"
Please ignore this one, for some reason after the update i had 4users with not updated clients trying to connect. Was investigating and 1st thing same into my mind is the upgrade i made yesterday.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
25.7 Series / [SOLVED] OpenVPN issue - not able to connect after upgrade to 25.7
Today at 10:41:55 AM
Hi, after update im not able to connect to openvpn instances.
some logs from /var/log/openvpn/latest
On dashboard i see client is connected, but openvpn app can't connect (UDP send exception: send: Can't assign requested address).
some logs from /var/log/openvpn/latest
Code Select
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server100 42675 - [meta sequenceId="10665"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-11ddf25b-cffc-4d7d-ac65-11af4d239602.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server100 42675 - [meta sequenceId="10666"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server100 42675 - [meta sequenceId="10667"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server95 50542 - [meta sequenceId="10668"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-eef414e6-42a5-4b3a-ac81-486ca0f4faa0.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server95 50542 - [meta sequenceId="10669"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server95 50542 - [meta sequenceId="10670"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server131 4320 - [meta sequenceId="10671"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-43ac02a2-5a40-4b23-b735-2d785cacfcde.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server131 4320 - [meta sequenceId="10672"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server131 4320 - [meta sequenceId="10673"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server105 74517 - [meta sequenceId="10674"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-a2f1d33d-1b81-4cdb-bbe2-0488259f46e8.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server105 74517 - [meta sequenceId="10675"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server91 11945 - [meta sequenceId="10676"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-e4352535-9b8a-47d2-9912-a33dd87010b3.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server91 11945 - [meta sequenceId="10677"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server105 74517 - [meta sequenceId="10678"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server91 11945 - [meta sequenceId="10679"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server97 69433 - [meta sequenceId="10680"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-12feb732-a4be-4fbf-9f18-bdbe9ce402f2.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server97 69433 - [meta sequenceId="10681"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server97 69433 - [meta sequenceId="10682"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server111 99364 - [meta sequenceId="10683"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-7ffacefa-42da-4773-ba76-4be34ad80a29.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server111 99364 - [meta sequenceId="10684"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server111 99364 - [meta sequenceId="10685"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server121 67657 - [meta sequenceId="10686"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-7acdbd9c-b875-486f-ae93-23f075acdefc.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server121 67657 - [meta sequenceId="10687"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server121 67657 - [meta sequenceId="10688"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server92 19091 - [meta sequenceId="10689"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-5f0e621d-c40e-4dfc-bdd0-76047c78e905.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server92 19091 - [meta sequenceId="10690"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server92 19091 - [meta sequenceId="10691"] MANAGEMENT: Client disconnectedOn dashboard i see client is connected, but openvpn app can't connect (UDP send exception: send: Can't assign requested address).
#3
Virtual private networks / Netmap and TUN interfaces
April 15, 2025, 07:46:24 PM
hi all, searching for workaround via physical interface for Zenarmor visibility?
I'm running OPNsense with Zenarmor (Sensei) and using multiple OpenVPN instances (TUN interfaces). As widely documented, Netmap does not support TUN interfaces, which means Zenarmor can't see or filter any traffic coming through those VPNs.
I understand this is a FreeBSD/Netmap limitation, not a Zenarmor issue.
I attempted to bridge the OpenVPN TUN interface with a physical VLAN interface to force traffic to flow through a Netmap-visible interface, hoping Zenarmor could then perform packet inspection. But as expected, TUN interfaces can't be bridged due to the lack of Ethernet framing.
I then tried routing traffic from the OpenVPN subnet (e.g. 172.17.2.0/24) through vlan with outbound NAT and firewall rules, but Zenarmor still doesn't pick up this traffic.
My question:
Is there any known workaround (even dirty or semi-supported) that could make Zenarmor see and filter traffic coming from OpenVPN (TUN), perhaps by routing or redirecting it through a physical interface that Netmap supports? Or is this fundamentally impossible without switching to WireGuard or using TAP (which has its own limitations in OPNsense)?
Any ideas, tricks, or experiences are welcome.
Thanks in advance.
I'm running OPNsense with Zenarmor (Sensei) and using multiple OpenVPN instances (TUN interfaces). As widely documented, Netmap does not support TUN interfaces, which means Zenarmor can't see or filter any traffic coming through those VPNs.
I understand this is a FreeBSD/Netmap limitation, not a Zenarmor issue.
