Topics

1

19.1 Production Series / problem updating

« on: February 03, 2019, 08:55:23 am »

Just reporting I had to revert back to 18.7 from 19.1

Not sure where the problem was. My setup is DNSCrypt on 127.0.0.2:53, unbound listen on #53 and

Code: [Select]

do-not-query-localhost: no

      forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53
system dns setting is just 127.0.0.2

For firewall rules I have NAT Port Forward--> "LAN2    TCP/UDP    *    *    ! LAN2 address    53 (DNS)    127.0.0.2    53 (DNS)    DNS (KEEP AT TOP) " for all 3 interfaces.

Also I have for Virtual IP --> "127.0.0.2/32    Loopback    IP Alias    DNSCrypt "

This worked well on 18.7 , forcing every clients to use dnscrypt.
On 19.1 the GUI was locking up a little and it seems unbound was not getting reply from dnscrypt. dnscrypt log said it was listening where it should and could communicate upstream. All services were running. Maybe someone else has the same issues?

2

Tutorials and FAQs / Domain blocking with DNSCrypt v2 tutorial 18.7 (obsolete)

« on: January 25, 2019, 10:06:40 am »

Edit: This howto is obsolete since the latest plugin has added blocklists to the gui.

I got domain blocking to work with the new DNSCrypt package that has been recently been added to opnsense. Thanks mimugmail  (m.muenz@gmail.com).

I may have done something incorrectly and poorly so please suggest a better way if you know one.

After you get dnscrypt up and running, and checked that it is working proceed to the shell.

(If your missing nano or wget just type "pkg install wget" or "pkg install nano")

Code: [Select]

mkdir /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
cd  /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
chmod a+x generate-domains-blacklist.py

Now is a good time to edit the .conf file.

Code: [Select]

nano domains-blacklist.confRemove the hash symbol on the lists you want and comment out the ones you don't want, I added a few of my own at the end of the file, mostly facebook and microsoft domains.

Also edit domains-blacklist-local-additions.txt.

Code: [Select]

nano domains-blacklist-local-additions.txtI myself did not want to block *.local, *.localdomain or *.workgroup
so comment them out if you want to also.

Now to run the program

Code: [Select]

/usr/local/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt
Try it twice if it fails fetching a adblock list like it did to me.

If you succeed, go up a directory

Code: [Select]

cd ..and make another file that will point to your new blocklist

Code: [Select]

ln -s generate-domains-blacklists/dnscrypt-blacklist-domains.txt dnscrypt-blacklist-domains.txt
Lastly we need to edit the config file for dnscrypt and tell it about out blacklist

Code: [Select]

nano dnscrypt-proxy.toml
add this to the end -->

Code: [Select]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'
Go to the router's GUI  -->Services -->DnsCrypt-Proxy, and restart the service.
If it comes back up it should now be blocking those domains. If it doesn't, comment out the

Code: [Select]

blacklist_file = 'dnscrypt-blacklist-domains.txt in the .toml file and double check everything.

Hope this works for you. :-)

Edit: Important, the changes to the .toml file do not stick after you save from the GUI, so you need to edit

Code: [Select]

nano /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
add the blacklist section so it looks like this:

Code: [Select]

[static]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

{% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
{%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}
{%     if server_list.enabled == '1' %}
  [static.'{{server_list.name}}']
  stamp = 'sdns://{{server_list.stamp}}'
{%     endif %}
{%   endfor %}
{% endif %}
Just below [static] but above the rest at the end.

Edit#2 Here is a tutorial I found to force DNSCrypt on all your clients https://forum.opnsense.org/index.php?topic=9245.0   Just remember to change 127.0.0.1 in the example to 127.0.0.2.

3

18.7 Legacy Series / [SOLVED] openvpn client-to-client tutorial/help needed

« on: December 27, 2018, 07:28:11 am »

I have my ISP giving me carrier grade NAT. This broke my openvpn server running on my opnsense box.


So I changed the OpnSense from server to client and connect to a openvpn server with a static IP somewhere else.
I want to have my OpnSense LAN subnet connect as a client to a OpenVPN server that is running lets say in a VPS in some data center. I have client-to-client enabled in the server.conf in the VPS.  The connection from the VPS to my OpnSense client is already established. I just need help or suggestion as when another client connects to the openvpn server I can not ping any devices on my lan.

