Messages - mircsicz

#2
I was just hit by this after upgrading to 24.1.7


2024-05-21T19:29:59-04:00 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 8.8.4.4 bind_addr 100.99.yy.xx identifier "WAN_SL_DHCP "
2024-05-21T19:29:59-04:00 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 8.8.8.8 bind_addr 192.168.1.64 identifier "WAN_MX_DHCP "
2024-05-21T19:29:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:29:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:29:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:13:59-04:00 Warning dpinger send_interval 1000ms loss_interval 4000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 0ms loss_alarm 0% alarm_hold 10000ms dest_addr 1.1.1.1 bind_addr 100.99.yy.xx identifier "WAN_SL_DHCP "
2024-05-21T19:13:59-04:00 Warning dpinger exiting on signal 15
2024-05-21T19:13:57-04:00 Warning dpinger WAN_SL_DHCP 1.1.1.1: sendto error: 22
2024-05-21T19:13:56-04:00 Warning dpinger WAN_SL_DHCP 1.1.1.1: sendto error: 22


I've set the Starlink GW as a far GW for now...

Also there's another similar post

EDIT: Setting it as a far GW doesn't help at all! :-(
#3
For me switching to another Repo-Mirror solved it...

For anybody else facing it: I was hit on my way from 24.1.3 to 24.1.4 ;-)
#5
Hi all,

This morning I got an email from my WiFi-WAN provider, asking me to restore power to the AP on my roof. As I'm currently not in the EU and couldn't reach my Dad, who is housesitting, I started to dig into the issue:

Found this in the Unbound log:

2023-04-08T14:10:57 Critical unbound [31257:0] fatal error: could not complete write: /root.key: No space left on device
2023-04-08T14:10:56 Error unbound [31257:0] error: could not fflush(/root.key): No space left on device
2023-04-08T14:10:51 Warning unbound PTR record already exists for unifi.mydom.de(10.yy.xxx.14)


So I checked the FS via SSH:

mircsicz@router:~ $ uptime
2:12PM  up  4:06, 1 user, load averages: 0.42, 0.35, 0.28
mircsicz@router:~ $ df -h
Filesystem                  Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              14G     13G   -153M   101%    /


Damn it, so my APU's 16GB SSD is full! And here's the offender:

mircsicz@router:~ $ sudo du -h /var/log
88K    /var/log/lighttpd
4.0K    /var/log/suricata
4.0K    /var/log/ntp
5.1M    /var/log/audit
8.7G    /var/log/filter


So I rm'd some of those:

mirco@router:~ $ sudo ls -lh /var/log/filter
total 18213184
-rw-------  1 root  wheel   143M Mar 10 00:00 filter_20230309.log
-rw-------  1 root  wheel   154M Mar 11 00:00 filter_20230310.log
-rw-------  1 root  wheel   127M Mar 12 00:00 filter_20230311.log
-rw-------  1 root  wheel   153M Mar 13 00:00 filter_20230312.log
-rw-------  1 root  wheel   132M Mar 14 00:00 filter_20230313.log
-rw-------  1 root  wheel   130M Mar 15 00:00 filter_20230314.log
-rw-------  1 root  wheel   140M Mar 15 23:59 filter_20230315.log
-rw-------  1 root  wheel   130M Mar 17 00:00 filter_20230316.log
-rw-------  1 root  wheel   145M Mar 18 00:00 filter_20230317.log
-rw-------  1 root  wheel   126M Mar 19 00:00 filter_20230318.log
-rw-------  1 root  wheel   125M Mar 20 00:00 filter_20230319.log
-rw-------  1 root  wheel   144M Mar 21 00:00 filter_20230320.log
-rw-------  1 root  wheel   131M Mar 22 00:00 filter_20230321.log
-rw-------  1 root  wheel   117M Mar 23 00:00 filter_20230322.log
-rw-------  1 root  wheel   150M Mar 24 00:00 filter_20230323.log
-rw-------  1 root  wheel   295M Mar 25 00:00 filter_20230324.log
-rw-------  1 root  wheel   502M Mar 25 23:59 filter_20230325.log
-rw-------  1 root  wheel   462M Mar 27 00:00 filter_20230326.log
-rw-------  1 root  wheel   502M Mar 28 00:00 filter_20230327.log
-rw-------  1 root  wheel   515M Mar 29 00:00 filter_20230328.log
-rw-------  1 root  wheel   517M Mar 30 00:00 filter_20230329.log
-rw-------  1 root  wheel   344M Mar 31 00:00 filter_20230330.log
-rw-------  1 root  wheel   320M Apr  1 00:00 filter_20230331.log
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:18 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log

root@router:/var/log/filter # rm filter_202303*
root@router:/var/log/filter # ls -lh
total 6938944
-rw-------  1 root  wheel   419M Apr  2 00:00 filter_20230401.log
-rw-------  1 root  wheel   352M Apr  3 00:00 filter_20230402.log
-rw-------  1 root  wheel   505M Apr  4 00:00 filter_20230403.log
-rw-------  1 root  wheel   528M Apr  5 00:00 filter_20230404.log
-rw-------  1 root  wheel   540M Apr  6 00:00 filter_20230405.log
-rw-------  1 root  wheel   507M Apr  7 00:00 filter_20230406.log
-rw-------  1 root  wheel   332M Apr  8 00:00 filter_20230407.log
-rw-------  1 root  wheel   204M Apr  8 14:19 filter_20230408.log
lrwxr-x---  1 root  wheel    35B Apr  8 14:01 latest.log -> /var/log/filter/filter_20230408.log


Then I checked through my Filter rules but all of them are like that.

So, long story short, the question: Is there a way to check for Filter rules that have logging enabled in the config?
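One way to answer that question offline, as an added example that is not from this thread or from OPNsense itself: read a config.xml backup and list every rule that carries a `<log>` element. The two rule locations (`<filter>` for the legacy rule list, `OPNsense/Firewall/Filter/rules` for the MVC one) and the `<log>` marker are assumptions about the config layout; check them against your own backup before trusting the output.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment, not a real export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type><interface>lan</interface>
      <descr>Default allow LAN to any rule</descr><log>1</log>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <descr>Allow WireGuard</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <descr>Block bogons to LAN</descr><log/>
    </rule>
  </filter>
</opnsense>
"""

# Assumption: legacy rules sit under <filter>, MVC rules under
# OPNsense/Firewall/Filter/rules; both mark logging with a <log> element
# (either an empty <log/> or <log>1</log>).
RULE_LISTS = ("filter", "OPNsense/Firewall/Filter/rules")


def rule_logs(rule):
    """True when the rule carries a <log> element that is not explicitly off."""
    log = rule.find("log")
    if log is None:
        return False
    return (log.text or "").strip().lower() not in ("0", "no", "off")


def logging_rules(xml_text):
    """Return (interface, type, descr) for every rule with logging enabled."""
    root = ET.fromstring(xml_text)
    found = []
    for path in RULE_LISTS:
        container = root.find(path)
        if container is None:
            continue
        for rule in container.findall("rule"):
            if rule_logs(rule):
                found.append((rule.findtext("interface", "?").strip(),
                              rule.findtext("type", "?").strip(),
                              rule.findtext("descr", "").strip()))
    return found


if __name__ == "__main__":
    # Pass the path of a config.xml backup; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for iface, rtype, descr in logging_rules(text):
        print(f"{iface:8} {rtype:6} {descr}")
```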
#6
Hardware and Performance / Re: OPNsense on ARM
November 22, 2022, 12:31:16 AM
I'd love to pack a Raspberry or Banana Pi in my travel gear to have an OPNsense for WG and the like with me...

Are there any official plans?
#7
Thx for the hint, but that method seems to be unavailable when using the web interface to configure ddclient...

I've now checked the source code of /usr/local/opnsense/scripts/ddclient/checkip and found this list inside:

service_list = {
  'dyndns': '%s://checkip.dyndns.org/',
  'freedns': '%s://freedns.afraid.org/dynamic/check.php',
  'googledomains': '%s://domains.google.com/checkip',
  'he': '%s://checkip.dns.he.net/',
  'ip4only.me': '%s://ip4only.me/api/',
  'ip6only.me': '%s://ip6only.me/api/',
  'ipify-ipv4': '%s://api.ipify.org/',
  'ipify-ipv6': '%s://api6.ipify.org/',
  'loopia': '%s://dns.loopia.se/checkip/checkip.php',
  'myonlineportal': '%s://myonlineportal.net/checkip',
  'noip-ipv4': '%s://ip1.dynupdate.no-ip.com/',
  'noip-ipv6': '%s://ip1.dynupdate6.no-ip.com/',
  'nsupdate.info-ipv4': '%s://ipv4.nsupdate.info/myip',
  'nsupdate.info-ipv6': '%s://ipv6.nsupdate.info/myip',
  'zoneedit': '%s://dynamic.zoneedit.com/checkip.html'
}


After checking some of these I checked googledomains, and that seems to work so far:

2022-06-22T23:48:17 Notice ddclient[771] 381 - [meta sequenceId="32"] SUCCESS: foo.ddns.me: skipped: IP address was already set to 185.xxx.xx.xx.
2022-06-22T23:48:10 Notice ddclient[98070] 96230 - [meta sequenceId="31"] WARNING: updating bar.dynns.com: nochg: No update required; unnecessary attempts to change to the current address are considered abusive


I also realized that when switching back to "noip-ipv4" it breaks again...

@franco: as an EBI you might consider adding a hint to the list of offered services that most of those are just web services like whatismyip.com... Because I first expected it to be specific to my above chosen provider like noIP...
#8
Hi all,

os-dyndns stopped working for me when I was using No-IP Group Passwds. So I had to revert to my Master Passwd for all machines using that account a while ago. That is why I was happy to read that os-ddclient is gonna replace os-dyndns!

Now that we're about to transition to 22.7 I looked into migrating my setups to os-ddclient but am facing some issues with ddclient:

I've already read this thread and also this thread

With my setup I see the following in the logs:


2022-06-22T15:59:41 Notice ddclient[98565] 93904 - [meta sequenceId="7"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:35 Notice ddclient[52758] 73674 - [meta sequenceId="6"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:10 Notice ddclient[771] 37236 - [meta sequenceId="5"] WARNING: unable to determine IP address
2022-06-22T15:59:10 Notice ddclient[771] 35027 - [meta sequenceId="4"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:07 Notice ddclient[98070] 17061 - [meta sequenceId="3"] WARNING: unable to determine IP address
2022-06-22T15:59:07 Notice ddclient[98070] 16274 - [meta sequenceId="2"] WARNING: found neither ipv4 nor ipv6 address
2022-06-22T15:59:00 Notice ddclient[95522] 19804 - [meta sequenceId="1"] WARNING: found neither ipv4 nor ipv6 address


So far I've tried the following "Check ip methods":

  • noip-ipv4
  • interface

But the log doesn't change...

This is what my ddclient.conf looks like:

daemon=300
syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes


use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i pppoe0 -t 1 -s noip-ipv4",
protocol=noip, \
login=MYUSER, \
password=MYPASSWD \
foo.ddns.me


I'm hoping one of you spots the missing link...

I've also read this hint and tried to run it from ssh like this:

# sudo ddclient -daemon=0 -debug -verbose -noquiet
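To see how ddclient can end up reporting "found neither ipv4 nor ipv6 address", here is an added example (not the thread's and not OPNsense's checkip script): it pulls an address out of the kind of body those check-ip services return and rejects one that is not publicly routable. The sample responses are constructed, and the public-address check is an extra caveat of this example, not something the thread states.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{1,4}\b")

# Constructed sample responses, shaped like what such services return;
# 8.8.8.8 stands in for a real public address.
SAMPLE_BODIES = {
    "dyndns": "<html><head><title>Current IP Check</title></head>"
              "<body>Current IP Address: 8.8.8.8</body></html>",
    "noip-ipv4": "100.99.0.1\n",      # 100.64.0.0/10 is CGNAT space (Starlink, mobile)
    "ipify-ipv6": "2001:db8::1234\n",  # documentation prefix, so not public either
    "blocked": "<html><body>403 Forbidden</body></html>",
}


def extract_ip(body):
    """First IPv4 or IPv6 address in the body, or None when there is none."""
    m = IPV4_RE.search(body) or IPV6_RE.search(body)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(0))
    except ValueError:   # the loose regex also matches things like 999.1.2.3
        return None


def usable_ddns_address(body):
    """(address, reason): address is None when the body cannot be used for a
    DDNS update, mirroring ddclient's 'found neither ipv4 nor ipv6 address'."""
    ip = extract_ip(body)
    if ip is None:
        return None, "found neither ipv4 nor ipv6 address"
    if not ip.is_global:   # RFC1918, CGNAT, link-local, documentation ranges
        return None, f"{ip} is not a public address"
    return str(ip), "ok"


def check_all(bodies=SAMPLE_BODIES):
    """Map each service name to its (address, reason) verdict."""
    return {name: usable_ddns_address(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, (addr, reason) in check_all().items():
        print(f"{name:12} {addr or '-':16} {reason}")
```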
#9
So I've found a reason for my instances not activating the tunnel:

As soon as I add an additional "allowed ips" entry the tunnel goes down:

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823


brings up the tunnel without an endpoint:


$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY
  private key: (hidden)
  listening port: 21823


As soon as I add

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21823
AllowedIPs = 172.xx.xx.x/24,10.xx.xxx.0/24
PersistentKeepalive = 60


the tunnel goes down:
$ sudo wg

So I thought it might be an issue with the keys and recreated them like a dozen times! Then I tried stripping ',10.xx.xxx.0/24' from the "allowed ips" parameter and tada, the tunnel comes up:

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21823
AllowedIPs = 172.xx.xx.0/24
PersistentKeepalive = 60


the tunnel comes up:

$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY
  private key: (hidden)
  listening port: 21823

peer: LOCALPUBKEY
  endpoint: 185.144.YY.YY:21823
  allowed ips: 172.xx.xx.0/24
  transfer: 0 B received, 6.94 KiB sent
  persistent keepalive: every 1 minute


Problem is the stripped IP-range is my "Main OPNSense" Subnet... And there's no handshake!

@franco you got a hint why this is happening?

BTW: Just reproduced it on a second remoteside:


$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY2
Address = 172.xx.27.x/32
ListenPort = 21822

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21822
AllowedIPs = 172.x.x27.x/24
PersistentKeepalive = 60


missing ',10.xx.xxx.0/24' in AllowedIPs, the tunnel comes up too:


$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY2
  private key: (hidden)
  listening port: 21822

peer: LOCALPUBKEY
  endpoint: 185.xxx.xx.xx:21822
  allowed ips: 172.xx.27.0/24
  transfer: 0 B received, 5.06 KiB sent
  persistent keepalive: every 1 minute


I don't f..ing get it.
#10
That's correct, it's just different Tunnels:

#11
Been using it for a while (as VPN Tunnel-Net) and never got issues
#12
So what is it that denies the (additional) tunnel from being activated?

$ sudo /usr/local/etc/rc.d/wireguard stop
wg-quick: `wg0' is not a WireGuard interface


I can run the start/restart but only get default feedback
$ sudo /usr/local/etc/rc.d/wireguard start
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.10.xx.x/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xx.x/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock


But "wg show" remains empty
$ sudo wg show

So this behaviour shows now on two different machines. I've recreated the config on both like 3-4 times. And I also have it on my main FW but only for the third tunnel...


$ cat /etc/rc.conf.d/wireguard
wireguard_var_script="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
wireguard_enable="YES"
wireguard_interfaces="wg0"
start_postcmd=opnsense_postcmd
opnsense_postcmd()
{
    for interface in ${wireguard_interfaces}; do
        ifconfig ${interface} group wireguard
    done
}


For me it's definitely activated, so where else could I look for the problem?!?
#13
Reply to myself:

Can't get it to print a config on the WebIF, but the console gives me some more feedback:


$ sudo wg show
$ sudo wg-quick up /usr/local/etc/wireguard/wg0.conf
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.xx.xx.1/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xxx.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
$ sudo ifconfig -g tun
ovpns1
$ sudo ifconfig wg create name wg0
ifconfig: SIOCIFCREATE2: Invalid argument


so this is what "/usr/local/etc/rc.d/wireguard" uses to start the service

$ sudo /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.xx.xx.1/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xxx.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock


Tried another target/tunnel but have the same issue then with the one above, no Config nor handshake is printed...

It's driving me crazy!
#14
@bubbagump: THX for challenging me to check once more ;-)

Arggghhh, been going over those configs triple times...

But as it goes with quick Saturday couch tasks, I fucked up triple!...

Rechecked the exchanged pubkeys and got the first tunnel up!!!

But there's a 2nd tunnel/target giving me a hard time:



Looking via SSH I can see the config seems to be fine:

[Interface]
PrivateKey = PRIVKEY
Address = 172.10.xx.x/24
ListenPort = xx822

[Peer]
PublicKey = PEERPUBKEY
Endpoint = 172.10.xx.x:xx822
AllowedIPs = 172.10.xx.0/24,10.10.xx.x/24
PersistentKeepalive = 60


There's no other config inside the wireguard config dir:
$ sudo ls -l /usr/local/etc/wireguard/
total 8
-rw-------  1 root  wheel  305 Jul 25 18:51 wg0.conf


But the Interface is really crooked:

--help: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
groups: tun
nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>
Opened by PID 44943


This is a machine on which I already took the XML, removed all Wireguard mentions and restored it as a backup.

On my router, which already has one working tunnel to another target, I can see that there's no contact to the other side:

interface: wg1
  public key: PUBKEY
  private key: (hidden)
  listening port: xx822

peer: PEERPUBKEY
  endpoint: 185.35.xx.xx:xx822
  allowed ips: 10.10.xx.xx/24, 10.x.x.0/24, 10.x.x.0/24
  transfer: 0 B received, 31.80 KiB sent
  persistent keepalive: every 1 minute


Handshake is empty:
wg1 PEERPUBKEY 0

So as there is that interface with this highly uncommon name:

# sudo ifconfig -g tun
ovpns1
--help

how do I delete that interface?

After a reboot it's gone... So let's reconfigure this target.
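As an added example (not from this thread or from OPNsense), the script below reads the machine-readable `wg show <iface> dump` output and flags peers whose latest handshake is 0, the state shown above as `wg1 PEERPUBKEY 0`, which is what to look for before suspecting AllowedIPs. The column layout is WireGuard's documented dump format; the sample dump, keys and endpoints are constructed placeholders.

```python
import time

# Constructed sample of `wg show wg1 dump` (needs root); keys/endpoints are placeholders.
# Column layout (tab separated): first line = interface
#   private_key  public_key  listen_port  fwmark
# following lines = one peer each
#   public_key  preshared_key  endpoint  allowed_ips  latest_handshake  rx  tx  keepalive
NOW = 1_700_000_000   # fixed "current time" so the sample is reproducible
SAMPLE_DUMP = (
    "PRIVKEY\tPUBKEY\t21822\toff\n"
    "PEERPUBKEY\t(none)\t203.0.113.10:21822\t10.10.0.0/24,10.1.0.0/24\t0\t0\t32563\t60\n"
    f"OTHERPEER\t(none)\t198.51.100.7:21823\t172.16.27.0/24\t{NOW - 30}\t5120\t7100\t60\n"
)

# WireGuard rekeys after 120 s of traffic; with keepalives running, a peer that
# has not handshaken for longer than this is treated as stale (a heuristic).
STALE_AFTER = 180


def parse_dump(text):
    """Split the dump into an interface dict and a list of peer dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"),
                     lines[0].split("\t")))
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0], "endpoint": f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6]),
        })
    return iface, peers


def peer_status(peer, now=None, stale_after=STALE_AFTER):
    """'never', 'stale' or 'ok'. 'never' with tx > 0 and rx == 0 means we kept
    sending initiations and nothing came back: wrong peer public key on one side,
    or UDP to the endpoint blocked (in this thread it was mismatched keys)."""
    now = time.time() if now is None else now
    if peer["latest_handshake"] == 0:
        return "never"
    if now - peer["latest_handshake"] > stale_after:
        return "stale"
    return "ok"


def report(text, now=None):
    """Map each peer public key to its handshake status."""
    _, peers = parse_dump(text)
    return {p["public_key"]: peer_status(p, now) for p in peers}


if __name__ == "__main__":
    for key, status in report(SAMPLE_DUMP, NOW).items():
        print(f"{status:6} {key}")
```

On a live box, feed it `sudo wg show wg1 dump` instead of the sample and leave `now` at its default.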
#15
I sure did... ;-)

But thx for asking anyways! :-)

For all the following readers I'll add a screenshot and a note to the initial posting