"Quote from: Ametite on May 29, 2025, 09:34:17 AMGood morning, everyone. I apologize if this is not the correct section; I'm relatively new here.Thanks for sharing! I have reviewed this CVE and found that the current Kea DHCP version on OPNsense is affected. Luckily, this is just a report, so we can still plan to patch soon. Has anyone tried to update or have a workaround?
This morning, I received a CVE report from our cybersecurity agency regarding CVE on Kea DHCP. I checked the packet version in OPNsense, and it appears to be affected in the latest available version of OPNsense.
https://www.acn.gov.it/portale/en/w/aggiornamenti-di-sicurezza-per-prodotti-isc
https://www.cve.org/CVERecord?id=CVE-2025-32801
This is just as report :)
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
25.1, 25.4 Series / Re: CVE-2025-32801 - Kea DHCP 2.6.x (x< 3)
September 24, 2025, 05:58:52 PM #2
Intrusion Detection and Prevention / Custom rules in Suricata – best practices?
September 24, 2025, 04:25:47 AM
Hi everyone, I've been experimenting with Suricata on OPNsense and am considering adding custom rules to detect specific traffic patterns in my network. Before I dive in, I'd like to know:
What's the best practice for managing custom rules without breaking updates?
Do you keep them in a separate file, or is there a recommended method within OPNsense to make sure they persist?
Are there any performance concerns when mixing official rule sets (ET/OpenAppID) with custom rules?
Would love to hear how others handle this.
What's the best practice for managing custom rules without breaking updates?
Do you keep them in a separate file, or is there a recommended method within OPNsense to make sure they persist?
Are there any performance concerns when mixing official rule sets (ET/OpenAppID) with custom rules?
Would love to hear how others handle this.
#3
Virtual private networks / How to optimize VPN speed vs security in OPNsense?
September 03, 2025, 09:16:42 AM
Hi everyone,
I've been using OPNsense for a while and have set up VPN connections for remote workers. One thing I'm still trying to figure out is the best way to balance performance and security.
For example, when enabling stronger encryption (like AES-256-GCM), I notice a drop in throughput compared to lighter ciphers. On the other hand, I don't want to compromise security just for speed.
I'm curious—what are the best practices the community recommends for:
- Choosing encryption algorithms without losing too much performance
- Tweaking VPN settings to handle multiple users smoothly
- Hardware considerations that make the biggest impact on VPN performance
Any insights, real-world experiences, or recommended configurations would be greatly appreciated!
Thanks in advance!
I've been using OPNsense for a while and have set up VPN connections for remote workers. One thing I'm still trying to figure out is the best way to balance performance and security.
For example, when enabling stronger encryption (like AES-256-GCM), I notice a drop in throughput compared to lighter ciphers. On the other hand, I don't want to compromise security just for speed.
I'm curious—what are the best practices the community recommends for:
- Choosing encryption algorithms without losing too much performance
- Tweaking VPN settings to handle multiple users smoothly
- Hardware considerations that make the biggest impact on VPN performance
Any insights, real-world experiences, or recommended configurations would be greatly appreciated!
Thanks in advance!
#4
Virtual private networks / Re: OpenVPN Error: No tunnel network provisioned, but required.
August 18, 2025, 06:05:43 AMQuote from: msantosn on August 05, 2025, 04:51:48 PMHi,Does your OpenVPN server instance have a Client-Specific Override (CSO) configured for msantosn, and if so, does it contain a tunnel network entry?
Got to play with Opnsense 25.7.1, and configured a OpenVPN instance for roaming users. I created my test user with its corresponding certificate. When authenticating I get AUTH_FAILED in the client.
