
Messages - whatever

#1
Hello,

I have a working road warrior WireGuard setup on my OPNsense box. It works well. However, if I do a sustained download when connected to the VPN (that saturates the connection), like a speed test, I can see packet loss on the WireGuard interface, in Interfaces > Diagnostics > Netstat. It's not major, usually 2000 to 3000 packets dropped out of roughly 900000 to 1000000 packets. So we're talking 0.22% or 0.33%. If I don't run a speed test, I get no packet loss at all.

I also have a road warrior IPsec setup on the same box and running a speed test while connected to IPsec does not incur any packet loss.

Is there something about WireGuard that makes it more prone to packet loss than other VPN protocols? I'm pretty sure this isn't a MTU/MSS issue - they've both been lowered to accommodate WireGuard, and were it that, I'd expect to see packet loss all the time, not just during sustained downloads/speed tests.

I'm trying to figure out if there's an issue with my WireGuard setup or if this is normal.

Any insights are welcome.

Thanks
#2
Update: If I create my connection on the mac (without a profile) it connects. It sends exactly the same proposals as with the profile, so I don't understand why it works. Something appears to have changed in OPNsense's IPSec implementation that doesn't play nice with profiles. Even creating a standard profile with the same values as the connection created in the macOS UI fails to connect.

I want to use the profile because I specify options that are not available in the UI.

Again, any help would be appreciated. And I'm not expecting a "just do this, bro" or "tick this box" response. I guess I'm asking if anything has changed with IPSec in OPNsense since 24.7.4_1. Nothing changed on my end apart from the update.

Cheers
#3
UPDATE: Saved and restored a config (i.e. the exact same settings the box was running prior to restoring) and now it works... Dunno what to say... Maybe something silently went wrong with the update and restoring the config fixed it? I guess there are some things Man is just not meant to know...

Hello,

I'm having issues with IPSec and macOS since the update to 24.7.4_1. Prior to the update, everything was working fine. Now, I can no longer connect from macOS. macOS is running the same version as before the 24.7.4_1 update.

I use a configuration profile (.mobileconfig) to set up my IKEv2 connection on macOS. And I'm aware there's a bug in macOS Sonoma, where it ignores the values you set in the profile for proposals and rekey time. Regardless of what you configure in the profile, macOS will send the following proposals to the server:

2024-09-20T22:40:56-04:00   Informational   charon   11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

So I made sure the server supported at least one of those:

11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256

Prior to 24.7.4_1, the profile and connection worked just fine. Since 24.7.4_1, I can no longer connect. I've attached a picture of the logs. Happy to provide more logs if needed.

I also have a pfSense box that runs the same services and has IPSec setup with the same values and it connects just fine. But I don't want to go back to pfSense - I'm an OPNsense guy now :-)

Anybody else running into issues like this? Anyone have any ideas? Was IPSec changed in 24.7.4_1?

Any help would be appreciated. Thanks.
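One thing worth checking mechanically when an IKEv2 peer stops connecting is whether the proposals the client sends still overlap with what the server has configured, since a non-overlapping set makes the responder answer NO_PROPOSAL_CHOSEN at IKE_SA_INIT. The script below is an added example, not code from the post or from OPNsense/strongSwan: it parses charon's "received proposals" and "configured proposals" log lines and reports which received proposals the server would accept. The first two sample lines are the ones quoted in the post; the third is a constructed server configuration with no overlap, to show the failure mode. The matching rule is a simplified model (same protocol, same set of transform types, and at least one common algorithm per type), which is an assumption rather than charon's exact selection logic.

```python
"""Check whether a peer's IKE proposals overlap with a strongSwan responder's
configured proposals, using the 'received proposals' / 'configured proposals'
lines that charon writes at IKE_SA_INIT."""
import re
from typing import Dict, List, Set, Tuple

PROPOSAL_RE = re.compile(r"(received|configured) proposals:\s*(.*)$")

# Sample lines. The first two are the charon lines quoted in the post above;
# the third is constructed so that nothing the client offers is acceptable.
RECEIVED_LINE = (
    "2024-09-20T22:40:56-04:00   Informational   charon   11[CFG] <5> received proposals: "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"
)
CONFIGURED_LINE = (
    "11[CFG] <5> configured proposals: "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256"
)
NO_OVERLAP_LINE = (  # constructed: different PRF/DH on one, different cipher on the other
    "11[CFG] <5> configured proposals: "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, "
    "IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_256/CURVE_25519"
)

Proposal = Tuple[str, Dict[str, Set[str]]]  # (original text, transform type -> algorithms)


def transform_type(alg: str) -> str:
    """Classify a charon algorithm token into its IKEv2 transform type."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if alg.startswith(("ECP_", "MODP_", "CURVE_")):
        return "dh"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "enc"  # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, ...


def parse_proposals(line: str) -> List[Proposal]:
    """Split one charon proposals line into individual proposals."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("not a charon proposals line: %r" % line)
    proposals: List[Proposal] = []
    for text in m.group(2).split(", "):
        proto, _, algs = text.partition(":")
        transforms: Dict[str, Set[str]] = {"proto": {proto}}
        for alg in algs.split("/"):
            transforms.setdefault(transform_type(alg), set()).add(alg)
        proposals.append((text, transforms))
    return proposals


def proposals_match(a: Dict[str, Set[str]], b: Dict[str, Set[str]]) -> bool:
    """Simplified matching: same protocol, same transform types, and at least
    one algorithm in common per type. An AEAD proposal carries no integrity
    transform, so AES_GCM never matches an AES_CBC/HMAC proposal."""
    if a.keys() != b.keys():
        return False
    return all(a[t] & b[t] for t in a)


def matching_proposals(received_line: str, configured_line: str) -> List[str]:
    """Return the received proposals (as logged) that the server would accept."""
    configured = parse_proposals(configured_line)
    return [
        text
        for text, transforms in parse_proposals(received_line)
        if any(proposals_match(transforms, c) for _, c in configured)
    ]


if __name__ == "__main__":
    for label, conf in (("post", CONFIGURED_LINE), ("constructed mismatch", NO_OVERLAP_LINE)):
        ok = matching_proposals(RECEIVED_LINE, conf)
        print(label + ":", ok if ok else "NO OVERLAP -> expect NO_PROPOSAL_CHOSEN")
```

Run against the lines in the post it reports a single acceptable proposal (AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256), which is consistent with the author's observation that the proposals themselves were fine and the failure lay elsewhere; an empty result would point at a proposal mismatch instead.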
#4
Hello,

Has anyone managed to configure an IPsec tunnel using eap-tls in the new "Connections" tab? There is no tutorial for this setup in the docs, only a legacy example using the old UI. I've tried adapting the tutorial for eap-mschapv2 that exists for the Connections tab to use eap-tls but it fails to connect, always.

I'm wondering if it's supported at this time.

Thanks.
#5
Hello,

I hate to add to the ddclient woes, but... While it used to work with NameCheap, it does not anymore. ddclient is set up correctly and runs. But it always fetches the VPN IP address even though the selected interface is WAN. This happens using Interface as the method.

Anyone else experience this? Any workarounds? NameCheap isn't available when selecting the OPNsense backend and using 'custom' doesn't work because you can't select NameCheap as a protocol...

Cheers
#6
22.1 Legacy Series / Re: os-ddclient
May 10, 2023, 05:19:39 AM
Hey, just something that might be helpful for those who use a dynamic dns service that isn't supported/working properly with ddclient.

I use namecheap, which is only supported using 'ddclient' as the backend. But I have a particular setup in which my "default" gateway is a gateway group comprised of three wireguard gateways. Using 'Interface' as the IP check method and selecting WAN, ddclient always detects my wireguard IP, despite WAN being selected as the interface. It would probably work just fine with a more "vanilla" setup.

Anyway, what I ended up doing and which may be helpful to others, is using dns-o-matic. It's more of a "meta" dynamic dns service in that it can update your IP at your dynamic dns service without you having to switch your dynamic dns provider. I created an account with dns-o-matic. And using dns-o-matic (and configuring ddclient to use dns-o-matic rather than namecheap) detects the correct IP and everything works properly and my IP is updated in my namecheap dashboard. It's not the ideal solution but it works.

Maybe everyone already knows this and I just stated the obvious. But I didn't know and it helped me out.

Cheers
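For anyone who wants to reproduce the dns-o-matic workaround outside the OPNsense UI, here is an added ddclient configuration fragment; it is not from the post or from the os-ddclient plugin. dns-o-matic speaks the dyndns2 update protocol, and the `all.dnsomatic.com` pseudo-host tells it to push the address to every service registered in the dns-o-matic account (here, NameCheap). The interface name `igb0` and the file path are assumptions; substitute your WAN NIC and the path the plugin writes.

```ini
# ddclient.conf fragment for updating NameCheap via dns-o-matic.
# Assumed path on OPNsense: /usr/local/etc/ddclient.conf (check what os-ddclient generates).
daemon=300                      # check every 5 minutes
ssl=yes                         # talk to the update server over HTTPS only

# Take the address from the WAN NIC itself rather than from the default route,
# so a VPN gateway group as default gateway does not leak the tunnel address.
# 'igb0' is an assumed interface name; use your WAN interface.
use=if, if=igb0
# Alternative when WAN is behind CGNAT or a modem: ask an external service instead.
# use=web, web=checkip.dyndns.org

protocol=dyndns2
server=updates.dnsomatic.com
login=dnsomatic-username        # placeholder
password=dnsomatic-password     # placeholder
all.dnsomatic.com               # update every service linked in the dns-o-matic account
```

Keep the real password out of any config you paste into a forum, and note that `use=if` only does what you want if the WAN interface carries the public address (not a private CGNAT one); otherwise fall back to the `use=web` check.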
#7
23.1 Legacy Series / Re: Uber Slow OpenVPN
April 04, 2023, 09:16:51 AM
I doubt there's anything to glean from my server configuration. So it's more about asking if anyone else has ever encountered this with OpenVPN and what they did to resolve it.

Thanks
#8
23.1 Legacy Series / Uber Slow OpenVPN
April 04, 2023, 06:25:29 AM
Hi,

I recently transitioned from pfSense to OPNsense and everything works extremely well - except for OpenVPN. While it does work, it's extremely slow.

I have WireGuard and IPsec (IKEv2) tunnels running on the same box and both WG and IPsec are blazing fast. I understand that OpenVPN is single-threaded and generally slower than the other two protocols. But I believe I should be getting roughly 300 - 400 Mbps with this box. I'm barely getting 80Mbps. With WG and IPsec, I'm getting close to 900Mbps.

My OpenVPN server has pretty much a "vanilla" configuration. Essentially the same settings in pfSense get me 400Mbps, so I'm inclined to believe I should be getting roughly the same speed with OPNsense.

I've attached a screenshot of my server config. If anyone has any ideas as to what might be bogging OpenVPN down, I'd appreciate it. If any more info is needed, I'm happy to provide it.

I'm running OPNsense 23.1.5_4 on an Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz (4 cores, 4 threads).

Cheers.
#9
Thanks for looking into this @meyergru.

Turns out you're correct. Looking in System > Log Files > Backend and filtering with the term "alias", shows the job being run every minute, as it should.

I was just looking at the wrong logs. Non-issue.

Thanks again.

Cheers
#10
Firewall > Log Files > General

The job runs every 6 minutes on the dot.
#11
Thanks wbk, and meyergru for your responses.

@meyergru I didn't have Monit configured, so I have no email settings on my box.

Also checked in /var/cron/tabs/nobody. Cron job is listed correctly.

Has cron always acted this way in OPNsense? Feels like a bug...
#12
Hi wbk,

Thanks for the reply.

Here's the screenshot. The thing is, I understand how cron works. And my cron job should be running every minute but it runs every 6 minutes instead - that's what I don't get.

Any ideas as to why it runs every 6 minutes instead of every minute?
#13
This is resolved. Needed to fiddle with my gateway settings.
#14
Hi there,

I'm trying to set up a cron job that will run every minute. In the minutes field, I've tried */1, *, and listing out all the minutes in a comma-separated list. It simply will not run every minute. Instead, it runs at 6-minute intervals, like clockwork.

Any idea what I'm doing wrong?

Thanks
#15
23.1 Legacy Series / Unbound regex blocking
March 18, 2023, 09:00:38 AM
I don't think it can be done as it stands right now. Anyone know if it's on the radar?