Messages - madbrain

#1
I set up OpenVPN from one of the video tutorials found on YouTube. I also set up FreeDNS dynamic DNS.
I use an Android client (Galaxy S22 Ultra).

When I put it in cellular mode (turn off Wifi), the connection usually works, as long as I'm at home.

Things turn out differently when I'm on the go, i.e. when I really actually need the VPN. The VPN client connects to my host properly. But then, 95% of the time, that's the end of it. No traffic goes through to any of my hosts.
Sometimes, if I reboot my phone, the problem is fixed, but most of the time, it is not.

Does anyone know what could be causing this intermittent failure, or what it might be?

I'm considering setting up another type of VPN since this seems to be unreliable. What would be recommended? IPsec? WireGuard? And where should I start for setting up some simple remote access?
#2
Quote from: madbrain on March 30, 2023, 04:09:20 AM
Thank you very much for this! I'll take a look.

I enabled SSH on the firewall and ran the "fetch" command.
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
I still don't see any new packages or plug-ins in the UI. Do I need a reboot?

What's the name of the Samba package? I tried "pkg install samba" and "pkg install smbd", but those did not work.
#3
Thank you very much for this! I'll take a look.
#4
Gave up on running Proxmox inside VirtualBox. Double virtualization wasn't working reliably.

I installed it bare metal instead, using a very powerful system, an AMD Ryzen 5950X with 64GB of RAM, single 10 Gbps Aquantia NIC. This is normally my daily desktop. There is a SATA hotswap bay also, so I used a spare 240GB SATA SSD for this test.

I still couldn't boot OPNsense. Apparently I had the wrong image, I would need a DVD image rather than the VGA one I got. With just one NIC, I wouldn't learn too much about the performance, though.

I tried Windows and Linux clients. Windows managed 700 Mbps in Ookla speedtest in Firefox. About 1.3 Gbps with single stream in iperf3. Up to about 4.3 Gbps with multiple streams. I could only test unidirectional, I didn't have the proper Windows iperf3 binary that does bidir. I would have needed to reboot to my bare metal Windows partition to get the binary I compiled ...

OTOH, Linux (Ubuntu 22) achieved very good networking performance, 18 Gbps total in bidir mode. This was just for iperf3 though. No routing or firewall duties. And with two NICs that total is doubled, and that total (36 Gbps) is something my lowly 5700G handles fine without the virtualization in the picture with bare metal OPNsense.

I suppose there is no way for me to tell what the performance overhead will be without trying it on the actual hardware in question, with the proper config and the actual NICs.
#5
Quote from: madbrain on March 29, 2023, 01:58:28 AM
This really seems like a level of complexity and abstraction that's not needed, to me, compared to running Samba bare metal.

I followed a tutorial on YouTube on how to set it up. I set up the VM, and put the OPNsense .IMG file in the templates/iso folder. But the VM says the CD-ROM is not bootable, unfortunately. Maybe ISO and IMG formats are different?
#6
Quote from: Gauss23 on March 28, 2023, 06:24:55 PM
I would at least try the virtualization way, before installing stuff on a box which is not meant to be there. Every big upgrade can break your custom software as OPNsense does not care about it.

Good point. However, Samba isn't necessarily that complex to set up again, if the config is lost. I have done it many times on Linux manually. Never on FreeBSD. And not on a box with more than one NIC where I only wanted it to listen on one of them.

Quote
Installing a basic Proxmox system is very easy. Use a new hard disk, so your current installation can stay as it is.

Then install OPNsense and check how much of bandwidth drop you get.

Or just use a dedicated NAS for storage like a Synology.

I didn't want my network to go down, so I installed Proxmox under VirtualBox on my Windows PC, just to see how easy it really is. I noticed that it is entirely managed via web interface. How does that work if the router/DHCP server is running as a VM inside Proxmox? Do I have to configure a static IP address for it?
This is as far as I went. The web GUI for Proxmox was pretty intimidating to me. I have no idea where to go to install an OPNsense VM (or Ubuntu or TrueNAS VM for storage). This really seems like a level of complexity and abstraction that's not needed, to me, compared to running Samba bare metal.
#7
Quote from: yourfriendarmando on March 28, 2023, 03:44:14 PM
There is a good point somewhere in the docs, or discussion forum, that you don't want this firewall to be an everything server. It is meant to stay busy moving packets you want in and out of interfaces. There are the openNAS projects, I'm looking to try to see the power of ZFS under its hood. The Synology systems use really lightweight ARM based Linux and their newest seem to allow use of BTRFS for snapshots. Hopefully a server appliance doing just file serving should be a green solution, and keep security higher.

I posted a lengthy reply earlier today, but it looks like it disappeared.

It seems the developers/doc writers don't want this firewall to be a file server. I, personally, very much want it to be.

A standalone NAS is by definition going to consume much more than just the wattage of additional SSDs on my pfSense box.

I do have a standalone (custom built) NAS already, but it idles at 100W, has 5 case fans, 8 platter disks of 14TB each, a GPU for transcoding, etc. Which is why it's not on 24/7. It's using Ubuntu with ZFS RAID-Z2.

By comparison, my pfSense box is 100% silent (not even a CPU or PSU fan, and zero case fan) and idles at 37W with two SSDs (ZFS mirror). Each additional SATA SSD would add perhaps one watt, probably less. There are 6 SATA ports on the motherboard, and I have 3 more SSDs on hand I could plug in. Also two M2 slots. I believe I thus could add 6 SSDs with fairly minimal idle wattage increase. There are also 5 free PCIe slots that could take M2 PCIe cards. Of course that would entail more watts, possibly hitting limits of passive cooling. In any case, I do need software to make use of all those SSDs and share them through the LAN interface. I would very much prefer to do it bare metal, not through virtualization.
#8
I got it to work by setting "0.0.0.0/0" in the "IPv4 remote network" field.
A bit strange that this isn't a required field. The server certainly doesn't seem to work with that field left empty.
#9
Thanks. The mDNS is really not required for VPN, would be a bonus if it was simple to set up, but it doesn't look like it, unfortunately.

I got the "redirect gateway" option to work. Now, the Firefox web browser on my Android client has its traffic redirected. Loading speedtest.net in that browser shows my pfSense WAN IP address.
But if I run the native Android Speedtest app, it still shows that it's on the T-Mobile network.

Is this a bug in the OpenVPN client? Are there other types of VPN that will work for all traffic from my Android device, and prevent leaks/connections directly through the ISP?
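An added example (not part of madbrain's post, and not OPNsense or OpenVPN code) that models one way the symptom above can arise. An OpenVPN client that is only pushed `redirect-gateway def1` installs the IPv4 covering routes 0.0.0.0/1 and 128.0.0.0/1 over the tunnel, but its IPv6 traffic keeps following the carrier's default route unless `redirect-gateway ipv6` (which installs 2000::/4 and 3000::/4) is also pushed, so an app that reaches a dual-stack service over IPv6 appears to be on the carrier network. The interface names (`tun0`, `rmnet0`), the tunnel subnet 10.8.0.0/24, the pushed options and the destination addresses are all constructed for the demonstration; the route selection is a plain longest-prefix match built on Python's standard `ipaddress` module.

```python
"""Longest-prefix-match model of an Android OpenVPN client's routing table.

Constructed example: the carrier interface (rmnet0), tunnel interface (tun0),
tunnel subnet 10.8.0.0/24 and every destination address are made up for the
demonstration. The pushed-route expansions follow the OpenVPN manual:
  redirect-gateway def1  -> 0.0.0.0/1 and 128.0.0.0/1 via the tunnel
  redirect-gateway ipv6  -> 2000::/4 and 3000::/4 via the tunnel
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Route:
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    iface: str


def carrier_table() -> List[Route]:
    """Routing table before the VPN connects: everything leaves via the carrier link."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "rmnet0"),
        Route(ipaddress.ip_network("::/0"), "rmnet0"),
    ]


def apply_pushed_options(table: List[Route], push_options: List[str]) -> List[Route]:
    """Return a new table containing the routes an OpenVPN client installs for
    the given pushed options (only the options relevant here are modelled)."""
    table = list(table)
    # The tunnel's own (constructed) subnet is reachable via tun0 once connected.
    table.append(Route(ipaddress.ip_network("10.8.0.0/24"), "tun0"))
    for opt in push_options:
        words = opt.split()
        if words[0] == "redirect-gateway":
            flags = set(words[1:])
            if "def1" in flags:
                # Two /1 routes out-rank the carrier's /0 without replacing it.
                table.append(Route(ipaddress.ip_network("0.0.0.0/1"), "tun0"))
                table.append(Route(ipaddress.ip_network("128.0.0.0/1"), "tun0"))
            if "ipv6" in flags:
                # Covers global unicast; without this flag IPv6 stays on the carrier.
                table.append(Route(ipaddress.ip_network("2000::/4"), "tun0"))
                table.append(Route(ipaddress.ip_network("3000::/4"), "tun0"))
        elif words[0] == "route" and len(words) >= 3:
            # "route <network> <netmask>" for a LAN behind the server
            table.append(Route(ipaddress.ip_network(f"{words[1]}/{words[2]}"), "tun0"))
        elif words[0] == "route-ipv6" and len(words) >= 2:
            table.append(Route(ipaddress.ip_network(words[1]), "tun0"))
    return table


def choose_iface(table: List[Route], dest: str):
    """Longest-prefix match: the most specific route in the destination's
    address family wins, as a kernel routing lookup would decide."""
    addr = ipaddress.ip_address(dest)
    best = None
    for route in table:
        if route.prefix.version != addr.version or addr not in route.prefix:
            continue
        if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
            best = route
    return best.iface if best else None


def leak_report(push_options: List[str], destinations: List[str]) -> dict:
    """Map each destination to the interface it would leave on. Anything still
    on rmnet0 after connecting is traffic that bypasses the tunnel."""
    table = apply_pushed_options(carrier_table(), push_options)
    return {dest: choose_iface(table, dest) for dest in destinations}


if __name__ == "__main__":
    # Constructed destinations: TEST-NET-3, the IPv6 documentation prefix, a home LAN host.
    targets = ["203.0.113.10", "2001:db8::10", "192.168.1.20"]
    ipv4_only = ["redirect-gateway def1", "route 192.168.1.0 255.255.255.0"]
    both = ["redirect-gateway def1 ipv6", "route 192.168.1.0 255.255.255.0"]
    print("IPv4 redirect only:  ", leak_report(ipv4_only, targets))
    print("IPv4 + IPv6 redirect:", leak_report(both, targets))
```

With only `redirect-gateway def1` pushed, the IPv6 destination resolves to `rmnet0` while the IPv4 ones resolve to `tun0`; adding the `ipv6` flag moves it onto the tunnel. On the server side the equivalent check is whether the configuration pushes IPv6 redirection (or blocks IPv6 on the client) rather than IPv4 only.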
#10
When I set this option, my VPN client (on Android) can't access any sites, internal (home devices) or external (Internet). Are there specific settings I need to set for it to work? Specifically in the "IPv4 remote network" and "IPv6 remote network" fields.
#11
I am interested in running a Samba server on my OPNsense box. I see that Samba has been ported to FreeBSD.
However, there is no Samba OPNsense plug-in for this.

Google searches found several discussions about both pfSense and OPNsense, and this was generally discouraged for security reasons. Some recommend virtualization software to run OPNsense and a file server under different VMs. I'm skeptical that the performance will be acceptable. My system has a requirement to handle multi-gig speeds. I built it for that purpose. Virtualization likely would reduce the speed too much. I'd like the file server to support multi-gig speeds too, so it's not just an inexpensive matter to build another physical system as a file server, not to mention all the additional watts that entails.

Is there any solution for someone looking to run a file server bare metal on the same host as OPNsense?
#12
@pmhausen,
I got an X550-T2 which works fine in OPNsense.
I got my pair of AQN-107 to work stably in pfSense 2.6, but not under OPNsense 23.1.
#13
Not sure what I changed, but the regular DNS (.localdomain) started working. The mDNS doesn't. Google searches seem to point to that being really difficult to get to work with OpenVPN, if not impossible.
#14
Quote from: madbrain on March 26, 2023, 10:51:06 PM
Where is the wizards tab?

Found it. There is a wizard "icon".

I followed a video, also outdated, from https://www.youtube.com/watch?v=ocGAcZD8qYo .

I got my VPN working on Android client. I can connect when my phone is on cellular, and access my LAN hosts by their IPv4 address. So, at least the routing is working. DNS is not working, though. Neither mDNS (.local) nor .localdomain .
#15
Quote from: bartjsmit on March 26, 2023, 10:32:14 AM
I still like Kirk's guide, even though it's a bit vintage: https://www.kirkg.us/building-an-openvpn-server-with-opnsense/

Indeed, it seems it doesn't match the current release.

Quote from: Kirk
In the OPNSense Web UI, go to VPN -> OpenVPN. Click on the Wizards tab

Where is the wizards tab?