Messages - wewall

#1
I want to migrate my OpenVPN Client configuration from legacy to the new Instances. But some settings in the new configuration are not clear, and I hope someone can point me in the right direction.

I have two WAN interfaces: wan1 and wan2.
I have two OpenVPN instances: opt1, opt2.
I would like to route opt1 only via wan1 and opt2 only via wan2.
Wan1 has a static IP and wan2 has a dynamic IP.

With the legacy OpenVPN Client configuration I can easily set up everything because I can select a specific interface in the Client settings.
In contrast, in the new OpenVPN Instances settings it is possible to assign only a Bind address.

In case of opt1 (routed via only wan1) should I set the static public IP address of wan1 as Bind address? And that's all?

In case of opt2 (routed via only wan2 with dynamic IP) what address should I set as Bind address?
(If I set the current IP address of wan2 as Bind address it seems to work, but what if the IP changes?!? Should I manually set a new address each time?!?)
#2
Quote from: teo88 on February 02, 2024, 09:35:53 AM
Old Configuration:
Interface: WAN

New Configuration:
Bind Address:

I also don't understand what the design decision is behind not being able to select an interface for binding.
I would be particularly interested what are the recommended settings if I want to bind an OpenVPN instance (client) to only one specific WAN interface with dynamic IP?
In the case of a dynamic WAN IP what bind address should be entered at all?
#3
Quote from: pmhausen on April 05, 2022, 01:28:44 PM
And I honestly don't get your privacy concerns.

That's exactly why I didn't even bring up this topic myself.
I just wanted to be polite so I answered your question.
Everyone has a different level of sensitivity to privacy/security.
#4
Quote from: pmhausen on April 05, 2022, 12:39:24 PM
Don't set the IP of the mirror. Set the mirror the regular way, but lookup the IP and route the IP through your VPN tunnel. That's all.

And how could I set a fixed IP for the mirror (opnsense-update.deciso.com)? Unbound DNS/Overrides?
Otherwise, if I did not set a fixed IP for the mirror, I would have to look up the IP every time before I start the update process to be sure it has not changed.


Quote from: pmhausen on April 05, 2022, 12:39:24 PM
May I ask WHY you want to do this?

Since a subscription code is associated with identification information I think it is good privacy and security practice to use random IPs to fetch firmware updates with a given subscription code.
#5
Quote from: zerwes on April 05, 2022, 08:11:48 AM
So you need a route for the pkg mirror. Steps:

  • configure the desired openvpn interface (if not yet done) iface->assignments + iface config
  • configure a gateway on the ovpn interface
  • choose a fixed mirror (one that does not resolve to multiple IP addresses in different networks)
  • create a route matching the mirror address and choosing the created ovpn gateway

Your suggestion sounds good but unfortunately doesn't work in practice.
I've tested it with Deciso's commercial mirror (https://opnsense-update.deciso.com).
I think there are 2 reasons why your suggestion does not work:

1) SSL certificate errors.

2) If I set the IP (178.162.136.178) of the mirror here: 'System/Firmware/Settings/Mirror/other' it is not possible to set my subscription code. So I get authentication errors.

Log of the firmware update:

Fetching changelog information, please wait... SSL certificate subject doesn't match host 178.162.136.178
fetch: https://178.162.136.178/${SUBSCRIPTION}/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
pkg: https://178.162.136.178/${SUBSCRIPTION}/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
SSL certificate subject doesn't match host 178.162.136.178
pkg: https://178.162.136.178/${SUBSCRIPTION}/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


Any suggestion?
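The failure in the log above comes from replacing the mirror's hostname with its IP address: TLS validation compares the certificate subject/SAN with the host in the URL, so a literal IP can never match, and the subscription path is lost as well. The route-based approach in the thread (keep the mirror configured by hostname, resolve it, and send only the resolved address through the OpenVPN gateway with a host route) avoids both problems. The following script is an added example written for this thread; it is not code from the thread, from OPNsense or from Deciso. It assumes the FreeBSD tools drill(1) and route(8) that ship with OPNsense, and the gateway address 10.8.0.1 is a hypothetical placeholder for the gateway created on the ovpn interface.

```sh
#!/bin/sh
# Added example (not from the thread or from OPNsense).
# Keep the firmware mirror configured by hostname so TLS hostname validation and
# the subscription path keep working; pin only the mirror's resolved IPv4
# addresses to the OpenVPN gateway with host routes.
#
# Hypothetical assumptions: VPN_GATEWAY is a placeholder for the gateway created
# on the ovpn interface; drill(1) and route(8) are the FreeBSD tools on OPNsense.
set -u

MIRROR_HOST="${MIRROR_HOST:-opnsense-update.deciso.com}"
VPN_GATEWAY="${VPN_GATEWAY:-10.8.0.1}"   # assumed address of the ovpn gateway
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print commands, 0 = apply them

# is_ipv4 ADDR -> success if ADDR is a dotted-quad IPv4 literal
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# mirror_url_ok URL -> success only if the mirror is https and named by hostname.
# A literal IP in the URL is what produced "SSL certificate subject doesn't match host".
mirror_url_ok() {
    case "$1" in https://*) ;; *) return 1 ;; esac
    host=$(printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/:]+).*#\1#')
    [ -n "$host" ] && ! is_ipv4 "$host"
}

# resolve_a HOST -> prints the A records of HOST, one per line (drill -Q prints rdata only)
resolve_a() {
    drill -Q "$1" A 2>/dev/null | while read -r a; do is_ipv4 "$a" && printf '%s\n' "$a"; done
}

# route_cmds GATEWAY IP... -> prints one host-route command per valid IPv4 address
route_cmds() {
    gw=$1; shift
    for ip in "$@"; do
        is_ipv4 "$ip" || continue
        printf 'route add -host %s %s\n' "$ip" "$gw"
    done
}

# current_gateway IP -> prints the gateway the kernel currently uses to reach IP
current_gateway() {
    route -n get "$1" 2>/dev/null | awk '/gateway:/ {print $2}'
}

# pin_mirror -> resolve MIRROR_HOST, add host routes via VPN_GATEWAY, verify them
pin_mirror() {
    ips=$(resolve_a "$MIRROR_HOST")
    [ -n "$ips" ] || { echo "no A records for $MIRROR_HOST" >&2; return 1; }
    # shellcheck disable=SC2086
    route_cmds "$VPN_GATEWAY" $ips | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
    for ip in $ips; do
        [ "$DRY_RUN" = 1 ] || [ "$(current_gateway "$ip")" = "$VPN_GATEWAY" ] \
            || { echo "route for $ip is not via $VPN_GATEWAY" >&2; return 1; }
    done
}

# Run the pinning only when asked for, so the functions can be sourced elsewhere.
if [ "${PIN_MIRROR_RUN:-0}" = 1 ]; then pin_mirror; fi
```

Run it with `DRY_RUN=1 PIN_MIRROR_RUN=1 sh pin-mirror.sh` first to see the route commands, then with `DRY_RUN=0` to apply them. The routes are per-address, so they have to be refreshed whenever the mirror's A records change (a cron job re-running the script is enough); the mirror setting in System/Firmware/Settings stays the hostname, which is what keeps the certificate check and the subscription key working.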
#6
Quote from: zerwes on April 04, 2022, 09:17:57 AM
do you mean via in terms of routing (just fetch the packages via the openvpn interface in question) or in terms of accessing the opnsense device only from that interface?

I would like to fetch the packages via an OpenVPN interface without setting this interface as the default route.
#7
How can I set OPNsense to use only one given OpenVPN interface to make firmware updates?
#8
If someone can find a solution please let us know!
I've tested the following 4 parameters in the advanced configuration:

push-filter ignore ipv6-route
push-filter ignore ifconfig-ipv6
push-remove ifconfig-ipv6
push-remove route-ipv6

But unfortunately none of them work.