4

18.1 Legacy Series / [solved] Port Forwarding / troubleshooting with netcat

« on: June 07, 2018, 05:02:49 am »

 Hello,
I am trying to figure out where the trouble is at to get port forwarding to work. I have a ISP fiber GPON modem (Chinese, remotely administered) ,that I assume is in bridge mode, I had asked the ISP to change it bridge mode, they did this from their network, the WAN interface on my OpnSense 18.1 now does the PPPoE credentials. I am confused because the public IP addressed assigned to the WAN as reported by OpnSense is not the same as my IP as reported by the websites I visit.

So my question if anybody knows, when I type from the opnsense terminal # "nc -l WAN_IP_as_reported_by_opnsense 5061" it is listening on the WAN interface and I don't need to make rules and change some obscure settings around right?

I have been using a VPS to SSH into and then use netcat from that to see if the packets arrive to my WAN Interface of OpnSense. So far no luck, I don't know where the failure is at.

Edit: The port forwarding problem is due to Carrier Grade NAT, I think opnsense was listening on the WAN at port 5061 when I asked it to from the terminal.

5

17.7 Legacy Series / openvpn obfuscate

« on: August 09, 2017, 12:17:54 am »

Thanks devs for still including the scramble patch for openvpn. Still works great for client and server after updating to 17.7
 

(its not mentioned much, but I still use it)

To anybody wondering what I'm talking about, its a simple way to obfuscate openvpn traffic, otherwise I read openvpn traffic is easier to fingerprint from my understanding.

6

17.1 Legacy Series / [SOLVED] UPnP

« on: February 18, 2017, 02:43:17 am »

I am missing the UPnP in services. So in System-->Firmware--> Packages I see miniupnpd was already installed, So I tried to install in plugins --> os-upnp.
It installed and I rebooted, but dnscrypt-proxy no longer worked. (I am using multiple dnscrypt) dnscrypt-proxy would not start, and I could not find anything in the /var/log as to why (I tried to increase verb) - my skills are not that good. UPnP showed up in Services, just like some screen shots I have seen in other posts.

So I removed os-upnp, and after reboot. dnscrypt-proxy started automatically and works again, but Universal Plug and Play is missing in Services (GUI). I have a machine with Steam on it, and on several games the mutiplayer does not work, so I am guessing I need UPnP and allow that machine on the network to open ports? Just wondering if anyone else knows what I did wrong.

7

17.1 Legacy Series / [solved] OpenVPN selective routing

« on: February 15, 2017, 09:24:07 am »

I had OpenVPN working previously, but have spent over a day on this with out any luck.
I have the Qotom box with 4 Intel LANs. Not sure how I broke this, but I had 1 whole interface that was routed to OpenVPN (Client to Server) Opnsense was the client.

Well the client connects, however all interfaces are getting routed through the vpn. I have played quite a bit with NAT and Firewall rules, but I still may be missing something. I could post some screen shots if someone on here could help me get this sorted. This kinda stopped working around the time I updated to 17.1

8

Development and Code Review / PHP errors [solved]

« on: January 02, 2017, 03:48:57 am »

Was getting PHP errors.
Solved it, It was two extensions of the same. openssl and lpad in /usr/local/etc/php/

Had the new separate extension files (ext-20-ldap.ini    & ext-20-openssl.ini) plus the same in the listed in the file extensions.ini

Solved it by removing ext-20-ldap.ini    & ext-20-openssl.ini
No more errors in /tmp/PHP_errors.log

ref. https://forums.freebsd.org/threads/54980/

If anyone else has the same

9

Tutorials and FAQs / DDNS with ddclient if you are Double NAT'd guide

« on: January 02, 2017, 02:25:27 am »

Here is some quick settings if you want ddns, but you are double NAT'd (example you don't have access to the edge device, or its missing dynamic ddns ). The problem is when your double NAT'd is your lan address gets reported ex. 192.168.0.1. You can see the line "use=web" below, thats what is needed to get your public ip. Use ddclient to update DNS-O-MATIC. DNS-O-MATIC is like a middleman who then updates your other dynamic dns services your are subscribed to. I couldn't find what I needed on 16.7 DynDNS GUI, so I went with the following:

1) Make a account at DNS-O-MATIC

2) SSH into your Opnsense box

Code: [Select]

pkg install ddclient
pkg install nano
3)Edit the config file:

Code: [Select]

nano /usr/local/etc/ddclient.conf
Use your email address (not your login name for DNS-O-MATIC) for the conf file below. (important)
Here is my conf:

Code: [Select]

##
## DNS-O-Matic account-configuration
##
ssl=yes
daemon=300
use=web, web=myip.dnsomatic.com
server=updates.dnsomatic.com,      \
protocol=dyndns2,                  \
login=yourEMAILaddress,          \
password=yourPASS        \
all.dnsomatic.com
5) edit rc.conf

Code: [Select]

nano /etc/rc.confadd the line:

Code: [Select]

ddclient_enable="YES"
6) test ddclient with:

Code: [Select]

ddclient -daemon=0 -debug -verbose -noquiet7) Start the client with:

Code: [Select]

service ddclient startYou should be all set.

