"
Thanks, it was configured correctly and just stopped working. I just renabled those servers to test again and it is working again. Maybe it was something to do with the cdn or something. Thanks though!
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
25.7 Series / [solved] unbound connection to quad9 TLS
August 27, 2025, 02:43:51 AM
Hi all,
I am getting a very strange problem which just started this morning. I can't see anything in the logs which would indicate what is causing it either.
When using the quad9 tls servers in unbound (9.9.9.9) dns resolution fails. If i use cloudflare or google tls it works perfectly.
I can use dig +tls @9.9.9.9 to resolve names manually so connection to 9.9.9.9 doesn't seem to be the problem and I can't see anything in the unbound logs indicating an error.
Is anyone else having a problem? Could it be a certificate error or something on the opnsense box?
I am getting a very strange problem which just started this morning. I can't see anything in the logs which would indicate what is causing it either.
When using the quad9 tls servers in unbound (9.9.9.9) dns resolution fails. If i use cloudflare or google tls it works perfectly.
I can use dig +tls @9.9.9.9 to resolve names manually so connection to 9.9.9.9 doesn't seem to be the problem and I can't see anything in the unbound logs indicating an error.
Is anyone else having a problem? Could it be a certificate error or something on the opnsense box?
#3
Zenarmor (Sensei) / Re: SOLVED Resolving hostname
April 09, 2024, 02:38:47 AM
I have the free version running and some of my local IPs resolve but not others. Its strange. I don't have any aliases setup.
Does this happen for anyone else?
Does this happen for anyone else?
#4
Virtual private networks / Re: Wireguard Selective Routing - Why Step 9?
February 03, 2024, 12:44:25 AM
Sorry I am only just coming back to this as I haven't had my VPN on for the last year. Thank you all for replies and responses.
#5
Hardware and Performance / Re: Alder Lake N100 fanless build
July 30, 2023, 05:40:40 AM
Thanks, interesting looks like it should handle it fine
#6
Hardware and Performance / Re: Alder Lake N100 fanless build
July 30, 2023, 02:58:03 AM
Hi there thanks for posting this. I would be really interested to know what wireguard performance is like? i am in the process of upgrading my router and looking for one which will support gigabit wireguard
edit: Also what temps are you seeing?
edit: Also what temps are you seeing?
#7
Virtual private networks / Re: Wireguard maxing out at 120Mbs
July 06, 2023, 07:45:39 AM
On further inspection, it appears there is a CPU bottleneck on CPU0 when wireguard is enabled.
When wireguard is disabled, the is obviously less CPU overhead across all 4 cores
When it is enabled, CPU0 does all the interupt heavy lifting and the other cores whilst have system usage, interrupt usage in top is minimal.
Not sure how I fix that though, I have tried lots of different tunables from the forum but nothing seems to make a difference
When wireguard is disabled, the is obviously less CPU overhead across all 4 cores
When it is enabled, CPU0 does all the interupt heavy lifting and the other cores whilst have system usage, interrupt usage in top is minimal.
Not sure how I fix that though, I have tried lots of different tunables from the forum but nothing seems to make a difference
#8
Virtual private networks / Wireguard maxing out at 120Mbs
July 04, 2023, 02:13:11 PM
Hi all
I have just upgraded to a fibre connection which is 1Gbit. If i connect directly with my laptop and Mullvad wireguard i get speeds about 5% slower than than the native connection.
On my my APU4 PCEngine with opnsense I get max 120Mbps.
I have tried changing MTU and simplifying the routing tables. No changes and unlikely to be the issue as my fibre connection doesnt use PPPoE.
Any ideas how I can get my opnsense box to achieve the same speeds? It is the latest version with the kmod as default. The cpu is also not even 10/15% when doing the speed test
I have just upgraded to a fibre connection which is 1Gbit. If i connect directly with my laptop and Mullvad wireguard i get speeds about 5% slower than than the native connection.
On my my APU4 PCEngine with opnsense I get max 120Mbps.
I have tried changing MTU and simplifying the routing tables. No changes and unlikely to be the issue as my fibre connection doesnt use PPPoE.
Any ideas how I can get my opnsense box to achieve the same speeds? It is the latest version with the kmod as default. The cpu is also not even 10/15% when doing the speed test
#9
Virtual private networks / Wireguard Selective Routing - Why Step 9?
January 26, 2023, 08:58:20 AM
Hi,
I have setup my wireguard to connect to mullvad and route all LAN traffic through it.
My original setup was a little different to the guide for selective routing to an external vpn in the opnsense wiki.
As it was the only wireguard connection I didn't have 'disable routes' enabled. This way I just had:
1. an interface assigned to wg0
2. A gateway for the interface GWwg0
3. A Nat outbound rule for wireguard interface set to take a LAN traffic out GWwg0
This worked great as i didn't have to set a specific outbound firewall rule for the LAN interface. It just took all traffic to the default gateway. This was GWwg0 when it was up, but if it failed it just went out the wan interface (something i'm happy with, not concerned with leakage).
