
Messages - yeraycito

#1
25.1, 25.4 Production Series / Dnsmasq log errors
June 27, 2025, 04:14:50 PM
Opnsense 25.1.9_2
#2
I've mentioned this before but I keep seeing it remains unresolved. I must say I don't know how the plugin update system works in OPNsense or who's responsible for this work. As of today, the dnscrypt plugin in OPNsense works with version 2.1.5, but I'm seeing version discrepancies across different sources.

In the OPNsense plugin repository, it has version 1.15 integrating dnscrypt-proxy 2.1

https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr

In the FreeBSD repositories, dnscrypt has version 2.1.5_13 updated on June 6, 2025.

https://www.freshports.org/dns/dnscrypt-proxy2/

And on the official Dnscrypt website on GitHub, they're already at version 2.1.12, which is what OPNsense should have.

https://github.com/DNSCrypt/dnscrypt-proxy/releases/tag/2.1.12

The funny thing is that on dnscrypt's GitHub, the program is available for FreeBSD, so it would be appreciated if it could be updated either on FreeBSD or directly on Opnsense.
#3
Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers. Some time ago, Kea DHCP was included in Opnsense because, as they said, ISC DHCP was abandoned and Kea was its replacement. However, that inclusion was partial and is resolved today by including Kea DHCPv6, which would complete the migration. But it turns out that now Kea DHCP is also not valid, and in the near future, Dnsmasq DHCP will be used by default. The bottom line is that users no longer know what to expect on an issue that isn't even that complicated.
#5
True, thank you very much
#6
Upgrading to 25.1.4 also installs a dnscrypt update; however, you are still on version 2.1.5 when the latest version is 2.1.7, released last January. As I commented recently in another post, I am interested in this last version because it supports the ODOH protocol for DNS; not having it, I have to modify the dnscrypt configuration file by hand, with the result that it works. The problem is that by doing the modification through SSH and not through the dnscrypt interface in OPNsense, the changes do not survive a reboot. An update of dnscrypt to version 2.1.7 would be appreciated.

#8
In my case I have modified the dnscrypt-proxy.toml file, leaving it as follows, and it works without problems... until OPNsense restarts and it stops working:


# Now I'm using 53530 for Unbound so here I just set 53531
listen_addresses = ['127.0.0.1:5353']

max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = false
odoh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30
server_names = ['odoh-cloudflare']

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

cert_refresh_delay = 240
dnscrypt_ephemeral_keys = true
tls_disable_session_tickets = false
ignore_system_dns = true

netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = true

forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Just disable it... Why do you need more caching if you have Unbound?
cache = false

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[allowed_names]
  allowed_names_file = 'whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'


[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Anonymized DNS relays

  [sources.'relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

[anonymized_dns]
routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-ams', 'odohrelay-crypto-sx']}
]

### ODoH (Oblivious DoH) servers and relays ###
  [sources.'odoh-servers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  [sources.'odoh-relays']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-relays.md'
  refresh_delay = 72
  prefix = ''

[static]
#9
DNScrypt supports Cloudflare's DNS under the ODOH protocol and Relay is required to configure them. DNSCrypt Servers and DNS-over-HTTPS Servers can be configured in the DNScrypt interface, but ODOH Servers cannot be configured.
Following this tutorial https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271 the Cloudflare ODOH DNS with their respective Relays work correctly. The problem is that when restarting Opnsense all modifications are lost and the dnscrypt-proxy.toml file has to be modified again via SSH.

#10
3. VLAN MTU: you cannot set that via the GUI, unless you create a named interface.

Vlan created through Interfaces: Devices: VLAN
#11
Spanish - Español / Re: Impossible to open ports
January 26, 2025, 08:02:42 PM
Hi, you must have reflection, automatic NAT and 1:1 DISABLED.
I don't use Proxmox, but you can see a tutorial on WireGuard in OPNsense here, although some things are outdated and do not need to be configured:

https://www.qnapclub.es/showthread.php?tid=4948

The official WireGuard tutorial can be found here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
#12
Quote from: peterwkc on January 15, 2025, 04:37:23 AM
I know IPS is not function in PPPOE.

You won't get it right; in my case I have set it up several times and it has always worked the first time.
#14
Quote from: Patrick M. Hausen on January 14, 2025, 09:29:38 AM
IPS is not supported for PPPoE, only IDS.

Suricata can function as an IPS with PPPoE without any problems; you just need to make a few modifications:

- Configure the WAN interface as none (IPv4 Configuration Type none)

- Add a new OPT interface with the PPPoE configuration just like it was a WAN PPPoE.

- Configure Suricata as IPS on WAN.

https://forum.opnsense.org/index.php?topic=9741.15
#15
24.7, 24.10 Legacy Series / Hbsdfw
December 23, 2024, 05:33:39 PM
I know this is not the right place to discuss this topic, but I can't locate the developer. I have installed the latest ISO of hbsdfw, and it doesn't come with any plugins to install. I have tried changing repositories, although I may have done it wrong, and I can't manage it. My question is whether it is possible to install the Opnsense plugins in that version.