I attempted to bridge the OpenVPN TUN interface with a physical VLAN interface to force traffic to flow through a Netmap-visible interface, hoping Zenarmor could then perform packet inspection. But as expected, TUN interfaces can't be bridged due to the lack of Ethernet framing.
I then tried routing traffic from the OpenVPN subnet (e.g. 172.17.2.0/24) through vlan with outbound NAT and firewall rules, but Zenarmor still doesn't pick up this traffic.
My question:
Is there any known workaround (even dirty or semi-supported) that could make Zenarmor see and filter traffic coming from OpenVPN (TUN), perhaps by routing or redirecting it through a physical interface that Netmap supports? Or is this fundamentally impossible without switching to WireGuard or using TAP (which has its own limitations in OPNsense)?
Any ideas, tricks, or experiences are welcome.
Thanks in advance.
#4
25.1, 25.4 Series / Re: OPNsense 25.1.5_4 - Captive Portal user authentication not working
April 14, 2025, 09:14:46 AM
same here, captive not working in a production. As a authentication I'm using external radius server, where the user get successfully negotiated.
Anyway, Captive says login failed.
Code Select
Auth: (38) Login OK: [captive.user] (from client OPNsense port 0 cli XX:XX:XX:XX:XX) - VLAN ID: XXXX >> You're User (from client opnsense.ip)Anyway, Captive says login failed.
#5
Virtual private networks / Re: Trouble adding CSO via API – always getting {"result":"failed"}
April 13, 2025, 05:16:58 PM
ok, at Network/Headers was the answer for correct endpoint.
thanks again!
Code Select
{OPNSENSE_URL}/api/openvpn/client_overwrites/del/{uuid}thanks again!
#6
Virtual private networks / Re: Trouble adding CSO via API – always getting {"result":"failed"}
April 12, 2025, 11:41:56 PM
Update: Got it working – here's where I went wrong and what the fix looks like, thanks again for the guide!
I was doing Incorrect JSON structure – The API expects a top-level key called "cso", like this:
And wrong servers field – You must provide the UUID of the OpenVPN instance (not its name or description).
You can retrieve these UUIDs by calling:
Have another Q, what about removing CSO. By inspecting API while removing CSO i can not see the correct endpoint. Im trying it with:
and getting
I was doing Incorrect JSON structure – The API expects a top-level key called "cso", like this:
Code Select
{
"cso": {
"common_name": "...",
...
}
}And wrong servers field – You must provide the UUID of the OpenVPN instance (not its name or description).
You can retrieve these UUIDs by calling:
Code Select
curl -X POST 'https://your.opnsense/api/openvpn/instances/search' ...Have another Q, what about removing CSO. By inspecting API while removing CSO i can not see the correct endpoint. Im trying it with:
Code Select
curl -X POST 'https://my.opnsense.host/api/openvpn/client_overwrites/del' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{"uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}' \
--insecureand getting
Code Select
{"errorMessage":"Endpoint not found"}
#7
Virtual private networks / Re: Trouble adding CSO via API – always getting {"result":"failed"}
April 11, 2025, 10:48:00 PM
Follow-up: Still getting {"result":"failed"} despite updated syntax and values
I tried adjusting the request syntax after reviewing the updated API docs and checking existing CSO entries via the search endpoint.
Here's the command I used:
Before sending the request, I verified the servers value by listing current CSOs with:
Which returned:
I updated the request payload accordingly, but unfortunately, the API still responds with
I tried adjusting the request syntax after reviewing the updated API docs and checking existing CSO entries via the search endpoint.
