Messages - Tadeus99

#1
The assertion that OPNsense was hacked caught my attention. :o

I should add to the previous suggestions to test before deploying, meaning at least connect it to your LAN and run nmap to check for open ports, make sure no default and/or weak passwords are in use, and use key authentication instead of passwords.

There is a lot that can be done, but the default installation is pretty safe, provided that the default passwords are changed/updated during the setup.

Good luck with your new setup. Check the forums or ask more specific questions if you get stuck on something.
#2
OPNsense 24.7.9_1-amd64


This is based on the AzireVPN road warrior example in the OPNsense docs.

The OPNsense router has 3 LAN Ethernet ports, each for a different lanX subnet that exits through a gateway which is a wgX tunnel. Each wgX tunnel has different WireGuard keys, is connected to a different server and shows a handshake time, so it appears to be connected.

All works in the first LAN. The other 2 have no traffic going through.

The routing table only shows entries for the lan0 tunnel:


Proto  Destination   Gateway  Flags  Use  MTU   Netif  Netif (name)
ipv4   0.0.0.0/1     link#9   US     NaN  1420  wg0    wireguard lan0
ipv4   10.0.0.0/8    link#9   U      NaN  1420  wg0    wireguard lan0
ipv4   128.0.0.0/1   link#9   US     NaN  1420  wg0    wireguard lan0

WireGuard logs show errors on all 3 opt interfaces:

2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt3 interface gateway address: 'missing'   
2024-11-28T14:04:52   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt4 interface gateway address: 'missing'   
2024-11-28T13:59:39   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt5 interface gateway address: 'missing'   
But they only show this for lan1 and lan2; lan0 connects and works fine.

2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''   
2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''   
   
2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''   
2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''   
If any one of the 3 WireGuard connections is enabled while the other 2 are disabled, that port/LAN/connection works and traffic goes through. This means the WireGuard keys, ports, etc. and the OPNsense firewall rules should be OK.

Hoping for some ideas on why the routing table only shows 1 out of 3 wg connections.
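A small diagnostic, added here as an example and not part of the original post: it parses a routing table dump and the wg-service-control.php error lines (constructed copies of the lines shown above) and reports every failed 'route add' whose destination prefix is already present in the table via a different interface, which is the 0.0.0.0/1 and 128.0.0.0/1 pattern seen for wg0 versus lan1/lan2.

```python
import re

# Constructed sample input, shaped like the routing table in the post.
ROUTE_TABLE = """\
Proto Destination Gateway Flags Use MTU Netif Netif (name)
ipv4  0.0.0.0/1   link#9  US    NaN 1420 wg0  wireguard lan0
ipv4  10.0.0.0/8  link#9  U     NaN 1420 wg0  wireguard lan0
ipv4  128.0.0.0/1 link#9  US    NaN 1420 wg0  wireguard lan0
"""

# Constructed sample input, shaped like the WireGuard error log in the post.
WG_LOG = """\
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''
"""

# Pulls the destination prefix and interface out of the quoted route command.
ROUTE_ADD_RE = re.compile(r"route -q -n add -'inet' '([^']+)' -interface '([^']+)'")


def parse_routes(text):
    """Map destination prefix -> netif from a route table dump (header skipped)."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "ipv4":
            continue
        routes[fields[1]] = fields[6]
    return routes


def failed_route_adds(text):
    """Return (prefix, interface) for every 'route add' that exited non-zero."""
    found = []
    for line in text.splitlines():
        if "returned exit code '1'" not in line:
            continue
        m = ROUTE_ADD_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def route_conflicts(route_text, log_text):
    """List failed adds whose prefix is already installed via another interface."""
    routes = parse_routes(route_text)
    conflicts = []
    for prefix, iface in failed_route_adds(log_text):
        owner = routes.get(prefix)
        if owner is not None and owner != iface:
            conflicts.append({"prefix": prefix, "wanted": iface, "present_via": owner})
    return conflicts
```

Feed it the same columns as the routing table dump above and the raw log lines to see which tunnels are losing the race for the same default-route halves.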
#3
24.7, 24.10 Legacy Series / Re: Some bug and i cant boot
November 09, 2024, 02:57:15 PM
The thread below should be of help:

https://github.com/opnsense/core/issues/1091

You will likely need to boot from a USB flash drive to edit the file indicated in that thread. If you don't have one, you will need a working computer to download the ISO/image and create the USB boot drive.
#4
Same here. No changes in the logs after updating to 27.7.4 but all the rest works.

The logs will display if you set the time frame to "no limit".
#5
After a clean installation of 24.7 and an upgrade to 24.7.3, I restored the backup of my latest 24.1 OPNsense configuration XML.

DNSCrypt is my only LAN DNS server. It resolves locally and also to all LANs.

Only 1 thing did not work well: the DNSCrypt proxy logs page.

2 problems:

1-
After restoring and reboot, the logs displayed no content. Domains were being resolved so it was working.

The default option is "Last day". When switching to "no limit" the logs do show, but... read below.


2-
Notice the alignment in the images. The date, severity and process columns are off.
In comparison, check the columns in the DHCP logs (last image).


This is a display issue. The proxy is working and logs are being collected.

#6
As of OPNsense 24.1.6 this works.

I am using Interface v4 as Check IP Method otherwise my VPN IP was being set.

Thanks for sharing.

Just wondering if Force SSL protects the username/password sent when syncing.



Quote from: doktornotor on November 14, 2023, 08:13:42 AM
Took a while to get it working. You get the data from https://freedns.afraid.org/dynamic/v2/?style=2 (v1 is not usable with ddclient). Also, the "native" backend is crucial, otherwise it will not work.

General settings:
Backend: Native

Service: custom
Protocol: DynDNS 2
Server: sync.afraid.org
Username/Password: Your FreeDNS username/password
Hostname(s): Your FreeDNS FQDN there
Check IP Method: FreeDNS
Interface to monitor: WAN
Force SSL: ticked
#7
I am a newbie with OPNsense and would appreciate your comments on this:

This is my setup:

ISP – OPNsense __ eth1 -- VPN -- LAN1 ... PC1, PC3
                           |__ eth2 -- WAN -- LAN2 ... PC2, PC4
                           |__ eth3 ...

OPNsense is permanently connected to the VPN for LAN1 traffic. LAN2 goes through OPNsense NAT to access the internet with my ISP public IP.

I need computers in LAN2 to access computers in LAN1 (ssh, smb, nfs, etc.) and vice versa.

As all LAN1 traffic is sent to the VPN, I tried creating a floating rule. It did not work.

I think I may need to somehow 'route' only local traffic between (LAN1) 192.168.10.X and (LAN2) 192.168.20.X before it reaches the gateway for each interface: VPN or WAN.

Just not sure how. Any ideas are appreciated.