?

This is a Mac; it doesn't work.
ifconfig gives a whole lot of interfaces, none of which are for wireguard.
I connect to wireguard using the wireguard app.

Quote from: Patrick M. Hausen on April 24, 2024, 11:12:52 AM
By default a DNS lookup of "opnsense.my.do.main" returns all IP addresses of all interfaces local to OPNsense.

You can change this by

* Services > Unbound > General > Do not register system A/AAAA records
* Services > Unbound > Overrides - create an entry with the single IP address you prefer
Do I need both settings, or just one of them?
#8
I've got a weird issue.
My laptop is connected to my main VLAN 10.25.9.x.
The opnsense router IP is 10.25.9.1.

Yet when I traceroute opnsense.home.example.com (redacted), I see a warning about multiple addresses and I see it uses 10.25.10.1.
niek@3cz4n3 ~ % traceroute opnsense.home.example.com         
traceroute: Warning: opnsense.home.example.com has multiple addresses; using 10.25.10.1
traceroute to opnsense.home.example.com (10.25.10.1), 64 hops max, 40 byte packets
1  *

That subnet is used by the wireguard wg0 interface.
Why isn't opnsense.home.example.com resolving to the normal 10.25.9.1?
Which setting should I be looking at, unbound?
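The behaviour the quoted reply in #7 describes (Unbound registering every interface address for the system hostname) is what produces the traceroute warning in #8. The following is an added example, not code from the thread or from OPNsense: given the A records a client receives and the client's own address/prefix, it reports which record is on the laptop's LAN and which are stray. The hostname, the 10.25.9.42/24 client address and the two records are constructed from the post.

```python
# Added example (not from the thread): tell on-link from stray A records for the
# OPNsense hostname. Unbound registers every local interface address for the system
# hostname, so a client may pick the wg0 address (10.25.10.1) instead of the LAN one.
import ipaddress
import socket
import sys

# Constructed sample mirroring the post: laptop on 10.25.9.0/24, hostname has two A records.
SAMPLE_RECORDS = ["10.25.10.1", "10.25.9.1"]
SAMPLE_CLIENT = "10.25.9.42/24"

def split_onlink(addresses, client_cidr):
    """Split resolved addresses into those inside the client's subnet and the rest."""
    net = ipaddress.ip_interface(client_cidr).network
    onlink, offlink = [], []
    for a in addresses:
        (onlink if ipaddress.ip_address(a) in net else offlink).append(a)
    return onlink, offlink

def diagnose(hostname, addresses, client_cidr):
    """Preferred on-link address, stray records, and which Unbound setting to look at."""
    onlink, offlink = split_onlink(addresses, client_cidr)
    result = {"preferred": onlink[0] if onlink else None, "stray": offlink}
    if len(addresses) <= 1:
        result["advice"] = "single record; nothing to fix"
    elif onlink:
        result["advice"] = (f"{hostname} also answers with {', '.join(offlink)}; add a host "
                            f"override for {onlink[0]} or disable system A/AAAA registration")
    else:
        result["advice"] = f"none of {addresses} is on {client_cidr}; check the override"
    return result

def resolve_ipv4(hostname):
    """All IPv4 A records the resolver returns for hostname (live lookup)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "opnsense.home.example.com"
    client = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_CLIENT
    records = resolve_ipv4(host) if len(sys.argv) > 1 else SAMPLE_RECORDS
    r = diagnose(host, records, client)
    print(f"records: {records}\npreferred: {r['preferred']}\nstray: {r['stray']}\n{r['advice']}")
```

Run with no arguments to see the constructed case; pass the hostname and your own address/prefix to check a live lookup from the laptop.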
#9
I have an automation to upload the certificates from ACME to my NUC running Proxmox.
The first file arrives on the NUC (ca.pem) but then the automation fails when trying to set permissions:

2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Command execution failed, exit code 2. Last input was: {"host":"10.25.9.7","host-key":"10.25.9.7 ssh-rsa AAAAB...<redacted>","port":"22","identity-type":"rsa","user":"root","remote-path":"/etc/pve/nodes/nuc","chgrp":"","chmod":"","chmod-key":"","cert-name":"ACME/cert.pem","key-name":"pveproxy-ssl.key","ca-name":"ACME/ca.pem","fullchain-name":"pveproxy-ssl.pem","certificates":"60e233ae8317f2.49433155","automation-id":"6261bfbeab2f64.84589426"}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed on {"source":"/tmp/sftp-upload-prMeUP","target":"ACME/ca.pem","mode":"0440","group":false,"delete_source":true}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed uploading file (with adjusted permissions) '/tmp/sftp-upload-prMeUP' to 'ACME/ca.pem' ; Cause: {"permission_denied":true,"error":"remote fsetstat: Permission denied"}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed changing permission to '0600' for 'ACME/ca.pem'.  ; Cause: {"permission_denied":true,"error":"remote setstat \"/etc/pve/nodes/nuc/ACME/ca.pem\": Permission denied"}
2022-04-22T14:27:36 Notice opnsense AcmeClient: running automation (configd): NUC


I have the same type of automation distributing these certificates to two other devices without a problem.
I would like to post the problem on a Proxmox forum as well, but the problem is I don't know which command it is failing on exactly. Is it chmod, umask,...? Google doesn't seem to know setstat or fsetstat.
Any idea what might be going wrong here?
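The "remote fsetstat" and "remote setstat" strings in the Cause JSON above name the SFTP protocol requests the server refused: fsetstat sets attributes (mode, owner) on an open file handle and setstat sets them by path, which is what a chmod or chgrp becomes over SFTP. The following is an added example, not code from the thread or from OPNsense: a parser that pulls the refused request, its path and the reason out of the AcmeClient upload_sftp.php log lines. The sample log is the post's own lines with the first line's JSON abbreviated.

```python
# Added example (not from the thread): extract the refused SFTP request (fsetstat / setstat),
# the remote path and the reason from OPNsense AcmeClient upload_sftp.php log lines.
import json
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) (?P<host>\S+) (?P<src>\S+): (?P<msg>.*)$")
REMOTE_RE = re.compile(r'^remote (?P<op>\w+)(?: "(?P<path>[^"]*)")?: (?P<reason>.*)$')

# Constructed sample: the post's log lines, first line's JSON abbreviated to the relevant keys.
SAMPLE_LOG = """\
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Command execution failed, exit code 2. Last input was: {"host":"10.25.9.7","port":"22","user":"root","remote-path":"/etc/pve/nodes/nuc","chmod":"","ca-name":"ACME/ca.pem"}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed on {"source":"/tmp/sftp-upload-prMeUP","target":"ACME/ca.pem","mode":"0440","group":false,"delete_source":true}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed uploading file (with adjusted permissions) '/tmp/sftp-upload-prMeUP' to 'ACME/ca.pem' ; Cause: {"permission_denied":true,"error":"remote fsetstat: Permission denied"}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed changing permission to '0600' for 'ACME/ca.pem'.  ; Cause: {"permission_denied":true,"error":"remote setstat \\"/etc/pve/nodes/nuc/ACME/ca.pem\\": Permission denied"}
2022-04-22T14:27:36 Notice opnsense AcmeClient: running automation (configd): NUC
"""

def parse_line(line):
    """Split one log line into fields; the trailing JSON (if any) becomes rec['payload']."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    brace = msg.find("{")
    rec["payload"] = json.loads(msg[brace:]) if brace != -1 else None
    rec["text"] = (msg[:brace] if brace != -1 else msg).split(" ; Cause:")[0].strip()
    return rec

def failing_sftp_ops(log_text):
    """Return the refused SFTP requests, oldest first: ts, op, path, reason and the step."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["level"] != "Error" or not rec["payload"]:
            continue
        err = rec["payload"].get("error")
        m = REMOTE_RE.match(err) if isinstance(err, str) else None
        if m:
            found.append({"ts": rec["ts"], "op": m["op"], "path": m["path"],
                          "reason": m["reason"], "step": rec["text"]})
    return sorted(found, key=lambda r: r["ts"])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in failing_sftp_ops(text):
        print(f'{r["ts"]} SFTP {r["op"]} on {r["path"] or "(open handle)"}: {r["reason"]}  [{r["step"]}]')
```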
#10
General Discussion / Re: Upgrade ssd
January 06, 2022, 12:39:23 AM
I managed to do it, using the discussion here!
I booted and opened a shell, then did:

  • gpart show and took note of the index of the partition I wanted to extend, 3 in my case.
  • Then I did gpart resize -i 3 ada0 to assign the unallocated space to the rootfs partition.
  • df -h to find the filesystem name for rootfs, which is /dev/gpt/rootfs in my case.
  • Now grow that filesystem with growfs /dev/gpt/rootfs and finally check if it worked with df -h

I just rebooted and it worked!
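The steps above work because the free space from the larger SSD sits directly behind the rootfs partition; gpart resize can only grow a partition into free space that follows it, so a swap partition placed after rootfs would block the resize. The following is an added dry-run helper, not code from the thread or from OPNsense: it parses gpart show output, locates the freebsd-ufs partition and emits the resize and growfs commands only when that condition holds. The disk layout is constructed; the partition index 3 and /dev/gpt/rootfs come from the post.

```python
# Added example (not from the thread): preflight for the grow procedure. Parses
# `gpart show <disk>` output (FreeBSD), finds the freebsd-ufs partition and only
# emits `gpart resize -i N` / `growfs` when free space directly follows it.
import re
import sys

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")   # start size index type

# Constructed sample: a 16 GB image restored onto a 250 GB disk, rootfs is index 3.
SAMPLE_GPART = """\
=>       40  488397088  ada0  GPT  (233G)
         40       1024     1  freebsd-boot  (512K)
       1064    2097152     2  freebsd-swap  (1.0G)
    2098216   29169152     3  freebsd-ufs  (14G)
   31267368  457129720        - free -  (218G)
"""

def parse_gpart_show(text):
    """Return (disk, rows); each row is dict(start, size, index, type), free space has index None."""
    disk, rows = None, []
    for line in text.splitlines():
        if line.startswith("=>"):
            disk = line.split()[3]
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        start, size, idx, ptype = m.groups()
        rows.append({"start": int(start), "size": int(size),
                     "index": None if idx == "-" else int(idx),
                     "type": "free" if idx == "-" else ptype})
    return disk, rows

def grow_plan(text, ptype="freebsd-ufs", fs="/dev/gpt/rootfs"):
    """Commands to run, or why gpart resize would not work (free space must follow the partition)."""
    disk, rows = parse_gpart_show(text)
    targets = [r for r in rows if r["type"] == ptype]
    if len(targets) != 1:
        return {"ok": False, "why": f"expected one {ptype} partition, found {len(targets)}"}
    t = targets[0]
    after = [r for r in rows if r["start"] > t["start"]]
    if not after or after[0]["type"] != "free":
        blocker = after[0]["type"] if after else "end of disk"
        return {"ok": False, "why": f"no free space behind index {t['index']} ({blocker} follows)"}
    return {"ok": True, "index": t["index"],
            "commands": [f"gpart resize -i {t['index']} {disk}", f"growfs {fs}", "df -h"]}

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GPART
    print(grow_plan(text))
```

Pipe `gpart show ada0 | python3 grow_plan.py` on the firewall to check your own layout before resizing.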
#11
General Discussion / Re: Upgrade ssd
January 06, 2022, 12:18:39 AM
So cloning went smoothly with Clonezilla.
I now have the new SSD in the machine and have written the clone back.
This all works, Opnsense boots but still sees just 16 GB.

The problem now is that Gparted doesn't want to extend the rootfs partition to include the unallocated space, whatever I try...
I suspect Gparted can't work with UFS partitions.

Luckily I still have the old SSD, the clone on a separate drive and even a backup of the config, so I can experiment a bit on the new SSD.
But in the meantime the wife is back home, so I need to hurry up ;)
#12
General Discussion / Re: Upgrade ssd
January 05, 2022, 12:13:17 PM
Ok, I've prepared two bootable drives, one external HD for Clonezilla, with enough space left to save the cloned drive, and a small thumbdrive with gparted.
After the wife leaves tonight, I'll bring down the Opnsense machine and perform the surgery :)
Fingers crossed!
#13
General Discussion / Re: Upgrade ssd
January 04, 2022, 10:29:09 PM
Hmm, so burn an iso of clonezilla to backup the ssd to my nas. Then switch the ssd and clone it back. Finally burn an iso for gparted to extend the partition?
#14
General Discussion / [solved] Upgrade ssd
January 04, 2022, 02:07:04 PM
I have been running Opnsense on an HP T620 plus for about 8 months now and have been adding/activating features.
Especially Sensei has been pushing the hardware to the limit, more specifically the 16 GB SSD.
Last week I noticed the dashboard was reporting 104% disk usage.
This happened the day after I had been adding a number of wifi devices (Shelly smart switches etc) and had been playing with VLANs.

Anyway, even with Sensei reporting data retention set to 1 day (instead of the default 2), disk usage is currently at 89%.
So I bought a new 250 GB SSD.
Overkill, but it came down to the GB/€ ratio.

My question is, how do I best upgrade the SSD?
I've read that I could export the settings, install Opnsense on the new SSD and then import the settings, but I have a few questions before I do that:

  • Are all settings being exported, also those for plugins like Sensei or Suricata? Sensei for example has its own option to export the configuration.
  • Does it automatically reinstall the plugins you had, or just restore the previous settings after you manually add those plugins?
  • Will I run into issues with my ACME certificates? Will they continue to refresh, or do I need to set this up again, because perhaps the secret key changes?
  • The installation documentation talks about the Opnsense Importer. If you are installing Opnsense using a USB memory stick, does this mean you need a separate memory stick with the config files you exported, or can it be the same as the installation stick?
#15
21.7 Legacy Series / Have VLAN directly linked to WAN
December 29, 2021, 10:25:01 PM
I have a device in my local network that needs to have direct access to WAN, so without NAT (it's an iptv box from my internet/TV provider).
If I put that device in a separate VLAN, should I then bridge this VLAN with the WAN interface?
I can't connect the device straight to my provider's router, because of the location, and there are other devices at that location that go via the same cable.

I come from Openwrt and there it was really simple: https://www.niek.be/2016/03/17/interactive-television-with-openwrt-telenet-digicorder-behind-your-own-router/
But I'm unsure how to do the same in opnsense.