Topics - cake

1
General Discussion / saved configuration work on new hardware?
« on: September 08, 2023, 01:58:58 am »
I have a Chinese board with 4 Ethernet ports and an Intel J1900. If I buy another mini PC with 4 ports, can I load the config file from the old one? How similar does the hardware need to be?

Thanks

2
23.7 Legacy Series / Single User Mode
« on: August 31, 2023, 03:39:27 am »
I'm trying to talk a family member through reinstalling OPNsense remotely. It's not going well.

How do you get into single user mode? I'm not getting a command prompt. Nothing that says login. Ctrl + Alt + F1 or F2 does nothing either (sometimes that works in Linux), just messages printed to screen (screenshot). This is the 23.1 version.
Spacebar works to pause.

I also tried to install with a fresh 23.7 VGA img file, copied to a thumb drive with dd; the installer does not see the SSD drive when logging in via ssh installer@192.168.1.1, it just shows the USB thumb drive. This is the second day of messing around for a couple of hours. My device is a Qotom J1900 box.

Maybe the ssd is broken?

3
23.1 Legacy Series / Need help with update (log posted)
« on: June 25, 2023, 05:57:55 pm »
I keep getting this in the log when updating. I am updating over WireGuard remotely and don't want to brick it.
Anyone know what I should do? I am trying to fix another problem I am having, but thought I would update first.

Code:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.1.5_4 at Sun Jun 25 22:36:17 +07 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (56 candidates): .......... done
Processing candidates (56 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 59 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
easy-rsa: 3.1.5
pkcs11-helper: 1.29.0
py39-tzdata: 2023.3_1

Installed packages to be UPGRADED:
ca_root_nss: 3.89 -> 3.89.1
curl: 7.88.1 -> 8.1.2
dhcp6c: 20200512_1 -> 20230530
glib: 2.76.1,2 -> 2.76.3,2
ifinfo: 13.0 -> 13.0_1
krb5: 1.20.1 -> 1.21
libnghttp2: 1.52.0 -> 1.53.0
libpsl: 0.21.2_2 -> 0.21.2_3
libxml2: 2.10.3_1 -> 2.10.4
lighttpd: 1.4.69 -> 1.4.71
mpd5: 5.9_13 -> 5.9_16
nettle: 3.8.1 -> 3.9.1
nss: 3.89 -> 3.90
ntp: 4.2.8p15_5 -> 4.2.8p17
openssh-portable: 9.2.p1,1 -> 9.3.p1,1
openvpn: 2.5.8 -> 2.6.5
opnsense: 23.1.5_4 -> 23.1.10_1
opnsense-update: 23.1.5 -> 23.1.8_2
os-dnscrypt-proxy: 1.12_1 -> 1.13_1
pftop: 0.8_2 -> 0.8_4
php81: 8.1.17 -> 8.1.20
php81-ctype: 8.1.17 -> 8.1.20
php81-curl: 8.1.17 -> 8.1.20
php81-dom: 8.1.17 -> 8.1.20
php81-filter: 8.1.17 -> 8.1.20
php81-gettext: 8.1.17 -> 8.1.20
php81-ldap: 8.1.17 -> 8.1.20
php81-mbstring: 8.1.17 -> 8.1.20
php81-pdo: 8.1.17 -> 8.1.20
php81-phalcon: 5.2.1 -> 5.2.2
php81-session: 8.1.17 -> 8.1.20
php81-simplexml: 8.1.17 -> 8.1.20
php81-sockets: 8.1.17 -> 8.1.20
php81-sqlite3: 8.1.17 -> 8.1.20
php81-xml: 8.1.17 -> 8.1.20
php81-zlib: 8.1.17 -> 8.1.20
py39-bottleneck: 1.3.6 -> 1.3.7_1
py39-certifi: 2022.12.7 -> 2023.5.7
py39-charset-normalizer: 3.0.1 -> 3.1.0
py39-cython: 0.29.33 -> 0.29.35
py39-dnspython: 2.2.1_1,1 -> 2.3.0,1
py39-idna: 3.4 -> 3.4_1
py39-markupsafe: 2.1.2 -> 2.1.3
py39-numexpr: 2.8.4 -> 2.8.4_1
py39-numpy: 1.24.1,1 -> 1.24.1_4,1
py39-pandas: 1.5.3,1 -> 2.0.2,1
py39-requests: 2.28.2 -> 2.31.0
py39-sqlite3: 3.9.16_7 -> 3.9.17_7
py39-ujson: 5.7.0 -> 5.8.0
py39-urllib3: 1.26.14,1 -> 1.26.16,1
python39: 3.9.16_2 -> 3.9.17
sqlite3: 3.41.0_1,1 -> 3.42.0,1
squid: 5.8 -> 5.9
strongswan: 5.9.10_1 -> 5.9.10_2
suricata: 6.0.9_1 -> 6.0.13
syslog-ng: 3.38.1 -> 4.2.0

Number of packages to be installed: 3
Number of packages to be upgraded: 56

The process will require 6 MiB more space.
[1/59] Upgrading python39 from 3.9.16_2 to 3.9.17...
[1/59] Extracting python39-3.9.17: .......... done
python39-3.9.16_2: missing file /usr/local/lib/python3.9/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl
python39-3.9.16_2: missing file /usr/local/lib/python3.9/lib2to3/Grammar3.9.16.final.0.pickle
python39-3.9.16_2: missing file /usr/local/lib/python3.9/lib2to3/PatternGrammar3.9.16.final.0.pickle
python39-3.9.16_2: missing file /usr/local/share/licenses/python39-3.9.16_2/LICENSE
python39-3.9.16_2: missing file /usr/local/share/licenses/python39-3.9.16_2/PSFL
python39-3.9.16_2: missing file /usr/local/share/licenses/python39-3.9.16_2/catalog.mk
pkg-static: Fail to rename /usr/local/lib/python3.9/test/test_tools/__pycache__/.pkgtemp.test_lll.cpython-39.opt-1.pyc.dRm2Lr8DrAGh -> /usr/local/lib/python3.9/test/test_tools/__pycache__/test_lll.cpython-39.opt-1.pyc:Invalid argument
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***

4
Tutorials and FAQs / Blocking DNS, Private DNS, DNS over HTTPS and others
« on: January 16, 2023, 04:35:46 am »
I've been pulling my hair out trying to figure out why my test phone is getting DNS after I blocked port 53 completely.
Turns out it has a setting "Private DNS" that activates itself once in a while.

Does anyone know if there is a GitHub list that publishes a list of known IP addresses that run DNS over HTTPS?

I want my dnscrypt to handle all DNS queries, port forwarding anything on 53 to 5353. Unbound is doing this and port forwarding is also sending port 53 traffic to dnscrypt. My problem is that Google and other data mining companies are running HTTPS DNS resolvers. Firefox and other browsers are defaulting to using this and sending the DNS to their buddies' resolvers. I want to block these devices on my network that are bypassing my DNS settings.

Sorry if this is hard to follow. I keep getting browser updates on computers and the updates change settings that I previously set. They are bypassing my DNS even though I block outbound port 53 and port forward 53 to 5353 where dnscrypt is listening. Let's just say I don't think mozzarella, khrome, or edge is on my side and I don't want them getting a list of DNS lookups from my network. Someone must have a list like the no-ads ones on GitHub.

5
22.1 Legacy Series / Wireguard peer [subnet<->subnet]
« on: May 23, 2022, 09:20:40 am »
I am using OPNsense WireGuard as a peer, but

what I can't figure out is getting clients/peers such as phones connected to 10.8.0.0/24 to talk to 192.168.44.0/24.

wg0 on OPNsense is the peer assigned 10.8.0.7; behind that is the LAN 192.168.44.0/24, but I can not ping anything there.

I can not get the two subnets to talk to each other. Any suggestions, please?

WireGuard is connected and there is a tiny bit of traffic.

6
20.1 Legacy Series / Help me with DHCPv4
« on: April 17, 2020, 03:33:44 am »
I have had this problem since before the update, maybe even back to v18.
- I have DHCPv4 enabled on the LAN2 interface. (This is on every interface, but just using LAN2 as an example)
- LAN2 subnet is 192.168.44.0
- The DHCP available scope is 192.168.44.5 - 192.168.44.199
- I have been using static ARP outside this range to get my devices' network connection to work.
- If I set a device to automatic/DHCP it gets an IP inside the scope, a gateway and a DNS address; all seems normal to me.

However, the device can not ping the interface/gateway at 192.168.44.1, can not ping internet addresses such as 8.8.8.8 and shows up in the DHCPv4 leases as the device being offline. As mentioned, I need to give the device a static IP outside the scope for internet to work. The firewall live view does not show anything (no ICMP attempts).

7
19.1 Legacy Series / [solved] How do I edit sshd_config
« on: April 23, 2019, 09:03:37 am »
I am trying to figure out the stability of the dnscrypt_proxy plugin and I see this in the dnscrypt_proxy log
Code:
[2019-04-23 13:29:05] [FATAL] listen udp 127.0.0.2:53: bind: address already in use
127.0.0.2 and 192.168.44.4 are virtual IPs (IP Alias).

The system log says it is sshd that is listening there, but it is not listed in the GUI (attached screenshot).

Here is my sshd_config file that I assume gets overwritten if changed: /usr/local/etc/ssh/sshd_config

Code:
# This file was automatically generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc
Port 22
Protocol 2
Compression yes
ClientAliveInterval 30
UseDNS no
X11Forwarding no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
AllowGroups wheel admins
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
HostKey /conf/sshd/ssh_host_rsa_key
HostKey /conf/sshd/ssh_host_ecdsa_key
HostKey /conf/sshd/ssh_host_ed25519_key
HostKey /conf/sshd/ssh_host_dsa_key
ListenAddress 10.8.1.2
ListenAddress 192.168.45.1
ListenAddress 192.168.44.1
ListenAddress 192.168.44.4
ListenAddress 127.0.0.1
ListenAddress 127.0.0.2
ListenAddress ::1
I would like to remove the virtual IP addresses. If I restart openssh, 127.0.0.2 and 192.168.44.4 re-appear even if I remove or comment them out. Any ideas?

Solved: I changed the listen port from 53 to 5353 on the dnscrypt listen addresses and it seems to work now.
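The error in this post names a full (protocol, address, port) tuple, and that tuple is what a bind failure is about. As an added example, not code from the post or from OPNsense, the Python script below parses a listing in the column layout of FreeBSD's `sockstat -l` (OPNsense runs on FreeBSD, where sockstat is the tool for this question) and reports which process already holds the exact tuple that failed to bind, separately from services that merely share the address and therefore show up in the system log without blocking the bind. The sample lines, process names and PIDs are constructed for the example.

```python
"""Who already holds the socket? (added example, not from the forum post)

Parses a FreeBSD `sockstat -l`-style listing and looks up the owner of an
exact (protocol, address, port) tuple, which is what "bind: address already
in use" is about. Entries that merely share the address are listed
separately, since they explain why a process shows up in the system log
without actually blocking the bind.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "user command pid proto addr port")

# Constructed sample in the column layout of `sockstat -4 -l`; these lines
# are made up for the example and are not from the poster's box.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   127.0.0.2:22          *:*
root     sshd       1234  5  tcp4   192.168.44.4:22       *:*
root     sshd       1234  6  tcp4   192.168.44.1:22       *:*
unbound  unbound    2345  3  udp4   127.0.0.2:53          *:*
unbound  unbound    2345  4  tcp4   127.0.0.2:53          *:*
root     lighttpd   3456  7  tcp4   *:443                 *:*
"""


def parse_sockstat(text):
    """Turn sockstat output into Listener records; the header line is skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = parts[:6]
        # rpartition keeps IPv6 addresses such as ::1 intact
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def find_conflict(listeners, proto, addr, port):
    """Return the Listener that makes bind(proto, addr, port) fail, or None.

    Same protocol and port are required; a wildcard bind ("*") on either side
    is treated as covering every address, which is the behaviour without
    SO_REUSEADDR on both sockets.
    """
    for l in listeners:
        if l.proto != proto or l.port != port:
            continue
        if l.addr == addr or "*" in (l.addr, addr):
            return l
    return None


def sharing_address(listeners, addr):
    """Listeners on the same address but any port/protocol: noise, not a conflict."""
    return [l for l in listeners if l.addr == addr]


def explain(text, proto, addr, port):
    """One-line verdict for a failed bind, e.g. dnscrypt-proxy's udp 127.0.0.2:53."""
    listeners = parse_sockstat(text)
    hit = find_conflict(listeners, proto, addr, port)
    if hit:
        return f"{proto} {addr}:{port} is held by {hit.command} (pid {hit.pid})"
    others = sorted({l.command for l in sharing_address(listeners, addr)})
    return f"{proto} {addr}:{port} is free; other services on {addr}: {', '.join(others) or 'none'}"


if __name__ == "__main__":
    print(explain(SAMPLE_SOCKSTAT, "udp4", "127.0.0.2", 53))
    print(explain(SAMPLE_SOCKSTAT, "udp4", "127.0.0.2", 5353))
```

Run it against real output with `sockstat -l | python3 script.py` after replacing the sample with `sys.stdin.read()`; the wildcard rule is deliberately conservative, so a `*:53` listener is reported as a conflict for every address on port 53.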

8
19.1 Legacy Series / problem updating
« on: February 03, 2019, 08:55:23 am »
Just reporting I had to revert back to 18.7 from 19.1

Not sure where the problem was. My setup is DNSCrypt on 127.0.0.2:53, unbound listen on #53 and
Code:
do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.2@53

system dns setting is just 127.0.0.2

For firewall rules I have NAT Port Forward--> "LAN2    TCP/UDP    *    *    ! LAN2 address    53 (DNS)    127.0.0.2    53 (DNS)    DNS (KEEP AT TOP) " for all 3 interfaces.

Also I have for Virtual IP --> "127.0.0.2/32    Loopback    IP Alias    DNSCrypt "

This worked well on 18.7, forcing every client to use dnscrypt.
On 19.1 the GUI was locking up a little and it seems unbound was not getting a reply from dnscrypt. The dnscrypt log said it was listening where it should and could communicate upstream. All services were running. Maybe someone else has the same issues?

9
Tutorials and FAQs / Domain blocking with DNSCrypt v2 tutorial 18.7 (obsolete)
« on: January 25, 2019, 10:06:40 am »
Edit: This howto is obsolete since the latest plugin has added blocklists to the gui.

I got domain blocking to work with the new DNSCrypt package that has recently been added to OPNsense. Thanks mimugmail (m.muenz@gmail.com).

I may have done something incorrectly and poorly so please suggest a better way if you know one.

After you get dnscrypt up and running and have checked that it is working, proceed to the shell.

(If you're missing nano or wget, just type "pkg install wget" or "pkg install nano")

Code:
mkdir /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
cd  /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
chmod a+x generate-domains-blacklist.py

Now is a good time to edit the .conf file.
Code:
nano domains-blacklist.conf
Remove the hash symbol on the lists you want and comment out the ones you don't want. I added a few of my own at the end of the file, mostly Facebook and Microsoft domains.

Also edit domains-blacklist-local-additions.txt.
Code:
nano domains-blacklist-local-additions.txt
I myself did not want to block *.local, *.localdomain or *.workgroup,
so comment them out if you want to also.

Now to run the program
Code:
/usr/local/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt
Try it twice if it fails fetching an adblock list like it did to me.

If you succeed, go up a directory
Code:
cd ..
and make another file that will point to your new blocklist
Code:
ln -s generate-domains-blacklists/dnscrypt-blacklist-domains.txt dnscrypt-blacklist-domains.txt
Lastly we need to edit the config file for dnscrypt and tell it about our blacklist
Code:
nano dnscrypt-proxy.toml
add this to the end -->
Code:
[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

Go to the router's GUI --> Services --> DnsCrypt-Proxy, and restart the service.
If it comes back up it should now be blocking those domains. If it doesn't, comment out the
Code:
blacklist_file = 'dnscrypt-blacklist-domains.txt'
line in the .toml file and double check everything.

Hope this works for you. :-)

Edit: Important, the changes to the .toml file do not stick after you save from the GUI, so you need to edit
Code:
nano /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
and add the blacklist section so it looks like this:
Code:
[static]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

{% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
{%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}
{%     if server_list.enabled == '1' %}
  [static.'{{server_list.name}}']
  stamp = 'sdns://{{server_list.stamp}}'
{%     endif %}
{%   endfor %}
{% endif %}
Just below [static] but above the rest at the end.

Edit#2 Here is a tutorial I found to force DNSCrypt on all your clients https://forum.opnsense.org/index.php?topic=9245.0   Just remember to change 127.0.0.1 in the example to 127.0.0.2.
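The tutorial above delegates the actual list building to the upstream generate-domains-blacklist.py, which fetches each source named in domains-blacklist.conf, merges them, removes whitelisted names and writes one domain per line. As an added example, not the upstream script and not part of the original post, here is an offline Python 3 re-implementation of that merge step so the logic can be seen and tested without network access: it normalizes hosts-file and plain-domain sources, drops names covered by the whitelist, and collapses subdomains that a blocked parent already covers (dnscrypt-proxy treats a bare blacklist entry as matching the domain and all its subdomains, so the shorter entry suffices). All list contents, the `SOURCE_A`/`SOURCE_B`/`LOCAL_ADDITIONS`/`WHITELIST` names and the function names are constructed for this example.

```python
"""Merge domain lists into a dnscrypt-proxy blacklist (added example).

Offline re-implementation of the merge step that the tutorial's
generate-domains-blacklist.py performs: normalize entries from hosts-file
and plain-domain sources, drop whitelisted names, and collapse subdomains
that a blocked parent already covers. All list contents are constructed.
"""
import re

# Constructed sample sources (not real blocklists). SOURCE_A is in hosts-file
# style, SOURCE_B is a plain domain list with mixed case and comments.
SOURCE_A = """\
# hosts-file style list
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
"""
SOURCE_B = """\
# plain domain list
example.org          # gets whitelisted below
cdn.example.org
sub.ads.example.com  # covered by ads.example.com
Tracker.Example.NET.
"""
# Stand-in for domains-blacklist-local-additions.txt from the tutorial
LOCAL_ADDITIONS = "facebook.example\nlocaldomain\n"
# Stand-in for domains-whitelist.txt
WHITELIST = "example.org\n"

HOSTS_PREFIX = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+")
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?$")
HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_domains(text):
    """Extract lowercase domain names from one list; returns a set."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = HOSTS_PREFIX.sub("", line).strip().lower().rstrip(".")
        if name in HOSTS_NOISE or not DOMAIN_RE.match(name):
            continue  # skip hosts-file defaults and anything that is not a plain domain
        found.add(name)
    return found


def covered_by(name, parents):
    """True if name or any of its parent domains is in parents.

    dnscrypt-proxy treats a bare blacklist entry as matching the domain and
    all of its subdomains, so this is the same rule the resolver applies.
    """
    labels = name.split(".")
    return any(".".join(labels[i:]) in parents for i in range(len(labels)))


def collapse_subdomains(domains):
    """Drop entries that a shorter blocked parent already covers."""
    keep = set()
    for name in sorted(domains, key=lambda d: (d.count("."), d)):
        if not covered_by(name, keep):
            keep.add(name)
    return keep


def build_blocklist(sources, whitelist_text):
    """Merge sources, apply the whitelist, and return a sorted domain list."""
    domains = set()
    for text in sources:
        domains |= parse_domains(text)
    whitelist = parse_domains(whitelist_text)
    # a whitelisted parent also rescues everything beneath it
    domains = {d for d in domains if not covered_by(d, whitelist)}
    return sorted(collapse_subdomains(domains))


def render(domains):
    """Format as a dnscrypt-proxy blacklist file: one domain per line."""
    header = "# generated blacklist: each entry also blocks its subdomains\n"
    return header + "".join(d + "\n" for d in domains)


if __name__ == "__main__":
    print(render(build_blocklist([SOURCE_A, SOURCE_B, LOCAL_ADDITIONS], WHITELIST)), end="")
```

Redirecting the output to the dnscrypt-blacklist-domains.txt path used in the tutorial gives a file in the same shape the upstream script produces; the whitelist check runs before the collapse so that a whitelisted subdomain of a blocked parent is still removed, which is the edge case worth testing when you add your own local additions.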

10
18.7 Legacy Series / [SOLVED] openvpn client-to-client tutorial/help needed
« on: December 27, 2018, 07:28:11 am »
I have my ISP giving me carrier grade NAT. This broke my openvpn server running on my opnsense box.


So I changed the OPNsense from server to client and connect to an OpenVPN server with a static IP somewhere else.
I want to have my OPNsense LAN subnet connect as a client to an OpenVPN server that is running, let's say, in a VPS in some data center. I have client-to-client enabled in the server.conf in the VPS. The connection from the VPS to my OPNsense client is already established. I just need help or a suggestion as to why, when another client connects to the OpenVPN server, I can not ping any devices on my LAN.

11
18.1 Legacy Series / [solved] Port Forwarding / troubleshooting with netcat
« on: June 07, 2018, 05:02:49 am »
Hello,
I am trying to figure out where the trouble is in getting port forwarding to work. I have an ISP fiber GPON modem (Chinese, remotely administered) that I assume is in bridge mode; I had asked the ISP to change it to bridge mode, they did this from their network, and the WAN interface on my OPNsense 18.1 now does the PPPoE credentials. I am confused because the public IP address assigned to the WAN as reported by OPNsense is not the same as my IP as reported by the websites I visit.

So my question, if anybody knows: when I type from the OPNsense terminal # "nc -l WAN_IP_as_reported_by_opnsense 5061" it is listening on the WAN interface and I don't need to make rules and change some obscure settings around, right?

I have been using a VPS to SSH into and then use netcat from that to see if the packets arrive to my WAN Interface of OpnSense. So far no luck, I don't know where the failure is at.

Edit: The port forwarding problem is due to Carrier Grade NAT, I think opnsense was listening on the WAN at port 5061 when I asked it to from the terminal.

12
17.7 Legacy Series / openvpn obfuscate
« on: August 09, 2017, 12:17:54 am »
Thanks devs for still including the scramble patch for openvpn. Still works great for client and server after updating to 17.7
 :)

(it's not mentioned much, but I still use it)

To anybody wondering what I'm talking about, it's a simple way to obfuscate OpenVPN traffic; otherwise I read OpenVPN traffic is easier to fingerprint, from my understanding.

13
17.1 Legacy Series / [SOLVED] UPnP
« on: February 18, 2017, 02:43:17 am »
I am missing the UPnP in services. So in System-->Firmware-->Packages I see miniupnpd was already installed, so I tried to install in plugins --> os-upnp.
It installed and I rebooted, but dnscrypt-proxy no longer worked. (I am using multiple dnscrypt) dnscrypt-proxy would not start, and I could not find anything in /var/log as to why (I tried to increase verb); my skills are not that good. UPnP showed up in Services, just like some screenshots I have seen in other posts.

So I removed os-upnp, and after reboot dnscrypt-proxy started automatically and works again, but Universal Plug and Play is missing in Services (GUI). I have a machine with Steam on it, and on several games the multiplayer does not work, so I am guessing I need UPnP and to allow that machine on the network to open ports? Just wondering if anyone else knows what I did wrong.

14
17.1 Legacy Series / [solved] OpenVPN selective routing
« on: February 15, 2017, 09:24:07 am »
I had OpenVPN working previously, but have spent over a day on this without any luck.
I have the Qotom box with 4 Intel LANs. Not sure how I broke this, but I had 1 whole interface that was routed to OpenVPN (Client to Server); OPNsense was the client.

Well the client connects, however all interfaces are getting routed through the vpn. I have played quite a bit with NAT and Firewall rules, but I still may be missing something. I could post some screen shots if someone on here could help me get this sorted. This kinda stopped working around the time I updated to 17.1

15
Development and Code Review / PHP errors [solved]
« on: January 02, 2017, 03:48:57 am »
Was getting PHP errors.
Solved it. It was two extensions of the same: openssl and ldap in /usr/local/etc/php/

Had the new separate extension files (ext-20-ldap.ini & ext-20-openssl.ini) plus the same listed in the file extensions.ini

Solved it by removing ext-20-ldap.ini & ext-20-openssl.ini
No more errors in /tmp/PHP_errors.log

ref. https://forums.freebsd.org/threads/54980/

If anyone else has the same

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved