Messages - teo88

#1
Hello,

I want to restart my OpenVPN client instances via a cron job. When I check the commands in the GUI, I cannot find a command for OpenVPN Instances under the available commands.

Why is the command not available?

Thx
#2
Hi,

the Unbound docs also say at the top to set listening and outbound interfaces to "All", but what are the implications when the WAN interface is listening on port 5353, for example? I just want to be sure that my OPNsense cannot then be used by others as a public DNS server.

Warning
Below table contains the options to manually set listening and outbound interfaces, the recommended setting for both is "All" for good reasons. Unless you absolutely know what you are doing, best keep these settings default as misuse often causes startup issues.


Trying now to create a local loopback interface:

Interfaces -> Other Type -> Loopback -> + > Name LO1
Interfaces -> Assignment Name "LO1",
Interfaces -> LO1 - Enable Interface
IPv4 Configuration Type: Static IPv4
IPv4 address: 127.0.0.1/8

When I try to save I get the error: The following input errors were detected:
   •   This IPv4 address is being used by another interface or VIP.


Has someone correctly accomplished this?

#3
Hello,

I had the following code (DNS Resolver authoritative for the local domain) in private_domains.conf, added following the docs example for Unbound templates: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

server:
local-data: "local.lan. 10800 IN SOA opn.local.lan. root.local.lan. 1 3600 1200 604800 10800"

The above code now seems to have been deleted during an update, and when I compare the path with the above documentation there are differences:

root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core # ls
+TARGETS blocklists.conf dot.conf unbound_dhcpd.conf
access_lists.conf dnsbl_module.py private_domains.conf
advanced.conf domainoverrides.conf safesearch.conf
root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core #
root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core #
root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core # cat +TARGETS

access_lists.conf:/usr/local/etc/unbound.opnsense.d/access_lists.conf
advanced.conf:/var/unbound/advanced.conf
blocklists.conf:/usr/local/etc/unbound/unbound-blocklists.conf
safesearch.conf:/usr/local/etc/unbound.opnsense.d/safesearch.conf
dot.conf:/usr/local/etc/unbound.opnsense.d/dot.conf
private_domains.conf:/var/unbound/private_domains.conf
domainoverrides.conf:/usr/local/etc/unbound.opnsense.d/domainoverrides.conf
unbound_dhcpd.conf:/usr/local/etc/unbound_dhcpd.conf
dnsbl_module.py:/var/unbound/dnsbl_module.py

root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core #
root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core #
root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core # cat private_domains.conf
{% if not helpers.empty('OPNsense.unboundplus.domains.domain') or not helpers.empty('OPNsense.unboundplus.dots.dot') %}
server:
# Set private domains in case authoritative name server returns a Private IP address
{%   set domains = [] %}
{%   for domain in helpers.toList('OPNsense.unboundplus.domains.domain') %}
{%     if domain.enabled == '1' %}
{%       do domains.append(domain.domain) %}
{%     endif %}
{%   endfor %}
{%   for forward in helpers.toList('OPNsense.unboundplus.dots.dot') %}
{%     if forward.enabled == '1' and forward.domain and forward.type == 'forward' %}
{%       do domains.append(forward.domain) %}
{%     endif %}
{%   endfor %}
{%   for domain in domains|unique %}
domain-insecure: "{{ domain }}"
{%     if domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
local-zone: {{ domain }} typetransparent
{%     elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
private-domain: "{{ domain }}"
{%     endif %}
{%   endfor %}
{% endif %}
root@opn:/usr/local/opnsense/service/templates/OPNsense/Unbound/core #


Is it possible to additionally add the SOA code to the existing custom-options.conf under the path:

/usr/local/etc/unbound.opnsense.d/custom-options.conf

server:
local-data: "local.lan. 10800 IN SOA opn.local.lan. root.local.lan. 1 3600 1200 604800 10800"
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353


or does the SOA record need to be in private_domains.conf like it was before? But why are the documentation and the path now different? Can someone please guide me to get this working again?

Thanks a Lot


#4
Updated today to OPNsense version 24.7.7.

AV filtering is now working again, but the Squid proxy load error still persists...

Another new issue now is a warning in the ClamAV log:

2024-10-24T10:58:47   Warning   freshclam   Can't download blurl.ndb from http://ftp.swin.edu.au/sanesecurity/blurl.ndb   
2024-10-24T10:58:47   Warning   freshclam   Message: Could not resolve hostname   
2024-10-24T10:58:47   Warning   freshclam   Download failed (6)   
2024-10-24T10:58:42   Warning   freshclam   Can't download blurl.ndb from http://ftp.swin.edu.au/sanesecurity/blurl.ndb   
2024-10-24T10:58:42   Warning   freshclam   Message: Could not resolve hostname   
2024-10-24T10:58:42   Warning   freshclam   Download failed (6)

#5
I still have the Squid proxy error and no SSL inspection; the AV filter is not working. The ClamAV log just shows a warning:
Warning   freshclam   Invalid DNS reply. Falling back to HTTP mode.