Now if you have 2 wireguard instances, they don't seem to work unless one of the instances has 'disable routes' as per the wiki instructions. You then setup the routing in the firewall rules, manually set the gateway address in the wireguard local peer, and also set the gateway monitor ip in the gateway. All things you understandably don't have to do if 'disable routes' is unchecked.
In this instance you have to use gateway groups (and set a lan interface rule to use the grouped gateway) in order to get failover. You also need to add an extra rule which uses the default * gateway for any LAN addresses which sits above the other rule, otherwise you can get locked out of the GUI (weird because the floating anti lockout rule should stop this, but it doesn't seem to.)
Anyway, one of the setups it asks for is adding this floating rule https://wiki.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-9-configure-routing
What is the point of this? If i disable it, everything still works fine.
Am i missing something, it seems like a rather strange floating rule
I have setup my wireguard to connect to mullvad and route all LAN traffic through it.
My original setup was a little different to the guide for selective routing to an external vpn in the opnsense wiki.
As it was the only wireguard connection I didn't have 'disable routes' enabled. This way I just had:
1. an interface assigned to wg0
2. A gateway for the interface GWwg0
3. A Nat outbound rule for wireguard interface set to take a LAN traffic out GWwg0
This worked great as i didn't have to set a specific outbound firewall rule for the LAN interface. It just took all traffic to the default gateway. This was GWwg0 when it was up, but if it failed it just went out the wan interface (something i'm happy with, not concerned with leakage).
Now if you have 2 wireguard instances, they don't seem to work unless one of the instances has 'disable routes' as per the wiki instructions. You then setup the routing in the firewall rules, manually set the gateway address in the wireguard local peer, and also set the gateway monitor ip in the gateway. All things you understandably don't have to do if 'disable routes' is unchecked.
In this instance you have to use gateway groups (and set a lan interface rule to use the grouped gateway) in order to get failover. You also need to add an extra rule which uses the default * gateway for any LAN addresses which sits above the other rule, otherwise you can get locked out of the GUI (weird because the floating anti lockout rule should stop this, but it doesn't seem to.)
Anyway, one of the setups it asks for is adding this floating rule https://wiki.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-9-configure-routing
What is the point of this? If i disable it, everything still works fine.
Am i missing something, it seems like a rather strange floating rule
#10
22.7 Legacy Series / Update fails with error in certs.inc line 33
September 05, 2022, 02:02:54 AM
Hello,
My upgrade has failed and the console stops with an error saying
Uncaught error "oscp_revoked_status_nostatus" in /usr/local/etc/inc/certs.inc line 33
Can anyone help resolve this without having to do a reinstall and restore?
My upgrade has failed and the console stops with an error saying
Uncaught error "oscp_revoked_status_nostatus" in /usr/local/etc/inc/certs.inc line 33
Can anyone help resolve this without having to do a reinstall and restore?
#11
22.1 Legacy Series / Wireguard with two local instances
August 31, 2022, 07:33:31 AM
Hello,
I have wireguard successfully setup to connect to my VPN in a site to site config. It is wg0
I am also trying to add a roadwarrior style setup under a second local instance assigned to wg1.
I cannot get it to work at all unless I disable the first wg0 instance. The handshake happens (i can see my client ip in the list configuration) but it doesn't complete properly and no data is sent.
As soon as I disable the site to site wireguard instance it works perfectly.
I have the interfaces setup separately with seperate firewall rules etc.
Can anyone assist me with this?'
Cheers
Edit Ok after further research it is because you cannot have the 'Allowed IPs' fields overlapping between endpoints. The Site to Site uses 0.0.0.0/0 which captures the local subnet assigned to each road warrior. I am guessing I need to edit the Site to Site Allowed IPs to exclude the RW Allowed IPs.
I have wireguard successfully setup to connect to my VPN in a site to site config. It is wg0
I am also trying to add a roadwarrior style setup under a second local instance assigned to wg1.
I cannot get it to work at all unless I disable the first wg0 instance. The handshake happens (i can see my client ip in the list configuration) but it doesn't complete properly and no data is sent.
As soon as I disable the site to site wireguard instance it works perfectly.
I have the interfaces setup separately with seperate firewall rules etc.
Can anyone assist me with this?'
Cheers
Edit Ok after further research it is because you cannot have the 'Allowed IPs' fields overlapping between endpoints. The Site to Site uses 0.0.0.0/0 which captures the local subnet assigned to each road warrior. I am guessing I need to edit the Site to Site Allowed IPs to exclude the RW Allowed IPs.
Pages1
