Messages - FredFresh

#1
Have you tried going through the OPNsense docs again? Sometimes I also totally forget a step in between, and only by looking at the docs again do I remember it.
#2
Personally I found two possible ways:

- the first is to go into the Unbound settings, show advanced settings and select the outgoing interface you want (be aware that if that interface is down, no DNS queries will leave the firewall). It does not accept gateway groups, so you can only choose a single gateway or multiple gateways, but you can't define the order of use;
- the second is to route everything through the WireGuard connections like a multi-WAN setup.
#3
To summarize: client traffic goes through the WireGuard tunnels, but the traffic originating from OPNsense itself does not, correct?
#4
In order to route everything through the WireGuard VPN connections (I have 2-3, each used as a backup of the previous one), I did the following:

partially followed the WireGuard road warrior guide:

- flagged "Gateway switching" in System-Settings-General;
- flagged "Upstream Gateway" in System-Gateway-Configuration for each of the WireGuard gateways;
- flagged "Failover States" & "Failback States" in each WireGuard gateway;
- given a higher priority (lower number) to the WireGuard gateways (i.e. first VPN gw = 1, second VPN gw = 3, third VPN gw = 5, WAN = 7);
- gateway monitoring brings each gateway online/offline in case something is not working;
- created a static route + firewall rule to each IP entry point through WAN (in order to avoid VPN connections going one through the other).

This way the WireGuard tunnels are basically used as a multi-WAN setup, and I am finally able to route everything (also firewall-originated traffic) through the VPNs.

The question is: does this configuration have any security issue or any other flaw?

Everything works properly, except that after a random amount of time the handshakes are not renewed, although the IP entry points are still reachable: I am trying to understand the cause of this behaviour.

Thank you.
#5
26.1 Series / Upgrade recommendations ?
January 31, 2026, 10:40:40 AM
Is it recommended to perform a clean installation and restore the latest config backup when installing major updates like this?
Thank you.
#6
I want to totally disable the keepalive signal to peers of WireGuard connections; is it possible?

If I put nothing in the box, it sends signals. If I put 0, it is not allowed. It seems the only thing I can do is to use the maximum allowed value of 65535 seconds.

Thanks
#7
Hi,

the latest version of this story (which lasted 2 years for me) is that Proton VPN silently implemented a DDoS protection that has a very low threshold for ping signals (any ping signal).
Once the protection kicks in, it rejects your handshake request (in the beginning I thought it was some kind of block on my side).

Therefore:
- I went from 3 to 2 VPN connections in parallel;
- set the gateway ping signal to 60 seconds for the first VPN;
- removed the gateway ping for the second one;
- removed the keepalive signal (pay attention that "0" is not accepted; you have to leave the box empty) for both.

In this condition I solved the problem. The second VPN can become stale, but when it is used it immediately returns online.
Do not contact them to ask what the threshold of the ping signal is, because they refuse to share such information.
#8
Solved -> https://forum.opnsense.org/index.php?topic=45457.0

Looking in the Unbound log, an error was reported about a specific hostname... I found I had entered it with a " " (space) instead of using an underscore...

After activating "Register DHCP Static Mappings", now everything seems to work.

Thank you, Cedrik, for your time.
#9
Uh... complicated, I should take my time to carefully read through it.

On Unbound I tried to flag "Register DHCP Static Mappings" as it seems to be what I need, but once I restart OPNsense, Unbound does not start because of an error.

If I understand correctly, it could be this: https://github.com/opnsense/core/issues/7237
#10
Hi, here is an example:

C:\Users\DD>nslookup 192.168.1.155
Server:  OPNsense.localdomain
Address:  192.168.2.1

*** OPNsense.localdomain non è in grado di trovare 192.168.1.155: Non-existent domain
#11
Correct, I am using Unbound DNS. The other parameters are already as you mentioned: the external DNS system is managed through Unbound and the override setting is disabled.

But I am still seeing just the IPs in the hostname columns (both source and destination).
#12
Have you tried using traceroute instead of ping?
#13
Hi,

is there a way to see the host names specified in the Kea DHCP reservations (internal subnets) inside the firewall live view log?

In the live view page, after activating "Lookup hostnames", I see the IP address twice (for internal IPs) and the domain for the external IPs.

Thanks
#14
Ok, I thought so... but just in case, is there a chance to exclude domains, or is it just not possible?
Thanks
#15
25.7, 25.10 Series / Exclude domain from firewall alias
December 08, 2025, 09:55:25 AM
Hello,
I tried to search for an answer but wasn't able to find one, though surely this was already discussed.
How can I exclude domains from a firewall alias? "!" works fine with IP addresses and subnets, but not with domains.

I tried like this: !youtube.com, should I use some additional character?

What am I doing wrong?
Thanks