Messages

1

22.7 Legacy Series / Re: Opnsense reverts to an old configuration

« on: November 13, 2022, 05:06:34 am »

When it would revert, the previous version(s) would still be stored in the backup, which is accessible via (System -> Configuration -> History).

In case it does automatically restore (which only happens when an un-parsable config is found), the machine would send a message to the (system) log about the event as well:

https://github.com/opnsense/core/blob/20a3c3da3869751ecacd306e267c53059a5f7973/src/opnsense/mvc/app/library/OPNsense/Core/Config.php#L330-L341

Best regards,

Ad

Thanks for responding Ad.
The code seems be logging the exception if the config cannot be restored. Where would I find that log -- just so that I can see what in the config is incorrect such that the restore fails with a ConfigException?

I checked my configuration history and originally had about 37MB of history. So the question still is why would it revert back to a config which was some months old and not the recent one?Also I haven't had this happen on every reboot and this definitely is intermittent.

In any case, since I was on the page, I reduced the Backup Count to 5 -- which effectively deleted all my old configurations from the history and kept only the latest ones. The hope is that next time it would just pick up one of the 5 latest configurations. I have reverted the Backup Count back to empty, so it would now save the history beyond the 5 recent files.

Under System>>Log Files>>Web GUI  I do see the following a few times:

Code: [Select]

2022-11-07T16:38:20-06:00 Error lighttpd (configfile.c.1287) WARNING: unknown config-key: server.dir-listing (ignored)
but I am not sure if it is related to be honest.

2

22.7 Legacy Series / Re: Opnsense reverts to an old configuration

« on: November 07, 2022, 11:46:11 pm »

This happened to me yet again when upgrading from 22.7.6 to 22.7.7_1. It reverted to a very old config when I used to have NordVPN clients etc.
Worse thing was that I could no longer access my NAS in order to upload a nightly saved configuration copy. I had to manually mount my NAS as NFS using the IP and then copy the configuration over.

I have not had this problem when upgrading opnsense before but this is much recent -- at least the last 3 or 4 upgrades. Can some please provide some pointers as to where the old config is being saved so that I can update it with the latest copy?

3

22.7 Legacy Series / Re: Wireguard NAT rules required?

« on: October 26, 2022, 12:30:40 am »

Yup. Thanks for confirming via testing.

It could just be how the plugin was implemented where the OpenVPN automatically adds it's subnet to NAT whereas WG doesn't. Might be worth a bug/enhancement ticket in the Wireguard plugin for feature parity with OpenVPN plugin but then again, the documentation clearly states that you need either the interface assignment or the NAT rules -- and sometimes maybe both depending on what you want to do.

I created the WG interface and am now able to access the LAN services as well as the internet at the same time from my connected device.

4

22.7 Legacy Series / Re: Wireguard NAT rules required?

« on: October 25, 2022, 03:49:59 am »

Ok, I now checked my outbound NAT, the only rules are those automatically generated rules containing every internal interface and, indeed, VPN (WG interfaces and OVPN subnets). I guess if there were no interface created for WG, the automatic rules would contain the subnet IPs as it does for OVPN. I am pretty sure that I used WG the first time without assigning an interface, this was done later when I added a second WG instance 

Yeah, this is for my home network and I don't foresee more than 1 WG VPN server which is why I thought of simply using the Wireguard(Group) to set up the firewall rules instead of assigning the interface similar to what I had for OpenVPN.

But from the looks of it, it seems I will have to assign the interface in order for it to be able to access the LAN services as well as the internet in general.

Oh well, I was just curious as to why it was different for OpenVPN vs Wireguard that's all.

5

22.7 Legacy Series / Re: Wireguard NAT rules required?

« on: October 24, 2022, 09:21:53 pm »

WG will also work without NAT rule or specific interface.
As said... Don't know for what reason NAT is needed here.

Well, it sure doesn't seem like it works. I have Wireguard setup and it connects. But I cannot access the internet from my phone when connected to Wireguard. The only thing that I can access is the local LAN services/devices.

