Show Posts

Topics - SkeelKat

1
24.7 Production Series / Caddy Plugin - no certificate available for '10.10.19.2'
« on: October 01, 2024, 11:39:17 am »
Hi Everyone,

I recently switched from Nginx Reverse Proxy to Caddy on OPNsense.
Works really smart and everything seems to be working. However, I get this entry in my logs as an error:

"debug","ts":"2024-10-01T09:28:57Z","logger":"http.stdlib","msg":"http: TLS handshake error from 105.232.xxx.xxx:9078: no certificate available for '10.10.19.2'"}

This is in my home lab, so I have the Fiber Router NAT everything to the Firewall and obviously OPNsense then handles the tcp/80 tcp/433 within OPNsense.

So the connection looks like this:

<Public IP 197.188.xxx.xxx/32> to <OPNsense IP 10.10.19.2> to <LAN Network 192.168.200.0/24>

From my understanding, since 10.10.19.2 is not internet routable it cannot get a certificate, but it should not worry about that; it should be looking at the Public IP, but that does not seem to get resolved, or I cannot find any way to static it. I cannot bind it in custom confs since 197.188.xxx.xxx is not on the firewall anywhere?

Any ideas?
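Added example, not from the original post: a small triage script for the Caddy log message above. Caddy's certificate manager (CertMagic) looks up a certificate by the SNI name the client sent and, when the client sent none, by the listener's local IP, so an IP literal such as '10.10.19.2' in this message points to a client that connected to the address directly rather than by hostname, while a hostname points to a site Caddy has no certificate for. The log lines embedded below are constructed, with documentation-range source addresses.

```python
import json
import re
from collections import Counter
from ipaddress import ip_address

# CertMagic reports the name it tried to match: the ClientHello SNI, or the
# listener's local IP when the client sent no SNI. An IP literal therefore
# usually means a direct-to-address connection (scanners, health checks).
HANDSHAKE_RE = re.compile(
    r"TLS handshake error from (?P<src>.+?):(?P<port>\d+): "
    r"no certificate available for '(?P<name>[^']+)'"
)

def parse_caddy_line(line):
    """Return (source_ip, requested_name) for a matching Caddy JSON line, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if entry.get("logger") != "http.stdlib":
        return None
    m = HANDSHAKE_RE.search(entry.get("msg", ""))
    return (m.group("src"), m.group("name")) if m else None

def is_ip_literal(name):
    try:
        ip_address(name.strip("[]"))  # accept bracketed IPv6 as well
        return True
    except ValueError:
        return False

def summarize(lines):
    """Count no-SNI failures per source and hostnames that lack a certificate."""
    no_sni, missing_hosts = Counter(), Counter()
    for parsed in filter(None, map(parse_caddy_line, lines)):
        src, name = parsed
        if is_ip_literal(name):
            no_sni[src] += 1          # client hit the IP directly; expected noise
        else:
            missing_hosts[name] += 1  # a real hostname with no cert: check config
    return no_sni, missing_hosts

# Constructed sample log (same shape as the line quoted in the post).
SAMPLE_LOG = [
    '{"level":"debug","ts":"2024-10-01T09:28:57Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.7:9078: no certificate available for \'10.10.19.2\'"}',
    '{"level":"debug","ts":"2024-10-01T09:29:01Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.7:9101: no certificate available for \'10.10.19.2\'"}',
    '{"level":"debug","ts":"2024-10-01T09:30:12Z","logger":"http.stdlib","msg":"http: TLS handshake error from 198.51.100.9:44021: no certificate available for \'cloud.example.com\'"}',
    '{"level":"info","ts":"2024-10-01T09:30:13Z","logger":"http.log.access","msg":"handled request"}',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```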

2
24.1 Legacy Series / WireGuard Site to Site | Alternative Internet Access
« on: June 13, 2024, 01:29:19 pm »
I have successfully created a Site-to-Site WireGuard VPN between two sites.

Site A
LAN: 172.16.1.0/24
WG: 10.2.2.1/24
Interface Assigned Manually and Allow IPV4* Rule Added


Site B
LAN: 192.168.200.0/24
WG: 10.2.2.2/24

Interface Assigned Manually and Allow IPV4* Rule Added
Added Gateway: 10.2.2.1/24

I can route flawlessly between A & B without any issues, but I have one host on Site B that must use the default WAN gateway of Site A to connect to the Internet (because of the public IP it needs to present outbound).

I created a rule to force the use of the gateway created on Site B to route over to 10.2.2.1 on Site A, but I cannot get Site A to forward that traffic via its WAN gateway. I just get Destination Host Unreachable.

How can I allow the traffic originating from the single host on Site B to pass to the gateway of Site A?

Any help would be appreciated.

3
23.7 Legacy Series / 23.7.7 - Set Priority on LAN Rules
« on: November 06, 2023, 05:16:28 pm »
I have a rule on my LAN interface for a device that changes the priority of all packets to Video and low delay (ACK packets), matching any packet type.

With the latest update any change to priority causes the rule to not pass? Anyone else have this issue?

4
23.1 Legacy Series / Execute Command After Startup
« on: April 14, 2023, 02:37:11 pm »
Hi Guys,

I use a custom curl URL to notify me on my Telegram when my servers have completed startup. I am looking to do the same thing with OPNsense, but cannot figure out how to go about it.

The GUI CRON section has no support for a custom curl command, and adding the entry to /etc/crontab makes no difference.

On Debian and other Linux distros I use the @reboot directive of cron to achieve this.

5
22.7 Legacy Series / SSH Proxy / Jump Host
« on: January 23, 2023, 01:22:40 pm »
Has anyone ever attempted to use OPNsense as an SSH Proxy / Jumphost?

Currently I forward port 22 from my GEO Location to a Linux server on the network and then jump the SSH session from there to other hosts in the network. But if I have active SSH connections via this server and I bounce that server, all other connections are lost.

Would be great if OPNsense itself could be the Jumphost.

6
22.7 Legacy Series / IPFW not listed in service
« on: October 03, 2022, 01:50:28 pm »
I recently installed a new firewall V22.7 and I manipulated the backup files from my old firewall on the new firewall (completely different interfaces, lagg setup etc.)

Everything is working, but I cannot get the ipfw Shaper service to list in the services.
On the console, when running service ipfw status I get "Cannot 'status' ipfw. Set firewall_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'."

I have completely removed the shaper and set it back up from scratch, but the service does not enable, list or start.

Any ideas where I can check now?

7
22.1 Legacy Series / ACME Client - Linode DNS Verification Broken
« on: July 05, 2022, 11:14:30 am »
There seems to be an issue with the latest version of the ACME client using DNS-01 Verification.

Anyone know how to fix this?

<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 98916 - [meta sequenceId="1"] [Tue Jul  5 10:41:20 CAT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 15494 - [meta sequenceId="2"] [Tue Jul  5 10:41:20 CAT 2022] Single domain='*.anything.com.na'
<14>1 2022-07-05T10:41:20+02:00 opnsense.badenhorst.com.na acme.sh 42590 - [meta sequenceId="3"] [Tue Jul  5 10:41:20 CAT 2022] Getting domain auth token for each domain
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 5764 - [meta sequenceId="4"] [Tue Jul  5 10:41:23 CAT 2022] Getting webroot for domain='*.anything.com.na'
<14>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 52261 - [meta sequenceId="5"] [Tue Jul  5 10:41:23 CAT 2022] Adding txt value: 0Yfe1V7sfNU***********************hock71wr_GCqU for domain:  _acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 57425 - [meta sequenceId="6"] [Tue Jul  5 10:41:23 CAT 2022] Error add txt for domain:_acme-challenge.anything.com.na
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 59624 - [meta sequenceId="7"] [Tue Jul  5 10:41:23 CAT 2022] Please add '--debug' or '--log' to check more details.
<11>1 2022-07-05T10:41:23+02:00 opnsense.badenhorst.com.na acme.sh 62170 - [meta sequenceId="8"] [Tue Jul  5 10:41:23 CAT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

8
22.1 Legacy Series / Nginx Reverse Proxy Configuration Not Changing
« on: April 22, 2022, 09:59:03 am »
I recently re-installed my OPNSense using OPNsense 22.1.6-amd64

Everything was working great up until 2 days ago. I am attempting to add another Upstream Server to be used via the reverse proxy. However, no matter what I do, the configuration does not change after clicking Apply. If I change the port of an already configured Upstream Server or simply add a new upstream server, the configuration remains completely unchanged.

After any change to upstreams / upstream servers is made, Services>Nginx>Traffic Statistic still shows the old upstream server and ports.

I have verified this by creating an MD5 hash of /usr/local/etc/nginx/nginx.conf, and absolutely no change happens upon making changes in the GUI.

OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

os-nginx (installed)   1.26

9
21.7 Legacy Series / WireGuard - HTTP/S Traffic Issue
« on: October 27, 2021, 05:34:00 pm »
Dear All,

I have a bit of a weird issue that I cannot figure out for the life of me. I was hoping that by getting more sets of eyes on the problem someone can help me pinpoint where the issue might be.

I have 2x OPNsense Firewalls installed: 1x at the Office and 1x at Home. Both run the same version, OPNsense 21.7.3_3-amd64, and both have the same WireGuard installed (os-wireguard 1.7, wireguard-go 0.0.20210424,1, wireguard-tools 1.0.20210914).

The only difference...

Office I have a router from the ISP configured as PPPoE
Home I have a router with a Static IP address and set up as exposed host (forwarding all public traffic directly to the OPNsense Firewall, i.e. double NAT).

From Home: Notebook PC on LAN > Office-WireGuard Tunnel > Office Debian Server - Everything works, SSH, DB Connections, FTP, SFTP etc. NO HTTP or HTTPS Traffic in any browser. Curl in CMD is also not working. This is true for other locations / servers on different subnets behind the Office OPNsense Firewall, basically affecting all HTTP/S traffic regardless of destination.

From Home: Android Phone on LAN> Office-WireGuard Tunnel > Office Debian Server - Everything works including HTTP or HTTPS

From Public Internet: > Notebook PC via Mobile Data or Public Wi-Fi > Office-WireGuard Tunnel > Office Debian Server - Everything works including HTTP or HTTPS

From Public Internet: Android Phone via Mobile Data or Public Wi-Fi > Office-WireGuard Tunnel > Office Debian Server - Everything works including HTTP or HTTPS

From Office: Notebook PC on LAN > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

From Office: Android Phone on LAN > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

From Public Internet: Notebook PC via Mobile Data or Public Wi-Fi > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

From Public Internet: Android Phone via Mobile Data or Public Wi-Fi > Home-WireGuard Tunnel > Home Debian Server - Everything works including HTTP or HTTPS

I simply cannot understand why this condition, when connecting from my home network using my Notebook via the Office WireGuard Tunnel does not pass any HTTP/S traffic to the local webservers in the Office Network. This is true for devices that work on various webservers (Apache, Nginx and lighttpd) and even some of them on custom ports like 8443, 8080, 8006, 8007 etc. Obviously any traffic that bypasses the VPN Tunnel (split tunneling via "AllowedIPs") works without any issues.

Any help or insight to what the issue might be would be greatly appreciated.

10
20.1 Legacy Series / OPNsense + Nginx Reverse Proxy + Custom 404,403 50x Error Pages
« on: April 29, 2020, 08:26:13 am »
I have OPNsense 20.1.4-amd64 running with os-nginx 1.19 installed and working 100%.
Certain HTTPS servers are restricted by IP ACLs, which also works great.

Is there any way to configure a custom 403 Forbidden page when an HTTP/S request is rejected based on the IP ACL?

11
20.1 Legacy Series / Nginx Reverse Proxy URL Rewrite
« on: February 03, 2020, 01:46:52 pm »
Hi Everyone,

I am struggling slightly getting URL re-writing to work on the NGINX Reverse Proxy Plug-in. Can anyone please help.

I have an Upstream Server
nextcloud_server = x.x.x.x port 80

I have an Upstream
nextcloud_upstream = nextcloud_server

I have a Location
nextcloud_location
URL Pattern = /
Match type = none
URL Rewriting = Nothing
Upstream = nextcloud_upstream
Force HTTPS = 1

I have a HTTP Server
Servername = cloud.xxxxxxxxx.xxx
Location = nextcloud_location
Certificates setup correctly

With this configuration everything is working as it should, with https etc. working. However, I need to do URL rewriting.

https://cloud.xxxxxxxxx.xxx/.well-known/caldav should rewrite to https://cloud.xxxxxxxxx.xxx/remote.php/dav
Can anyone explain step by step how this is achieved in the plugin?

I have tried several combinations of URL matching in location with rewrite url's but nothing seems to work.

My logic implies that I should duplicate the nextcloud_location to something like this:

nextcloud_location_caldav
URL Pattern = /.well-known/caldav/
Match type = Case Insensitive Match ("~*")
URL Rewriting = {New URL Rewriting} <<<< I think this is my issue. I have no idea what to do in this section
Upstream = nextcloud_upstream
Force HTTPS = 1

Then simply add nextcloud_location_caldav to the HTTP Server...

Any help would be appreciated.


12
19.7 Legacy Series / Transmission Daemon JSON/RPC and Nginx Reverse Proxy
« on: December 06, 2019, 01:12:40 pm »
Hi Everyone.

I installed the Nginx reverse proxy on my Opnsense and basically have everything sorted. All sites redirect to upstream servers correctly using Let's Encrypt SSL certificates etc.

However I run Transmission torrent server on the one upstream server. The web access works 100% but the RPC/JSON commands used by 3rd party clients to control Transmission refuse to pass the Nginx Proxy...

Any idea on where to start looking for the issue?

13
19.1 Legacy Series / OpenVPN Client Export Not Working
« on: February 05, 2019, 08:51:12 am »
The OpenVPN client export is no longer working properly.
The ovpn file is formatted incorrectly and is not read properly by the Windows OpenVPN version.

Several issues with the ovpn file: the protocol is UDP instead of lower case udp, for example.

Can anyone confirm this?

14
18.7 Legacy Series / OPNsense 18.7.r_162-amd64 to 18.7 Upgrade Failing
« on: August 14, 2018, 12:34:18 pm »
Hi There,

I am trying to update my OPNsense from 18.7.r_162-amd64 to 18.7
When I check for updates it tells me "This software release has reached its designated end of life. The next major release is: 18.7", I unlock the upgrade and select upgrade now.

OPNsense downloads the latest images, restarts and then remains on OPNsense 18.7.r_162-amd64 with the update option still available.

When running the update from the CLI, I get an error that "flowd could not be stopped", etc.

Any idea how to force the upgrade manually? Or is OPNsense 18.7.r_162-amd64 the latest version and the upgrade tool is simply reporting it wrong?

15
18.1 Legacy Series / HAProxy with Secure Password Authentication
« on: July 26, 2018, 11:28:39 am »
Dear Forum Members

Has anyone had any success with using HAProxy with SPA?

I have managed to set up HAProxy to my Mail Server (which can use SPA); however, Secure Password Authentication is not passed by HAProxy to the Mail Server.

Normal authentication works 100%
