Messages - RamSense

Pages: [1] 2 3 ... 40
1
Virtual private networks / Re: How to get IPv6 from Wireguard to OPNsense?
« on: November 23, 2024, 09:36:35 pm »
Maybe these guides can help you get started:
https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/
or IPv6 only: https://homenetworkguy.com/how-to/configure-ipv6-opnsense-with-isp-such-as-comcast-xfinity/

His tutorials also helped me in the beginning to get things started.

2
General Discussion / Re: Nominate OPNsense and FreeBSD Foundation for Proton's Fundraiser (Big Reward)!!
« on: November 10, 2024, 04:34:15 pm »
Quote from: FredsterNL on November 10, 2024, 03:30:41 am

I think there should also be some 'crowdfunding' possibility...

Is a facility set up where users that want to show their appreciation can deposit a financial 'thank you'?

You can do a donation, see this post: https://forum.opnsense.org/index.php?topic=2049.180

or donate directly here: https://opnsense.org/donate/

3
General Discussion / Re: Nominate OPNsense and FreeBSD Foundation for Proton's Fundraiser (Big Reward)!!
« on: November 07, 2024, 06:36:15 pm »
thanks for sharing, and done!

4
Tutorials and FAQs / Re: Help with IPv6 for a total knoob!
« on: October 26, 2024, 07:55:18 am »
Hi CancunManny,

This guide will help you with ipv6 and opnsense: https://homenetworkguy.com/how-to/configure-ipv6-opnsense-with-isp-such-as-comcast-xfinity/

The fe80:: addresses are completely normal if you allow IPv6 on the network. Only hosts on the local network can reach fe80:: IPv6 addresses, and they are generated by every IPv6-capable device itself.

5
General Discussion / Re: DoT for dns Local/LAN / adguard home and bind
« on: October 20, 2024, 06:31:41 pm »
Thanks newsense,
Quote
The AGH to Bind is less important if both are running on the FW, there's no rogue traffic there to be concerned about.
good to know. Both are running on the FW.

AGH encryption is set up. What do you mean by "connect your clients securely to AGH"?
e.g. iPhone iOS:
    From the home screen, tap Settings.
    Choose Wi-Fi in the left menu (it is impossible to configure DNS for mobile networks).
    Tap on the name of the currently active network.
    In the DNS field enter your AdGuard Home server addresses.

This is not needed; it already shows my OPNsense/AGH IP, while all my DNS queries are sent to AGH by OPNsense.
Or do you mean on the iPhone itself, under Wi-Fi, changing the DNS IP to manual and adding tls://IP-AGH? Or do you mean installing the AdGuard for iOS app?

6
General Discussion / Re: DoT for dns Local/LAN / adguard home and bind
« on: October 20, 2024, 02:45:28 pm »
thanks again for the reply and help.
Quote
the clients on your LAN will (presumably) still be talking to AGH over port 53 with no "security".
-> I think that is the answer then: clients will use plain DNS over port 53, so there is no way to secure DNS further on the LAN.

7
General Discussion / Re: DoT for dns Local/LAN / adguard home and bind
« on: October 20, 2024, 01:53:11 pm »
Hi dseven,

thank you for your reply and info.

Quote
What problem are you actually trying to solve here anyway? It seems like a lot of complexity for a problem that's not really clear (to me)....

The key idea I came up with is that DNS traffic on the LAN is plain DNS, and I was wondering if that could be changed to encrypted DNS on the LAN. This way it would be impossible, in the utopian case, for DNS to be sniffed by something on the LAN network.

p.s. your config works for Bind. It starts and runs.
From the terminal using dig, I can confirm it is using TLS:

Quote
dig @127.0.0.1 google.com +tls

; <<>> DiG 9.20.2 <<>> @127.0.0.1 google.com +tls
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 19fc68c433fb6a90010000006714f4f3deedd5f14a92df93 (good)
;; QUESTION SECTION:
;google.com.         IN   A

;; ANSWER SECTION:
google.com.      300   IN   A   142.250.179.174

;; Query time: 6 msec
;; SERVER: 127.0.0.1#853(127.0.0.1) (TLS)
;; WHEN: Sun Oct 20 14:17:55 CEST 2024
;; MSG SIZE  rcvd: 83


Adguard home - DNS Settings - Upstream DNS Servers - tls://127.0.0.1:853 or 127.0.0.1:853 - don't work or connect.

8
General Discussion / Re: DoT for dns Local/LAN / adguard home and bind
« on: October 20, 2024, 11:47:04 am »
I found Bind supports DoT and I found that I must add the below items in /usr/local/etc/namedb/named.conf

Quote
    // Listen on port 853 for DoT
    tls-port 853;

    // Path to your certificate and key
    tls-cert "/var/etc/cert.pem";
    tls-key "/var/etc/key.pem";

    // Enable TLS
    listen-on port 853 { 127.0.0.1; };

But when I use the above cert, Bind won't start anymore. What is the right cert/key file location? Or how do you generate the needed cert files?

I can then point AdGuard Home to DoT Bind on 853 and set AdGuard Home - Settings - Encryption settings -> Enable plain DNS -> to disabled.

Or?
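The snippet quoted in this post and the dig check in the previous one both concern the same thing: getting BIND to answer DNS-over-TLS on loopback. BIND has no `tls-port`, `tls-cert` or `tls-key` options; since 9.18 the certificate and key go in a named `tls` block that a `listen-on port 853 tls <name>` statement references, and named refuses to start on unknown options. The script below is an added example written for this page, not the poster's config and not part of the OPNsense Bind plugin. The config directory and the file names `dot-cert.pem`/`dot-key.pem` are assumptions; the loopback-only listener, port 853 and the `dig +tls` check come from the thread.

```shell
#!/bin/sh
# Added example: DNS-over-TLS listener for BIND 9.18+ on loopback, so an
# AdGuard Home upstream of tls://127.0.0.1:853 has something to talk to.
# Paths are assumptions; adjust to the Bind plugin's layout.

NAMEDB="${NAMEDB:-/usr/local/etc/namedb}"   # assumed Bind config directory
CERT="${CERT:-$NAMEDB/dot-cert.pem}"         # assumed certificate path
KEY="${KEY:-$NAMEDB/dot-key.pem}"            # assumed private-key path

# Self-signed certificate whose SAN is the loopback address. A client that
# verifies the upstream certificate can then match it against 127.0.0.1;
# it must also trust this certificate explicitly, since no CA signed it.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=127.0.0.1" -addext "subjectAltName=IP:127.0.0.1" \
        -keyout "$KEY" -out "$CERT" 2>/dev/null || return 1
    chmod 600 "$KEY"
}

# named.conf statements in BIND 9.18+ syntax. The tls block is top level;
# the listen-on line must be merged into the existing options block,
# because named accepts exactly one options block.
dot_config_fragment() {
    cat <<EOF
tls local-dot {
    cert-file "$CERT";
    key-file "$KEY";
};

options {
    listen-on port 853 tls local-dot { 127.0.0.1; };
};
EOF
}

# Syntax-check a complete named.conf before restarting the service.
check_named_conf() {
    command -v named-checkconf >/dev/null 2>&1 || return 2
    named-checkconf "$1"
}

# Confirm the listener answers over TLS (the "(TLS)" server line dig prints
# in the thread) and that the presented certificate verifies against CERT.
probe_dot() {
    host="${1:-127.0.0.1}"
    dig @"$host" example.com A +tls +short >/dev/null 2>&1 || return 1
    openssl s_client -connect "$host:853" -CAfile "$CERT" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage on the firewall as root: sh dot-setup.sh setup
# Generates the key pair and prints the fragment to merge into named.conf.
if [ "${1:-}" = "setup" ]; then
    make_selfsigned_cert || { echo "certificate generation failed" >&2; exit 1; }
    dot_config_fragment
fi
```

The listener is bound to 127.0.0.1 only, so the TLS hop covers exactly the AdGuard Home to Bind path on the firewall and nothing is exposed to the LAN. The Bind plugin generates named.conf itself, so check where it accepts custom statements before editing the file by hand, and run `check_named_conf` on the merged result; `probe_dot` fails if the certificate does not verify, which is the first thing to rule out when an upstream of `tls://127.0.0.1:853` refuses to connect.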

9
General Discussion / DoT for dns Local/LAN / adguard home and bind
« on: October 19, 2024, 05:05:47 pm »
Hi, I am wondering if this is possible:
I am running OPNsense with AdGuard Home (plugin) and Bind (plugin), so that all DNS on port 53 goes to AdGuard Home. AdGuard Home has 127.0.0.1:5354 as upstream (Bind), and Bind has no DNS forwarders. This way every lookup goes to the DNS root servers if it is not yet known/cached. As I have learned in the past from this forum, this gives more privacy, since no root DNS "has it all", and it is better than trusting the 1.1.1.1 server or your ISP's encrypted DNS server, who "has it all". This is working great.

However, every local/LAN DNS lookup is plain DNS / unencrypted. Is there a way to make the LAN side DoT as well? e.g. AdGuard Home DoT to Bind? Maybe plain DNS is a small risk on the LAN, but if it can be secured, why not do so.

I am eager to learn your solution(s) for this.

10
24.7 Production Series / Re: WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 29, 2024, 10:45:24 am »
correct, I have to hit apply on gateways for it to come back

11
24.7 Production Series / Re: WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 29, 2024, 08:06:04 am »
Hi again, just checked. gateway switching unchecked also, and skip rules unchecked too.

N.B. I also noticed that when I make a change in the OPNsense WireGuard instances or peer config and hit apply, I need to go to gateway configuration and hit apply there for IPv4 and IPv6 to come back up. So my old trick from OPNsense 24.7.4 (interface off, save, and on, save) seems to have merged into the trick of going to gateway configuration and hitting apply. But I believe they are related to the underlying issue I see/have.

12
24.7 Production Series / Re: WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 28, 2024, 06:22:18 pm »
Tried this also, same result: I have to hit apply on the gateway page to get it to work. Thanks for the help so far!

13
24.7 Production Series / Re: WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 28, 2024, 04:53:51 pm »
ok, thanks for your help Bob.Dig

14
24.7 Production Series / Re: WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 28, 2024, 04:44:38 pm »
I added the attached outbound rule, after reboot I still had to hit "apply" on the gateway page for iphone with wireguard to get both ipv4 and ipv6 on whatsmyip.com

15
24.7 Production Series / Re: WireGuard not working ipv4 after update to opnsense 24.7.5
« on: September 28, 2024, 04:29:00 pm »
I do not follow? I have an outbound NAT rule on WAN with WG Net as source.
Or is it that instead of selecting WG Net you put in the tunnel address 10.10.10.0/24?
