Messages - thefunkygibbon

#1
oh snap, I didn't realize there were replies, sorry. I didn't mean to be rude.  I didn't receive any notifications.

Thank you both for your replies and advice.   
I've tried to change the default time window and grace period to at least triple their default values.    Time on both firewall and authenticator device is near as dammit the identical... certainly within a second.
Also, the key+password format (and vice versa) is what I have been trying.   Trying both different formats out of desperation and neither worked.

at a loss as to what else to try or troubleshoot as I don't seem to see there being any kind of logs which could maybe help me in working out why it is failing.


to confirm, if i go to the tester, if i use the server "otp server" which is the one i created,  it fails.  if i flip it to the local database server and just use the same username and just the password, it is fine.
Is there something i am doing wrong there? it seems weird that my user can be used on either authentication source
#2
polite bump.   anyone?   don't suppose there is a discord channel yet is there?
#3
I've tried this now on and off for over a year through various versions and it still doesn't work for me.


  • I've created an OTP server within OPNsense, I've tried with different token lengths and so on.
  • I've added a user and configured it to use OTP and imported the token QR code into Google Authenticator and other OTP apps (including Yubico and a Windows one too).
  • I've tried the 'tester' and trying to log in too (user is configured as admin rights)  but neither work.
  • I've verified time, date and timezone and all is correct.
  • I've tried using the OTP followed by the password and the other way around.
  • I've tried a user name of gibbon and also gibbon@opnsensefw (which is what it's listed as in the authenticator app... not sure which you're supposed to use, but neither seem to work).


Please can anyone help troubleshoot this with me or at least offer some suggestions. I've read through the guide on the wiki page and I'm positive I've done all that's needed (I've set it up from scratch a few times now).
I don't fancy factory defaulting the whole box to see if that helps though.
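To separate a clock or seed problem from a credential-format problem, the code the server should expect can be computed independently of both the firewall and the authenticator app. The following is an added example, not part of the original post and not OPNsense's own code: a plain RFC 6238 TOTP check (HMAC-SHA1, 30-second step). The seed is the RFC test key, and the function names and the token/password split are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32, unix_time, digits=6, step=30):
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    cleaned = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_credential(field, digits=6, token_first=True):
    """Split a combined password field into (token, password)."""
    if len(field) <= digits:
        raise ValueError("field is too short to hold a token and a password")
    if token_first:
        return field[:digits], field[digits:]
    return field[-digits:], field[:-digits]


def matching_drift(seed_b32, token, unix_time, window=1, digits=6, step=30):
    """Return the step offset (0, -1, +1, ...) whose code equals token, else None."""
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(seed_b32, unix_time + drift * step, digits, step)
        if hmac.compare_digest(expected, token):
            return drift
    return None


if __name__ == "__main__":
    import time
    print("expected code now:", totp(SAMPLE_SEED, int(time.time())))
    token, _password = split_credential("081804hunter2")  # constructed input
    print("drift for RFC vector:", matching_drift(SAMPLE_SEED, token, 1111111111))
```

A non-zero drift points at clock skew between the two devices; `None` with a correct clock points at the seed, the digit count or the order of token and password.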
#4
General Discussion / Re: Standard Language?
May 03, 2022, 04:09:07 PM
I was going to post about this same subject when i thought I'd check to see if i wasn't the only one thinking it.   And here we are.

Totally agree.  Small userbase as it is, it really shouldn't be further splitting that community up into languages. 

I use and am a member of many many forums for many products and the vast majority of them, especially if they are official vendor community forums, are in English. Unless the product is only used in one region (Russian/Chinese products spring to mind).  Google Translate is there for those who cannot post or read in English. I speak to German people all of the time in business and my friendship circles and tbh they have usually a better grasp at the English language than a lot of English people!

The issues don't just stop at the splitting up of the community, but also in terms of duplicating of posts, users trying to find support and help on certain topics.  There may well be nothing coming up when searching for the problem, but given that there are so many posts in German etc, there may well be others who had the same problem but they'd never know since the search terms would be some other word.
Same goes for any articles, help documents or any other posts that are specifically posted in a different language.

I'm not talking about some kind of language based FOMO, but I really do feel that splitting the language really dilutes the community and restricts things.  Also given that there are usually only a handful of people who tend to actually reply/provide solutions for questions that are asked, I'm sure that those brilliant and kind individuals can't be bothered to duplicate something that they already answered in a different language elsewhere on the same forums.

Sorry for the rant.
#5
22.1 Legacy Series / Re: os-ddclient
April 04, 2022, 02:54:17 PM
who looks after this plugin from a dev point of view?
#6
22.1 Legacy Series / Re: os-ddclient
March 28, 2022, 10:49:49 AM
Quote from: tracerrx on March 18, 2022, 10:48:10 PM
I hate to add to this thread... However it appears that ddclient does not work in multi wan environments.  I use DynDNS, and when I set dd-client to Interface to monitor (None) and Check IP Method (Interface):

2022-03-18T13:38:37-04:00 Notice ddclient[320] 54434 - [meta sequenceId="5"] WARNING: found neither ipv4 nor ipv6 address
2022-03-18T13:38:33-04:00 Notice ddclient[97610] 53819 - [meta sequenceId="4"] WARNING: found neither ipv4 nor ipv6 address
2022-03-18T13:38:07-04:00 Notice ddclient[55511] 54044 - [meta sequenceId="3"] WARNING: found neither ipv4 nor ipv6 address
2022-03-18T13:38:05-04:00 Notice ddclient[50294] 53561 - [meta sequenceId="2"] WARNING: found neither ipv4 nor ipv6 address
2022-03-18T13:37:21-04:00 Notice ddclient[36503] 28394 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address
2022-03-18T13:08:27-04:00 Notice ddclient[84274] 92874 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address
2022-03-18T12:58:27-04:00 Notice ddclient[84274] 13239 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address
2022-03-17T21:18:24-04:00 Notice ddclient[84274] 95262 - [meta sequenceId="1"] WARNING: file /usr/local/etc/ddclient.conf: file /usr/local/etc/ddclient.conf must be accessible only by its owner (fixed).
2022-03-17T20:48:24-04:00 Notice ddclient[84274] 77262 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address


Only by setting the interface to monitor as a single wan does it appear to work.  Any way to make it always report just the current default wan ip in multi-wan environments?

I'm getting these in my logs when i'm just set to WAN and it has a normal IPv4 address.

Also, I notice that there is an option to 'check' every x amount of seconds for an address change (default 300) but is there a way of forcing the update to the dyndns provider on a set schedule anyway?  As some providers (like noip, who I use) require you to update every x amount of days else they disable the account.  Obviously if my IP hasn't changed in a couple of months, then it won't auto update the provider. (if I understand it correctly)

:edit: just installed the old dyndns client and it works fine.
please don't deprecate the old client?  at least not until the new one is actually fit for purpose!
#7
maybe i did. a PR, from what i understand is to provide code to a repository with the view of the owner of the project pulling that code into their codebase.   is that not correct? 

#8
right, but as i say, neither of us are developers.  so suggesting to create a PR on your repository is not an option and frankly assuming that people can is pretty ridiculous.  surely you have a method of creating RFE's?   
#9
Franco,  n00bs don't understand what github is, let alone a PR.   Bear in mind that a lot of users of OPNsense are not massively technical and i dare say that most are not developers
#10
22.1 Legacy Series / Adding custom CRON jobs
March 15, 2022, 05:23:07 PM
Hi,

I need to run a specific script on a schedule.  From what I can make out from the documentation i need to add a custom actions_somethingoranother.conf file to /usr/local/opnsense/service/conf/actions.d

I have done so and I now see the item I created within the dropdown list in the CRON section of the GUI.
But I am getting an error 127 in the logs when it tries to run the cron on its schedule.

I've tried a couple of locations to put the actual script file, and afaik it has the same permissions and ownership as other script files which are run currently by cron.

content of my actions_custom.conf are


[vpnsquidinterface]
command:/usr/local/opnsense/scripts/proxy/vpnscript.sh
parameters:
type:script
message: reload proxy with vpn interface
description: VPN Proxy script


I've tried to work out https://docs.opnsense.org/development/backend/configd.html but I'm still not hugely clear on if/why it needs a 'name' in the [] brackets at the top. 

error i get is
2022-03-15T16:21:00 Informational configd.py message f66b3eb5-d5e3-47cf-a595-3565daeca9ce [custom.vpnsquidinterface] returned Error (127)
2022-03-15T16:21:00 Error configd.py [f66b3eb5-d5e3-47cf-a595-3565daeca9ce] returned exit status 127
2022-03-15T16:21:00 Notice configd.py [f66b3eb5-d5e3-47cf-a595-3565daeca9ce] reload proxy with vpn interface

which, as far as I can tell, means that the file isn't found.   The file is there, and as I say, it's got correct ownership/permissions and I've tried a few places and get the same sort of error, despite following the same convention as existing cron actions. 

thanks in advance
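Exit status 127 is the shell's "command not found" status, and a script that exists with correct permissions can still produce it when the interpreter named on its `#!` line cannot be found (a path that does not exist on the box, or a CRLF line ending from editing on Windows). The following is an added example, not part of the original post or the OPNsense code base: a static check for those causes, assuming the action is launched through a shell. The function names and sample scripts are constructed for illustration.

```python
import os
import shutil
import tempfile


def causes_of_127(script_path):
    """Return static reasons a shell launch of script_path could exit 127."""
    if not os.path.isfile(script_path):
        return [f"no such file: {script_path}"]
    with open(script_path, "rb") as fh:
        first = fh.readline()
    findings = []
    if not first.startswith(b"#!"):
        return findings  # no shebang line: nothing to check statically
    if first.endswith(b"\r\n"):
        findings.append("shebang line ends in CRLF; interpreter name gains a trailing \\r")
    parts = first[2:].decode(errors="replace").split()
    if not parts or not os.path.isfile(parts[0]):
        findings.append(f"interpreter not found: {parts[0] if parts else '(empty)'}")
    elif os.path.basename(parts[0]) == "env" and len(parts) > 1:
        # "#!/usr/bin/env NAME": env itself exits 127 when NAME is not on PATH
        if shutil.which(parts[1]) is None:
            findings.append(f"env cannot find '{parts[1]}' on PATH")
    return findings


def demo():
    """Run the check over constructed sample scripts in a temp directory."""
    samples = {
        "ok.sh": b"#!/bin/sh\necho ok\n",
        "crlf.sh": b"#!/bin/sh\r\necho ok\r\n",
        "badinterp.sh": b"#!/nonexistent/bin/bash\necho ok\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(body)
            results[name] = causes_of_127(path)
        results["missing.sh"] = causes_of_127(os.path.join(tmp, "missing.sh"))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no static cause found")
```

An empty result does not clear the script: a command inside it that is missing from the launching process's PATH also ends in 127, which is only visible by running the script by hand with the same environment.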
#11
just had some time to play again.  looks like the cron job set up to run the script isn't actually running it. can't see anything in my logs either.  ugh... on the verges of giving up
#12
honestly mate, I don't know any more.  i think we're both at a place where all we need to happen is to know the proper way of "adding" a line of config to the squid config using templates so that it doesn't overwrite all the other config and that it doesn't get lost in an upgrade.

its going to need someone that knows how to do this.  I don't see anything of the like mentioned in the opnsense documentation and I can't make head nor tail of the documentation for that template system.
#13
i did what i put in that thread.  not had any feedback on my last comment and i don't know any different.   I'm pretty sure that it would get overwritten.  I can't say i fully understand these template things tbh.  back end hacking around of a firewall OS wasn't really what i signed up for when i chose to run this system but hey ho
#14
Ok i just tested this
created an additional entry to the +TARGETS file of test.conf and added the line to that
test.conf:/usr/local/etc/squid/squid.conf

but it seems to completely overwrite the .squid.conf with the contents of test.conf.  it doesn't append the contents to the end of the squid.conf file which is what I need.

Is there a way of doing that?  Also is this way of doing it likely to break/be reset on any system update, or are these files explicitly exempt from being touched during an update?

thanks

:edit: I just added the line to the bottom of the squid.conf template file.  Seems to have worked for now, but it's not ideal I guess as I'm sure that file will be replaced should there be any updates to the proxy in the future.
#15
Great, thank you. I wasn't aware that you referred to this as 'templates'.  I'll give it a read.  :)