Here's the command I used:
Code Select
curl -X POST 'https://my.opnsense.host/api/openvpn/client_overwrites/add' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{
"common_name": "test.user",
"description": "IP-Reservation",
"servers": "OVPN-Proton-IN (52002 / UDP)",
"tunnel_network": "172.17.2.107/32"
}' \
--insecureBefore sending the request, I verified the servers value by listing current CSOs with:
Code Select
curl -X POST 'https://my.opnsense.host/api/openvpn/client_overwrites/search' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{}' \
--insecure | jq '.rows[] | select(.servers | startswith("OVPN"))'Which returned:
Code Select
{
"uuid": "298345e2-da80-45a4-ad65-295670b148d1",
{
"uuid": "298345e2-da80-45a4-ad65-295670b148d1",
"enabled": "1",
"servers": "OVPN-Proton-IN (52002 / UDP)",
"common_name": "howno",
"block": "0",
"push_reset": "0",
"tunnel_network": "",
"tunnel_networkv6": "",
"local_networks": "",
"remote_networks": "",
"route_gateway": "",
"redirect_gateway": "",
"register_dns": "0",
"dns_domain": "",
"dns_domain_search": "",
"dns_servers": "",
"ntp_servers": "",
"wins_servers": "",
"description": ""
}
}I updated the request payload accordingly, but unfortunately, the API still responds with
Code Select
{"result":"failed"} #8
Virtual private networks / Re: Trouble adding CSO via API – always getting {"result":"failed"}
April 11, 2025, 08:56:40 PM
Hi again, and thanks for quick reply!
After several tests and with help from search and instances/search API calls, I believe I've finally figured out why my CSO API calls keep returning
Root cause: missing name field in OpenVPN instances?
The API endpoint client_overwrites/add expects server_list to include internal OpenVPN instance names, not just their descriptions. These names are normally set internally when creating an instance, but in my case, all instances returned:
This explains why the CSO can't be added – the instance has no valid internal name, and the API doesn't know where to attach the override.
Am I wrong?
After several tests and with help from search and instances/search API calls, I believe I've finally figured out why my CSO API calls keep returning
Code Select
{"result":"failed"}.Root cause: missing name field in OpenVPN instances?
The API endpoint client_overwrites/add expects server_list to include internal OpenVPN instance names, not just their descriptions. These names are normally set internally when creating an instance, but in my case, all instances returned:
Code Select
"name": null,
"description": "OVPN-Proton-IN"This explains why the CSO can't be added – the instance has no valid internal name, and the API doesn't know where to attach the override.
Code Select
curl -X POST 'https://my.opnsense/api/openvpn/instances/search' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{}' \
--insecure | jq '.rows[] | {name, description}'Am I wrong?
#9
Virtual private networks / [SOLVED] Trouble adding CSO via API – always getting {"result":"failed"}
April 11, 2025, 07:31:30 PM
Hi,
I'm trying to add a Client Specific Override (CSO) using the OPNsense API and curl, but I keep getting the response {"result":"failed"}.
I've tried various payload formats, using this OPNsense API doc as a base. Since I couldn't find a full schema for OPNsense CSO, I borrowed the format from the pf API here: https://pfrest.org/api-docs/#/VPN/postVPNOpenVPNCSOEndpoint
Here's one example I tested:
I also tried with escaping quotes and with other field combinations, but always got the same result.
The API call completes successfully with HTTP 200, but the body returns:
full output:
Any idea what I might be doing wrong? Is the tunnel_network key invalid in OPNsense? What's the correct schema for the CSO add endpoint?
Thanks!
I'm trying to add a Client Specific Override (CSO) using the OPNsense API and curl, but I keep getting the response {"result":"failed"}.
I've tried various payload formats, using this OPNsense API doc as a base. Since I couldn't find a full schema for OPNsense CSO, I borrowed the format from the pf API here: https://pfrest.org/api-docs/#/VPN/postVPNOpenVPNCSOEndpoint
Here's one example I tested:
Code Select
curl -v -k --location https://my.opnsense.host/api/openvpn/client_overwrites/add \
-u "key:secret" \
--header 'Content-Type: application/json' \
--data '{
"common_name": "test.user",
"disable": false,
"block": false,
"description": "IP-Reservation",
"server_list": ["OVPN-Proton-IN"],
"tunnel_network": "172.17.2.107/24"
}'
I also tried with escaping quotes and with other field combinations, but always got the same result.
The API call completes successfully with HTTP 200, but the body returns:
Code Select
{"result":"failed"}full output:
Code Select
* Host my.opnsense.host:443 was resolved.
* IPv6: (none)
* IPv4: 192.0.2.123
* Trying 192.0.2.123:443...
