Messages - pboe

#1
In the user list I have only icons for searching existing certificates and creating an API key, which is not what I need.
The search icon is just a link to System->Trust->Certificates.
#2
Hi,
On former versions of OPNsense it was possible to create a client certificate once you added a new user.
On 25.1.1 the option is missing.
Documentation still has the checkbox to automatically create a certificate:
https://docs.opnsense.org/manual/how-tos/user-local.html

Is this a bug or outdated documentation, and if the latter, what's the new procedure to create a new OpenVPN user?

Best Regards,
Paul 
#3
Hi pmhausen,
I've got the Google DNS servers in the general settings, but there were no gateways assigned.
I thought this was on purpose, since this is a multi-WAN setup.
Assigning DNS servers to each gateway fixed the issue.
Seems like the gateways got lost during the update.
Thanks for the quick response.
#4
22.1 Legacy Series / DNS broken after Upgrade 22.1.5
April 08, 2022, 04:55:03 PM
DNS with Dnsmasq is broken after update to 22.1.5.
Is there any way to downgrade opnsense-revert without DNS?
#5
Hi Exitcomestothis,
I'm using only IPsec, not L2TP. So on the OSX 10.11 client side I have no option to route all traffic through the tunnel. Therefore, if I google my IP address I get the external IP of the local router the client is connected to.

In the VPN the OPNsense box is not the only router, but it doesn't make a difference if I pull the plug of the main router, which should be replaced by the OPNsense box.
The strange thing is, that the resolver receives the DNS request and also resolves it, but the answer is not getting through to the client.

Thanks for your help, I appreciate that.

Paul
#6
Using an external DNS is working, by setting the client's DNS to e.g. 8.8.8.8. But I think that traffic is not going through the tunnel.
#7
15.7 Legacy Series / DNS not working through IPsec Mobile
November 19, 2015, 04:23:50 PM
Hi everyone,
I want to switch from an old pfsense installation with an OpenVPN VPN to an OPNsense 15.7.19 installation with multi-WAN and IPsec mobile setup.
So far so good, the installation is running, multi-WAN is working and IPsec is set up.
I can connect with an OSX 10.11.1 client via IPsec and get access to the web frontend of the OPNsense installation.
But any DNS lookups through the tunnel run into a timeout.
From the resolve.log I can see that any client-side nslookup is processed by the unbound resolver, but it seems that the answer isn't routed back through the tunnel to the VPN client.
Any help is appreciated.

System:
OPNsense 15.7.19-amd64
FreeBSD 10.1-RELEASE-p23
OpenSSL 1.0.2d 9 Jul 2015

Intel(R) Xeon(R) CPU E31220 @ 3.10GHz
4 CPUs: 1 package(s) x 4 core(s)

Mobile Clients:
User authentication:   Local Database
Group Authentication:   none
Virtual Address Pool:
   Provide A virtual IP:   Checked
   10.190.39.0/24

DNS Servers:     Checked
   10.190.30.253

Tunnel Phase1:
Key Exchange:   V1
IP:      IPV4
Interface:   WAN1

Authentication Method:   Mutual PSK+Xauth
Negotiation Mode:   Aggressive
My Identifier:      My IP Address
Peer Identifier:   Distinguished Name
         foo
Pre-Shared Key:      bar

Encryption algorithm:   3DES
Hash Algorithm:      SHA1
DH Key Group:      2 (1024)
Lifetime:      28800
Disable Rekey:      Not Checked
Disable Reauth:      Not Checked
NAT Traversal:      Enable
Dead Peer Detection:   Not Checked


Phase 2:
Mode:      Tunnel IPv4
Type:      LAN Subnet
Address:   Left blank
Nat/Binat:   None
Address:   Left blank
      /128
Protocol:   ESP
Encryption:   Checked: AES, auto; Blowfish, auto; 3DES, CAST128
Hash Algs:   MD5, SHA1
PFS Keygroup:   OFF
Lifetime:   3600
Auto Ping Host:   Left blank