In Opnsense I get the following errors:Code Select2025-08-05T14:24:24 Notice openvpn_server1 <EDITED CLIENT IP>:53433 SIGTERM[soft,delayed-exit] received, client-instance exiting
2025-08-05T14:24:19 Notice openvpn_server1 <EDITED CLIENT IP>:53433 SENT CONTROL [msantosn]: 'AUTH_FAILED' (status=1)
2025-08-05T14:24:19 Notice openvpn_server1 <EDITED CLIENT IP>:53433 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2025-08-05T14:24:19 Notice openvpn_server1 <EDITED CLIENT IP>:53433 Delayed exit in 5 seconds
2025-08-05T14:24:18 Warning openvpn authentication failed for user 'msantosn'. No tunnel network provisioned, but required.
2025-08-05T14:24:18 Notice openvpn Locate overwrite for 'msantosn' using server '77a28ac6-eb75-478d-a59a-d7609b675e52' (vpnid: 1)
2025-08-05T14:24:18 Notice openvpn_server1 <EDITED CLIENT IP>:53433 [msantosn] Peer Connection Initiated with [AF_INET6]::ffff:<EDITED CLIENT IP>:53433 (via ::ffff:<EDITED SERVER IP>%vtnet0)
2025-08-05T14:24:18 Notice openvpn_server1 <EDITED CLIENT IP>:53433 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA512, peer temporary key: 253 bits X25519
2025-08-05T14:24:18 Notice openvpn_server1 <EDITED CLIENT IP>:53433 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2025-08-05T14:24:18 Notice openvpn_server1 <EDITED CLIENT IP>:53433 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-08-05T14:24:18 Notice openvpn_server1 <EDITED CLIENT IP>:53433 TLS: Username/Password authentication deferred for username 'msantosn' [CN SET]
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_SSO=openurl,webauth,crtext
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_GUI_VER=OpenVPN_GUI_11.50.0.0
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_PROTO=990
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_NCP=2
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_MTU=1600
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_TCPNL=1
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_PLAT=win
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 peer info: IV_VER=2.6.12
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 VERIFY OK: depth=0, C=NL, ST=n/a, L=n/a, O=DunderMiflin, emailAddress=msantosn@example.com, CN=msantosn
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 VERIFY SCRIPT OK: depth=0, C=NL, ST=n/a, L=n/a, O=DunderMiflin, emailAddress=msantosn@example.com, CN=msantosn
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 VERIFY OK: depth=1, C=NL, ST=n/a, L=n/a, O=DunderMiflin, OU=IT Operations, emailAddress=root@example.com, CN=OpenVPN-CA
2025-08-05T14:24:17 Notice openvpn_server1 <EDITED CLIENT IP>:53433 VERIFY SCRIPT OK: depth=1, C=NL, ST=n/a, L=n/a, O=DunderMiflin, OU=IT Operations, emailAddress=root@example.com, CN=OpenVPN-CA
I have used a lot OpenVPN in the past and I find this error confusing. Also, I cannot find absolutely anything on Google. Anyone has an idea or a pointer?
#5
Virtual private networks / Re: Help with a new WireGuard VPN Connection?
July 29, 2025, 11:34:20 AMQuote from: StarsAndBars on July 28, 2025, 09:25:58 PMWould anyone be willing to assist me with a "Road Warrior" VPN setup I am trying to use in WireGuard? I have tried to follow the guide found here:I recommend you check the Allowed IPs settings on both the server and client, because this error often causes the device to connect but not access the LAN. Hope you fix it soon!
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/?utm_content=cmp-true/monkey mart
I have captured logs and screenshots, but in short, after making the connection to the VPN using my Android phone (and the official WireGuard client for it) I cannot ping any resources on the desired LAN I have made a VPN connection to.
I am just not sure what my next step(s) would be on how to further troubleshoot this. My OPNSense firewall is connected to the internet via a business class cable modem connection, and I have a public & static IP WAN address from my provider (68.188.xxx.xxx).
Thanks in advance, I am stumped right now and I am getting frustrated...
#6
Virtual private networks / Re: OPEN VPN server not respond to client
July 08, 2025, 04:57:30 AMQuote from: sleepydragon on June 11, 2025, 04:52:27 AMhey all,When she connects for the first time after a port change, does the connection stay active for long? Or drop quickly? This could indicate active DPI detecting and cutting the connection after initial handshake.
