Messages - Ph0enix

#1
Virtual private networks / Multiple VPN WANs
December 07, 2025, 11:10:24 AM
I'm setting up multiple VPN connections on OpnSense and then configuring them as gateways according to this guide. There are a few issues that I'd appreciate getting some advice on:

  • Gateway IPs. For each configuration that Proton generates it gives the same local address inside the tunnel `10.2.0.2`. Works fine when creating multiple instances. However when I try to create multiple gateways that map to different profiles the system predictably complains that the IP is already in use. Are there any workarounds for that issue? I could spawn a bunch of containers on a different host that would connect as clients to Proton and then expose this connection via a local server, and then point OpnSense to these local servers. But perhaps there are easier options that can be set up on OpnSense itself? I have another VPN provider that gives different local IPs for different connections and there it works fine. So it's just Proton that has this issue (although if people know other providers that rely on the same configuration please share which ones so that I could avoid them).
  • Monitor IPs. For a single connection I use my VPN provider's DNS IP. However since it's routed through a single gateway I can't reuse it for different gateways. I don't want to lock Google or Cloudflare DNS IPs for that since I may want to use them sometime. Currently I picked some random IP addresses in the countries I connect to but it doesn't seem right to constantly ping random addresses, so if people could point me to some IPs (both IPv4 and IPv6) that are "designed" for that purpose that would be helpful.
  • Killswitch. There is a killswitch that prevents the traffic from leaking through regular WANs. Do I need to create similar rules to prevent the traffic leaking across VPN connections in case some of them go down while the others stay up?
#2
Thank you for the pointer. I have not used Caddy yet but that could be a good reason to explore.
#3
24.1, 24.4 Legacy Series / Dynamic DNS for Porkbun
March 28, 2024, 08:12:20 PM
I'm trying to configure DDNS for porkbun and some questions came up without a lot of answers on the Internet.

I have `os-ddclient` installed; configuration for `duckdns` and for `Hurricane Electric` works fine. To be fair, for both of these I was able to find step-by-step guides on how to set it up for OPNSense.

Porkbun has its own API: https://porkbun.com/api/json/v3/documentation#DNS%20Edit%20Record%20by%20Domain,%20Subdomain%20and%20Type
They also have a script that is deprecated: https://github.com/porkbundomains/porkbun-dynamic-dns-python/tree/main

I was able to verify that it works by executing a curl that looks like this:
`curl -H "Content-Type: application/json" --request POST -d '{"secretapikey": "sk1_XXX", "apikey": "pk1_XXX", "content": "192.168.0.200"}' https://porkbun.com/api/json/v3/dns/editByNameType/root.domain/A/sub1.sub2`

Notice that the domain I want to update looks like `sub1.sub2.root.domain`

Is there a way to make it work with `os-ddclient` somehow?

Eventually I had some success by using `porkbun` service with `ddclient` backend. However if I use more than 1 level of subdomain it considers the rest as root domain and returns an error, e.g. `sub2.root.domain` is not correct. Native `ddclient` has an option `root-domain` but I can't figure out how to set it via OPNSense WebGui. Adding it to `ddclient.conf` manually also did not help, perhaps it did not reload the config though.

Alternatively I thought using `custom` + `Custom POST` would allow me to do what I wanted but then I can't figure out how to feed it the data part of the query. Help suggests that I should use the link `https://porkbun.com/api/json/v3/dns/editByNameType/root.domain/A/sub1.sub2` as the `server` but the `data` part where I would provide the keys and the content is still a mystery. I tried looking at `/usr/local/etc/ddclient.json` but could not see anything resembling the data part of a `POST` request.

Am I missing something or is the built-in dynamic DNS not flexible enough to accomplish what I need?

Additionally what I'd like to know is if it's possible to use a different gateway to determine the IP address. I have a VPN tunnel, there is a corresponding GW. The GW has an internal WireGuard IP, not an exit IP. So I wonder if setting the `interface to monitor` to the GW in question would send the query for a service like `freedns` through that gateway.

In the end it appears that to accomplish what I want it might be easier to set up docker containers that would sit on different subnets and run the services to update the domains behind my WAN and my WAN_VPN. However having all that running on OPNSense would mean a bit less clutter.
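The multi-level subdomain problem from this post, worked through as an added example (not the poster's code, not Porkbun's script, not part of `os-ddclient`): the root domain is given explicitly instead of being guessed from the last two labels, so `sub1.sub2.root.domain` maps to the `editByNameType/root.domain/A/sub1.sub2` path used in the curl above, and the API keys are read from environment variables rather than typed on the command line. The `PORKBUN_*` variable names and the `pk1_XXX`/`sk1_XXX` values are placeholders; the apex form without a trailing subdomain segment is assumed from the endpoint's optional subdomain parameter.

```python
import json
import os
import urllib.request

# Endpoint shape as used in the curl in the post:
#   POST .../dns/editByNameType/<root.domain>/<TYPE>/<subdomain>
API_BASE = "https://porkbun.com/api/json/v3/dns/editByNameType"


def split_fqdn(fqdn: str, root_domain: str) -> str:
    """Return the subdomain labels of fqdn relative to an explicit root_domain.

    Guessing the root as the last two labels breaks 'sub1.sub2.root.domain'
    (it would treat 'sub2.root.domain' as the root); giving the root explicitly
    keeps any depth of subdomain intact.
    """
    fqdn = fqdn.rstrip(".").lower()
    root_domain = root_domain.rstrip(".").lower()
    if fqdn == root_domain:
        return ""  # apex record, no subdomain segment
    suffix = "." + root_domain
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not under {root_domain}")
    return fqdn[: -len(suffix)]


def build_request(fqdn, root_domain, content, apikey, secretapikey, record_type=None):
    """Build (url, json_body) for editByNameType; record type follows the address family."""
    if record_type is None:
        record_type = "AAAA" if ":" in content else "A"
    sub = split_fqdn(fqdn, root_domain)
    url = f"{API_BASE}/{root_domain}/{record_type}"
    if sub:  # apex URL without trailing segment is an assumption, see lead-in
        url += f"/{sub}"
    body = {"secretapikey": secretapikey, "apikey": apikey, "content": content}
    return url, json.dumps(body)


def update_record(fqdn, root_domain, content, apikey, secretapikey, timeout=10):
    """Send the POST and return the decoded JSON reply (this one talks to the network)."""
    url, body = build_request(fqdn, root_domain, content, apikey, secretapikey)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Keys come from the environment so they stay out of shell history and
    # 'ps' output; the default FQDN/IP values are placeholders from the post.
    print(update_record(
        fqdn=os.environ.get("PORKBUN_FQDN", "sub1.sub2.root.domain"),
        root_domain=os.environ.get("PORKBUN_ROOT", "root.domain"),
        content=os.environ.get("PORKBUN_IP", "192.168.0.200"),
        apikey=os.environ["PORKBUN_APIKEY"],
        secretapikey=os.environ["PORKBUN_SECRETAPIKEY"],
    ))
```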
#4
Quote from: Mega32 on October 30, 2023, 08:51:32 PM
Do you use VirtualBox ?

No, it's in a VM running on Proxmox.
#5
Quote from: franco on October 30, 2023, 08:31:20 PM
Sounds like a case requiring to enable Firewall: Settings: Advanced: Disable force gateway.

Thank you for the suggestion but that did not help. I'm also not quite sure why it would help since the connection is within a single network so there is no routing involved.
#6
I'm testing in a VM. And I have another VM through which I can access the GUI via LAN network.

I could in theory arrange for my PC to get on the LAN network behind OPNsense but that's not the point of the current exercise. The point is to understand why setting up direct access to GUI does not work.
#7
I'm doing some testing and I have an instance that is on my local network. The WAN interface is on my local interface and LAN has a different local network behind it. My PC is on the same local network as the WAN interface so it's convenient to access the GUI from that interface. At this point it's also about understanding what's missing for that to work.

Upon doing some research I've done the following:
- System -> Settings -> Administration -> Listen Interface == "All (Recommended)"
- On the same page I switched to `HTTP` just to make sure there are no HTTPS issues involved.
- Interfaces -> [WAN] -> "Block private networks" is unchecked
- Firewall -> Rules -> Wan. I added the rule to allow all the incoming traffic on the interface (IPV4+6, any source IP, any port, etc.), obviously not something to keep in production, just for testing. Same rule for outgoing traffic.

It appears that now the connection is not fully blocked but I get `The connection to the server was reset while the page was loading.` when I try to access it via the WAN interface. Works fine through the LAN interface. If I disable the rule that allows all incoming traffic I get a timeout, so the firewall rule seems to allow the traffic to go through but there is something else that interferes with the connection.

If I execute `pfctl -d` then I can access the GUI via WAN.

What am I missing and what else needs to be configured to make it work?

I also tried to check some logs but I could not find any relevant connection attempts, maybe I need to increase the verbosity of the logs? In any case some pointers on how to investigate the issue would be appreciated as well.