Messages - ivarh

1
24.7 Production Series / Strange acme plugin problem
« on: November 16, 2024, 01:16:31 pm »
I am running the latest version of opnsense 24.7.8 with the latest acme client installed.

When I create a new certificate it shows up in the systems trust store. However if I try to download the certificate or press the info icon nothing happens. (when trying to download I get asked for what format and password I want to use but nothing downloads).

If I reboot the opnsense box then the certificate works when pressing the information or download icon.

I have tried to restart the webui but that does not help. The only way I can download the certificate is to reboot the firewall.

Has anyone else seen this and knows how to resolve the problem?

2
24.1 Legacy Series / Re: Strange disconnects when opnsense has a static route to another router
« on: March 05, 2024, 03:09:52 pm »
I did try using a wireguard tunnel between my opnsense internet-facing router and my pfsense lab router, but it suffered the same problems with disconnections.

However, using a VLAN solved the problem. I have no idea why the wireguard tunnel solution did not work.

3
24.1 Legacy Series / Strange disconnects when opnsense has a static route to another router
« on: March 05, 2024, 11:15:04 am »
I have created a gateway in System->Gateways with the default options for the lan interface and the ip of the other router.

It comes up as online in the gateway status.

I then create a static route for a subnet on the other side of that router with the gateway as the gateway.

I can connect but the connection dies after a short while. If I add a route on the client machine to this gateway directly the connection is rock solid.

Also if I add the route to the client after a connection has frozen the connection resumes. Is there a time limit for how long opnsense will forward packets to the internal gateway for each connection?

4
Virtual private networks / Re: Trying to run wireguard and openvpn at the same time on opnsense 24.1
« on: February 28, 2024, 07:49:04 am »
Thanks, I found it under:
Settings -> Firmware -> Status

Thanks again all for the help.

Regards,
Ivarh

5
Virtual private networks / Re: Trying to run wireguard and openvpn at the same time on opnsense 24.1
« on: February 28, 2024, 06:31:24 am »
Just upgraded to 24.1 and now wireguard no longer uses a tun device. However I now have an item in my plugin list that I can't delete that says: os-wireguard-go (missing)   N/A   N/A   N/A   N/A   N/A.

Is there a way to remove this expired entry from the plugin list?

6
Virtual private networks / Re: Trying to run wireguard and openvpn at the same time on opnsense 24.1
« on: February 27, 2024, 12:19:40 pm »
I was able to resolve the issue by editing the config.xml file to change <vpnid>1</vpnid> to <vpnid>3</vpnid>
under the section labelled
<openvpn>
     <openvpn-server>

I think there might be a bug in opnsense if you mix Wireguard and OpenVPN on the same firewall.

7
Virtual private networks / Trying to run wireguard and openvpn at the same time on opnsense 24.1
« on: February 27, 2024, 11:49:53 am »
I have a 3 instance wireguard setup that is using /dev/run{0,1,2} and they are working fine.

I am trying to set up an openvpn server in addition to these, but it seems to allocate /dev/tun1 to use as the tunnel device.

The error logged is: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)

I see no way I can override the tun device selected.

Does anyone know how to resolve this?

8
23.7 Legacy Series / Advanced dns setup and redirection
« on: January 08, 2024, 11:05:50 am »
I am trying to redirect all local dns requests destined for the internet to be redirected to the unbound resolver running on the opnsense firewall. This works great. However I have a local dns server that needs to be able to talk to 3 external dns servers.

It is running as a hidden primary nameserver for several domains that are all signed with dnssec and the dnssec keys are stored on this server. It pushes its signed zonefiles to 3 external nameservers that are seen as the official nameservers for those domains. This is so that if any of them are compromised the dnssec keys are not compromised since they are not stored on any of those nameservers.

Here is a badly drawn map of my setup



I am looking to set up rules so that when lan ip1 connects to ext ip1,2,3 it does not get redirected to the local unbound instance but is let through as if the dns redirection is not there. I have not been able to make this part of the setup work. I have a port forwarding rule in the nat subsection allowing the ext ip1,2,3 to be forwarded to lan ip1.

Also I have been unable to set up redirection of ipv6 dns requests to the local unbound resolver.
I have tried using the same rule for ipv4 changing the redirect ip to ::1.

Here are my port forwarding rules (disabled to make the external nameservers reachable):


I am grateful for any assistance.
