Messages - mochagnu

#1
Quote from: jahlives on July 29, 2025, 04:01:55 PMAbout performance: it depends on a lot of factors and also it depends very much on what and how you test. Generally WireGuard is way faster than OpenVPN and in many cases also faster than IPsec. For reliable testing you should use a tool like iperf(3) on both client and server and always perform the same test via a non-WireGuard connection to compare. On OPNsense iperf can be installed as well (from plugins/packages). It can be a good idea to play with the iperf params (e.g. parallel connections etc).
Quote... or at least seeing any CPU running hot due to the cryptography of the tunnel.
WireGuard is quite efficient in CPU usage, so even if you hit the max of the tunnel it does not necessarily mean that your CPUs are running at 100% usage. I have not found many tests with 10Gb cards, but here in a Reddit thread there are some numbers: https://www.reddit.com/r/linux/comments/9bnowo/wireguard_benchmark_between_two_servers_with_10/ but keep in mind that they used a huge MTU (8.5k) to achieve the speed. Also here https://www.netgate.com/blog/wireguard-in-pfsense-2-5-performance are some performance numbers, although only with a 1Gb card.
Great info! I've also noticed WireGuard performs impressively even on modest hardware. Iperf testing really helps reveal real throughput limits. MTU tuning can make a huge difference too—especially when pushing beyond gigabit speeds. Thanks for sharing those links!
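The comparison jahlives describes (same iperf3 run through the tunnel and over a plain link, then look at throughput and CPU) is easy to script against the JSON that `iperf3 -c <server> -J` prints. The following is an added example, not code from the thread or from the OPNsense project: the two result documents are constructed stand-ins for real runs, trimmed to the `end` section iperf3 produces, and the 90% CPU threshold used to call a tunnel "CPU-bound" is an assumption chosen for illustration.

```python
import json

# Constructed stand-ins for two `iperf3 -c <server> -J` results (only the
# "end" section is kept). Figures are illustrative, not measurements.
WG_RUN = json.dumps({
    "end": {
        "sum_sent": {"bits_per_second": 2.4e9, "retransmits": 12},
        "sum_received": {"bits_per_second": 2.38e9},
        "cpu_utilization_percent": {"host_total": 31.5, "remote_total": 44.2},
    }
})
BASELINE_RUN = json.dumps({
    "end": {
        "sum_sent": {"bits_per_second": 9.4e9, "retransmits": 0},
        "sum_received": {"bits_per_second": 9.38e9},
        "cpu_utilization_percent": {"host_total": 8.1, "remote_total": 9.0},
    }
})

# Assumed threshold: above this the slower endpoint is treated as saturated.
CPU_SATURATED_PCT = 90.0


def summarize(iperf_json: str) -> dict:
    """Extract receiver throughput (Gbit/s), retransmits and CPU load
    from the JSON document iperf3 emits with -J."""
    end = json.loads(iperf_json)["end"]
    return {
        "gbps": end["sum_received"]["bits_per_second"] / 1e9,
        "retransmits": end["sum_sent"].get("retransmits", 0),
        "cpu_local": end["cpu_utilization_percent"]["host_total"],
        "cpu_remote": end["cpu_utilization_percent"]["remote_total"],
    }


def compare(tunnel_json: str, baseline_json: str) -> dict:
    """Put a tunnel run next to its non-tunnel baseline.

    The ratio tells you how much the tunnel costs; the CPU figures tell you
    whether cryptography is the limit or whether to look elsewhere
    (MTU/fragmentation, NIC offload, the path itself)."""
    t, b = summarize(tunnel_json), summarize(baseline_json)
    cpu_max = max(t["cpu_local"], t["cpu_remote"])
    return {
        "tunnel_gbps": round(t["gbps"], 2),
        "baseline_gbps": round(b["gbps"], 2),
        "ratio": round(t["gbps"] / b["gbps"], 3),
        "tunnel_retransmits": t["retransmits"],
        "tunnel_cpu_max": cpu_max,
        "cpu_bound": cpu_max >= CPU_SATURATED_PCT,
    }


if __name__ == "__main__":
    for key, value in compare(WG_RUN, BASELINE_RUN).items():
        print(f"{key:>18}: {value}")
```

Run the real thing with the same `-P` (parallel streams) and `-t` (duration) on both paths, and in both directions (`-R`), since WireGuard's cost is asymmetric between the sending and receiving peer.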
#2
Quote from: holunde on July 04, 2025, 12:18:17 PMI'm just wondering, why a release is coming out with these 2 new vulnerabilities?

Currently running OPNsense 25.1.10 (amd64) at Fri Jul  4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.freebsd.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***
Your scanner output shows CVEs affecting php 8.3 and sudo on OPNsense. Sometimes releases include vulnerable package versions because disclosures and upstream patches arrive after a snapshot. Check OPNsense security advisories immediately and apply any package updates or hotfixes they publish. Meanwhile harden your box: disable unused PHP services, restrict sudo via sudoers, block external access to affected services, and back up configs. Monitor logs closely and subscribe to OPNsense security channels for prompt notifications and consider staged testing first.
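The report holunde pasted is the plain-text format `pkg audit -F` prints on FreeBSD and OPNsense. When you want to feed that into a ticket, a changelog check or a monitoring job, it helps to have it as data rather than text. The parser below is an added example, not part of the thread or of OPNsense; the sample input is constructed to mirror the quoted report, and the package/version split assumes the FreeBSD convention that the version follows the last hyphen of the package name.

```python
import re

# Constructed sample in the layout `pkg audit -F` prints, modelled on the
# report quoted above (same packages and CVEs, for illustration only).
SAMPLE_AUDIT = """\
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.freebsd.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
"""

# Assumption: FreeBSD package names are "<name>-<version>", version after the
# last hyphen, so a greedy match on the name part splits them correctly.
HEADER = re.compile(r"^(?P<pkg>\S+)-(?P<ver>[^-\s]+) is vulnerable:$")
FOOTER = re.compile(r"^(?P<n>\d+) problem\(s\) in (?P<m>\d+) installed package\(s\) found\.$")


def parse_audit(text: str) -> list:
    """Turn `pkg audit` output into a list of findings, one per package."""
    findings = []
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"package": m["pkg"], "version": m["ver"],
                       "summary": "", "cves": [], "url": None}
            findings.append(current)
            continue
        if current is None or not raw.startswith("  "):
            # blank line or footer: the current block is finished
            current = None if not raw.strip() else current
            continue
        line = raw.strip()
        if line.startswith("CVE: "):
            current["cves"].append(line[len("CVE: "):])
        elif line.startswith("WWW: "):
            current["url"] = line[len("WWW: "):]
        elif not current["summary"]:
            current["summary"] = line
    return findings


def consistent_with_footer(text: str, findings: list) -> bool:
    """Cross-check the parsed findings against pkg's own summary line,
    so a truncated capture does not silently pass as 'two problems'."""
    for raw in text.splitlines():
        m = FOOTER.match(raw.strip())
        if m:
            return int(m["m"]) == len(findings)
    return False


def all_cves(findings: list) -> list:
    """Flat, sorted list of every CVE in the report."""
    return sorted({cve for f in findings for cve in f["cves"]})


if __name__ == "__main__":
    found = parse_audit(SAMPLE_AUDIT)
    print("footer agrees:", consistent_with_footer(SAMPLE_AUDIT, found))
    for f in found:
        print(f"{f['package']}-{f['version']}: {', '.join(f['cves'])}")
```

On a live box, pipe `pkg audit -F` into this script; the VuXML URLs it extracts are the place to read what upstream fixed and which version clears the finding, before deciding whether to wait for the next OPNsense package set or pull the fix early.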
#3
Quote from: c90k on July 09, 2025, 01:23:40 PMHi everyone,

I recently ran into a strange issue where some devices in my network were unable to use certain apps (in particular, Android-based POS devices). After some troubleshooting, I checked the Unbound DNS logs on my OPNsense firewall and noticed that in several cases, the local domain was being appended to external FQDNs.

Here is an example
Time                   Domain                           Action   Source      Return Code   Resolve time   TTL
2025-07-09 12:59:55    api.sunmi.com.                   Pass     Cache       NOERROR       0ms            27
2025-07-09 12:59:50    api.sunmi.com.                   Pass     Recursion   NOERROR       394ms          32
2025-07-09 12:58:45    api.sunmi.com.                   Pass     Recursion   NOERROR       15ms           50
2025-07-09 12:58:45    api.sunmi.com.domainname.local.  Pass     Recursion   NXDOMAIN      14ms           85

Or attached you can find a screenshot.

As you can see, the query api.sunmi.com resolves correctly. However, there's also a request for api.sunmi.com.domainname.local, which fails with NXDOMAIN. This seems to be causing issues with app connectivity and delays.
Now I'm wondering:
Is this a client-side issue, or is Unbound responsible for appending the local domain?
For years I've used domainname.at as the system domain under System > Settings > General. Recently I changed it to domainname.local for testing, but the behavior still occurs.
If anyone has seen this before or knows how to prevent Unbound from appending the local domain to fully qualified hostnames, I'd really appreciate your input.
Let me know if you need more details!

Thanks, Chris
Hey Chris, that behavior usually comes from the client side—devices append the search domain when queries don't resolve instantly. In OPNsense/Unbound you can disable "register system domain" or adjust DHCP/DNS search domains to avoid this.
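Two things are worth being able to reproduce here: how a stub resolver turns a typed name into the sequence of queries it actually sends, and how to spot search-list leakage in Unbound's query log without reading it by eye. The block below is an added example, not from the thread or from OPNsense. `query_candidates` follows the glibc-style rules (a trailing dot makes a name absolute and stops search expansion; a name with at least `ndots` dots is tried as-is before any search suffix is appended); other resolvers, Android's included, may order or parallelise these differently, so treat it as a model rather than a statement about the POS devices. The log lines are constructed in the column layout of the table above, with one extra legitimate local name added for contrast.

```python
# Model of search-list expansion (glibc resolver rules, assumed here;
# other stub resolvers may differ in ordering or send queries in parallel).
def query_candidates(name: str, search_domains: list, ndots: int = 1) -> list:
    """Return the fully qualified names a stub resolver would try, in order."""
    if name.endswith("."):
        return [name]                     # absolute name: never search-expanded
    absolute = name + "."
    expanded = [f"{name}.{d.strip('.')}." for d in search_domains]
    if name.count(".") >= ndots:
        return [absolute] + expanded      # as-is first, suffixes only on failure
    return expanded + [absolute]          # short name: suffixes first


# Constructed Unbound query-log lines in the column order of the table above:
# date time domain action source return-code resolve-time ttl
SAMPLE_LOG = """\
2025-07-09 12:59:55    api.sunmi.com.                   Pass    Cache        NOERROR     0ms     27
2025-07-09 12:58:45    api.sunmi.com.                   Pass    Recursion    NOERROR     15ms    50
2025-07-09 12:58:45    api.sunmi.com.domainname.local.  Pass    Recursion    NXDOMAIN    14ms    85
2025-07-09 12:58:40    printer.domainname.local.        Pass    Recursion    NOERROR     3ms     300
"""


def search_leaks(log_text: str, local_domain: str) -> dict:
    """Find queries where an already-qualified external name had the local
    search domain appended, e.g. api.sunmi.com.domainname.local.

    Returns {query_name: return_code}. Plain local hosts such as
    printer.domainname.local are not reported because the part before the
    suffix contains no dot of its own."""
    suffix = "." + local_domain.strip(".") + "."
    leaks = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        qname, rcode = fields[2], fields[5]
        if not qname.endswith(suffix):
            continue
        inner = qname[: -len(suffix)]
        if "." in inner:
            leaks[qname] = rcode
    return leaks


if __name__ == "__main__":
    print(query_candidates("api.sunmi.com", ["domainname.local"]))
    print(query_candidates("api.sunmi.com.", ["domainname.local"]))
    print(search_leaks(SAMPLE_LOG, "domainname.local"))
```

If the leak detector lists names, the clients are doing the expansion; on Unbound's side the only thing to decide is whether a suffixed name for a non-existent host should come back quickly as NXDOMAIN (which it does above, at 14ms) rather than be forwarded upstream.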