Messages - elenagilbert

#1
Quote from: StarsAndBars on July 28, 2025, 09:25:58 PM
Would anyone be willing to assist me with a "Road Warrior" VPN setup I am trying to use in WireGuard? I have tried to follow the guide found here:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/?utm_content=cmp-true/monkey mart

I have captured logs and screenshots, but in short, after making the connection to the VPN using my Android phone (and the official WireGuard client for it) I cannot ping any resources on the desired LAN I have made a VPN connection to.

I am just not sure what my next step(s) would be on how to further troubleshoot this. My OPNsense firewall is connected to the internet via a business class cable modem connection, and I have a public & static IP WAN address from my provider (68.188.xxx.xxx).

Thanks in advance, I am stumped right now and I am getting frustrated...

I recommend you check the Allowed IPs settings on both the server and client, because this error often causes the device to connect but not access the LAN. Hope you fix it soon!
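
An added illustration of the Allowed IPs check recommended in the reply above (not part of the original posts and not taken from the linked guide): it reads a client and a server WireGuard config and reports which side fails to cover the path to a LAN host. The tunnel subnet 10.10.10.0/24, the LAN host 192.168.1.50, the endpoint name and the key placeholders are all constructed assumptions.

```python
import configparser
import ipaddress
# Constructed sample configs: every address, hostname and key placeholder is an assumption.
CLIENT_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.10.2/32
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.10.10.0/24
"""
SERVER_CONF = """
[Interface]
PrivateKey = <server-private-key>
Address = 10.10.10.1/24
ListenPort = 51820
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.10.10.2/32
"""

def _section(conf_text, name):
    # Handles one [Peer] per file; configparser rejects duplicate section names.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser[name]

def allowed_networks(conf_text):
    raw = _section(conf_text, "Peer")["AllowedIPs"]
    return [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",") if p.strip()]

def tunnel_address(conf_text):
    first = _section(conf_text, "Interface")["Address"].split(",")[0].strip()
    return ipaddress.ip_interface(first).ip

def check_allowed_ips(client_conf, server_conf, lan_host):
    findings = []  # an empty list means both sides cover the path
    target = ipaddress.ip_address(lan_host)
    if not any(target in net for net in allowed_networks(client_conf)):
        findings.append(f"client: AllowedIPs does not cover {target}, so the phone never routes it into the tunnel")
    client_ip = tunnel_address(client_conf)
    if not any(client_ip in net for net in allowed_networks(server_conf)):
        findings.append(f"server: peer AllowedIPs does not cover {client_ip}, so packets from the client are dropped")
    return findings

if __name__ == "__main__":
    for finding in check_allowed_ips(CLIENT_CONF, SERVER_CONF, "192.168.1.50"):
        print(finding)
```

With the sample configs the tunnel comes up but the LAN host is unreachable, because the client only routes 10.10.10.0/24 into the tunnel. This covers the Allowed IPs side only; firewall rules on the WireGuard interface are a separate check.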
#2
Quote from: sleepydragon on June 11, 2025, 04:52:27 AM
Hey all,
I set up an OpenVPN server on my OPNsense box. My phone and laptop have no problem connecting to it; however, my wife (she is back in China) can't connect to the VPN server.

I did a DNS resolve on her laptop, and the IP address comes out correctly. I can see her connect request on my firewall, with a public IP and random port number, and it is permitted. When I am troubleshooting, every time I reset the server config and switch to a new port, she can connect the very first time, then the server will not respond to the request anymore. My phone on the cellular network works every time.

Hope anyone can help me with this issue.

Below is the log file copied from her client (I * out the IP address of my firewall):

[Jun 11, 2025, 10:26:14] Server poll timeout, trying next remote entry...
[Jun 11, 2025, 10:26:14] EVENT: RECONNECTING
[Jun 11, 2025, 10:26:14] EVENT: RESOLVE
[Jun 11, 2025, 10:26:14] EVENT: WAIT
[Jun 11, 2025, 10:26:14] WinCommandAgent: transmitting bypass route to ***.***.***.***
{
    "host" : "***.***.***.***",
    "ipv6" : false
}

[Jun 11, 2025, 10:26:18] EVENT: DISCONNECTED
[Jun 11, 2025, 10:27:09] OpenVPN core 3.10.5 win x86_64 64-bit OVPN-DCO built on Dec 17 2024 12:24:32
[Jun 11, 2025, 10:27:09] Frame=512/2112/512 mssfix-ctrl=1250
[Jun 11, 2025, 10:27:09] NOTE: This configuration contains options that were not used:
[Jun 11, 2025, 10:27:09] Feature not implemented (option ignored)
[Jun 11, 2025, 10:27:09] 0 [lport]
[Jun 11, 2025, 10:27:09] Unsupported option (ignored)
[Jun 11, 2025, 10:27:09] 0 [persist-tun]
[Jun 11, 2025, 10:27:09] 1 [persist-key]
[Jun 11, 2025, 10:27:09] 2 [resolv-retry] [infinite]
[Jun 11, 2025, 10:27:09] EVENT: RESOLVE
[Jun 11, 2025, 10:27:09] EVENT: WAIT
[Jun 11, 2025, 10:27:09] WinCommandAgent: transmitting bypass route to ***.***.***.***
{
    "host" : "***.***.***.***",
    "ipv6" : false
}

[Jun 11, 2025, 10:27:19] Server poll timeout, trying next remote entry...

When she connects for the first time after a port change, does the connection stay active for long? Or drop quickly? This could indicate active DPI detecting and cutting the connection after initial handshake.


#3
Quote from: Wuensch-AG-Adm on June 05, 2025, 10:11:57 AM
Dear Community and OPNsense Team,

We have bought a Deciso / OPNsense appliance with the Business Edition to always receive a stable version of the system and the plugins too (normally they're tested on the community version).
Today, during maintenance, we upgraded our appliance to version 25.4.1, and after the reboot the squid plugin doesn't work anymore.
Version: os-squid 1.2
We get a segmentation fault warning, and it's not the first time we've seen something like this; each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work, and our company has no Internet without a chaotic passthrough that I need to set up urgently.

The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If not, as Business customers we need the list of the Business plugins that we can use (when we are buying the appliance, for example).

Here is the info on the warning message:

template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault

A segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan, in case we need to restore quickly?
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen

We have tried to disable the squid proxy, but the problem is still the same because of the NAT that the squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.

Thank you in advance for your help.

Regards,

Joel.

Hi Joel, did you happen to check whether there's a core dump or crash log generated from the Squid process after the segmentation fault?
#4
Quote from: vk2him on May 21, 2025, 09:07:07 AM
I'm running the latest OPNsense 25.1.7_2-amd64 and the issues below occurred on the previous 25.1.6

I had NUT running fine for quite a while in Netclient mode connected to a Cyberpower UPS that is connected to a Synology NAS.
I got a second CyberPower UPS this week with the OPNsense NUC now being powered by it (previously it wasn't UPS protected as it's on a different floor to the Synology). So now I wanted OPNsense to work in Standalone mode connected to the USB UPS that's right next to it.

In the NUT UPS Type tab I unticked Netclient, saved and restarted the service, then Enabled Standalone and the USB-HID Driver option, plugged in the USB into the OPNsense NUC and restarted the service.

The Diagnostics shows it's still connected to the Netclient mode UPS in the garage and it won't recognise the standalone UPS plugged into the USB port. I tried all sorts of combinations and it always showed it was still connected via netclient.

So I uninstalled NUT, reinstalled it and rebooted OPNsense. Immediately when OPNsense starts up, it shuts down. It took me a few restarts to quickly go into the GUI and disable NUT to prevent the loop.

Here's the log when it starts then shuts down - 192.168.1.252 is the Synology NAS

2025-05-21T14:47:52    Notice    kernel    ---<<BOOT>>---   
2025-05-21T14:47:52    Notice    syslog-ng    syslog-ng starting up; version='4.8.2'   
2025-05-21T14:46:19    Notice    kernel    <6>ovpns1: link state changed to DOWN   
2025-05-21T14:46:18    Notice    syslog-ng    syslog-ng shutting down; version='4.8.2'   
2025-05-21T14:45:56    Notice    upsmon    Auto logout and shutdown proceeding   
2025-05-21T14:45:56    Critical    upsmon    Executing automatic power-fail shutdown   
2025-05-21T14:45:56    Notice    upsmon    UPS ups@192.168.1.252:3493: forced shutdown in progress   
2025-05-21T14:45:51    Notice    configctl    event @ 1747802750.95 exec: system event config_changed response: OK   
2025-05-21T14:45:51    Error    upsmon    Login on UPS [ups@192.168.1.252:3493] failed - got [ERR ACCESS-DENIED]

So even though I have disabled Netclient mode, it's still trying to connect, it fails, then 5 seconds later it decides to shut down.

Looking at the logs, at one stage it did recognise the UPS via USB, but disconnected/attempted again which I discovered by googling that some Cyberpower UPS do this until they connect to the driver?

2025-05-21T14:34:59    Notice    kernel    ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)   
2025-05-21T14:34:59    Notice    kernel    ugen0.2: <CPS BR1200ELCD> at usbus0   
2025-05-21T14:34:59    Notice    kernel    ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)   
2025-05-21T14:34:59    Notice    kernel    ugen0.2: <CPS BR1200ELCD> at usbus0   
2025-05-21T14:34:59    Notice    kernel    ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)   
2025-05-21T14:34:59    Notice    kernel    ugen0.2: <CPS BR1200ELCD> at usbus0

Any suggestions would be appreciated - I'm not too keen to re-enable NUT as I think it will shut down as soon as I enable it?

You can fix the issue by manually clearing old NUT config files via SSH and setting up a fresh standalone configuration for your USB-connected UPS. You can then verify detection with usbconfig and configure ups.conf, upsmon.conf, and nut.conf to avoid fallback to the previous Netclient setup.