Firewall->NAT->Outbound:
Automatic outbound NAT:   Checked
WAN   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   500   WAN address   *   YES   Auto created rule for ISAKMP
WAN   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   *   WAN address   *   NO   Auto created rule
VDSL   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   500   VDSL address   *   YES   Auto created rule for ISAKMP
VDSL   127.0.0.0/8 10.190.30.0/24 10.190.39.0/24   *   *   *   VDSL    address   *   NO   Auto created rule

Firewall->Rules->Lan:
   *   *   *   LAN Address   443/80/22   *       Anti-Lockout Rule   
IPv4 *   LAN net   *   *   *   *      Default allow LAN to any rule     
IPv4 *   LAN net   *   *   *   Load_Balancing      Load Balancing
IPv4 *   LAN net   *   *   *   WAN1failover      If WAN fails switchover to VDSL     
IPv4 *   LAN net   *   *   *   WAN2failover      If VDSL fails switchover to WAN     
     

Firewall->Rules-IPSec:
IPv4 *   *   *   *   *   *         

DNS Resolver->Access Lists

Action: Allow
Networks: 10.190.0.0/16

#8
15.1 Legacy Series / Re: DNS Forwarder not working
June 29, 2015, 01:49:27 PM
Hi,
Switching from the resolver to the forwarder in the GUI stops unbound and starts dnsmasq, so from that side everything is fine.
Things stop working when I change the firewall rule to use the multi-WAN gateway group instead of the default gateway.

#9
15.1 Legacy Series / Re: DNS Forwarder not working
June 22, 2015, 11:57:33 AM
Hi Franco,
I've done a clean installation of 15.1.11.1.
Configured WAN network settings, which is the default gateway, everything works fine.
Then started to configure the multi-WAN setup by adding a 2nd WAN, adding in the routing tab a new group with both interfaces as tier 1 for load balancing.
Still everything works, even though the 2nd WAN is not physically connected.
Once I edit the standard firewall rule to use the load balancing gateway group, the DNS isn't working any more for the connected clients.

Best regards,
Paul 
#10
15.1 Legacy Series / Re: DNS Forwarder not working
June 19, 2015, 07:43:35 PM
Hi,
Did a clean install with 15.1.12.
Same thing.
#11
15.1 Legacy Series / Re: DNS Forwarder not working
June 19, 2015, 06:30:34 PM
Hi,
tried:
# fetch https://pkg.opnsense.org/FreeBSD:10:amd64/15.1.11.4/OpenSSL/All/dnsmasq-2.72_1,1.txz
# pkg add -f dnsmasq-2.72_1,1.txz

reboot,
same as before.

#12
15.1 Legacy Series / Re: DNS Forwarder not working
June 19, 2015, 06:24:29 PM
By the way,
shouldn't there be a /etc/dnsmasq.conf file?

#13
15.1 Legacy Series / Re: DNS Forwarder not working
June 19, 2015, 06:21:00 PM
Quote from: franco on June 19, 2015, 06:00:17 PM
BTW, to get back to the latest version, type:

# pkg install -yf dnsmasq

Did you mean:
# pkg install -Af dnsmasq

root@OPNsense:~ # pkg add -yf dnsmasq-2.72_1,1.txz
pkg: illegal option -- y
Usage: pkg add [-IAfqM] <pkg-name> ...
       pkg add [-IAfqM] <protocol>://<path>/<pkg-name> ...

For more information see 'pkg help add'.

#14
15.1 Legacy Series / Re: DNS Forwarder not working
June 19, 2015, 06:17:23 PM
Hi Franco,
no errors in the log.
#15
15.1 Legacy Series / DNS Forwarder not working
June 19, 2015, 05:51:24 PM
Hi,
I have problems getting dnsmasq running.
Installed 15.1.11 upgraded to 15.1.12
Multiwan setup
dhcp server running
system->settings dns servers entered and assigned to the 2 wans
dns forwarder enabled, no other checkbox enabled on this page
diagnostics->dns lookup works
dhcp works and distributes the ip number of the opnsense box as a nameserver to all clients
I can ping from any host ip numbers but I can't resolve any domain name

Any help is very welcome,
Best regards,
Paul

/etc/resolv.conf
domain foo.local
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 194.25.0.52
nameserver 194.25.0.68

/etc/hosts
127.0.0.1       localhost localhost.foo.local
10.190.30.254   foorouter.foo.local foorouter