I setup an open vpn server on my opnsense box, my phone and laptop has no problem to connected to it, however, my wife ( she is back in China) can't connect to the vpn server.
i did dns resolve on her laptop, IP address comes out correctly. i can see her connect request on my firewall, with a public IP and random port number, and is permitted. when i troubleshooting, every time i reset the server config and switch to a new port, she can connect at the very first time, then server will not respond to the request anymore, my phone on cellular network works every time.
hope anyone can help me with is issue.
below are the log file copy from her client (i * out the IP address of my firewall.):
[Jun 11, 2025, 10:26:14] Server poll timeout, trying next remote entry...
⏎[Jun 11, 2025, 10:26:14] EVENT: RECONNECTING ⏎[Jun 11, 2025, 10:26:14] EVENT: RESOLVE ⏎[Jun 11, 2025, 10:26:14] EVENT: WAIT ⏎[Jun 11, 2025, 10:26:14] WinCommandAgent: transmitting bypass route to ***.***.***.***
{
"host" : "***.***.***.***",
"ipv6" : false
}
⏎[Jun 11, 2025, 10:26:18] EVENT: DISCONNECTED ⏎[Jun 11, 2025, 10:27:09] OpenVPN core 3.10.5 win x86_64 64-bit OVPN-DCO built on Dec 17 2024 12:24:32
⏎[Jun 11, 2025, 10:27:09] Frame=512/2112/512 mssfix-ctrl=1250
⏎[Jun 11, 2025, 10:27:09] NOTE: This configuration contains options that were not used:
⏎[Jun 11, 2025, 10:27:09] Feature not implemented (option ignored)
⏎[Jun 11, 2025, 10:27:09] 0 [lport]⏎[Jun 11, 2025, 10:27:09] Unsupported option (ignored)
⏎[Jun 11, 2025, 10:27:09] 0 [persist-tun]
⏎[Jun 11, 2025, 10:27:09] 1 [persist-key]
⏎[Jun 11, 2025, 10:27:09] 2 [resolv-retry] [infinite]
⏎[Jun 11, 2025, 10:27:09] EVENT: RESOLVE ⏎[Jun 11, 2025, 10:27:09] EVENT: WAIT ⏎[Jun 11, 2025, 10:27:09] WinCommandAgent: transmitting bypass route to ***.***.***.***
{
"host" : "***.***.***.***",
"ipv6" : false
}
⏎[Jun 11, 2025, 10:27:19] Server poll timeout, trying next remote entry...
#7
Web Proxy Filtering and Caching / Re: Squid Web Proxy services error - 25.4.1 Business Edition - chaos for our company
June 07, 2025, 05:21:06 AMQuote from: Wuensch-AG-Adm on June 05, 2025, 10:11:57 AMDear Community and OPNsense Team,
we have bought a Deciso / OPNsense Appliance the Business Edition to receive every time a stable version of the system and the plugins too (normally they're tested on the community version).
Today during the maintenance, we have upgraded our appliance to the version 25.4.1 and after the reboot the squid plugin doesn't work anymore
Version: os-squid 1.2
A segmentation fault warning, and it's not the first time we've seen something like this, and each time we've solved the problems by making a few changes to the parameters.
This time it simply doesn't work and our company have no Internet without chaotic passthrough that I need the set up in urgence.
The first question: Shouldn't the Business Edition be tested better with plugin integration? (the minimum requirements for the business functions)
If no for the Business customer we need the list of the Business plugin that we can use (when we are buying the appliance for example)
here the infos on the warning message:
template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2025/06/05 08:30:13| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3128
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3128
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3128 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port 127.0.0.1:3129
2025/06/05 08:30:13| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2025/06/05 08:30:13| Starting Authentication on port [::1]:3129
2025/06/05 08:30:13| Disabling Authentication on port [::1]:3129 (interception enabled)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2025/06/05 08:30:19| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2025/06/05 08:30:19| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2025/06/05 08:30:19| WARNING: HTTP requires the use of Via
2025/06/05 08:30:19| Set Current Directory to /var/squid/cache
Segmentation fault
segmentation fault is quite general. Where can we see the detailed error message?