6

22.7 Legacy Series / Re: Wireguard NAT rules required?

« on: October 24, 2022, 04:37:46 pm »

Thanks @RamSense, @tiermutter & @miroco for responding.

All 3 of you seem to be suggesting that you can just assign the Interface and then you won't need the NAT rule. I have gone through the homenetworkguy url and also the video and I understand that I can create either the NAT rule or the Interface assignment to get it to work.

But I am just trying to understand why OpenVPN works without an interface assignment or NAT rule, whereas Wireguard requires at least one or the other.

TIA.

7

22.7 Legacy Series / Wireguard NAT rules required?

« on: October 23, 2022, 05:56:08 am »

Hello,
I have a Road Warrior OpenVPN setup that is working perfectly. I am using the Automatic outbound NAT rule generation currently under Firewall-->NAT-->Outbound. I also have not assigned the OpenVPN interface, but created an "Allow All" rule under the default OpenVPN tab that gets created under Firewall-->Rules. I have a different subnet as the Tunnel network and then allow access to my main LAN and CCTV vlans by passing those in the IPv4 Local Network in the OpenVPN configuration. I can connect from my mobile device to my OpenVPN server and I am able to access the LAN devices as well as the internet.

I was trying to set up the exact same thing via Wireguard. After setting up the wireguard peers, I did the same thing, I did NOT assign the wireguard interface, but created an "Allow All" rule under Firewall-->Rules-->Wireguard (Group). Similar to the OpenVPN setup, I use a completely different subnet as the Tunnel Network for Wireguard and put in 0.0.0.0/0 as Allowed IPs in the client/endpoint configuration for wireguard. I can now access my LAN services from my mobile device but I am unable to access anything on the internet. I researched and found out that I need some NAT Outbound rules in order to do this.

But my question is why does OpenVPN work without any such NAT Outbound rules while Wireguard doesn't?

TIA

8

22.7 Legacy Series / Re: Help setting up nextcloud backup

« on: October 07, 2022, 06:41:55 pm »

Setup described here:https://forum.opnsense.org/index.php?topic=23339.0

Skimmed it and got my head spinning....

Not worth the trouble in my case.

As I said, the HAProxy opnsense plugin configuration is a bit convoluted with real servers, backend pools, conditions, rules etc. Too many fields however aren't even used for basic SSL offloading which is what I am using it for.

There was no 3rd party repos when I first started using Opnsense. So I opted for Caddy v2 in a Proxmox container, but then having to maintain host overrides in Opnsense Unbound pointing Caddy and then having them route again to the correct server seemed unnecessary which is why I opted for HAProxy which was available in the main Opnsense repo at that time.

I didn't have mimugmail repo enabled until 3 days ago -- which I did for AdGuard plugin. I would have used the caddy plugin when I did this if I had the option. Who knows, I might switch to the caddy plugin down the road. It would just be a lot of work for me since I would have to move and test 20+ different services over. Tedious without any huge benefit (for me). The config will be simpler, so I might try it out when I have time and patience.

9

22.7 Legacy Series / Re: Help setting up nextcloud backup

« on: October 07, 2022, 05:39:55 pm »

Yea that's mostly true, I just never like plain text passwords, if something is ever compromised on network that's just one more thing that could be read and subsequently accessed.  Small risk, but I worked a long time in enterprise cyber so lateral movement is something I always think about.

Then set up a free Let's Encrypt account and use a wildcard cert. It's not terribly difficult with the Acme plugin on Opnsense. I originally did it because vaultwarden password manager required SSL in order to access the WebUI. So I thought instead of a self-signed cert, I might as well set up LE and use that for all my services that I host locally.

I'll probably leave it this way for now, looks like DNS based Let's encrypt isnt easy to setup on Nextcloud currently. 

Then don't. Set it up on a proxy -- HAProxy plugin on Opnsense is what I use --- although, the configuration for HAProxy is relatively convoluted compared to other proxy servers like Nginx Proxy manager or caddy. I initially started with caddy (which has built in LE btw), then switched to HAProxy only to avoid having a separate VM/LXC container for the proxy, when my opnsense router was plenty capable of doing the same thing. If you enable the mimugmail repo in Opnsense, you can even use caddy as a plugin on Opnsense.

