Messages - SimHat

#1
Since the request is coming from the internet, I would have to enable DNS to the global internet?  That doesn't sound right ... or safe.
Even though I have the local subnet advertised it's almost like it can't reach that subnet when using the exit node, even though I can ping things in that subnet.
When I ping the source shows as 127.0.0.1, but when I try to access DNS the source shows as my external IP.
#2
I have opnsense set as an exit node and I'm advertising my local network on the tailnet.  I'm using opnsense as my DNS server with unbound.  I'm advertising my opnsense IP as a DNS server to the tailnet.

If I'm not using tailscale as an exit node, my tailscale clients are able to use the opnsense DNS without issue.  However if I set opnsense as an exit node, DNS fails.  I can still route to things on the local network and the internet via IP, but not DNS running on opnsense.  I've created another DNS server on my local network and I can use that one without issue, but I'd really like to use unbound on opnsense.

I'm guessing maybe I'm missing a rule in opnsense?

#3
Last night at exactly 1:00am, my router looks like it just started spawning endless processes until it ate all the memory on the system and caused it to start doing some strange things and eventually crash. I've checked and there are no cron jobs that start at this time so I'm wondering is there an automatic cleanup process that possibly got stuck?

This is the second time this has happened in the last 2 weeks.  Both times it started exactly at 1:00am.  This only started with 24.7.5.

Where would I even begin to look to see if I can find out what was spawning out of control?
#4
23.7 Legacy Series / [Solved] ACME Cert Automation Issues
December 17, 2023, 07:01:33 PM
I'm using Opnsense to get the cert from letsencrypt, then the idea is to copy the cert to the necessary server and restart nginx.  I've got the restarting of nginx working properly, but I cannot get the cert to copy over automatically.  I'm using the "upload certificate via sftp".

When I use the upload via sftp I get no error, it just doesn't copy anything.  When I "test connection" I get confirmation that connection and upload test succeeded.

I can manually scp the files from the firewall to the server without issue.

Edit: For some reason I had to delete the old files on the server before it would upload the new ones.  Probably a permissions issue on the server.  I'm tackling it from that end.
#5
I've got my OpenVPN setup switched over to the new OpenVPN: Instances, but the client specific overrides no longer work.  Is there a new way of doing client specific overrides with OpenVPN: Instances?

I'm trying to set a specific client with a static IP address.

Currently running 23.7.5 but I don't really see anything in the release notes that would lead me to believe that 23.7.6 would resolve the issue.

Resolved Update: I was able to correct the issue by deleting the client override and just recreating it from scratch.
#6
I'm trying to use ACME automations to copy certificates to other servers on the network.  Where would I find the key on OPNSense that I need to add to the servers ~/ssh/authorized_keys file to allow login?
I generated a key using ssh-keygen but when I try to use it I get the following.

Load key "/root/.ssh/id_rsa.pub": invalid format

Nevermind.  I realized I'm not a smart person.  You have to use /root/.ssh/id_rsa NOT the .pub file.
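The mistake above (handing the automation the .pub file instead of the private key) is easy to catch before a job runs. The following is an added helper, not part of the original post or of the OPNsense ACME plugin; the paths and key contents in it are constructed examples, and the function names are my own.

```python
import os
import stat

# First-line markers of OpenSSH / PEM private-key files: what the sftp automation needs.
PRIVATE_MARKERS = (
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)
# Key-type prefixes of an authorized_keys-style line: what the .pub file contains.
PUBLIC_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def classify_ssh_key(text: str) -> str:
    """Return 'private', 'public' or 'unknown' for the contents of a key file."""
    first = text.lstrip().split("\n", 1)[0].strip()
    if any(first.startswith(m) for m in PRIVATE_MARKERS):
        return "private"
    fields = first.split()
    if len(fields) >= 2 and fields[0] in PUBLIC_TYPES and fields[1].startswith("AAAA"):
        return "public"
    return "unknown"


def audit_key(path: str, text: str, mode: int) -> list:
    """Pure check: list the problems with using this file as the SFTP identity."""
    problems = []
    kind = classify_ssh_key(text)
    if path.endswith(".pub") or kind == "public":
        # This is the half that belongs in the server's authorized_keys, not here.
        problems.append("this is the public half; point the automation at the private key")
    if kind == "unknown":
        problems.append("unrecognised key format")
    if kind == "private" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        # sshd-style clients refuse group/world-readable private keys.
        problems.append("private key readable by group/other; chmod 600 it")
    return problems


def audit_key_file(path: str) -> list:
    """Read a key file from disk and audit it; empty list means it is usable."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_key(path, text, stat.S_IMODE(os.stat(path).st_mode))
```

Run `audit_key_file("/root/.ssh/id_rsa")` on the firewall before configuring the automation; any non-empty result explains the "invalid format" or permission refusal before a cert renewal silently fails.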
#7
Oh ffs.  I can't tell you how many hours I've messed with this using the wrong certs.  As soon as I used the correct ones, now everything works perfectly.

Thanks!
#8
I am trying to use OPNsense to create a wildcard cert for my domain name then distribute that cert to my bitwarden server through automations.  I'm copying the certs from the /var/etc/acme-client/certs/randomnumbers to my bitwarden server, but I feel like these are not the correct cert files that need to be moved over.  Is there a different location for certs?

Am I just missing something here or is this not actually possible with the acme plugin?
#9
23.1 Legacy Series / ACME client with DynDNS
June 27, 2023, 11:03:07 PM
I'm looking for someone who has set up the ACME client with DynDNS.org

I use DynDNS.org for my dynamic dns and I'm trying to set up ACME/LetsEncrypt using a DNS challenge.  I've got everything set up, but I have no idea what I need to use for the attached field.  I contacted Dyn support but, unsurprisingly, they weren't much help.

Is there anyone who has done this combination who knows what needs to be used here?  Or maybe there is a way to generate the DNS record from the CLI and just manually enter it into opnsense.
#10
I was making this way harder than it needed to be.
I was able to resolve the issue by simply adding the OpenVPN interface to all the existing NAT rules that I wanted to use.
#11
Brief setup overview:
I have an OpenVPN setup that is working.  I can access tunneled resources via IP without issue.
I'm using Dynamic DNS to translate my external IP to a DNS name.
I'm using NAT reflection so my LAN clients can access the LAN resources by DNS name.
I'm using Unbound DNS for all LAN and VPN clients.
All VPN traffic is forced through the tunnel.  No split tunneling.

Problem:
VPN users are not able to access LAN resources by the DNS name.

I'm not sure if this is a firewall rule I need to set or a NAT setting that needs to be changed.
I'm sure this has been covered before, but I was having a tough time searching.