We have a backup of the configuration. Is there a link to the procedure for an emergency plan? If we need to quickly restore.
I've found this website: https://www.thomas-krenn.com/de/wiki/OPNsense_Konfiguration_wiederherstellen Retro Bowl College
We have tried to disable the squid proxy but the problem is still the same because of the NAT that squid proxy is creating when there's a transparent proxy.
We are currently being blocked by our OPNsense.
Thank you ahead for you help.
Regards,
Joel.
Hi Joel, did you happen to check whether there's a core dump or crash log generated from the Squid process after the segmentation fault?
#8
25.1, 25.4 Series / Re: NUT is in a Shutdown loop and has other odd behavior
June 07, 2025, 05:14:23 AMQuote from: vk2him on May 21, 2025, 09:07:07 AMI'm running the latest OPNsense 25.1.7_2-amd64 and the issues below occurred on the previous 25.1.6
I had NUT running fine for quite a while in Netclient mode connected to a Cyberpower UPS that is connected to a Synology NAS.
I got a second CyberPower UPS this week with the OPNsense NUC now being powered by it (previously it wasn't UPS protected as it's on a different floor to the Synology). So now I wanted OPNsense to work in Standalone mode connected to the USB UPS that's right next to it.
In the NUT UPS Type tab I unticked Netclient, saved and restarted the service, then Enabled Standalone and the USB-HID Driver option, plugged in the USB into the OPNsense NUC and restarted the service.
The Diagnostics shows it's still connected to the Netclient mode UPS in the garage and it won't recognise the standalone UPS plugged into the USB port. I tried all sorts of combinations and it always showed it was still connected via netclient.
So I uninstalled NUT, reinstalled it and rebooted OPNsense. Immediately when OPNsense starts up, it shuts down. It look me a few restarts to quickly go into the GUI and disable NUT to prevent the loop.
Here's the log when it starts then shuts down - 192.168.1.252 is the Synology NASCode Select
2025-05-21T14:47:52 Notice kernel ---<<BOOT>>---
2025-05-21T14:47:52 Notice syslog-ng syslog-ng starting up; version='4.8.2'
2025-05-21T14:46:19 Notice kernel <6>ovpns1: link state changed to DOWN
2025-05-21T14:46:18 Notice syslog-ng syslog-ng shutting down; version='4.8.2'
2025-05-21T14:45:56 Notice upsmon Auto logout and shutdown proceeding
2025-05-21T14:45:56 Critical upsmon Executing automatic power-fail shutdown
2025-05-21T14:45:56 Notice upsmon UPS ups@192.168.1.252:3493: forced shutdown in progress
2025-05-21T14:45:51 Notice configctl event @ 1747802750.95 exec: system event config_changed response: OK
2025-05-21T14:45:51 Error upsmon Login on UPS [ups@192.168.1.252:3493] failed - got [ERR ACCESS-DENIED]
So even though I have disabled Netclient mode, it's still trying to connect, it fails, then 5 seconds later it decides to shutdown.
Looking at the logs, at one stage it did recognise the UPS via USB, but disconnected/attempted again which I discovered by googling that some Cyberpower UPS do this until they connect to the driver?Code Select2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0 (disconnected)
2025-05-21T14:34:59 Notice kernel ugen0.2: <CPS BR1200ELCD> at usbus0
Any suggestions would be appreciated - I'm not too keen to re-enable NUT as I think it will shutdown as soon as I enable it?
You can fix the issue by manually clearing old NUT config files via SSH and setting up a fresh standalone configuration for your USB-connected UPS. You can then verify detection with usbconfig and configure ups.conf, upsmon.conf, and nut.conf to avoid fallback to the previous Netclient setup.
Pages1