Any suggestions on how I can solve this?
Thx
#6
Hello,

after the update to 24.7.6, SSL inspection with the Squid / ICAP plugin is not working. Trying to restart the Squid service gives a proxy load error:

Segmentation fault
Performing sanity check on squid configuration.
2024/10/10 16:53:17| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/10/10 16:53:17| Starting Authentication on port 127.0.0.1:3128
2024/10/10 16:53:17| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2024/10/10 16:53:17| Starting Authentication on port [::1]:3128
2024/10/10 16:53:17| Disabling Authentication on port [::1]:3128 (interception enabled)
2024/10/10 16:53:17| Starting Authentication on port 127.0.0.1:3129
2024/10/10 16:53:17| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2024/10/10 16:53:17| Starting Authentication on port [::1]:3129
2024/10/10 16:53:17| Disabling Authentication on port [::1]:3129 (interception enabled)
2024/10/10 16:53:17| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/10/10 16:53:17| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/10/10 16:53:17| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/10/10 16:53:17| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/10/10 16:53:17| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)


How to solve this?
#7
Description when creating the cron job is set.

dnscrypt seems to just pick the fastest servers when the service is restarted.
#8
Hello,

I am trying to restart the DNSCrypt-Proxy service via a cron job in the GUI.

Settings - Cron - Add - Command

When I check under the commands, I found "Download DNSCrypt-Proxy DNSBLs and restart".


I tried with this command, but the service is not restarted.

How can I restart the service within the GUI via a cron job?

Thx

#9
Quote from: cs1 on February 08, 2024, 03:41:17 PM
Yes, that seems to be the case. You can't select an interface but only add an IP. As a workaround you can leave this empty and have it bind to all interfaces and set up firewall rules that only allow access via WAN. I'm not sure what the design decision is behind not being able to select an interface but I suspect it has something to do with dynamic IPs on interfaces (e. g. if there's no fixed WAN IP).

Thx cs1 for the update on this.

It would be really nice if @Franco could give us a hint about what's behind that change.
#10
Hello cs1,

thanks for the information. I have adapted my settings, but the bind address is still not 100% clear.

Within the OpenVPN legacy server and OpenVPN legacy client (OpenVPN out) settings, under Interface I can select a specific interface, localhost, or any. I had the WAN interface specified in both legacy configs.

In the new instance configs (server or client), if I want to bind to my WAN interface (like in the legacy setups), can I just add my public IP address to the bind address field, and no longer select interfaces?

Thx
br


#11
Hello,

after the upgrade to 24.1.1, the health audit shows the following issue:


>>> Check for missing or altered package files
Checking all packages: .....
os-sensei-1.16.2: missing file /usr/local/zenarmor/output/archive/.placeholder


How to fix this?

Thx
br
#12
Hello bandit8623,

the "new" setting you find under OpenVPN - Instances - Add new - Role: select Server

br
#14
Hello,

I have now updated to 24.1_1 without any problems so far. Now I want to migrate my OpenVPN server configuration from legacy to the new Instances. But some settings in the new configuration are not clear yet, and I hope someone can point me in the right direction.

Old Configuration:
Interface: WAN

New Configuration:
Bind Address:

As I have a static WAN address, do I need to add the static WAN address as the bind address (similar to choosing the WAN address in the legacy configuration)?


Old Configuration:
IPv4 Tunnel Network:

New Configuration:
Local Network:

Is the Local Network in the new configuration the setting corresponding to the IPv4 Tunnel Network?


Old Configuration:
Redirect Gateway = marked

New Configuration:
local
autolocal
default
bypass dhcp
bypass dns
block local
ipv6 (default)
not ipv4 (default)

What is the correct setting, similar to Redirect Gateway marked in the legacy config, to route all traffic from the client through the VPN server?


Old Configuration:
Advanced Configuration:

allow-compression no

New Configuration:
options

Do I understand this correctly, that allow-compression no is now the default parameter, and that's why it is no longer included / selectable under options in the new configuration?


Thanks a Lot!
#15
Quote from: franco on August 15, 2023, 02:31:34 PM
Reinstall with config import.


Cheers,
Franco

Is there no possibility to install a patch to get the fields back, without a complete reinstall?