Messages

I'd rather do this on the Firewall. This is most likely a problem with OPNSense. I have my network setup so devices cannot communicate to each other. So, I need to do this from the Firewall with how everything is configured most likely.

I have my network setup to not give useful information to attackers. Currently, looking at the livelog I get the ip address of the WAN, but none of the ports Wireguard sees DNS attempting to communicate through are available in the livelog.

Even if I reset to factory defaults updating the Arch keyring does not work.

I'm trying to troubleshoot why this is happening. It's blocking the keys from calling home and I cannot figure out why. If I turn all of the security settings off it still does it. How can I filter the web traffic to only see pgp traffic in the live UI so I can troubleshoot and fix this?

The problem is when I filter the denied traffic I get a ton of stuff constantly being denied from my lan, and yes the time is correct. I think I'd have to kill every process on my home machine besides the Arch keyring refresh process.

Tried adding this rule with no luck.

on the lan for traffic coming in from that interface.

Source: LAN Net
Destination: any
port: 11371

with no luck. Do I need to configure port forwarding as well? I think I might need to dig through multiple menus to get this working. I tried booting from a live environment with the default settings and I can't update my pgp keys.

How would you configure a fresh system?

I'm trying to update my keyring to install up to date packages on one of my machines. Opensense is blocking the keyring update process with my current firewall rules. I think it's from a redirect to local dns. But, I'm getting errors like

Code Select Expand

error retrieving 'george@rawlinson.net.nz' via WKD:

I tried turning off all filtering, and intrustion detection with no luck. Anyone know what firewall rule I might need to allow pgp updates?

On my Qubes machine I cloned the working settings I currently use for wireless to that lan. I currently, cannot connect to the internet. I know this did work at one point. Any idea what I might be getting stuck on connecting to a tor relay on my Qubes machine. I think this was working before the switch to kea.

I do have intrusion detection and intrusion prevention up, and tried taking both down with no luck so far. Any idea what might be blocking me from connecting to tor?

My setup used to work. What I could do for my rule set was switch my default outbound connection between my wireguard gateway, and non-vpn gateway. Currently, only the non-vpn gateway works. I've doubled checked and everything should be setup fine on Mullvad's end. For whatever reason nothing seems to be getting out of my Wireguard tunnel. Anyone know what might be going on here?

These settings used to work correctly I know for a fact. Maybe, I changed one thing that broke it. Have any tips for how to troubleshoot this?

Recently, I needed to enable my VPN again, and enabling the gateway for it no longer works. I have confirmed that I am successfully handshaking with wireguard. So, that is not the issue.

How I have my DNS setup is Unbound forwards specific queries to DNSMasq, and connecting to those websites works successfully. However, connecting to the websites intended for Unbound does not work if my Wireguard gateway is up. Previously, this behavior worked as expected. Even rolling back to a known working configuration did not work. Is anyone able to help?

In /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf:

Code Select Expand

# Add the response for certain A/AAAA lookups to an opnsense alias
ipset=/example_website.com/dont_go_over_vpn


# Uncomment these if Unbound is still your primary DNS server; otherwise you'll have a loop
no-resolv
server=1.1.1.1


The above works for all sites not intended for the vpn. However, the sites intended for the VPN no longer work. I'm guessing this has something to do with the recent changes to DNSMasq and Unbound. In the Unbound gui I forward all example_website.com domains to DNSMasq.

Once I turn "Go out over VPN" to WAN_Mullvad I stop resolving addresses going out over the VPN. Previously, the VPN DNS would go out over the non-VPN tunnel to get the addresses for the VPN, and it no longer seems to be doing that at all.

[Update:]

I turned SMTEN on in the bios for the Dec850. Seems like it might be improving performance of Suricata. Hope we get support for that driver update soon. Some speed tests have been coming in 200 Mb/s faster since I've turned it on. I also have various tuneables turned on. But, the issue started showing up after turning on multithreading. I know this cpu only has 8 threads, and not 16 with multi-threading. But, does that setting still do something for Epyc 302s?

I have to manually assign my ip, and either reboot the firewall or restart Kea to get dhcp up. Networking works out of the router, but my devices are not getting assigned after every reboot. Could this be a bug?

Update: Looks like it was from setting dev.igb.<x>.fc=0. I'd assume other settings from here would have a similar impact. Either that or disabling powerd did it. I was able to get higher speeds intermittently, but those settings were not stable. Gateways kept going down, and download speeds would be 600 Mb/s for awhile, before suddenly dropping to 150 Mb/s. Still have SMT turned on and have not noticed any issues.

I tried your solution, but get the error message "This Gateway IP address already exists."

So, my network is starting to get more complex requiring multiple switches to hook all of my devices up. I'm starting to move away from having devices connected directly into my Dec850. For subnets I don't want leaking would I just toss them all on one switch, and configure the firewall rules for that switch to use external DNS servers?

To make sure nothing leaks, while still using a local resolver it sounds like my network could get quite complicated. Eventually, I'm probably going to move away from a VPN, and rent a VPS to run my wireguard servers. The only problem is if i need to change the country I come out of it could get quite expensive.

It's the gateway I setup for Wireguard on the Wireguard interface for my instance of Wireguard.

I believe I'm being impacted by the bug mentioned here. Trying to figure out if there is a workaround.

Solutions are mentioned here for DNS leaks from a local Unbound instance. I'm trying solution #1. Shouldn't setting Unbound's Outgoing Network Interface to the Wireguard interface accomplish that?

Got OpenVPN working, and the same behavior persists. There's really no way to setup a VPN tunnel (Maybe, using the ip address of the remote server) and have unbound go out through it for all of the DNS records?

Unbound has been leaking my DNS and think it is causing some reliability issues with which Gateway I go out on too. There's also the added concern of potential censorship on social media.

What I basically setup was for my firewall to use Unbound for most DNS queries, and for Unbound to forward a few queries to DNSMasq for the few sites I want going out over another Gateway. Redirecting all queries to Unbound is what's causing my DNS to leak. It did not leak, prior to redirecting all DNS queries to my local resolver.

If I bind the Outgoing Network Interface to only listen to WAN_Wireguard the internet completely breaks for me. If I bind it to WAN only everything works fine. I tried setting up a static route that connects to my VPN endpoint address and that did not work. How can I get this working?

I've tried setting up a URL Table in JSON format for Spamhaus's blocklist using Path expressions. However, I cannot find any expression that can successfully parse it. The JSON validators I've checked claim it is invalid JSON. However, jq can still successfully parse the list. Is this a situation that's kind of like YAML, where it's possible to write valid YAML no parser can interpret? Is this a valid JSON file?

I have a wireguard gateway, which I use as the default route for my traffic. I also have a second gateway I send traffic through that does not play nice with VPNs. This setup works perfectly fine. The problem is my gigabit internet gets cut in half. It definitely has more to do with IPS / IDS than my VPN. However, I'm trying to see if I can gain some performance back by sending my traffic out over multiple endpoints. Maybe, 100 Mbps max.

I have two endpoints setup currently, and they connect to the internet fine. However, the second one does not show an IP address, and I do not believe any traffic is getting sent out. In the widget, The first shows 44.71 MB down, and 7.93 MB up, while second shows 552 B down and 1.94 KB up. I have 0.0.0.0/0 set as the ip. Do I just need to assign random ips to both of the endpoints for this to work?

Would this even work with a gateway? I can't enable routes on this Wireguard instance. In otherwords how would I balance loads across both Wireguard endpoints?