Show Posts

Topics - crt333

1
23.7 Legacy Series / Unbound outgoing network interface
« on: August 02, 2023, 02:43:29 pm »
My config has 1 WAN and 3 WG tunnels (WG1, WG2, WG3) each with interfaces and gateways configured.

I have VLANs going out to each of these gateways.

I'd really like unbound to send recursive queries out on WG1 rather than WAN, but it doesn't seem to honor anything that I set in "Outgoing network interfaces", everything always goes to WAN.

I asked about this earlier and it was suggested gateway priorities might fix this, but I thought that would confuse the WG tunnel routing, which needs to go out WAN. I am now using static routes to my WG endpoints over WAN, and then changing the WG1 gateway to upstream with low priority, and this seems to work, with all local router traffic (unbound, ntp, etc.) going out WG1.

Is there a better way to achieve this?

2
23.1 Legacy Series / two problems with multiple WG tunnels on 23.1.11
« on: July 29, 2023, 05:27:09 pm »
My setup uses the latest OPNsense 23.1.11:
I have the usual WAN, LAN, and 4 WireGuard tunnels (WG1...WG4), all configured as gateways.
I have VLANs that I connect to WireGuard tunnels for different destinations (VLAN_WAN, VLAN_WG1, etc.) using different wireless SSIDs.

This all works as desired, but I have 2 problems:

1) WG gateways don't reconnect on temporary loss of WAN. When the WAN comes back, all the WireGuard handshakes are restored, showing the WG connection exists, but all WG gateways are marked down forever.

2) For some of the WG tunnels I'd like to do DNS resolution in the tunnel, rather than using unbound. I've configured the DNS address in WireGuard, which didn't work. I can tell the VLAN DHCPv4 to use a specific public service and that does go through each tunnel properly, but I'd like to use the private resolution specified by the WireGuard provider and I can't figure out how.

Any suggestions for either problem would be appreciated!

3
21.7 Legacy Series / unbound: outgoing network interfaces
« on: November 01, 2021, 06:43:42 pm »
I'm running 21.7.4 on a Qotom box; it's been running great for years. Besides WAN I have two WG tunnels set up, and I always had unbound configured to use these WG tunnels instead of WAN for DoT lookups. That worked until this upgrade; if WAN isn't selected, unbound doesn't work. I'd prefer my DNS lookups to go out over the WG rather than through my ISP, any suggestions?

If I could get AdGuard to query over WG I wouldn't need unbound, but this has been my solution until now, with AdGuard asking unbound on 5353.

4
21.7 Legacy Series / [Solved] 2fa TOTP problems
« on: August 04, 2021, 04:00:00 pm »
I would appreciate any suggestions for the following problem:

I have been using login with TOTP for years, but a strange new problem in the last 3 days:

- can't login to web interface, get a password failure (with TOTP)
- open a shell using ssh and existing certificate, reset admin password and turn off TOTP
- login without TOTP, restore working configuration (reboots)
- can once again log in using old TOTP setup

The next morning it is dead again, and I have to repeat all the above (3 mornings in a row).

Everything seems to run fine, just can't login to web interface.

Running on a Qotom box:
   OPNsense 21.7-amd64
   FreeBSD 12.1-RELEASE-p19-HBSD
   OpenSSL 1.1.1k 25 Mar 2021

5
21.7 Legacy Series / adguard home lookups through WG tunnel?
« on: August 02, 2021, 02:03:07 am »
Is it possible to configure adguard home lookups to go through WG tunnel instead of WAN?

Background:

In my setup I have two LANs and two WG tunnels, and everything from WAN0 goes through WG0 and everything from WAN1 goes through WG1.

I have port forwarding set up for all DNS requests on any LAN to any other DNS server to be forwarded to the router.

Before using AdGuard I could configure the system DNS to go through a WG port, or I could configure unbound to go to a WG port, but now AdGuard lookups are going out over WAN. Is there a simple way to change this?

6
20.1 Legacy Series / VPN/unbound dns leak
« on: June 25, 2020, 05:04:17 pm »
As I understand it, when running unbound (recursive, not forwarding) and doing DNS leak testing, the address of the WAN connection is reported.

I route all devices through my VPN tunnel, so reporting the WAN (ISP) address when doing DNS leak tests is undesirable (pretty much the definition of a DNS leak).

Is there a way to fix this or is not using unbound the only solution?

7
20.1 Legacy Series / lots of problems with 20.1.4 upgrade today
« on: April 12, 2020, 09:31:24 pm »
It looked like it went fine, but afterward:

The following aren't running:
   DHCPv4 Server
   Secure Shell Daemon
   Remote Syslog

I can't check for updates, it gives the error "No address record found for the selected mirror."

System::Firmware::Packages lists only base and kernel (is that normal)?

System::Firmware::Plugins is empty (is that normal)?

I don't see anything in the logs.

2 VPN tunnels are connected as normal, but without DHCP running it's pretty hard to talk to the router.

8
18.7 Legacy Series / multiple OpenVPN clients
« on: November 28, 2018, 02:14:57 pm »
I learned something from reading bits and pieces in the forum that fixed my problem, and since I thought it wasn't that uncommon a situation I'd summarize in case it is useful to someone else. Perhaps this is documented somewhere, if so I missed it...

I make several VPN connections to different geographic locations, which I think others do as well (most VPN vendors allow this). Then I route different devices to different locations. This was generally working, but often it would suddenly stop and I'd have to restart the VPN connections. I was connecting all of them using UDP and port 995, and my VPN vendor has a single certificate for all locations. What would happen was that all VPN connections would get a virtual address of the form 10.X.0.Y, where X was constant, and the different connections would get different Y's. Every now and then different connections would get the same Y, which is when things would stop working.

What I learned is that depending on the protocol (UDP/TCP) and port number that is configured, the value of X changes, so conflicts in random Y values can be avoided. For example, TCP/443 (X=8), UDP/1912 (X=35), UDP/1195 (X=33), UDP/995 (X=24), etc. I also read that different certificates might affect X, but as I only have one certificate I don't know if that is true.

So, for anyone who makes multiple VPN client connections to different geographic locations (using the same vendor account) make sure they use different protocols and/or ports, and everything will work fine. Actually, this would probably also work for multiple connections to the same location to get redundancy/speed.
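An added check (not from the post above or from OPNsense) that turns the poster's observation into something you can run against client logs: it pulls the pushed virtual address out of each OpenVPN client's PUSH_REPLY line, flags any address handed to more than one client, and shows the X octet per client so you can see which tunnels share a pool. The log lines are constructed samples and the `ovpncN:` prefix is an assumption about how the lines are tagged.

```python
import re
from collections import defaultdict

# Constructed sample lines, one OpenVPN client per line. The addresses follow
# the post's observation: UDP/995 clients land in 10.24.0.Y, TCP/443 in 10.8.0.Y.
# ovpnc1 and ovpnc2 were both given 10.24.0.6, the collision the post describes.
SAMPLE_LOG = """\
ovpnc1: PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.24.0.6 10.24.0.5'
ovpnc2: PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.24.0.6 10.24.0.5'
ovpnc3: PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.8.0.6 10.8.0.5'
"""

# Assumed tag format: "<client>: ... PUSH_REPLY,... ifconfig <local addr> <remote addr>"
PUSH_RE = re.compile(
    r"^(?P<client>\w+):.*PUSH_REPLY,.*?ifconfig (?P<addr>\d+\.\d+\.\d+\.\d+)"
)


def parse_virtual_addrs(log_text):
    """Map each client tag to the virtual (local) address its server pushed."""
    addrs = {}
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            addrs[m.group("client")] = m.group("addr")
    return addrs


def find_collisions(addrs):
    """Return {addr: [clients]} for every address pushed to more than one client."""
    by_addr = defaultdict(list)
    for client, addr in addrs.items():
        by_addr[addr].append(client)
    return {a: c for a, c in by_addr.items() if len(c) > 1}


def second_octets(addrs):
    """The X in 10.X.0.Y per client; clients with distinct X cannot collide on Y."""
    return {c: int(a.split(".")[1]) for c, a in addrs.items()}


if __name__ == "__main__":
    found = parse_virtual_addrs(SAMPLE_LOG)
    print("pushed addresses:", found)
    print("collisions:", find_collisions(found))
    print("X per client:", second_octets(found))
```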

9
18.1 Legacy Series / 18.1.12 suricata crash
« on: July 16, 2018, 12:28:51 am »
After the latest update suricata is crashing. The dashboard shows that the memory use grows up to about double what it used in 18.1.11 and then it dies. The log shows:

Jul 15 16:23:42   kernel: pid 532 (suricata), uid 0: exited on signal 6 (core dumped)
Jul 15 16:20:19   kernel: -> pid: 300 ppid: 97610 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Jul 15 16:20:19   kernel: [HBSD SEGVGUARD] [/usr/local/bin/suricata (300)] Suspension expired.

Hardware is a Qotom Q355G4, using OpenSSL.

After restarting it, the memory slowly increases and then it crashes again.

10
18.1 Legacy Series / OpenVPN with unbound dns leak
« on: March 30, 2018, 05:11:20 pm »
I configured a Qotom Q355G4 so that each of the LAN ports is a separate OpenVPN client tunnel to a different location, and all devices VPN from each LAN port. There is no routing between LAN ports, and I seem to have kill switches working, so if any VPN goes down traffic does not go to WAN or some other VPN.

I configured freedns.zone nameservers, and when unbound is NOT running, running dnsleaktest.com properly shows everything going to freedns.zone, as expected.

Whenever I enable unbound and then run dnsleaktest.com it shows my underlying ISP nameservers (which appear nowhere in my configuration). I've tried adding the unbound access list for the virtual VPN addresses with /24, I've tried blocking all DNS requests going outside of the LAN, I've tried a lot of things, but it always leaks.

As many say this works "out of the box" I'm wondering what I've done wrong.

I am running 18.1.5 with LibreSSL.

11
17.7 Legacy Series / Problems with multiple openvpn tunnels
« on: December 07, 2017, 02:27:35 pm »
I thought this would be easy, but I'm having problems that I don't understand. I have a Qotom Q355G4 with 4 ethernet ports. My goal is to have one port for WAN, and each of the 3 remaining ports dedicated to an OpenVPN connection (different locations of a popular VPN service). I have the 3 LAN ports working, and I have 3 OpenVPN clients that work individually, but they don't all run at the same time (errors appear in the route add command).

I'd also like to make each of the vpn connections act like a kill switch, so if the tunnel goes down no traffic passes.

I've read articles on various aspects of this, but can't seem to put it all together.

Advice would be appreciated...

I'm using version 17.7.8.

Thanks

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved