Messages - mlenje

#1
A couple of days ago, I successfully installed the free version of Zenarmor on OPNsense v25.7.8. During the install, Remote Elasticsearch Database was an option that appeared during the wizard. I used it and set up Elasticsearch on a separate computer. Everything was working great.

Today, I upgraded the hard drives in my OPNsense box and did a clean re-install of OPNsense. Installing Zenarmor was the last step. During the install, Remote Elasticsearch Database is not listed as an option, only local Elasticsearch or local SQLite.

Any thoughts on why it's not showing up as an option in the wizard?
#2
25.7, 25.10 Series / Re: Wireguard VPN issue
November 11, 2025, 07:42:44 PM
Quote from: osmom on November 06, 2025, 09:09:50 AM
"Then gateway monitoring is probably misconfigured. Check the routing table for 8.8.8.8." Means, use an IP address on the other side of your WireGuard tunnel.

"There was a key mismatch for my VPN server, but OPNsense was reporting a successful handshake. Is it possible to change the way OPNsense reports the Wireguard status?" Yes, there is, create a report at: https://github.com/opnsense/core/issues

Done.
#3
25.7, 25.10 Series / Re: Wireguard VPN issue
November 06, 2025, 04:35:19 AM
Quote from: Maurice on November 06, 2025, 04:26:40 AM
Then gateway monitoring is probably misconfigured. Check the routing table for 8.8.8.8. Make sure it isn't configured as a DNS server in System / Settings / General.

WireGuard is stateless. If the keys don't match, no traffic passes the tunnel. But there is no "login" or "connection" which could fail. That's by design.

There are no entries for DNS Servers in System / Settings / General ... I use DNSCrypt for DNS Servers.

Under VPN / Wireguard / Status, what does a green check and a handshake age in seconds mean for a given Wireguard Peer?
#4
25.7, 25.10 Series / Re: Wireguard VPN issue
November 06, 2025, 03:59:40 AM
Quote from: Maurice on November 06, 2025, 02:27:24 AM
The interface was "green" or the gateway? Gateway monitoring creates a static route for the monitor IP to prevent the pings from taking other routes, so it should definitely show the gateway as down.

Up is green, correct?  Attached is a picture of what was displayed in the Dashboard.

I guess the simple answer is NO, OPNsense cannot detect a key mismatch when connecting to a VPN Server?
#5
25.7, 25.10 Series / Re: Wireguard VPN issue
November 06, 2025, 01:57:52 AM
I have 8.8.8.8 as the Monitor IP in the Wireguard interface. It showed the Wireguard interface as green.
#6
25.7, 25.10 Series / Re: Wireguard VPN issue
November 06, 2025, 01:46:58 AM
Quote from: Maurice on November 06, 2025, 01:41:48 AM
I'm not talking about the WAN gateway or the WireGuard status. You can set up an additional gateway monitor (System: Gateways: Configuration) for the WireGuard tunnel. Dpinger then pings a monitor IP of your choice through the WireGuard tunnel. If the tunnel stops passing packets, the ping fails.

If that ping fails, how do I know it's a key mismatch on the VPN server as opposed to a rule on OPNsense preventing data from going out?
#7
25.7, 25.10 Series / Re: Wireguard VPN issue
November 06, 2025, 01:26:21 AM
The problem is that OPNsense was showing the Wireguard connection as fine.  Monitoring the gateway did not help because the gateway was alive and active.

The WireGuard status in OPNsense is reporting on the Layer 2/3 connection attempt (the VPN tunnel) and not necessarily the Layer 7 data flow (internet traffic).

When OPNsense initiates the connection, it sends a handshake packet to the VPN server's endpoint IP. The handshake is built using the local private key.

The VPN server receives this handshake packet and, if the network path is clear, it sends a reply back to OPNsense.

This reply packet from the server is misinterpreted by the OPNsense WireGuard service as a successful completion of the handshake process, even though the server immediately discards the session due to a key mismatch.

In my instance, I had accidentally deleted the VPN instance with the Private Key I was using, so the VPN server, upon receiving the handshake packet, looked up my Key in its database and said I don't recognize this public key anymore.  The VPN server did not process the session and did not pass any packets, but doesn't send a clean error message back to OPNsense that the key is invalid.  The OPNsense client just sees that the connection was established to the port, and a handshake occurred, leading to the confusing "successful handshake" status with zero or stalled traffic volume.  The OPNsense Latest Handshake status primarily indicates the last time the client and server spoke to each other, even if that conversation was a one-sided failure due to the invalid key. The true indicator of failure is the lack of inbound and outbound traffic bytes after the initial handshake.

Because the link was showing as UP with no traffic, I spent hours trying to diagnose the Firewall rules thinking that a rule or something went wrong on my side with the OPNsense configuration.
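One way to turn the observation in that post (a recent handshake timestamp with no inbound bytes behind it) into an automated check, as an added example that is not code from the thread or from OPNsense: the script below parses the tab-separated output of `wg show all dump` and labels each peer by combining handshake age with the transfer counters, so a tunnel that is "green" by handshake but has received nothing is flagged rather than reported as healthy. The embedded dump is a constructed sample (placeholder keys, RFC 5737 documentation addresses, a fixed "now" timestamp); the 180-second staleness threshold, the status labels and the optional comparison against a previous sample's RX counter are my assumptions.

```python
"""Classify WireGuard peers from `wg show all dump` output.

Added example; not code from the forum thread or the OPNsense project.
Assumes the `wg show all dump` layout: one 5-field line per interface
(interface, private-key, public-key, listen-port, fwmark) followed by one
9-field line per peer (interface, public-key, preshared-key, endpoint,
allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive).
"""
from dataclasses import dataclass

# Assumption: a handshake older than 180 s (WireGuard's REJECT_AFTER_TIME)
# means the peer is no longer maintaining a session with us.
STALE_AFTER = 180


@dataclass
class Peer:
    iface: str
    pubkey: str
    endpoint: str
    latest_handshake: int  # unix seconds, 0 = never
    rx: int                # bytes received from the peer
    tx: int                # bytes sent to the peer


def parse_wg_dump(text):
    """Return the peer lines of a `wg show all dump`; interface lines are skipped."""
    peers = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 9:
            iface, pub, _psk, endpoint, _allowed, hs, rx, tx, _keepalive = fields
            peers.append(Peer(iface, pub, endpoint, int(hs), int(rx), int(tx)))
    return peers


def classify(peer, now, prev_rx=None):
    """Label one peer. prev_rx is that peer's RX counter from an earlier sample, if any."""
    if peer.latest_handshake == 0:
        return "NO-HANDSHAKE"
    if now - peer.latest_handshake > STALE_AFTER:
        return "STALE"
    # The signature from the thread: we keep sending, nothing ever comes back.
    rx_not_growing = prev_rx is not None and peer.rx <= prev_rx
    if peer.tx > 0 and (peer.rx == 0 or rx_not_growing):
        return "HANDSHAKE-NO-RX"
    return "OK"


def report(dump_text, now, previous_rx=None):
    """Map peer public key -> status for every peer in the dump."""
    previous_rx = previous_rx or {}
    return {p.pubkey: classify(p, now, previous_rx.get(p.pubkey))
            for p in parse_wg_dump(dump_text)}


# ---- constructed sample data (placeholder keys, documentation addresses) ----
NOW = 1_762_400_000  # fixed "current time" so the sample is reproducible


def _line(*fields):
    return "\t".join(str(f) for f in fields)


SAMPLE_DUMP = "\n".join([
    _line("wg0", "(redacted)", "IFACE_A_PUBKEY", 51820, "off"),
    # peer A: handshake 30 s ago, 48 KB sent, 0 bytes received -> suspect
    _line("wg0", "PEER_A_PUBKEY", "(none)", "198.51.100.7:51820", "0.0.0.0/0",
          NOW - 30, 0, 48210, 25),
    _line("wg1", "(redacted)", "IFACE_B_PUBKEY", 51821, "off"),
    # peer B: recent handshake, traffic in both directions -> healthy
    _line("wg1", "PEER_B_PUBKEY", "(none)", "198.51.100.9:51820", "0.0.0.0/0",
          NOW - 45, 913004, 120330, 25),
    # peer C: last handshake an hour ago -> stale
    _line("wg1", "PEER_C_PUBKEY", "(none)", "203.0.113.4:51820", "10.9.0.2/32",
          NOW - 3600, 5000, 7000, "off"),
])


if __name__ == "__main__":
    for pubkey, status in report(SAMPLE_DUMP, NOW).items():
        print(f"{pubkey:16} {status}")
```

Run it against live data by replacing `SAMPLE_DUMP` with the output of `wg show all dump` and `NOW` with `time.time()`. An idle tunnel also shows no RX growth, so pass the previous sample's counters only while traffic is expected, and pair the check with the dpinger gateway monitor through the tunnel that Maurice describes earlier in the thread, which gives a positive liveness signal instead of inferring failure from counters alone.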
#8
25.7, 25.10 Series / Re: Wireguard VPN issue
November 05, 2025, 05:59:20 AM
There was a key mismatch for my VPN server, but OPNsense was reporting a successful handshake. Is it possible to change the way OPNsense reports the Wireguard status? Instead of reporting on the Layer 2/3 connection attempt (the VPN tunnel), can OPNsense report on the Layer 7 data flow (internet traffic)?
#9
25.7, 25.10 Series / Wireguard VPN issue
November 04, 2025, 11:07:12 PM
Hi,

I am running OPNsense v 25.7.6 in 2 locations with 2 different Internet service providers. I have a Wireguard VPN setup for each (using a different VPN server on each).

It has been working fine for months. Simultaneously this morning, the Wireguard VPN stopped letting traffic out of the OPNsense box in each location.

I have verified that my VPN provider is working. I have changed the server, public key, etc... OPNsense shows a successful handshake.
#10
25.7, 25.10 Series / Re: Captive Portal Not Working
October 26, 2025, 03:10:54 AM
I'm running 25.7.6 and the login button no longer appears on my Captive Portal splash screen.
#11
25.1, 25.4 Series / Re: OpenVPN Settings
March 23, 2025, 04:25:06 AM
Thank you!  It works now.
#12
25.1, 25.4 Series / Re: OpenVPN Settings
March 22, 2025, 06:46:12 AM
The firewall Rule for the OpenVPN Server interface was set to the following:
TCP/IP Version: IPv4+IPv6
Gateway: Default

If I try to change the Gateway to the ProtonVPN/Wireguard interface, I get an error saying "You can not assign a gateway to a rule that applies to IPv4 and IPv6"

If I change TCP/IP Version to IPv4 only, then I can change the Gateway to the ProtonVPN/Wireguard interface, but when I connect a remote device via OpenVPN, I cannot access the network or access the internet.
#13
25.1, 25.4 Series / OpenVPN Settings
March 21, 2025, 12:51:54 AM
I have OPNsense v 25.1.3 running with Wireguard/ProtonVPN and DNS Crypt. When I am on my internal LAN, I receive an IP from ProtonVPN and do not have any DNS leaks.

I have OpenVPN set up to access my LAN from outside my network. Whenever I connect via OpenVPN, however, I receive the external IP address of my WAN, not my ProtonVPN. Is this something I can change? DNS Crypt appears to be working while connecting via OpenVPN, but my IP is that of my Internet provider.

Thoughts?
#14
I have a Guest Wifi up and Running with the Captive Portal splash page.  I have Monit up and running.  I want to get an email from OPNsense when a new Guest Wifi session happens. Is there an easy way to do this with Monit?
#15
I just switched the virtual wireless interface from 2.4GHz to 5.0 GHz and everything works!