Messages - baz

#1
I am setting up a new OPNsense install and created a new OpenVPN server instance for a peer-to-peer network. When I simply enable the OpenVPN server instance (not connect to it from another site or anything, simply enable it on the main network), the main network begins to act strange: various sites and services become unreachable, but not all. As soon as I disable OpenVPN everything works fine. If I successfully visit a site that was previously unreachable while OpenVPN was disabled, then visit it again after it's re-enabled, that specific site suddenly becomes reachable again, but others that I haven't visited yet aren't. Pinging problematic sites while OpenVPN is enabled shows the proper IP, but the ping fails to actually reach the sites. Same with traceroute.

I am surprised that simply enabling the OpenVPN service can have such effects on the host network. These sites aren't meant to be going through the VPN in the first place.

Any idea what's going on?

UPDATE:

I have traced the issue to a specific option in the OpenVPN config: "Verify Client Certificate". If this option is enabled, the aforementioned problems arise; if it is disabled, the network works fine. Any idea how/why that could be? These are just sites on the web from the host network; I am not trying to connect to the VPN from clients.
#2
Hello,

I would like to port forward requests from the open internet (WAN) to an nginx reverse proxy on a separate machine. I set up the domain `files.domain.com` to point to the OPNsense public IP. Then I set up a port forward for ports 80 and 443 on WAN to point to the nginx machine, like so:

I also opened ports 80 and 443 on the firewall for the WAN:

However when I visit `files.domain.com` it never seems to reach the nginx box.

Any idea what I am doing wrong?
#3
Thanks Franco, I should have mentioned that my goal is to run nginx natively so that I could use config files instead of the GUI. I think there are remnant configurations from the OPNsense install that are interfering with the native install. Specifically it seems to be looking for the command in the OPNsense directories rather than straight sbin. I'm no expert in FreeBSD though.
#4
I uninstalled the nginx plugin, then re-installed nginx through the command line using pkg, however when I try to start nginx ("service nginx start") I get the error:

```
eval: /usr/local/opnsense/scripts/nginx/setup.php: not found
```

It seems to still be looking for nginx in OPNsense.

If I do "which nginx" I get:

```
/usr/local/sbin/nginx
```

Any idea how to resolve this?
#5
I have a WAN on igb0 that I temporarily disabled. I added a WAN2 that connects to a different provider on igb1. Internet works, things seem to work. However this machine was a peer-to-peer OpenVPN client using the first WAN and when I changed the interface to WAN2 in the OpenVPN client config it doesn't seem to connect anymore, giving the following error repeated many times over:

```
ERROR: FreeBSD route add command failed: external program exited with error status: 1
```

I am not sure how to begin resolving this problem, any advice?
#6
I set up the nginx plugin as a reverse proxy to access a service from my network externally. To do that I had to change the port of the OPNsense UI to 4433 instead of 443, which means I have to specify the port to access it now. I would like to simply use an internal subdomain with no ports, like so: https://opnsense.internal.domain.com.

I tried setting this up with nginx. I created an "upstream server" that points to https://opnsense.internal.domain.com:4433, as well as an "HTTP Server" and "Location". However when I access the domain without specifying a port I get an internal server error:

Any idea why that is? Can I use nginx to route locally without exposing to the outside?

I'm not very good with nginx.

#7
Thanks a lot for your helpful response! Should the second location look like this:

#8
Hello,

I am setting up a Seafile instance to run through the nginx plugin in OPNsense. Seafile provides an example nginx conf to emulate, but I am having trouble getting it right using the OPNsense UI and was wondering if someone could help. The example conf looks like this:

```
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
    listen 80;
    server_name seafile.example.com;

    proxy_set_header X-Forwarded-For $remote_addr;

    location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host $host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log seafileformat;
         error_log       /var/log/nginx/seahub.error.log;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;

        send_timeout  36000s;

        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
        error_log       /var/log/nginx/seafhttp.error.log;
    }

    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }
}
```

Specifically I am unsure about how to implement the "proxy_pass" in "location" "/seafhttp":

I already have an "upstream" and "upstream server" defined for port 8000 to satisfy the first "location":

Should I create a second "upstream" and "upstream server" to handle port 8082?

Do I then add a "location" for it:

And associate that location with the existing "HTTP Server" already created:

Or perhaps create a separate "HTTP Server" for it?

I also have a question about the "rewrite" code:

I created the following "URL Rewrite":

Then I selected it in both the "HTTP Server" and the "Location" for "/seafhttp". Is that right?

Thanks for any help on part or all of this.
#9
I have an AP with VLAN support on OPT1 and a dumb switch (no VLAN support) for my cameras on OPT2. I would like any devices that are tagged VLAN #5 coming from the AP to be on the same network/subnet as the devices that are connected to the dumb switch. Is this possible? Does it involve bridging?
#10
I am connecting two sites through a peer-to-peer OpenVPN connection. I am able to access machines in the host network from the remote network by IP, however I am unable to access those same machines by name.

How can I tell my remote machine to use the host's DNS when trying to access host sites?
#11
I have two sites, one with LAN 10.1.0.0/16 and another with LAN 10.2.0.0/16. I have set up an OpenVPN peer-to-peer VPN that seems to connect the two networks. However I am unable to ping the host network from the remote if the OpenVPN "IPv4 Remote Network" has a CIDR of "/16", like this: "10.2.0.0/16". If I change the "IPv4 Remote Network" to "10.2.0.0/24", a smaller "/24" network, I am then able to successfully ping the host network from the remote.

Why is that?

Additionally when I am unable to ping the host network, I receive these errors in the logs:


```
2023-01-21T17:36:41-05:00 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-01-21T17:36:41-05:00 Warning openvpn Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
2023-01-21T17:36:41-05:00 Error openvpn event_wait : Interrupted system call (code=4)
```


Any idea what the issue may be?
#12
Thank you.
#13
I am trying to integrate seafile, and one of the config requirements under `server` is to set `X-Forwarded-For` like so:

```
server {
    proxy_set_header X-Forwarded-For $remote_addr;
}
```

When I check the config generated by the nginx plugin here at `/usr/local/etc/nginx/nginx.conf`, I am unable to find the setting under `server`, and I am unsure where in the GUI to find it.

Any ideas?
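As an added illustration, not from either post and not from Seafile's documentation or the OPNsense nginx plugin, the following Python emulates what the two `X-Forwarded-For` settings that appear in the config quoted in #8 and asked about in #13 (`$remote_addr` versus `$proxy_add_x_forwarded_for`) send upstream, and shows the backend-side reading that does not trust a client-supplied entry. The addresses, the `TRUSTED_PROXIES` list and the function names are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario (an assumption, not taken from the forum posts): nginx on
# the OPNsense box at 10.1.0.1 proxies to a Seafile backend. Only entries added
# by these networks may be believed by the backend.
TRUSTED_PROXIES = [ip_network("10.1.0.0/16"), ip_network("127.0.0.1/32")]


def set_xff_remote_addr(remote_addr: str, incoming_xff: str = "") -> str:
    """proxy_set_header X-Forwarded-For $remote_addr:
    whatever the client sent is dropped; only the TCP peer address goes upstream."""
    return remote_addr


def set_xff_proxy_add(remote_addr: str, incoming_xff: str = "") -> str:
    """proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for:
    the client's own header (if any) is kept and the TCP peer address is appended."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def leftmost_ip(xff_header: str) -> str:
    """Naive backend reading: first entry wins. Any client can put anything there,
    so with the appending variant this value is attacker-controlled."""
    return xff_header.split(",")[0].strip()


def client_ip(xff_header: str, peer_addr: str) -> str:
    """Backend reading that only trusts hops it knows: walk the chain from the
    right (nearest hop first), skip addresses in TRUSTED_PROXIES and return the
    first one that is not ours. A malformed entry raises ValueError."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    hops.append(peer_addr)  # the backend's own TCP peer is the last hop
    for hop in reversed(hops):
        if not any(ip_address(hop) in net for net in TRUSTED_PROXIES):
            return hop
    return hops[0]  # every hop was a trusted proxy; nothing better to report


def demo() -> dict:
    """A client at 203.0.113.7 sends a forged header claiming 1.2.3.4 (constructed);
    returns, per nginx setting: header sent upstream, naive reading, trusted reading."""
    client, proxy, forged = "203.0.113.7", "10.1.0.1", "1.2.3.4"
    results = {}
    for name, setter in (("remote_addr", set_xff_remote_addr),
                         ("proxy_add", set_xff_proxy_add)):
        upstream_xff = setter(client, forged)
        results[name] = (upstream_xff, leftmost_ip(upstream_xff),
                         client_ip(upstream_xff, proxy))
    return results


if __name__ == "__main__":
    for name, (sent, naive, trusted) in demo().items():
        print(f"{name:12s} upstream={sent!r:28s} naive={naive:12s} trusted={trusted}")
```

Two things the example makes visible. With `$remote_addr` the forged entry never reaches Seafile, while with `$proxy_add_x_forwarded_for` it does, and a backend that reads the leftmost entry will log or rate-limit on `1.2.3.4`; reading from the right past known proxies gives the real peer in both cases. Also, nginx only inherits `proxy_set_header` directives from the enclosing level when the location defines none of its own, so in the quoted config the server-level `$remote_addr` line is not in effect inside `location /` and `location /seafhttp`, which set the header themselves.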
#14
This `/usr/local/etc/nginx/nginx.conf` is exactly what I was looking for, thank you much. I don't even need to edit it, I just want to see what the UI is creating.
#15
I am having trouble setting up a separate service on my NAS that relies on the nginx configuration of OPNsense. Specifically this Seafile integration: https://manual.seafile.com/deploy/deploy_with_nginx/

I understand the conf file gets overwritten by OPNsense, but I would like to be able to see it so as to compare it to the documentation.

Where can I find the conf file that gets generated by the OPNsense UI?

Thanks.