Messages - Profiteer

#1
Update: I tried to implement a WireGuard configuration and I'm having the same issue. After a short span of time, the tunnel dies. When I went poking around, my gateways for my VPN interfaces were both offline. After restarting both OpenVPN and WireGuard, the gateways came back up. So, something seems to be bringing the connections down and they won't come back without a manual service restart.
#2
Hmm... The only thing I can really think of is just making sure your backend, condition, and rule are all named differently (i.e. nextcloud-back, nextcloud-condition, nextcloud-rule). It wouldn't surprise me if HAProxy completely craps out because of something as insignificant as that. Also, did you make sure to change the port you access OPNsense on? If it's still 443, that could explain what's happening.
#3
I actually host my own instance of Nextcloud and proxy it out with OPNsense's HAProxy. I'll say this much: I wouldn't even bother trying to tweak Nextcloud's proxy settings for any reason. I've learned that it tends to make things a bit messy. If all you need is hosting capabilities so you can access it from outside of your home network, setting it up in OPNsense/HAProxy should be a breeze. I certainly wouldn't be hosting anything via HTTP (80) even for redirection purposes, but that's just me. From a cybersecurity analyst's perspective, I'd lock that down to exclusively use HTTPS and use an ACME-generated certificate. Do you know for a fact that you are calling the correct address/sub-domain when trying to resolve to your service? I just can't tell when all you've posted is your Public Service and not your condition, rule, backend config, etc.
#4
I've seen this one mentioned a couple of times throughout the years, but I haven't seen an answer so far that would be applicable to 25.1. I have an OpenVPN Client configured to operate as a tunnel from my firewall to my VPN provider of choice to forward my internet traffic through. However, my connection to the remote VPN server dies very frequently (every 10ish minutes for the last few days or so). I've been trying to figure out how to configure Monit (given I have no other option) to monitor the status of my VPN tunnel and restart when the status is anything other than "connected," but every solution I've tried to implement simply does not work and I have no clue where to go from here. Remotely pinging the VPN's gateway is one of the solutions I've tried, and it hasn't been going well, and none of the information provided by the .conf, .stat, .sock, or .up files seems to be useful. I'm very used to pfSense's Watchdog plugin, which makes it very easy to tell it to watch the service and restart when it dies or behaves abnormally. Any help on getting started would be greatly appreciated!
#5
Hey everyone! So, in my quest to migrate from pfSense to OPNsense, I appear to have come across a very bizarre routing issue I haven't seen before. I have configured several VPN tunnels to push certain traffic from designated subnets that I want anonymized (i.e. IoT and Server devices). However, I created a VPN bypass list that gives particular devices the ability to connect without a VPN tunnel (to access streaming services without running into VPN/Proxy detection) straight through my WAN gateway. In my case though, the devices on my bypass list don't appear to be able to connect to a bunch of different websites. I can access duckduckgo, YouTube, and the OPNsense forum to name a few, but can't connect to websites like Hulu, Netflix, or even Google. Anything being pushed through my VPN tunnels has no issues whatsoever, but that makes streaming far more difficult when companies like Disney and Netflix are actively monitoring for VPN or Proxy-related traffic and fingerprints. If anyone has any suggestions on where I can begin to troubleshoot, I'd greatly appreciate it! It's been 3-4 days and I'm hopelessly lost.
#6
I have a temporary allow-all in and out rule on OpenVPN and the individual VPN interfaces, just to test. No result. I never had to do this on pfSense, so I assume I won't have to here. They're just there to watch the logs.

edit: I tweaked around a couple of logs and now I can see all of the traffic through my target interface and the VPN interface. So, there is some activity even if it is not properly translating. I'm trying to test connectivity with a ping test, but it is not resolving until I remove the VPN gateway from the rules.
#7
Hey all! In my quest to migrate completely from pfSense to OPNsense, I've run into another snag that I might need help troubleshooting. When I used pfSense, I used to run all of my traffic through Surfshark VPN just to help protect my data from my ISP (with it being AT&T and all the security concerns being raised recently, it feels like it's best practice to do so). However, getting this set up has proven to be more of a hassle than it was on pfSense. I configured my VPN connections to the remote servers correctly (OpenVPN statuses and gateways prove so), Unbound has been configured appropriately, NAT has the correct rules generated/created, and my firewall allows anything from my desired subnet out through the VPN gateway that I set. However, none of the hosts within my subnet can connect to the internet when all is said and done. I hope this is a quick fix that I'm overlooking, but I haven't been able to find anything. Any help would be greatly appreciated!
#8
Thanks for the tip, meyergru. As it turns out, I only had to change one variable in my Frontend to allow for HAProxy to work. Apparently, HAProxy doesn't like when you try to use an FQDN for a Listen Address. I simply changed it to 0.0.0.0 to bind to all interfaces and it worked. I only wish my logs gave me some kind of an indication, so I could've solved this with Patrick that much sooner.
#9
That's precisely where I went to look. The latest.log for the system has nothing but a whole list of lines that say "WARNING: failed to start haproxy" with no additional context and haproxy's latest.log just tells me my backends all stopped.
#10
That's the output I get from System > Log Files > Backend. Latest.log just tells me all of my backends have stopped.
#11
When I say recommended patches, I'm referring to posts that I've seen saying to run "opnsense-patch -c plugins 31b82cd 18cd9f6." Running that bricked my HAProxy instance and required reinstallation, so I won't be trying that again. "Came crashing down" was just a figure of speech. HAProxy stops running when I turn on my HTTP/HTTPS public service and won't turn back on until I turn it off. As I said in my original post, the only error log I get is an exit status 1. So, I've been looking through my Public Service configuration to see what could be causing this issue.
#12
Absolutely! I completely started over from scratch and wiped what little I had built out so far. With HTTPS changed to a different port, with HTTP redirection off, and with a completely empty configuration (besides the acme plugin), the service was working. As soon as I try to add a public service, everything comes crashing down.
#13
Hey everyone! So, in my quest to completely migrate from pfSense to OPNsense, I have been trying to set up HAProxy as I used it to proxy out a lot of my internal services that I wanted to host (i.e. Plex, Home Assistant, etc.). I had a pretty robust setup on my pfSense instance, so I'd love to be able to re-implement that on OPNsense rather than having to move to a different solution like Nginx on a VM. However, whenever I try and set up my first service and turn HAProxy on, the service refuses to start and the only thing that the logs provide me is an exit code status 1. I'd appreciate any advice or troubleshooting steps on this, because I have no clue where to start diagnosing this. I implemented the recommended patches (which broke the entire thing and required a full re-installation) and combed through my entire configuration, but can't find any issues.
#14
I exclusively used Unbound on pfSense with no issues whatsoever. It was never used in forwarding mode. The logs aren't telling me a whole lot, unfortunately. However, at this point, I'm happy I have DNS working at all.
#15
So... the way I resolved this generates more questions than answers. I completely shut down Unbound and turned on Dnsmasq... and suddenly, everything started working. I combed through all of the options between Dnsmasq and Unbound, but there are absolutely no differences between their settings. I have absolutely no idea why Unbound wouldn't work, but Dnsmasq would.