Messages - adv

#1
Quote from: nero355 on February 05, 2026, 03:13:15 PM
So just add to the Client's config file the following =>

file (client.ovpn):
route-nopull
route 192.168.90.0 255.255.255.0

I assumed the subnet here, but you get the idea :)

I tried your suggestion of:
route-nopull
route 192.168.90.0 255.255.255.0
but it did nothing.  So I then tried playing around with random settings in the VPN setup.  I finally noticed a field called "DNS Server" so I thought I would give it a try.  I put in the IP of the server VPN interface and it worked!  The local client took that interface as its DNS server.  I find it very strange that none of the tutorials I searched, including the one in OPNsense's own documentation here: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html mentioned anything about this field being required to make this work.  That cost me a lot of hours.

I then reinserted your code above and it made the local client's Internet connection keep its own DNS settings while the VPN connection kept the remote server as its DNS.  Mission accomplished.

Thanks so much for your help.
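The `route-nopull` + `route` pair that fixed the thread's problem can be checked mechanically. This is an added example, not code from the thread or from OPNsense/OpenVPN: it parses a client profile, reports whether it is a split tunnel (route-nopull present, no redirect-gateway, explicit routes for the remote LAN), and rewrites a full-tunnel profile into the split form. The sample profiles are constructed; only the 192.168.90.0/24 subnet comes from the thread, the server name is a placeholder.

```python
"""Split-tunnel check for an OpenVPN client profile. Added example, not code
from the thread or from OPNsense/OpenVPN. It looks for the two directives the
thread settled on: route-nopull (ignore routes and DNS pushed by the server)
and an explicit `route <network> <netmask>` for the remote LAN."""
import ipaddress
# Constructed samples; 192.168.90.0/24 is the thread's remote LAN, the server name is a placeholder.
SPLIT_TUNNEL_OVPN = """\
client
remote vpn.example.invalid 1194
route-nopull
route 192.168.90.0 255.255.255.0
"""
FULL_TUNNEL_OVPN = """\
client
remote vpn.example.invalid 1194
redirect-gateway def1   ; send all traffic through the tunnel
"""

def parse_directives(text):
    """Yield (directive, args) per line, skipping comments and inline
    <ca>...</ca>-style blocks, whose PEM lines are not directives."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            continue
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def analyze(text):
    """Summarise routing directives and decide whether this is a split tunnel."""
    report = {"route_nopull": False, "redirect_gateway": False, "routes": []}
    for directive, args in parse_directives(text):
        if directive == "route-nopull":
            report["route_nopull"] = True
        elif directive == "redirect-gateway":
            report["redirect_gateway"] = True
        elif directive == "route" and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            report["routes"].append(str(ipaddress.IPv4Network((args[0], mask), strict=False)))
    report["split_tunnel"] = (report["route_nopull"] and not report["redirect_gateway"]
                              and bool(report["routes"]))
    return report

def to_split_tunnel(text, remote_subnets):
    """Copy of the profile with redirect-gateway dropped and route-nopull plus
    one static route per remote subnet (CIDR strings) appended."""
    kept = [l for l in text.splitlines() if not l.strip().startswith("redirect-gateway")]
    if not any(l.strip() == "route-nopull" for l in kept):
        kept.append("route-nopull")
    for cidr in remote_subnets:
        net = ipaddress.IPv4Network(cidr)
        kept.append(f"route {net.network_address} {net.netmask}")
    return "\n".join(kept) + "\n"
```

Because `route-nopull` also discards pushed `dhcp-option DNS` entries, the client keeps its own resolver unless the profile or the OPNsense DNS Server field supplies one, which matches what the thread observed.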
#2
Quote from: nero355 on February 04, 2026, 07:18:33 PM
Some questions =>

Quote from: adv on February 04, 2026, 06:50:45 PM
From my local Windows 11 computer:
Local network:
ping -n 1 192.168.1.24

Pinging 192.168.1.24 with 32 bytes of data:
Reply from 192.168.1.24: bytes=32 time=22ms TTL=64

Ping statistics for 192.168.1.24:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 22ms, Average = 22ms
Who is this IP address ?

Another PC ? Your Router ? Something else ?

192.168.1.24 is another PC on the local network.

Quote from: adv
Remote network:
ping -n 1 192.168.90.17

Pinging 192.168.90.17 with 32 bytes of data:
Reply from 192.168.90.17: bytes=32 time=23ms TTL=63

Ping statistics for 192.168.90.17:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 23ms, Average = 23ms

This is the subnet on the OpenVPN connection and the IP address of the Remote Desktop PC ?!

No, 192.168.90.0/24 is a subnet at the remote location and 192.168.90.17 is a device on that subnet.

Quote from: adv
Internet:
ping -n 1 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=19ms TTL=114

Ping statistics for 8.8.8.8:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
You ping without DNS resolving, but is the VPN active ? On which Client/Server ?

Yes, VPN was active then and it did ping Google.

Quote from: adv
Ping of local network, remote network, and Google get quick replies.  So, there is some Internet connectivity but I am still unable to browse.
On the Remote Desktop PC or your Local PC ?

On the local PC.  Browsing on the remote PC works fine.

Quote from: adv
tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    10 ms    12 ms    10 ms  10.61.193.35
  3    12 ms    13 ms    10 ms  162.151.216.241
  4    12 ms     9 ms    18 ms  po-2-rur201.exeter.nh.boston.comcast.net [68.86.224.229]
  5    38 ms    19 ms   124 ms  po-200-xar01.exeter.nh.boston.comcast.net [96.110.22.29]
  6   109 ms    16 ms    23 ms  be-301-arsc1.needham.ma.boston.comcast.net [162.151.150.125]
  7    23 ms    28 ms    18 ms  96.110.42.9
  8    25 ms    22 ms    20 ms  96.110.34.26
  9     *        *        *     Request timed out.
 10    25 ms    18 ms    19 ms  142.251.225.89
 11    25 ms    19 ms    21 ms  142.251.60.235
 12    20 ms    18 ms    18 ms  dns.google [8.8.8.8]

Trace complete.
Who is :
  2    10 ms    12 ms    10 ms  10.61.193.35
Exactly ?

No idea who 10.61.193.35 is nor 162.151.216.241.  I was guessing they were part of my ISP's infrastructure???

Quote from: adv
nslookup 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  207.172.3.9

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
This should tell you dns.google as answer, but usually you nslookup opnsense.org for example and then it gives you an IP address.

That is the reason you "Have no internet" in your browser I think.

So you are saying there is no DNS?  Is that the cause of all of this?  My thought is that it could be.  So, what I want to do is to have the local computer run its Internet traffic and its DNS through its own Internet connection and NOT through the tunnel.  That is known as Split-Horizon, right?  I just can't find a good how-to article on the most recent version of OpenVPN.
#3
Quote from: nero355 on February 04, 2026, 07:08:30 PM
Quote from: adv on February 04, 2026, 06:50:45 PM
Again, not sure what this really means for me.
I would say you have no DNS Server on the OpenVPN connection ?

It has been a while since I have done anything with OpenVPN so I can't help you that much, but in general for any VPN there is for example the option to have so called 'Split-Horizon' connections via a tunnel.

You can then decide :
- If there should be an Internet Connection via the Tunnel.
It will then replace your Local Internet Connection.
- If there should be a DNS Server available inside the Tunnel.
If not, then the Client uses its Local DNS Server.

When you use the OpenVPN connection just like a shortcut to the Remote Desktop and for nothing else then both sides are connected as 'Split-Horizon' and not a so called 'Full Tunnel' :)

Basically check your Routing & DNS Options you have applied to the OpenVPN connection and make sure they do exactly what you want them to do !!

Right, my research turned up mentions of "Split-Horizon" and I think that is what I want.  I don't want all Internet coming through the tunnel.  I want the client to still use its own Internet connection.  The problem is that I can't find info on how to do that.  I found some mention of the "Redirect gateway" setting but I cannot find any info on what each of those settings does and they are not intuitive (and other posters found the same problem).  So, I just don't know how to set all that up and can't find a good how-to.
#4
Quote from: nero355 on February 04, 2026, 05:50:53 PM
What did ping/tracert/traceroute/nslookup/dig have to say about this ?? ;)

Thanks for your help.

From my local Windows 11 computer:
Local network:
ping -n 1 192.168.1.24

Pinging 192.168.1.24 with 32 bytes of data:
Reply from 192.168.1.24: bytes=32 time=22ms TTL=64

Ping statistics for 192.168.1.24:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 22ms, Average = 22ms

Remote network:
ping -n 1 192.168.90.17

Pinging 192.168.90.17 with 32 bytes of data:
Reply from 192.168.90.17: bytes=32 time=23ms TTL=63

Ping statistics for 192.168.90.17:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 23ms, Average = 23ms

Internet:
ping -n 1 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=19ms TTL=114

Ping statistics for 8.8.8.8:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms

Ping of local network, remote network, and Google get quick replies.  So, there is some Internet connectivity but I am still unable to browse.

tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    10 ms    12 ms    10 ms  10.61.193.35
  3    12 ms    13 ms    10 ms  162.151.216.241
  4    12 ms     9 ms    18 ms  po-2-rur201.exeter.nh.boston.comcast.net [68.86.224.229]
  5    38 ms    19 ms   124 ms  po-200-xar01.exeter.nh.boston.comcast.net [96.110.22.29]
  6   109 ms    16 ms    23 ms  be-301-arsc1.needham.ma.boston.comcast.net [162.151.150.125]
  7    23 ms    28 ms    18 ms  96.110.42.9
  8    25 ms    22 ms    20 ms  96.110.34.26
  9     *        *        *     Request timed out.
 10    25 ms    18 ms    19 ms  142.251.225.89
 11    25 ms    19 ms    21 ms  142.251.60.235
 12    20 ms    18 ms    18 ms  dns.google [8.8.8.8]

Trace complete.

I just don't know enough to interpret those results.

nslookup 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  207.172.3.9

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Again, not sure what this really means for me.
#5
I just set up an OpenVPN instance on 25.7.11_2.  It connects and traffic via the tunnel seems fine, with Windows Remote Desktop able to connect and function and surf the Internet from the remote computer.  But the local computer loses its Internet connection completely.  The Internet comes back as soon as I disconnect from the OpenVPN server.

I am new to this so can only guess at the cause and solution.  I guessed that it has something to do with the Internet traffic on the local computer being redirected through the tunnel but then I should get at least some response to web page clicks but I get NOTHING.  Now I am guessing that it might have something to do with DNS.  I tried toggling a few settings but nothing changed.  Can someone point me in the right direction?
#6
Quote from: vk2him on January 30, 2026, 09:53:17 AM
Quote from: adv on January 30, 2026, 01:59:00 AM
Any thoughts on if my router should be accessible via example.com and why I am getting an error?

The help for the setting "Alternate Hostnames" under System > Settings > Administration says this: "Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks
Here you can specify alternate hostnames by which the router may be queried, to bypass the DNS Rebinding Attack checks. Separate hostnames with spaces."

Perhaps you could enter this in there and see if you still get the error?
example.dyndns.org example.com

I tried that and it works but it worries me because I would think that it should work without it, right?  I'm wondering if there is something broken in my setup that is causing it not to work.  And is it another symptom of whatever is causing the other problems in my setup?

Does anyone have any ideas about what I might have done wrong?
#7
Quote from: rajiv on January 30, 2026, 04:54:17 AM
The code change to support profiles in the os-acme-client plugin was merged today, after the 26.1 release. So I would guess it will be in the next version. I do not know the details of the OPNSense release process, so we'll have to wait and see. You can see the code in opnsense/plugins/pull/5154.

The code shows that once the feature is available, there will be a "Certificate Profile" text field in the "Edit Certificate" dialog.

Thanks so much @rajiv for that info.  I'll wait until it is released and test it and then mark this as solved once functionality is confirmed.
#8
Quote from: Patrick M. Hausen on January 30, 2026, 12:58:17 AM
Have the domain name point to your external IP address and use a reverse proxy like Caddy for access and TLS/SSL termination. Works from the inside (LAN) just as well.

If it's not HTTP or HTTPS but some other service, still have the DNS point to the external address only and use NAT reflection for your internal clients.

Split-DNS while originally a good idea leads to a very complicated setup for services that are supposed to be both public and private. Just settle with a single IP address for all.

Sounds complicated but I'll take a look.  Know of a good How To?

Any thoughts on if my router should be accessible via example.com and why I am getting an error?
#9
I have a domain name, example.com.  I want to use it both on my LAN and on the Internet to access my OPNsense router.  I read a few how to articles and set it up but it is not working.  Tried a few things but failed.  I need some help.

1. External access question: example.com is pointing to public static IP of OPNsense router.  Let's Encrypt example.com certificate is installed on router and also includes an alternate name of example.dyndns.org.  I have example.dyndns.org listed in "Alternate Hostnames" under System > Settings > Administration and it works fine to access the router. But example.com gives me "A potential DNS Rebind attack has been detected." error.  I have example.com listed as the Domain under System > Settings > General so shouldn't it work?  Plus, we have the certificate for it.  Am I missing something?

2. Internal access question: We have 4 VLANs, vl10, vl20, vl30, and vl40 using Dnsmasq for DHCP and DNS over TLS in Unbound in the standard configuration (I think) that is described in the OPNsense Manual here:
https://docs.opnsense.org/manual/dnsmasq.html#

We have query forwarding setup in Unbound for 4 zones with:
-Domain = vl10.example.com, vl20.example.com, etc
-Server IP = 127.0.0.1
-Server Port = 53053
Plus, reverse of:
-Domain = 168.192.in-addr.arpa
-Server IP = 127.0.0.1
-Server Port = 53053

Dnsmasq has 4 Ranges set to:
-Interface = vl10, vl20, etc.
-IPs = 192.168.10.2 to 192.168.10.255, 192.168.20.2 to 192.168.20.255, etc.
-Domain = vl10.example.com, vl20.example.com, etc.

My clients are getting DHCP leases on vl10 just fine.  Problem is that a client then cannot ping itself via client1.vl10.example.com.  Error says it could not be found.  But clients CAN ping themselves via their IP addresses.  Also, the log in Unbound is set to Level 2 but it is empty.

The example in the Manual that I followed is for setting up using a different private internal domain name, lan.internal, and there was a short note that if a public domain name was to be used instead then we could create a zone that is not used on the Internet, like lan.internal.example.com.  I used vl10.example.com so is that a problem?  Must the ".internal" be included?

Also, until a few days ago before I had the query forwarding setup I had xxx.internal entered as the Domain under System > Settings > General and all clients on the VLAN were seeing each other.  Now they cannot see each other.  Not sure if that is of help in diagnosing.

Anyone see any other possible solutions to get the resolution and/or VLANs to work?
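The "potential DNS Rebind attack" error in question 1 (and the Alternate Hostnames workaround discussed in a later reply) comes down to a Host-header comparison. The following is an added, illustrative reimplementation of that kind of check, not OPNsense's own code; it assumes the rule: an IP literal is accepted, otherwise the name must equal hostname.domain (System > Settings > General) or appear in the space-separated Alternate Hostnames field. The system hostname "fw" is a placeholder; example.com and example.dyndns.org are the names from the post.

```python
"""Host-header check of the kind behind the "potential DNS Rebind attack"
warning. Added illustrative example, not OPNsense's own code. Assumed rule:
an IP literal is accepted (no name was resolved, so nothing could be
rebound); otherwise the name must equal <hostname>.<domain> from
System > Settings > General or appear in Alternate Hostnames."""
import ipaddress
from urllib.parse import urlsplit

def normalise_host(host_header):
    """'Example.COM:8443' -> 'example.com', '[2001:db8::1]:443' -> '2001:db8::1'."""
    parts = urlsplit("//" + host_header.strip())   # parse as a bare authority
    return (parts.hostname or "").rstrip(".")      # .hostname is already lower-cased

def allowed_names(hostname, domain, alternate_hostnames=""):
    """The set of names the GUI will answer to under the assumed rule."""
    names = {f"{hostname}.{domain}".lower()}
    names.update(n.lower() for n in alternate_hostnames.split())  # space-separated field
    return names

def host_allowed(host_header, hostname, domain, alternate_hostnames=""):
    """True if the request would pass the rebind check, False if it would be refused."""
    host = normalise_host(host_header)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass   # not an IP literal: fall through to the name checks
    return host in allowed_names(hostname, domain, alternate_hostnames)

def name_to_add(host_header, hostname, domain, alternate_hostnames=""):
    """Return the name that would have to be appended to Alternate Hostnames
    for this request to pass, or None if it already passes."""
    if host_allowed(host_header, hostname, domain, alternate_hostnames):
        return None
    return normalise_host(host_header) or None

# Constructed scenario from the post: domain example.com, alternate hostname
# example.dyndns.org; the system hostname "fw" is a placeholder.
HOSTNAME, DOMAIN, ALTERNATES = "fw", "example.com", "example.dyndns.org"

if __name__ == "__main__":
    for host in ("example.dyndns.org", "example.com", "fw.example.com", "192.168.10.1:443"):
        print(host, "->", "ok" if host_allowed(host, HOSTNAME, DOMAIN, ALTERNATES) else
              f"refused, add {name_to_add(host, HOSTNAME, DOMAIN, ALTERNATES)!r}")
```

Under this rule the bare domain example.com is not the same string as fw.example.com, so it passes only once it is listed as an alternate hostname; the check deliberately refuses anything else so that a rebound attacker-controlled name cannot reach the GUI.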


#10
Quote from: gspannu on January 29, 2026, 08:25:46 AM
Quote from: adv on January 29, 2026, 01:02:01 AM
Thanks for the help, everyone.  I guess we'll wait and see....

I guess it may have been implemented in 26.1. I haven't had a chance to read the change notes (or install 26.1 yet), but I have an inclination it has been included...

So you are saying such functions as described by @rajiv may have been included in 26.1?  Where would I find that functionality in the menu structure?
#11
Thanks for the help, everyone.  I guess we'll wait and see....
#12
Quote from: Patrick M. Hausen on January 26, 2026, 06:18:30 PM
You cannot have a certificate for an IP address. You must use a domain name.

Do you mean in general, or is this specifically an OPNsense issue?  In general, Let's Encrypt says we can as of a few days ago:
https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability
#13
I want to replace the self-signed certificate for the web GUI with a Let's Encrypt certificate for my IP address.  I do not have a domain name and access using the IP address directly.  I see that Let's Encrypt just started issuing certificates for IP addresses so I should be good to go, right?  Can't get it to work.

I followed instructions found in many tutorials on the web for setting up an LE cert with an FQDN but entered the IPv4 address instead of an FQDN.  A Google search brought me this set of AI-generated instructions specifically for doing it with an IP address instead of an FQDN, all of which I followed:

AI Overview

To set up OPNsense with a Let's Encrypt certificate for a public IP address, you must use the OPNsense ACME client plugin and the HTTP-01 or TLS-ALPN-01 challenge methods, as DNS challenges are not supported for IP addresses. The certificate will be valid for approximately six days and must be renewed automatically.

Prerequisites
A static, public IP address that your OPNsense firewall can serve traffic on.
The os-acme-client plugin installed on your OPNsense system (go to System > Firmware > Plugins and install it if it is not already present).
Ports 80 or 443 must be publicly accessible and forward traffic to the OPNsense instance for the duration of the validation process.

Step-by-Step Guide
1. Configure the ACME Account:
1. Navigate to Services > ACME Client > Accounts.
2. Click the + button to add a new account.
3. Enter a Descriptive name.
4. Select Let's Encrypt Production ACME v02 as the ACME CA.
5. Enter your email address for important notifications (like renewal failures).
6. Check the E-mail box and click Register new account.
7. Click Save.

2. Create a Certificate:
1. Go to Services > ACME Client > Certificates.
2. Click the + button.
3. Enter a Descriptive name.
4. In the Common Name field, enter your public IP address.
5. Select the ACME Account you created in the previous step.
6. Click Save.

3. Configure the Challenge Type:
1. Go to the Services > ACME Client > Settings page and then the Challenge Types tab.
2. Click the + button.
3. Select the Challenge Type (either HTTP-01 or TLS-ALPN-01). The HTTP-01 method is generally simpler.
4. Select the correct Interface where the public IP resides (e.g., WAN).
5. Click Save.

4. Issue the Certificate:
1. Go back to Services > ACME Client > Certificates.
2. Click the "Issue/Renew All Certificates" button (or the issue button specific to your certificate).
3. Wait a few seconds and refresh the page. The "Issue Date" and "Last ACME Status" fields should show as "OK".

5. Automate Renewal:
1. Let's Encrypt IP certificates are short-lived (around 6 days), so automation is essential. The OPNsense ACME client handles this automatically, but you should ensure the service is enabled and running under Services > ACME Client > Settings.
2. You may also create an automation to restart the web GUI (under the Automations tab in ACME Client settings) and link it to the certificate to ensure the new certificate is applied automatically after renewal.

6. Assign the Certificate to the Web GUI (Optional):
1. Navigate to System > Settings > Administration.
2. In the Web GUI section, select your new Let's Encrypt certificate from the SSL Certificate dropdown menu.
3. Click Save. Your browser will now use the valid certificate when you access the OPNsense web interface via its public IP address.


I DO have a firewall rule on interface WAN allowing ports 80 and 443 to "This Firewall".  I do NOT have the web GUI listening on 443.

Has anyone been able to make IP address certificate work?  Anyone got any suggestions?