
Messages - DEC670airp414user

#1
yep the remote command for openvpn is certainly missed.   if one server would go down it would round robin to the next one on the list.
I have no idea if the following method works but this is what I have setup

for a vpn instance I've added multiple "peers" to it.    thinking if the first one goes down, it will connect to the next peer.    I have not had a wireguard instance go down recently to see if it works.  In theory you think it would.

see attached screen shot
#2
Quote from: Patrick M. Hausen on November 08, 2025, 06:25:16 PM
I do not see a reason to move away from Kea.

I am experimenting

I just want the most reliable

We shall see I guess

I had almost no issues with Kea. What I found issues with I could work around
#3
Home user running business edition on an official appliance 
Moved to kea when it was first suggested and it's run fine since then. A year maybe more?

Decided to try dnsmasq it's surprising to read it's a one man army from the UK.  Compared to kea an actual company
Manually moved my kea static mappings over, which I was fine with doing, it's only 17 devices

I had an issue with dnsmasq initially caused by my own alias error but since then all devices seem to be more responsive

Still using unbound for dns. Forwarding to either quad 9, nextdns, or controld dns over tls...



#4
25.7, 25.10 Series / Re: Dnsmasq stops occasionaly
November 03, 2025, 10:40:37 PM
Interesting

Early yesterday I switched from kea to dnsmasq

I imported my static mappings. (It missed one). And it worked all day yesterday.

I just got home from work and connected my iPhone to wireless.  I couldn't view any websites. I have been using a controld apple mobile profile... I thought maybe the service was down so moved to quad 9 https over dns.  Phone still said no network access, but had a valid ip address?  I ended up turning off dnsmasq and enabling kea and all was good again


Should you reboot the firewall after going from one service to the other?

Next morning edit.
I enabled dnsmasq again and turned off kea and rebooted the firewall..
Devices are still not working.  Unbound is enabled and has been working fine forwarding to quad 9


Another edit.   I found the issue it was on my end

#5
I've experienced this as well on the business edition.  posted it a few weeks ago I believe

I had to restore without the users if I recall, to be able to login with a blank password to use my backup
#6


https://dnsprivacy.org/public_resolvers/#dns-over-tls-dot.    shows the cn the OP is using...
lots of confusion with cloudflare products
Why I don't use them
#7
the error is coming from Cloudflare.    I'd remove it and just add one server to verify it's not something else causing it
9.9.9.9
port 853
verify CN = dns.quad9.net

you don't need to restart the service.  it does it itself

no need to check enable dnssec.  the majority do that already
#8
Upgraded to business edition when I came home from work yesterday, created an ipinfo account and added it to my machine. The number of ranges was the business edition number. It never updated to ipinfo.
I just got back home after another day of work and now the number is 4x what it was.

So there is a huge delay in it updating, but it did
#9
My update failed.   Waited over thirty minutes (had 12 days uptime)
Never finished, I pulled the plug and then checked by console and it started the upgrade.

I am still on the us commercial server . I am not having the issue you reported
#10
25.7, 25.10 Series / Re: DNS - Best Pracices
October 14, 2025, 11:11:03 AM
Quote from: BrandyWine on October 13, 2025, 09:01:54 PM
Use malware protecting fwd'ers, like 9.9.9.11, or the like.
Use DNSSEC.
Config your fw rule to allow only your bind IP to goto your selected fwd'er.

From there it should be pretty good.


if using dns servers that use dnssec.   i typically leave enable dnssec turned off within opnsense
quad9
nextdns
and controld for my usage
#11
as an OPNsense business licensed user, which is the better option:
the included OPNsense updates to the geoip data

or using the new ipinfolite?

or is the Business edition pulling data from them now?


edit.  after reading the thread in the first post, I'll keep using the version included in business edition

#12
The homepage has in big bold large font platform spelled incorrectly

As a business user of Opnsense is this actually going to replace geoip?   My understanding is Opnsense provides the ip addresses currently to be blocked by country
#13
here was my Saturday.
I have been running business edition for the life of my dec670 appliance.   last week I decided to update to the latest 25.7 and ran it for a week with no issues. (I did not run a backup config of 25.7)    then decided to go back to business edition from the usb drive I've been using for 2 years, which means I have not updated it since then.    my backup files were dated August 13 and August 31st 2025.
I wiped the device and restored the file, hooked up to a wired computer and restored the backup.    used 3 different browsers and they ALL stated my password was wrong?      all browsers using a password manager and they all worked previously
I then wiped it again and restored the config file minus users so it would login as the default user and password.     that allowed me to login to the firewall and update it / have partial internet.    but somehow my IOT Vlan were not functional :(  I had to factory reset all my UniFi managed switches and access points, also for the first time ever from doing this

I ended up downloading the latest Business Iso.  restored my backup and my password started to work again using all the same browsers, like nothing ever happened

I've been wiping my drive and reinstalling for quite a while, I know what I am doing.  but something has changed within 2025 that I didn't realize, that locked me out of my firewall for a Saturday morning.
I've now updated 2 thumb drives to the latest ISO and moved to the US commercial servers.
#14
25.1, 25.4 Series / Re: Upgrade from REALLY old version
September 07, 2025, 10:59:55 AM
Quote from: Monviech (Cedrik) on July 02, 2025, 06:28:32 PM
You can always import an old config into a later version. I would do that from the WebGUI after the initial installation.

When the distance between versions is very large, there is a small risk that things might break, but if the config is very simple things will probably just work.

I'm making a new post about the above here very shortly @monveich.  unless this just affects business customers
#15
Quote from: viragomann on August 27, 2025, 11:17:37 AM
I don't recommend to monitor the local IP of the router. It doesn't give true information about internet accessibility.
I was suggesting a basic troubleshooting step. the OP doesn't need to leave it.
a lot of gateway issues are resolved by opening the not working monitor,   and click save and it comes back online.
the 2 active messages are also not normal from my years of using opnsense

https://docs.opnsense.org/troubleshooting/network.html#errno