* Connected to your.opnsense.host (192.0.2.123) port 443
* ALPN: curl offers h2,http/1.1
* (TLS handshake and certificate ok)
* using HTTP/2
* Server auth using Basic with user '[REDACTED]'
> POST /api/openvpn/client_overwrites/add HTTP/2
> Host: your.opnsense.host
> Authorization: Basic [REDACTED]
> User-Agent: curl/8.7.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 213
>
* upload completely sent off: 213 bytes
< HTTP/2 200
< content-type: application/json; charset=UTF-8
< server: OPNsense
< date: Fri, 11 Apr 2025 17:06:49 GMT
< set-cookie: PHPSESSID=[REDACTED]; path=/; secure; HttpOnly; SameSite=Lax
<
{"result":"failed"}Any idea what I might be doing wrong? Is the tunnel_network key invalid in OPNsense? What's the correct schema for the CSO add endpoint?
Thanks!
#10
Virtual private networks / Re: How to export OpenVPN config using the API?
April 11, 2025, 03:14:30 PM
hi, i can start new topic, anyway, before I'll try to ask here.
I'm trying to use API for adding new CSO.
The client has made a successful request. as code 200 is the answer, but at the end of response is {"result":"failed"}.
here is the curl command:
could someone help?
I'm trying to use API for adding new CSO.
The client has made a successful request. as code 200 is the answer, but at the end of response is {"result":"failed"}.
here is the curl command:
Code Select
curl -v -k -u "key":"secret" \
-H 'Content-Type: application/json' \
-X POST "https://firewall.ip/api/openvpn/client_overwrites/add" \
-d '{"enabled": true, "common_name": "test.user", "server_list": ["OVPN-IN (52002 / UDP)"]}'could someone help?
#11
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:48:29 PM
Sorry about that, I just wanted to be as clear as possible, and... At least now we know.
#12
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:39:14 PMQuote from: cookiemonster on February 19, 2025, 04:51:14 PMSame thing, being called different ways. From reading the thread "there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM."
- directly on the interface in the virtualizer = let OPNsense itself tag the packets and remove the VLAN settings from the virtual interface
and of course the expected "opposite":
- "KVM level" = VLAN tagging by the hypervisor (KVM in this case) and OPN blissfully unaware
This was just a answer for @viragomann, didn't want to get much into it. This does not have anything to do with my issue because firewall can see the VLAN and is accessible, just wanted to be clear with the whole setup. Anyway, my problem is still ongoing and have no idea what I'm doing wrong.
#13
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:27:28 PMQuoteWhat's a segment tag?vlan, network segmentation
#14
General Discussion / Re: DNS forwarding issue
February 19, 2025, 11:27:11 AMQuoteCan you discribe this more clearly, please?
Certainly, there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM.
Proxmox level:
Code Select
/etc/pve/nodes/pve/qemu-server/XXXXX.conf
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0,tag=10Code Select
dc01 ~
> # nmcli connection show
NAME UUID TYPE DEVICE
enp6sXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX ethernet enp6sXXKVM level:
Code Select
/etc/pve/nodes/pve/qemu-server/XXXXX.conf
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0Code Select
> # nmcli connection add type vlan con-name vlan0.10 ifname vlan0.10 dev enp6sXX id 10
> # nmcli device status
DEVICE TYPE STATE CONNECTION
vlan0.10 vlan connected vlan0.10
Code Select
> # nmcli connection show
NAME UUID TYPE DEVICE
vlan0.10 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX vlan vlan0.10QuoteThis might indicate an asymmetric routing issue.Will try later today
Run a packet capture on the client side Interface and sniff the DNS traffic to see, what's really going on.
#15
General Discussion / Re: DNS forwarding issue
February 19, 2025, 07:58:26 AM
Hi and thanks for reply
--
Also would be good to mention that once my DNS server iface is tagged at the Proxmox level, it is working.
Once I tag the segment whit-in the KVM it's acting as described reply from unexpected source.
Proxmox's Open vSwitch is set as simple L2, so L3 routing is only OPNsense doing.
QuoteIs the alias of the type "hosts"?Yes it is
QuoteIs this the correct interface?This is also correct, iface has a static IP and kea is serving dhcp on that segment.
This one, the clients are connected to?
QuoteDid you try to explicitly set the pool options to "round robin"?yes, round robin with sticky address and also the default option, what, based on the docu, "round robin" is
--
Also would be good to mention that once my DNS server iface is tagged at the Proxmox level, it is working.
Once I tag the segment whit-in the KVM it's acting as described reply from unexpected source.
Proxmox's Open vSwitch is set as simple L2, so L3 routing is only OPNsense doing.
QuoteI tested bypassing OPNsense and configured L3 on the switch, and everything started workingWhatever level i tag the iface this is working