What took me the longest to figure out was to use my email instead of username. Hope this is helpful.

10

16.7 Legacy Series / Guest Network / Captive Portal + OpenVPN Client

« on: December 22, 2016, 03:27:36 am »

Hello,
Not sure what I am doing wrong. I have 2 things setup, but can't get them to work together.

--First setup is Guest Network with Captive Portal--
I have followed tutorial "Set up a Guest Network"--> https://docs.opnsense.org/manual/how-tos/guestnet.html
Works great for interface named GUESTNET which is a AP. Very nice.

--Second Setup (Captive Portal disabled) Sending GUESTNET traffic through OpenVPN Client (OVPNC1)--
I have the interface GUESTNET (AP) set up to go through the OVPNC1. That works great.

What am I doing wrong because when I enable captive portal- GUESTNET bypasses it. GUESTNET still uses OPVNC1 interface which is good.
If I change IPv4 * GUESTNET net * * * OVPNC1_VPNV4 to the example in the tutorial, Captive Portal works, but traffic is not sent out through VPN client anymore.



Any suggestions please?

11

Tutorials and FAQs / Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: December 06, 2016, 07:13:22 am »

Hi I'm cake, I wanted multiple dnscrypt-proxy instances for reliability. I like dnscrypt because it eliminates your ISP from keeping a log of all your travels. Some of the dnscrypt providers are not 100 percent uptime, some discontinue, etc. This is for redundancy.  I don't take credit for any of the following, just gathering it all together in one spot for Opnsense 16.7.

So in the terminal-

Code: [Select]

pkg install dnscrypt-proxy
pkg install nano
I got this next script from https://forums.freebsd.org/threads/48250/

Code: [Select]

mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy
Paste this in: (credit to arabesc)

Code: [Select]

#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:  ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}  # User to run daemon as
:  ${dnscrypt_proxy_resolver_tmp:=opendns}  # resolver to use
:  ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:  ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done
Make it executable:

Code: [Select]

chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy
Next:

Code: [Select]

nano /etc/rc.conf
Here is mine as a example: (see next post down for a better way)

Code: [Select]

##  Use other method instead of lo0 alias  ##
##  ifconfig lo0 alias 127.0.0.2/32  ##
##  ifconfig lo0 alias 127.0.0.3/32  ##
##  ifconfig lo0 alias 127.0.0.4/32  ##

dnscrypt_proxy_enable="YES"

dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="d0wn-lu-ns1"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"
You can change the resolvers to whatever you want that is listed in:  /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
If you want the latest list:

Code: [Select]

pkg install wget
wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv]

You might be able to leave out the unbound enable line, since it doesn't appear to be need or is running.

In OpnSense GUI, go to Services-->DNS Forwarder
Enable it, set it to port 53. Specify the interface(s) and set it to strict. Also for testing uncheck Query DNS servers sequentially

EDIT:Use geofflowemn's advice instead of my commented out stuff above (ifconfig...)- go to the GUI - Firewall-->Virtual IP's--->Settings and add:

Virtual IP address    Interface    Type    Description
127.0.0.2/32              LocalHost        IP Alias    dnscrypt-proxy
127.0.0.3/32              LocalHost        IP Alias    dnscrypt-proxy
127.0.0.4/32              LocalHost        IP Alias    dnscrypt-proxy 

EDIT: fix typo, (thanks geofflowemn)

Next go to System-->Setting--->General---> Specify the dns servers at 127.0.0.2 127.0.0.3 and 127.0.0.4
I checked "Do not use the DNS Forwarder as a DNS server for the firewall" and unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN". I did not specify any dns servers in the dhcp section of services.

To test/start type: service dnscrypt-proxy start (it should load when system boots from now on)
Couple of good websites to test if its working:
https://www.perfect-privacy.com/dns-leaktest/
https://ipleak.net/

When testing: Make sure you disable your browser dns caching, also if your in linux the command sudo resolvconf -u helps when troubleshooting using dig, nslookup, etc. Hope I didn't forget any other tidbits, and your system reboots using your new dnscrypt-proxy settings without anymore user input.

