Messages - kozistan

#1
Zenarmor (Sensei) / Re: Netmap packet drops
October 18, 2025, 11:27:47 AM
Thank you sy!
#2
Zenarmor (Sensei) / Re: Netmap packet drops
October 14, 2025, 07:38:18 PM
I've reset the tunables and added these parameters again:

dev.ixl.0.iflib.override_nrxds="2048"
dev.ixl.0.iflib.override_ntxds="2048"
dev.netmap.buf_num="1000000"
dev.netmap.buf_size="2048"
dev.netmap.ring_size="36864"
net.inet.udp.recvspace="1048576"
net.isr.bindthreads="1"
net.isr.maxthreads="-1"


Restarted, and dmesg | grep netmap:
root@fw:~# dmesg | grep netmap
[185] 128.687783 [1167] generic_netmap_attach     Emulated adapter for wg14 created (prev was NULL)
[185] 128.697565 [1072] generic_netmap_dtor       Emulated netmap adapter for wg14 destroyed
[185] 128.706772 [1167] generic_netmap_attach     Emulated adapter for wg14 created (prev was NULL)
[186] 129.103669 [ 319] generic_netmap_register   Emulated adapter for wg14 activated
[186] 129.112182 [1167] generic_netmap_attach     Emulated adapter for wg9 created (prev was NULL)
[186] 129.121897 [1072] generic_netmap_dtor       Emulated netmap adapter for wg9 destroyed
[186] 129.131131 [1167] generic_netmap_attach     Emulated adapter for wg9 created (prev was NULL)
[186] 129.141014 [ 319] generic_netmap_register   Emulated adapter for wg9 activated
[186] 129.149399 [1167] generic_netmap_attach     Emulated adapter for wg8 created (prev was NULL)
[186] 129.159155 [1072] generic_netmap_dtor       Emulated netmap adapter for wg8 destroyed
[186] 129.168284 [1167] generic_netmap_attach     Emulated adapter for wg13 created (prev was NULL)
[186] 129.178153 [1072] generic_netmap_dtor       Emulated netmap adapter for wg13 destroyed
[186] 129.187368 [1167] generic_netmap_attach     Emulated adapter for wg12 created (prev was NULL)
[186] 129.197244 [1072] generic_netmap_dtor       Emulated netmap adapter for wg12 destroyed
[186] 129.206428 [1167] generic_netmap_attach     Emulated adapter for wg8 created (prev was NULL)
[186] 129.216404 [ 319] generic_netmap_register   Emulated adapter for wg8 activated
[186] 129.224960 [1167] generic_netmap_attach     Emulated adapter for wg12 created (prev was NULL)
[186] 129.234886 [ 319] generic_netmap_register   Emulated adapter for wg12 activated
[186] 129.243443 [1167] generic_netmap_attach     Emulated adapter for wg11 created (prev was NULL)
[186] 129.253293 [1072] generic_netmap_dtor       Emulated netmap adapter for wg11 destroyed
[186] 129.262541 [1167] generic_netmap_attach     Emulated adapter for wg11 created (prev was NULL)
[186] 129.272495 [ 319] generic_netmap_register   Emulated adapter for wg11 activated
[186] 129.281215 [1167] generic_netmap_attach     Emulated adapter for wg6 created (prev was NULL)
[186] 129.290986 [1072] generic_netmap_dtor       Emulated netmap adapter for wg6 destroyed
[186] 129.300135 [1167] generic_netmap_attach     Emulated adapter for wg13 created (prev was NULL)
[186] 129.310134 [ 319] generic_netmap_register   Emulated adapter for wg13 activated
[186] 129.318779 [1167] generic_netmap_attach     Emulated adapter for wg6 created (prev was NULL)
[186] 129.328614 [ 319] generic_netmap_register   Emulated adapter for wg6 activated
[186] 129.399411 [1167] generic_netmap_attach     Emulated adapter for wg45 created (prev was NULL)
[186] 129.409257 [1072] generic_netmap_dtor       Emulated netmap adapter for wg45 destroyed
[186] 129.418496 [1167] generic_netmap_attach     Emulated adapter for wg45 created (prev was NULL)
[186] 129.428411 [ 319] generic_netmap_register   Emulated adapter for wg45 activated
[186] 129.444317 [ 853] iflib_netmap_config       txr 10 rxr 10 txd 2048 rxd 2048 rbufsz 2048
[186] 129.453743 [ 853] iflib_netmap_config       txr 10 rxr 10 txd 2048 rxd 2048 rbufsz 2048
[187] 130.140235 [1167] generic_netmap_attach     Emulated adapter for wg10 created (prev was NULL)
[187] 130.150116 [1072] generic_netmap_dtor       Emulated netmap adapter for wg10 destroyed
[187] 130.159302 [1167] generic_netmap_attach     Emulated adapter for wg10 created (prev was NULL)
[187] 130.169252 [ 319] generic_netmap_register   Emulated adapter for wg10 activated
[1498] 441.673311 [ 294] generic_netmap_unregister Emulated adapter for wg10 deactivated
[1498] 441.681937 [1072] generic_netmap_dtor       Emulated netmap adapter for wg10 destroyed
[1499] 442.028443 [ 294] generic_netmap_unregister Emulated adapter for wg8 deactivated
[1499] 442.036933 [1072] generic_netmap_dtor       Emulated netmap adapter for wg8 destroyed
[1499] 442.061069 [ 294] generic_netmap_unregister Emulated adapter for wg45 deactivated
[1499] 442.069637 [1072] generic_netmap_dtor       Emulated netmap adapter for wg45 destroyed
[1499] 442.377310 [ 294] generic_netmap_unregister Emulated adapter for wg14 deactivated
[1499] 442.385889 [1072] generic_netmap_dtor       Emulated netmap adapter for wg14 destroyed
[1500] 443.082925 [ 294] generic_netmap_unregister Emulated adapter for wg12 deactivated
[1500] 443.091513 [1072] generic_netmap_dtor       Emulated netmap adapter for wg12 destroyed
[1500] 443.100591 [ 294] generic_netmap_unregister Emulated adapter for wg6 deactivated
[1500] 443.109125 [1072] generic_netmap_dtor       Emulated netmap adapter for wg6 destroyed
[1500] 443.118134 [ 294] generic_netmap_unregister Emulated adapter for wg11 deactivated
[1500] 443.126723 [1072] generic_netmap_dtor       Emulated netmap adapter for wg11 destroyed
[1500] 443.135819 [ 294] generic_netmap_unregister Emulated adapter for wg13 deactivated
[1500] 443.160902 [1072] generic_netmap_dtor       Emulated netmap adapter for wg13 destroyed
[1500] 443.390434 [ 294] generic_netmap_unregister Emulated adapter for wg9 deactivated
[1500] 443.399937 [1072] generic_netmap_dtor       Emulated netmap adapter for wg9 destroyed
[1] ixl0: netmap queues/slots: TX 10/2048, RX 10/2048
[1] ixl1: netmap queues/slots: TX 10/1024, RX 10/1024
[1] igc0: netmap queues/slots: TX 4/1024, RX 4/1024
[1] igc1: netmap queues/slots: TX 4/1024, RX 4/1024
[1] igc2: netmap queues/slots: TX 4/1024, RX 4/1024
[1] igc3: netmap queues/slots: TX 4/1024, RX 4/1024
[183] 668.572322 [1167] generic_netmap_attach     Emulated adapter for wg45 created (prev was NULL)
[183] 668.582140 [1072] generic_netmap_dtor       Emulated netmap adapter for wg45 destroyed
[183] 668.591307 [1167] generic_netmap_attach     Emulated adapter for wg45 created (prev was NULL)
[183] 668.949825 [ 319] generic_netmap_register   Emulated adapter for wg45 activated
[183] 668.958303 [1167] generic_netmap_attach     Emulated adapter for wg11 created (prev was NULL)
[183] 668.968080 [1072] generic_netmap_dtor       Emulated netmap adapter for wg11 destroyed
[183] 668.977060 [1167] generic_netmap_attach     Emulated adapter for wg13 created (prev was NULL)
[183] 668.986882 [1072] generic_netmap_dtor       Emulated netmap adapter for wg13 destroyed
[183] 668.996007 [1167] generic_netmap_attach     Emulated adapter for wg11 created (prev was NULL)
[183] 669.005923 [ 319] generic_netmap_register   Emulated adapter for wg11 activated
[183] 669.014513 [1167] generic_netmap_attach     Emulated adapter for wg13 created (prev was NULL)
[183] 669.024382 [ 319] generic_netmap_register   Emulated adapter for wg13 activated
[183] 669.032902 [1167] generic_netmap_attach     Emulated adapter for wg10 created (prev was NULL)
[183] 669.042670 [1072] generic_netmap_dtor       Emulated netmap adapter for wg10 destroyed
[183] 669.051825 [1167] generic_netmap_attach     Emulated adapter for wg12 created (prev was NULL)
[183] 669.061693 [1072] generic_netmap_dtor       Emulated netmap adapter for wg12 destroyed
[183] 669.070941 [1167] generic_netmap_attach     Emulated adapter for wg8 created (prev was NULL)
[183] 669.080716 [1072] generic_netmap_dtor       Emulated netmap adapter for wg8 destroyed
[183] 669.089838 [1167] generic_netmap_attach     Emulated adapter for wg10 created (prev was NULL)
[184] 669.099781 [ 319] generic_netmap_register   Emulated adapter for wg10 activated
[184] 669.108199 [1167] generic_netmap_attach     Emulated adapter for wg12 created (prev was NULL)
[184] 669.118072 [ 319] generic_netmap_register   Emulated adapter for wg12 activated
[184] 669.126637 [1167] generic_netmap_attach     Emulated adapter for wg6 created (prev was NULL)
[184] 669.136389 [1072] generic_netmap_dtor       Emulated netmap adapter for wg6 destroyed
[184] 669.145583 [1167] generic_netmap_attach     Emulated adapter for wg6 created (prev was NULL)
[184] 669.155323 [ 319] generic_netmap_register   Emulated adapter for wg6 activated
[184] 669.163798 [1167] generic_netmap_attach     Emulated adapter for wg9 created (prev was NULL)
[184] 669.173593 [1072] generic_netmap_dtor       Emulated netmap adapter for wg9 destroyed
[184] 669.182650 [ 853] iflib_netmap_config       txr 10 rxr 10 txd 2048 rxd 2048 rbufsz 2048
[184] 669.192101 [ 853] iflib_netmap_config       txr 10 rxr 10 txd 2048 rxd 2048 rbufsz 2048
[184] 669.433269 [1167] generic_netmap_attach     Emulated adapter for wg8 created (prev was NULL)
[184] 669.443140 [ 319] generic_netmap_register   Emulated adapter for wg8 activated
[184] 669.451515 [1167] generic_netmap_attach     Emulated adapter for wg9 created (prev was NULL)
[184] 669.461401 [ 319] generic_netmap_register   Emulated adapter for wg9 activated
[184] 669.922342 [1167] generic_netmap_attach     Emulated adapter for wg14 created (prev was NULL)
[184] 669.932180 [1072] generic_netmap_dtor       Emulated netmap adapter for wg14 destroyed
[184] 669.941462 [1167] generic_netmap_attach     Emulated adapter for wg14 created (prev was NULL)
[184] 669.951366 [ 319] generic_netmap_register   Emulated adapter for wg14 activated

Packets are dropping:
dev.netmap.iflib_rx_miss: 6608
#3
Zenarmor (Sensei) / Re: Netmap packet drops
October 14, 2025, 04:55:08 PM
Hi, no logs for netmap there

root@fw:~# dmesg | grep netmap
root@fw:~#

but this is dropped for today:
Tue Oct 14 16:52:48 CEST 2025
dev.netmap.iflib_rx_miss: 3785014
#4
Zenarmor (Sensei) / [Solved] - Netmap packet drops
October 14, 2025, 05:20:43 AM
Hi, I have a problem with packet drops.

When monitoring packets on ixl0 (with 17 VLANs) and 9 WireGuard interfaces, I see dev.netmap.iflib_rx_miss counter growing continuously.
During high traffic, by thousands per minute.

My config: OPNsense 25.7.5-amd64, LAN - Intel X710 ixl0 parent interface, Zenarmor 2.1 routed mode with native netmap driver.

Packet drops dev.netmap.iflib_rx_miss with standard tunables:
dev.netmap.buf_num="1000000"
dev.netmap.buf_size="2048"
dev.netmap.ring_size="36864"
dev.ixl.0.iflib.override_nrxds="1024"

I tried to increase descriptor rings from 1024 to 2048 because the default 1024 was insufficient for the combination of high-throughput traffic, netmap, and VLANs. Larger rings provide more space for packet buffering at the NIC level, resulting in fewer drops.
dev.ixl.0.iflib.override_nrxds="2048"
dev.ixl.0.iflib.override_ntxds="2048"

When changing dev.netmap.buf_num or dev.netmap.buf_size, Zenarmor crashes on WireGuard interfaces with loop:

generic_netmap_attach: Emulated adapter for wg* created
generic_netmap_dtor: Emulated netmap adapter for wg* destroyed

Tested (all failed):
8M buffers + buf_size 4096
8M buffers + buf_size 2048
4M buffers + buf_size 2048
6M buffers + buf_size 4096


How to achieve connectivity without packet loss? Without Zenarmor everything works without drops.
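As an added example (my own code, not from this thread, netmap or OPNsense), here is the check a practitioner would run over the dmesg lines quoted in this thread: it parses the generic_netmap attach/dtor/register lines and flags interfaces stuck in the create/destroy loop described in the question. The wg99 lines in the sample are constructed; wg11 reproduces the normal startup pattern from the quoted logs (one create/destroy, then create/activate). The threshold of two failed attaches is an assumption chosen from that pattern.

```python
import re
from collections import defaultdict

# Constructed sample in the dmesg format quoted in the thread:
# "[<pid>] <sec>.<usec> [<srcline>] <function> <message>".
# wg11: normal startup. wg99: constructed interface stuck in the create/destroy loop.
SAMPLE_DMESG = """\
[186] 129.243443 [1167] generic_netmap_attach     Emulated adapter for wg11 created (prev was NULL)
[186] 129.253293 [1072] generic_netmap_dtor       Emulated netmap adapter for wg11 destroyed
[186] 129.262541 [1167] generic_netmap_attach     Emulated adapter for wg11 created (prev was NULL)
[186] 129.272495 [ 319] generic_netmap_register   Emulated adapter for wg11 activated
[190] 131.000001 [1167] generic_netmap_attach     Emulated adapter for wg99 created (prev was NULL)
[190] 131.010002 [1072] generic_netmap_dtor       Emulated netmap adapter for wg99 destroyed
[190] 131.020003 [1167] generic_netmap_attach     Emulated adapter for wg99 created (prev was NULL)
[190] 131.030004 [1072] generic_netmap_dtor       Emulated netmap adapter for wg99 destroyed
[190] 131.040005 [1167] generic_netmap_attach     Emulated adapter for wg99 created (prev was NULL)
[190] 131.050006 [1072] generic_netmap_dtor       Emulated netmap adapter for wg99 destroyed
[1] ixl0: netmap queues/slots: TX 10/2048, RX 10/2048
"""

EVENT_RE = re.compile(
    r"^\[\d+\]\s+(?P<ts>\d+\.\d+)\s+\[\s*\d+\]\s+(?P<func>generic_netmap_\w+)\s+"
    r"Emulated (?:netmap )?adapter for (?P<ifname>\S+) "
    r"(?P<event>created|destroyed|activated|deactivated)"
)


def parse_events(text):
    """Return (timestamp, ifname, event) tuples for generic-netmap lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((float(m.group("ts")), m.group("ifname"), m.group("event")))
    return events


def find_attach_loops(text, max_failed_attaches=2):
    """Map ifname -> number of create/destroy cycles that never reached 'activated', for
    interfaces that exceed the threshold and were never activated in the log window.

    One create/destroy before activation is normal startup in the quoted logs; repeated
    cycles with no activation are the loop reported after changing buf_num/buf_size."""
    failed = defaultdict(int)
    pending = set()      # adapters created but not yet activated
    activated = set()
    for _ts, ifname, event in parse_events(text):
        if event == "created":
            pending.add(ifname)
        elif event == "destroyed":
            if ifname in pending:          # torn down before ever activating
                pending.discard(ifname)
                failed[ifname] += 1
        elif event == "activated":
            pending.discard(ifname)
            activated.add(ifname)
        elif event == "deactivated":       # orderly shutdown; the following destroy is expected
            pending.discard(ifname)
    return {n: c for n, c in failed.items()
            if c > max_failed_attaches and n not in activated}


if __name__ == "__main__":
    # On a live box: dmesg | grep netmap | python3 this_script.py  (reads stdin instead)
    print(find_attach_loops(SAMPLE_DMESG))
```

Pipe real `dmesg | grep netmap` output into `find_attach_loops` to get the same report for a production firewall; an interface that repeatedly appears in the result while never reaching "activated" is the symptom to correlate with the buf_num/buf_size change.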
#5
Please ignore this one; for some reason, after the update I had 4 users with not-updated clients trying to connect. I was investigating, and the first thing that came into my mind was the upgrade I made yesterday.
#6
Hi, after the update I'm not able to connect to OpenVPN instances.

Some logs from /var/log/openvpn/latest:

<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server100 42675 - [meta sequenceId="10665"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-11ddf25b-cffc-4d7d-ac65-11af4d239602.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server100 42675 - [meta sequenceId="10666"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server100 42675 - [meta sequenceId="10667"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server95 50542 - [meta sequenceId="10668"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-eef414e6-42a5-4b3a-ac81-486ca0f4faa0.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server95 50542 - [meta sequenceId="10669"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server95 50542 - [meta sequenceId="10670"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server131 4320 - [meta sequenceId="10671"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-43ac02a2-5a40-4b23-b735-2d785cacfcde.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server131 4320 - [meta sequenceId="10672"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server131 4320 - [meta sequenceId="10673"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server105 74517 - [meta sequenceId="10674"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-a2f1d33d-1b81-4cdb-bbe2-0488259f46e8.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server105 74517 - [meta sequenceId="10675"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server91 11945 - [meta sequenceId="10676"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-e4352535-9b8a-47d2-9912-a33dd87010b3.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server91 11945 - [meta sequenceId="10677"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server105 74517 - [meta sequenceId="10678"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server91 11945 - [meta sequenceId="10679"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server97 69433 - [meta sequenceId="10680"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-12feb732-a4be-4fbf-9f18-bdbe9ce402f2.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server97 69433 - [meta sequenceId="10681"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server97 69433 - [meta sequenceId="10682"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server111 99364 - [meta sequenceId="10683"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-7ffacefa-42da-4773-ba76-4be34ad80a29.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server111 99364 - [meta sequenceId="10684"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server111 99364 - [meta sequenceId="10685"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server121 67657 - [meta sequenceId="10686"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-7acdbd9c-b875-486f-ae93-23f075acdefc.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server121 67657 - [meta sequenceId="10687"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server121 67657 - [meta sequenceId="10688"] MANAGEMENT: Client disconnected
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server92 19091 - [meta sequenceId="10689"] MANAGEMENT: Client connected from /var/etc/openvpn/instance-5f0e621d-c40e-4dfc-bdd0-76047c78e905.sock
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server92 19091 - [meta sequenceId="10690"] MANAGEMENT: CMD 'status 3'
<29>1 2025-07-25T10:39:01+02:00 fw.sloto.space openvpn_server92 19091 - [meta sequenceId="10691"] MANAGEMENT: Client disconnected



On the dashboard I see the client is connected, but the OpenVPN app can't connect (UDP send exception: send: Can't assign requested address).

#7
Virtual private networks / Netmap and TUN interfaces
April 15, 2025, 07:46:24 PM
Hi all, searching for a workaround via a physical interface for Zenarmor visibility?

I'm running OPNsense with Zenarmor (Sensei) and using multiple OpenVPN instances (TUN interfaces). As widely documented, Netmap does not support TUN interfaces, which means Zenarmor can't see or filter any traffic coming through those VPNs.

I understand this is a FreeBSD/Netmap limitation, not a Zenarmor issue.

I attempted to bridge the OpenVPN TUN interface with a physical VLAN interface to force traffic to flow through a Netmap-visible interface, hoping Zenarmor could then perform packet inspection. But as expected, TUN interfaces can't be bridged due to the lack of Ethernet framing.

I then tried routing traffic from the OpenVPN subnet (e.g. 172.17.2.0/24) through a VLAN with outbound NAT and firewall rules, but Zenarmor still doesn't pick up this traffic.

My question:

Is there any known workaround (even dirty or semi-supported) that could make Zenarmor see and filter traffic coming from OpenVPN (TUN), perhaps by routing or redirecting it through a physical interface that Netmap supports? Or is this fundamentally impossible without switching to WireGuard or using TAP (which has its own limitations in OPNsense)?

Any ideas, tricks, or experiences are welcome.

Thanks in advance.
#8
Same here, captive not working in production. As authentication I'm using an external RADIUS server, where the user gets successfully negotiated.

Auth: (38) Login OK: [captive.user] (from client OPNsense port 0 cli XX:XX:XX:XX:XX) - VLAN ID: XXXX >> You're User (from client opnsense.ip)
Anyway, Captive says login failed.
#9
OK, at Network/Headers was the answer for the correct endpoint.

{OPNSENSE_URL}/api/openvpn/client_overwrites/del/{uuid}
thanks again!
#10
Update: Got it working – here's where I went wrong and what the fix looks like, thanks again for the guide!

I was using an incorrect JSON structure – the API expects a top-level key called "cso", like this:

{
  "cso": {
    "common_name": "...",
    ...
  }
}

And a wrong servers field – you must provide the UUID of the OpenVPN instance (not its name or description).
You can retrieve these UUIDs by calling:

curl -X POST 'https://your.opnsense/api/openvpn/instances/search' ...
I have another question: what about removing a CSO? By inspecting the API while removing a CSO I cannot see the correct endpoint. I'm trying it with:

curl -X POST 'https://my.opnsense.host/api/openvpn/client_overwrites/del' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{"uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}' \
--insecure

and getting
{"errorMessage":"Endpoint not found"}
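As an added example (my own code, not from this thread or from OPNsense), a small Python client that applies the two corrections worked out in these posts: the add payload is wrapped in a top-level "cso" object with the instance UUID in "servers", and deletion puts the CSO uuid in the URL path (client_overwrites/del/{uuid}). The HTTP transport is injectable, so the FakeTransport below (constructed, replying with bodies shaped like the ones quoted here) exercises the flow offline. Assumptions not shown in the thread: that instances/search rows carry a "uuid" field next to "name" and "description", and that successful add/del calls answer {"result":"saved","uuid":…} and {"result":"deleted"}. The real transport verifies the server certificate instead of using the --insecure flag from the curl calls; pass cafile for a private CA.

```python
import base64
import json
import ssl
import urllib.request


class OPNsenseClient:
    """Minimal client for the OPNsense OpenVPN client_overwrites (CSO) endpoints.

    ``transport(path, payload) -> dict`` performs one JSON POST. The default transport uses
    urllib with HTTP Basic auth (API key:secret) and verifies TLS; a fake transport can be
    injected to exercise the request/response logic offline."""

    def __init__(self, base_url, api_key, api_secret, transport=None, cafile=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
        self._headers = {"Content-Type": "application/json",
                         "Accept": "application/json",
                         "Authorization": "Basic " + token}
        self._ctx = ssl.create_default_context(cafile=cafile)
        self._transport = transport or self._http_post

    def _http_post(self, path, payload):
        req = urllib.request.Request(self.base_url + path, data=json.dumps(payload).encode(),
                                     headers=self._headers, method="POST")
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    @staticmethod
    def _check(action, result):
        # {"result":"failed"} and {"errorMessage":"Endpoint not found"} are the two
        # error bodies quoted in the thread; anything else is treated as success.
        if not isinstance(result, dict) or result.get("result") == "failed" or "errorMessage" in result:
            raise RuntimeError(f"{action} failed: {result}")
        return result

    def instance_uuid(self, description):
        """Resolve an OpenVPN instance UUID from its description (rows carry 'name', which was
        null in the thread, and 'description'; the 'uuid' field is assumed)."""
        rows = self._transport("/api/openvpn/instances/search", {}).get("rows", [])
        hits = [r["uuid"] for r in rows if r.get("description") == description]
        if len(hits) != 1:
            raise LookupError(f"expected one instance described {description!r}, found {len(hits)}")
        return hits[0]

    def add_cso(self, common_name, server_uuid, tunnel_network, description=""):
        """Add an override: payload wrapped in a top-level 'cso' object, 'servers' = instance UUID."""
        payload = {"cso": {"enabled": "1", "common_name": common_name, "servers": server_uuid,
                           "tunnel_network": tunnel_network, "description": description}}
        return self._check("add_cso", self._transport("/api/openvpn/client_overwrites/add", payload))

    def delete_cso(self, cso_uuid):
        """Remove an override; the uuid goes into the URL path, not the JSON body."""
        return self._check("delete_cso",
                           self._transport(f"/api/openvpn/client_overwrites/del/{cso_uuid}", {}))


INSTANCE_UUID = "11111111-2222-3333-4444-555555555555"  # constructed
CSO_UUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"       # constructed


class FakeTransport:
    """Constructed offline stand-in for the firewall: records each request and answers with
    canned replies shaped like the bodies quoted in the thread (success bodies assumed)."""

    def __init__(self):
        self.calls = []

    def __call__(self, path, payload):
        self.calls.append((path, payload))
        if path == "/api/openvpn/instances/search":
            return {"rows": [{"uuid": INSTANCE_UUID, "name": None, "description": "OVPN-Proton-IN"}]}
        if path == "/api/openvpn/client_overwrites/add":
            cso = payload.get("cso")
            if cso and cso.get("servers") == INSTANCE_UUID:
                return {"result": "saved", "uuid": CSO_UUID}
            return {"result": "failed"}  # unwrapped payload, or a name instead of a UUID
        if path == f"/api/openvpn/client_overwrites/del/{CSO_UUID}":
            return {"result": "deleted"}
        return {"errorMessage": "Endpoint not found"}  # e.g. /del with the uuid missing from the path


def reserve_ip(client, common_name, instance_description, tunnel_network):
    """End-to-end flow from the thread: resolve the instance UUID, add the CSO, return its uuid."""
    uuid = client.instance_uuid(instance_description)
    return client.add_cso(common_name, uuid, tunnel_network, "IP-Reservation")["uuid"]


if __name__ == "__main__":
    fake = FakeTransport()
    client = OPNsenseClient("https://my.opnsense.host", "APIKEY", "APISECRET", transport=fake)
    cso = reserve_ip(client, "test.user", "OVPN-Proton-IN", "172.17.2.107/32")
    print("added", cso, "->", client.delete_cso(cso))
```

Drop the `transport=` argument to talk to a real firewall; the fake is only there so the request shapes can be checked without one.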
#11
Follow-up: Still getting {"result":"failed"} despite updated syntax and values

I tried adjusting the request syntax after reviewing the updated API docs and checking existing CSO entries via the search endpoint.

Here's the command I used:

curl -X POST 'https://my.opnsense.host/api/openvpn/client_overwrites/add' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{
  "common_name": "test.user",
  "description": "IP-Reservation",
  "servers": "OVPN-Proton-IN (52002 / UDP)",
  "tunnel_network": "172.17.2.107/32"
}' \
--insecure

Before sending the request, I verified the servers value by listing current CSOs with:

curl -X POST 'https://my.opnsense.host/api/openvpn/client_overwrites/search' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{}' \
--insecure | jq '.rows[] | select(.servers | startswith("OVPN"))'

Which returned:

{
  "uuid": "298345e2-da80-45a4-ad65-295670b148d1",
  "enabled": "1",
  "servers": "OVPN-Proton-IN (52002 / UDP)",
  "common_name": "howno",
  "block": "0",
  "push_reset": "0",
  "tunnel_network": "",
  "tunnel_networkv6": "",
  "local_networks": "",
  "remote_networks": "",
  "route_gateway": "",
  "redirect_gateway": "",
  "register_dns": "0",
  "dns_domain": "",
  "dns_domain_search": "",
  "dns_servers": "",
  "ntp_servers": "",
  "wins_servers": "",
  "description": ""
}

I updated the request payload accordingly, but unfortunately, the API still responds with
{"result":"failed"}

#12
Hi again, and thanks for quick reply!
After several tests and with help from search and instances/search API calls, I believe I've finally figured out why my CSO API calls keep returning {"result":"failed"}.
Root cause: missing name field in OpenVPN instances?

The API endpoint client_overwrites/add expects server_list to include internal OpenVPN instance names, not just their descriptions. These names are normally set internally when creating an instance, but in my case, all instances returned:

"name": null,
"description": "OVPN-Proton-IN"

This explains why the CSO can't be added – the instance has no valid internal name, and the API doesn't know where to attach the override.

curl -X POST 'https://my.opnsense/api/openvpn/instances/search' \
-u 'APIKEY:APISECRET' \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--data-raw '{}' \
--insecure | jq '.rows[] | {name, description}'


Am I wrong?
#13
Hi,
I'm trying to add a Client Specific Override (CSO) using the OPNsense API and curl, but I keep getting the response {"result":"failed"}.

I've tried various payload formats, using this OPNsense API doc as a base. Since I couldn't find a full schema for OPNsense CSO, I borrowed the format from the pf API here: https://pfrest.org/api-docs/#/VPN/postVPNOpenVPNCSOEndpoint

Here's one example I tested:

curl -v -k --location https://my.opnsense.host/api/openvpn/client_overwrites/add \
-u "key:secret" \
--header 'Content-Type: application/json' \
--data '{
  "common_name": "test.user",
  "disable": false,
  "block": false,
  "description": "IP-Reservation",
  "server_list": ["OVPN-Proton-IN"],
  "tunnel_network": "172.17.2.107/24"
}'

I also tried with escaping quotes and with other field combinations, but always got the same result.

The API call completes successfully with HTTP 200, but the body returns: {"result":"failed"}
full output:

* Host my.opnsense.host:443 was resolved.
* IPv6: (none)
* IPv4: 192.0.2.123
*   Trying 192.0.2.123:443...
* Connected to your.opnsense.host (192.0.2.123) port 443
* ALPN: curl offers h2,http/1.1
* (TLS handshake and certificate ok)
* using HTTP/2
* Server auth using Basic with user '[REDACTED]'
> POST /api/openvpn/client_overwrites/add HTTP/2
> Host: your.opnsense.host
> Authorization: Basic [REDACTED]
> User-Agent: curl/8.7.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 213
>
* upload completely sent off: 213 bytes
< HTTP/2 200
< content-type: application/json; charset=UTF-8
< server: OPNsense
< date: Fri, 11 Apr 2025 17:06:49 GMT
< set-cookie: PHPSESSID=[REDACTED]; path=/; secure; HttpOnly; SameSite=Lax
<
{"result":"failed"}

Any idea what I might be doing wrong? Is the tunnel_network key invalid in OPNsense? What's the correct schema for the CSO add endpoint?

Thanks!
#14
Hi, I can start a new topic; anyway, before that I'll try to ask here.
I'm trying to use API for adding new CSO.

The client has made a successful request, as code 200 is the answer, but at the end of the response is {"result":"failed"}.

here is the curl command:

curl -v -k -u "key":"secret" \
-H 'Content-Type: application/json' \
-X POST "https://firewall.ip/api/openvpn/client_overwrites/add" \
-d '{"enabled": true, "common_name": "test.user", "server_list": ["OVPN-IN (52002 / UDP)"]}'

could someone help?
#15
General Discussion / Re: DNS forwarding issue
February 19, 2025, 05:48:29 PM
Sorry about that, I just wanted to be as clear as possible, and... At least now we know.