Messages - foss-johnny

#1
25.7 Series / SOCKS5 Proxy Traffic to Outbound Route
August 31, 2025, 02:51:40 AM
Just wondering if OPNsense can run a SOCKS5 proxy server and then route the received traffic to a specific outbound route?

Any guidance on how to configure this would be very much appreciated.

Thanks!
#2
Quote from: Patrick M. Hausen on August 20, 2025, 12:03:02 PM
Different OpenSSL versions.

Indeed, macOS is running 3.5.1.1 and OPNsense is running 3.0.17.

Will try that shortly. Thanks!
#3
Quote from: Patrick M. Hausen on August 20, 2025, 10:34:36 AM
Quote from: foss-johnny on August 20, 2025, 04:36:51 AM
If you create a client certificate on OPNsense, sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?

If you pick "Save on this firewall" instead and after issuing the certificate click on the download button to the right, you can pick PKCS#12 and enter a password.

If you want to only download it right away you need to apply encryption after the fact with e.g. openssl.

Next issue - I created the client certificate and selected "Save on this firewall", however...

After generating a client certificate within OPNsense that's signed against the OPNsense CA, and downloading the PKCS#12 file and setting a simple password such as "password", when I try to open that on a client computer (macOS) it prompts for the password, but won't accept the password. Even if I download the PKCS#12 file without setting a password, it prompts for the password, and when I enter nothing, it won't accept it and import into Keychain.
#4
Quote from: Patrick M. Hausen on August 19, 2025, 01:10:01 PM
Quote from: foss-johnny on August 19, 2025, 12:56:47 PM
I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?

Correct.

If you create a client certificate on OPNsense, sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?
#5
I see, so the private key is created on the client, then the CSR is created from the private key, the CSR is signed by the OPNsense CA and then I can download the certificate, create the PKCS#12 file from the certificate and the private key on the client via openssl.

Thanks for clearing that up Patrick!

I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?
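Building the PKCS#12 bundle on the client with openssl, as worked out in this post and in the later macOS import problem (#3): this is an added example, not code from the thread or from OPNsense. It assumes the client's private key, the certificate signed by the OPNsense CA and the CA certificate are PEM files; the "legacy" algorithm mode and the constructed throw-away demo PKI are my additions.

```shell
#!/bin/sh
# Added example (not code from the thread or from OPNsense): build the
# PKCS#12 bundle on the client from the key that generated the CSR and the
# certificate the OPNsense CA signed, then check the password before importing.
# make_test_pki creates a constructed stand-in CA and client cert for a demo;
# in real use client.key/client.crt/ca.crt come from your own CSR workflow.
set -eu

# make_p12 KEY CERT CA_CERT OUT PASSWORD [legacy]
# Default mode keeps OpenSSL 3's AES-256-CBC/PBKDF2 encryption.
# "legacy" selects the older PBE-SHA1-3DES key/cert encryption with a SHA1
# MAC, which the macOS Keychain importer accepts where it rejects the defaults.
make_p12() {
  key=$1 cert=$2 ca=$3 out=$4 pass=$5 mode=${6:-modern}
  if [ "$mode" = legacy ]; then
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
      -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
      -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
      -out "$out" -passout "pass:$pass"
  fi
}

# verify_p12 FILE PASSWORD: exit 0 only if PASSWORD verifies the bundle's MAC,
# so a wrong or empty password is caught here rather than at Keychain import.
verify_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout -info >/dev/null 2>&1
}

# make_test_pki DIR: constructed throw-away CA plus a CSR-signed client cert,
# mirroring the thread's flow (key and CSR on the client, signature by the CA).
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoCA \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=demo-client \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# Demo: run as "sh make_p12.sh demo" to build and check a bundle end to end.
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d); make_test_pki "$tmp"
  make_p12 "$tmp/client.key" "$tmp/client.crt" "$tmp/ca.crt" "$tmp/client.p12" password legacy
  verify_p12 "$tmp/client.p12" password && echo "password verified: $tmp/client.p12"
fi
```

Run verify_p12 against the bundle before copying it to the Mac; if it fails with the password you set, the file itself is the problem, not Keychain.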
#6
Thanks Patrick, so if I import the certificate to the client, I'm guessing I can export the PKCS#12 file from the client that issued the CSR.

Thanks for confirming. AI LLMs were telling me to export it from the OPNsense firewall, I guess they're still not that good after all!
#7
Hi - I've provided a CSR and signed a certificate against the OPNsense internal CA.

I would like to download the PKCS#12 file format file, however after clicking on download, nothing happens.

I've tried different browsers and computers, rebooted the firewall, but it just doesn't provide a prompt to save the file.

Same issue occurs when trying to download the private key.

Downloading the "Certificate" does work! But I need the private key :)

Any ideas why it's not working?

Cheers!
#8
Hi OPNsense community!

The Live Log view (Firewall > Log Files > Live View) is great! It makes it easy to filter and find what traffic is passing through the firewall.

I'm wondering if there is a similar view that can be used to filter the firewall's historical logs (syslogs)?

Any advice would be great!

Thanks!

#9
I've configured Mullvad via WireGuard and am using a PPPoE WAN connection.

I have it working, but find that when a client is connecting to various internet web pages, they take more time to load, and some of the content or functionality does not work.

E.g. Speedtest.net doesn't find the optimal server, and is extremely slow to start the test.

I've installed Wireshark on my client computer and can see a fair amount of TCP retransmission messages in the traffic.

I get the sense that this is related to MTU/MSS, but I've changed it to different settings and can't seem to get it working properly.

My WireGuard instance MTU is 1412, the WAN PPPoE MTU is default (1500) but I think OPNsense reduces it automatically to 1492, and I have a Normalization rule set with Max MSS 1352.

Would appreciate some help determining what's causing this.
#10
I've got a Squid forwarding proxy running on my LAN interface (gateway IP) on default port 3128.

What firewall/NAT rule settings must be configured to route Squid's outbound traffic via a different WAN interface?

For example:

1. Can I create a firewall rule that filters traffic sent to the Squid destination service port 3128, and then NAT that to a different WAN interface default gateway?

Or

2. Run the Squid proxy on a LAN sub-interface (unique IP), and then create a firewall rule that specifies that any traffic originating from the sub-interface address routes via a different WAN interface gateway?

Cheers!
#11
Quote from: dseven on February 25, 2025, 10:41:31 AM
There are different methods for DNS blocking - here's one (TL;DR) discussion about them: https://support.adamnet.works/t/comparing-dns-blocking-methods/1245

Presumably your DoT DNS provider chose the NXDOMAIN method. You'd have to ask them why...

Excellent post on the different methods! Thanks for sharing that.
#12
Quote from: OPNenthu on February 24, 2025, 10:07:51 PM
I ran into something like this before. If it's only certain domains not resolving then my first guess is you either have some strict DNS setting enabled like "QNAME Minimisation" that breaks some sites, or the particular DoT provider you are forwarding to is doing some filtering.

Thank you OPNenthu. It turned out to be the DoT DNS provider I was using. It was filtering ads, malware and viruses. After changing the DNS server to the option that does not filter anything, DNS is now resolving. Appreciate your help to narrow it down, and hope this post helps someone else in future.

If anyone else knows why this causes NXDOMAIN responses, it would be useful to understand it further.
#13
After further fiddling, when I disable DNS over TLS and tick "Use system nameservers", then in System > Settings > General add 1.1.1.1 to the DNS servers list, DNS resolution is working.

Does anyone know why DNS over TLS resolution does not work for all domains?
#15
I'm using WireGuard to connect from an iPhone to OPNsense.

The tunnel is working and my DNS is resolving most domains. DNS is using Unbound, and the WireGuard client is set to the WireGuard tunnel IP.

I'm finding that some domains return "NXDOMAIN" and do not resolve to an IP when using nslookup/dig.

Example: x.com doesn't resolve, and neither do some iPhone apple.com services.

What could be causing this?