Hope this gathering of info from several places has helped someone else achieve their goal. There is a nice tutorial on using unbound to cache queries for speed. https://blog.ipredator.se/freebsd-dnscrypt-howto.html

It would be a great feature to add this to the GUI in the future!
Edit: Add IP of LAN interface to: Services-->DHCP-->Server--->select interface-->DNS servers
Edit: Fixed some errors (spelling), added some extra. I noticed I messed up my configuration royally and when loading a older saved configuration dnscrypt-proxy gets wiped out (it didn't save my dnscrypt configuration). Had to start from scratch. Noticed a couple omissions in this post. :-0

12

16.7 Legacy Series / [solved] dnscrypt - a little help

« on: December 01, 2016, 05:23:32 am »

Did from terminal -- pkg install dnscrypt-proxy

It installed fine, I am very grateful to whoever compiled that.
Trying to set it up so 3 instances get started at boot from a script. In the script it will have something like:
dnscrypt-proxy --resolver-name=d0wn-is-ns1 --local-address=127.0.0.2
dnscrypt-proxy --resolver-name=d0wn-is-ns1 --local-address=127.0.0.3
dnscrypt-proxy --resolver-name=d0wn-is-ns1 --local-address=127.0.0.4
...

When I enter manually from terminal I get:

Code: [Select]

root@J1900:/etc # dnscrypt-proxy --resolver-name=d0wn-is-ns1 --local-address=127.0.0.2
[INFO] - [d0wn-is-ns1] does not support DNS Security Extensions
[INFO] + Namecoin domains can be resolved
[INFO] + Provider supposedly doesn't keep logs
[NOTICE] Starting dnscrypt-proxy 1.7.0
[INFO] Generating a new session key pair
[INFO] Done
[ERROR] Unable to bind (UDP) [Can't assign requested address]
This works but is not what I am after:
dnscrypt-proxy --resolver-name=d0wn-is-ns1 --local-address=127.0.0.1

How do I get rid of the bind error?

13

16.7 Legacy Series / opnsense blocking openvpn [SOLVED]

« on: November 27, 2016, 07:29:02 am »

Hello, my setup is very basic. It is also unattended for months at a time. Being back from abroad I noticed something is blocking openvpn clients on the lan to server(s) on Internet. Clients will connect to vpn on Internet according to (linux terminal) sudo openvpn --config *.ovpn,  I don't think its a dns problem, because one of my devices uses dnscrypt, and that also does not work. Looking for a obvious setting before I spend half a day or better blindly trying stuff out.

My config's are correct for openvpn client(s) and server(s), tested it out on different network without opnsense in the middle. I'm sure opnsense is blocking it.

14

16.7 Legacy Series / [SOLVED] authorized_keys keeps getting deleted somehow

« on: September 03, 2016, 12:03:01 pm »

I took a quick search all I found was this https://forum.opnsense.org/index.php?topic=1930.msg5996#msg5996 which doesnt help me.

Anyways, I created a new user on OpnSense, and authorized SSH logins for the user (not admin). I then copied a key over to  ~/.ssh/authorized_keys of the new user. I check that it is added. I checked I can log in (ssh) without the password to the new user on OpnSense.

I tested it out scp to transfer a file automatically as working with out password. Well later on one of my machines can't automatically scp into OpnSense, and I find the key I added earlier to the user account with ssh privileges is missing twice now. (empty file)

I may have rebooted the OpnSense box twice in between testing and sorting stuff out.
Am I missing something or is this operator error and I need to sniff around the logs?

15

16.7 Legacy Series / OpenVpn XOR Scramble patch example

« on: September 02, 2016, 01:23:13 pm »

The highest version I could get to work with Clayface's 2015 patch is OpenVpn 2.3.11 (Currently it is at 2.3.12)
Here is the steps I took to patch it.
First off this is what versions I started with:
  OPNsense 16.7.3-amd64
  FreeBSD 10.3-RELEASE-p7
  OpenSSL 1.0.2h 3 May 2016
  OpenVPN 2.3.12 (soon to be downgraded)

Start a SSH session,

Code: [Select]

#pkg install wget
#pkg install git
#cd ~
#mkdir XOR
#cd XOR
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.xz
#tar -xf openvpn-*
#cp openvpn_xorpatch-master/openvpn_xor.patch ~/XOR/openvpn-2.3.11/
#cd openvpn-2.3.11
#git apply openvpn_xor.patch
#./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
#make
#make installI know those above commands can be combined, but my skills are not the best, I just keep it simple.

I am guessing at this next bit- go into the web GUI-->System--->Firmware--->Packages---> Lock openvpn from being updated. (even though it says a different version, if you check the log it says openvpn 2.3.11)

That is it. I tested it on my VPS. Hopefully the patch gets updated.