Secondly how often does a backup run?  Do I need to setup a cron job?  I see there is a "remote backup" option but I have no idea what it does.

It runs nightly. Mine runs at 1AM, but I couldn't find any documentation as to whether we can change the time it runs etc. If you do select the Cron job of Remote Backup, it will simply do the configured backup for you. So for eg. if you configured Nextcloud and Google Drive -- then it would run both those backups at the scheduled time.
I had set up a cron job and forgotten about it -- so when i saw a backup of my opnsense config at a time other than 1AM, I was confused until I checked the cron job. I have now disabled the cron job since I had set that up to run once a week whereas the autorun runs everyday even without a cron job.

10

22.7 Legacy Series / Re: Changing the DNS provider

« on: October 06, 2022, 11:50:05 pm »

Right, clear now. Internally.
You'd want to see where are your clients looking for their internal dns resolution and put an override there. Presumably it's Unbound. So try a host override.

Yeah, unbound is running in resolver mode and I already have a host override setup for adguard pointing to the IP of opnsense.

EDIT: Turned out that the SSL check was on in the Real Server configuration of HAProxy. Not sure how I missed that !!!! :angry:

11

22.7 Legacy Series / Re: Changing the DNS provider

« on: October 06, 2022, 06:18:41 pm »

If you are getting just your IP then your unbound is working as a resolver, yes.

12

22.7 Legacy Series / Re: Changing the DNS provider

« on: October 06, 2022, 12:30:06 am »

For blocking google ad services if you want to have it again, try the steven black blocklist https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Ok thanks, I will try that. I did have that in my Unbound Blocklist. I was going to enable 1 at a time and see if it was worthwhile to add it to AdGuard Home.

For reaching your AGH from outside, is a bit more involved. I did it with nginx as reverse proxy on opnsense with a real server on the lan that was doing the required translations i.e. upd and dot (for android) but I changed my infrastructure and haven't re-done it. I needed a quick workaround for traveling and setup a wireguard vpn.  Now when I'm out, I enable wg on the phone and all flows through my home network including dns queries through ADG. Just a thought.

I do NOT want to access AGH from outside the network. I actually have a OpenVPN Road warrior setup and that works great for me to connect to the home network. I might think about setting a WireGuard VPN if there are speed benefits as everyone claims.

What I am currently trying to do is just use https://adguard.mydomain.com to access AGH instead of 192.168.1.1:81 from within my local network. I use such a setup for all my services and I own a domain and issue a wildcard Let's Encrypt certificate for all of them.

13

22.7 Legacy Series / Re: Help setting up nextcloud backup

« on: October 05, 2022, 11:12:05 pm »

https://forum.opnsense.org/index.php?topic=8996.0 this post had a similar issue and it was cert related, that's why I think it just doesn't like a self signed cert.  It's waaay to much effort to get let's encrypt up and going imo. 

Very frustrating something as necessary as backup is so hard to reach it seems. I'd say I'm a pretty seasoned sysadmin and this is stumping me.  No way less seasoned users are gonna get this working.  IMO there needs to be a much simpler option available.

Hmm. The 2 key differences in my setup are that my Nextcloud is running locally on a proxmox LXC container and I am using Let's Encrypt wildcard cert for all my services -- opnsense, nextcloud and many more.

I still think that self signed certs should work, as long as both ends accept it.

14

22.7 Legacy Series / Re: Help setting up nextcloud backup

« on: October 05, 2022, 10:36:39 pm »

Have you tried creating the folder that you want the backups in -- manually in Nextcloud and then trying?

15

22.7 Legacy Series / Re: Help setting up nextcloud backup

« on: October 05, 2022, 10:31:18 pm »

Once I created an App password for Opnsense, it was pretty straightforward. Assuming you set the correct URL for your nextcloud and the username and the App password for opnsense and enabled the "service"

Did you by any chance use a leading slash in your path for Directory Name? You shouldn't as the comment there suggests.