Show posts
Topics - jds

#1
Error opnsense /xmlrpc.php: Unable to retrieve authenticator for PW/4...

I don't (yet) have anything set up for high availability.
#2
Am running the latest firmware on OPNsense on bare metal, but this problem might have existed earlier, unnoticed. I am updating my tailscale installation with
root@OPNsense:/home # opnsense-code src
fatal: .git/index: index file smaller than expected


This typically indicates a corrupt index file which can be removed and rebuilt.  However, the index does not exist in the usual place:

root@OPNsense:/home # git status
fatal: not a git repository (or any of the parent directories): .git

though I am not sufficiently familiar with FreeBSD to know.  The OPNsense documentation (https://docs.opnsense.org/manual/software_included.html#the-ports-tree) does suggest that this should be the usual place.

Am hoping that anyone more knowledgeable than I knows how to find the index and fix this. Thanks.
#3
Because it believes that it is a parked domain. However, the solution is fairly easy.
Go to Zenarmor -> Policies -> Default -> Exclusion.  Whitelist the domain services.generalmagic.com
Just in case anyone else runs into this problem.
#4
My OPNsense box has started crashing (seemingly) randomly every couple of days. It is difficult to debug without logs from the time of the crash.  When it crashes there is no responsiveness from pings or ssh or webUI, so I have to reboot.  However, after I reboot, all the logs I can find (e.g., /var/log/system) are from times after the reboot.

How can I get info from the crash to debug?  Any help appreciated.
#5
I am running 21.7.3_3-amd64 on a Protectli box. I don't think I have anything too strange in my setup. But for some time, the netdata web ui has been unavailable, and I finally tried today to see what might be going wrong. I uninstalled the os-netdata plugin and reinstalled it. Made sure that it was enabled, and checked that the daemon is running according to the OPNsense dashboard. But still not available. I checked the General System logfiles, but did not find anything. I use the IP address of the box to make sure that there is not a DNS issue. Double-checked the correct port and checked CLI:

root@OPNsense:~ # sockstat | grep 19999
netdata  netdata    92292 5  tcp4   192.168.yy.yy:19999    *:*


But trying to load the UI just times out. Tried different browsers.

I would appreciate any pointers for where else to investigate. If there is anything else in the forum, I haven't been able to find it.
#6
I read problems in the forum involving dual WAN setups, but mine is not dual and pretty simple. The 'block private network' switch on WAN is not checked. Yet, I cannot ping the gateway from inside the LAN.  I must be missing something stupid, so any suggestions are likely to be useful, and certainly appreciated.
#7
20.7 Legacy Series / MQTT broker mosquitto possible?
November 13, 2020, 05:25:07 PM
Mosquitto was available for installing a few versions ago, but was ended, apparently, because of problems with LibreSSL.  In a previous version @poupin claimed that it could be installed directly from the FreeBSD repos, and claimed that it worked (https://forum.opnsense.org/index.php?topic=14388.0).

Is this advisable, or is it likely to break sometimes? 
#8
I was trying again to set up maltrail. The GUI says that both the sensor and the server are running fine.  In fact, /var/log/maltrail/2020-06-15.log logs very recent suspicious activity.  There is nothing in the general or backend system logs that looks problematic.
Apparently, it takes some time for the server to show up, but after waiting several hours, I still cannot reach the server.  The sensor is on the default 8337 port, and the server on the default 8338 port.  The URL to listen on is the opnsense static LAN IP. Any attempt to reach that IP:8338 just times out.

Here is the config file (which still shows the default login credentials):

# [Server]
HTTP_ADDRESS 192.168.1.50
HTTP_PORT 8338
USE_SSL false


DISABLE_LOCAL_LOG_STORAGE false

SENSOR_NAME $HOSTNAME
CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
PROCESS_COUNT $CPU_CORES
DISABLE_CPU_AFFINITY false
USE_FEED_UPDATES true
DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
UPDATE_PERIOD 86400
USE_SERVER_UPDATE_TRAILS false
USE_HEURISTICS true
CHECK_MISSING_HOST false
CHECK_HOST_DOMAINS false
SHOW_DEBUG false
LOG_DIR /var/log/maltrail
MONITOR_INTERFACE em0,ovpnc2,em3
CAPTURE_BUFFER 10%
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
USERS
    admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:2000:0.0.0.0/0                        # changeme!


Can anyone suggest where else to dig?
#9
UPDATE:  In case anyone else has this issue.  I uninstalled ZT, rebooted, deleted the old data and went through the process of enabling, and connecting to the ZT virtual network.  That did it.  Don't know why the update broke it.

Had zerotier running nicely on OPNsense, without any issues.  However, once I updated to 20.1.7 it stopped working.  The daemon was apparently running, the network was enabled, and OPNsense had connection to the intertubes.  Eventually I found that the ZeroTier interface was assigned to em0 instead of ztxxxxxxx.  In fact, there was no zt interface even available.  I restarted the daemon, rebooted the router, uninstalled and reinstalled the zerotier plugin.  However, the interface just won't return.

On the zerotier web portal, I have set the OPNsense router "Do Not Auto-Assign IPs" checked, and in OPNsense ZeroTier interface, I have Static IPv4 for the configuration type.  Below that I have set the IPv4 address.

Did the update break something?
#10
20.1 Legacy Series / High CPU from maltrail
May 10, 2020, 05:57:06 PM
Is anybody else seeing this?  I had to disable and uninstall it, or there was a huge performance hit. 
I was seeing something between 40 and 80% CPU usage from it in System->Diagnostics->Activity.
Then my download rate was only about 55Mbps, whereas if I disabled maltrail and rebooted, it went
back up to about 320Mbps.

I did find this forum message for OPNsense 19.7: https://forum.opnsense.org/index.php?topic=14021.msg64454#msg64454

It is likely that my installation was not correct, since I didn't really know what I was doing.  The sensor and the server are on the same machine, so most of the settings seemed to be the default ones.
#11
Am I the only one with this problem?  It seems straightforward enough.  Using the instructions from here:
https://docs.opnsense.org/manual/install.html#download-and-verification.  Have tried two different mirrors, two times each.
The latest one that I used is https://mirror.wdc1.us.leaseweb.net/opnsense/releases/20.1/.  I downloaded the four files to my harddrive:

OPNsense-20.1-OpenSSL-checksums-amd64.sha256 
OPNsense-20.1-OpenSSL-vga-amd64.img.bz2 
OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-20.1.pub

Then ran
openssl base64 -d -in OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig  -out image.sig
openssl dgst -sha256 -verify OPNsense-20.1.pub -signature image.sig OPNsense-20.1-OpenSSL-vga-amd64.img.bz2.sig

But receive:
Verification Failure

The public key file is the same on both mirrors.

I assume that I am just missing something stupid, and that the files have not been hacked.   ;D
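The verification step from the linked install docs, as an added example that is not part of the original post: it assumes the release .sig file is a base64-encoded raw SHA-256 signature over the image file, and it constructs a throwaway key pair and fake image so it runs offline. The function takes the public key, the .sig file and the image, and returns 0 only when the signature checks out over the image bytes.

```shell
# Added example (not code from the forum post): verify a release image against
# its detached signature as the linked OPNsense install docs describe.
# Assumption: the .sig file is a base64-encoded raw SHA-256/RSA signature over
# the IMAGE file, so the image itself, not the .sig, is the data being verified.

# verify_image PUBKEY SIGFILE IMAGE -> 0 if the signature verifies, 1 otherwise
verify_image() {
    pub=$1; sig=$2; img=$3
    raw=$(mktemp) || return 1
    # Step 1: undo the base64 wrapping to recover the raw signature bytes.
    if ! openssl base64 -d -in "$sig" -out "$raw" 2>/dev/null; then
        rm -f "$raw"; return 1
    fi
    # Step 2: check the signature over the image bytes with the release key.
    if openssl dgst -sha256 -verify "$pub" -signature "$raw" "$img" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$raw"
    return $rc
}

# demo_setup: constructed stand-in for a release so the example runs offline.
# Makes a throwaway key pair, a fake image and a base64 .sig, and prints the
# directory holding release.pub, image.img.bz2 and image.img.bz2.sig.
demo_setup() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/release.key" 2048 2>/dev/null
    openssl rsa -in "$d/release.key" -pubout -out "$d/release.pub" 2>/dev/null
    printf 'constructed image bytes, not a real OPNsense release\n' >"$d/image.img.bz2"
    openssl dgst -sha256 -sign "$d/release.key" -out "$d/raw.sig" "$d/image.img.bz2"
    openssl base64 -in "$d/raw.sig" -out "$d/image.img.bz2.sig"
    printf '%s\n' "$d"
}

# run_demo: returns 0 only if the genuine image verifies AND verifying the
# .sig file against itself (data argument pointing at the wrong file) fails.
run_demo() {
    d=$(demo_setup) || return 1
    pub="$d/release.pub"; sig="$d/image.img.bz2.sig"; img="$d/image.img.bz2"
    ok=1
    if verify_image "$pub" "$sig" "$img"; then
        echo "image as data: Verified OK"
    else
        echo "image as data: Verification Failure"; ok=0
    fi
    if verify_image "$pub" "$sig" "$sig"; then
        echo ".sig as data:  Verified OK (unexpected)"; ok=0
    else
        echo ".sig as data:  Verification Failure (expected)"
    fi
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}
```

Run `run_demo` after sourcing the file; it also shows that the same key and .sig produce Verification Failure as soon as a single byte of the image is changed.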
#12
I implemented intrusion detection a couple of weeks ago using the free rules from abuse.ch, from OPNsense and the open ones available from ETpro, if you let them gather some anonymized data from your machine. OPNsense scrubs your personally identifying information from the data that they receive, apparently. This seems a total win-win to me. My machine benefits from the protection against emerging threats, and contributes back to help identify growing ones. It was straightforward to set up from the tutorial, and gives you lots of information, once running. I recommend it. The only ambiguous part is how many rules to implement. They can become resource heavy, if you use too many.

Of course, there could be a few improvements here. First, you do not get information about attacks from outside your network on your WAN until you add your WAN IP address to the home network. Once this number is changed by your ISP, it needs to be updated by hand again. Is that really necessary? Could that not be automated?

Is there a more rational way to choose the rules? It seems that part of the decision should be based on what is most useful to ET to know. Or really, that would be mutually beneficial.

The log files fill with lots of information. But you either scroll through and read, or download and process yourself. Graphs that are integrated with OPNsense seem ideal. It would be useful to have pie graphs that show which ports are being most attacked, or which geolocations are the most frequent, or if there are a few IP addresses that are persistent, or which categories of attacks are common. This would also help in deciding which rules to use.

Finally, there are logs of harmless events like

suricata[3877]: [100255] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.vba-jpg-dl' is checked but not set. Checked in 2814992 and 0 other sigs

which would be nice to remove.

Yeah, I know, it is always easy to request these endless streams of new features, but thought that the feedback might be useful anyway. Thanks for this great feature!
#13
I recently replaced my DOCSIS 3.0 cable modem with a DOCSIS 3.1 (Arris) modem, and the performance actually got worse.  I wanted to look at the GUI for the modem and search for errors.  The only way to do this was by plugging an ethernet cable from my laptop into the second port on the modem, and then I could reach the modem at 192.168.100.1.  However, it would be better if I could just reach the cable modem from my LAN.  I found a couple of posts on this for pfsense:

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html
https://superuser.com/questions/1243134/how-do-i-reach-the-modem-settings-page-from-inside-firewall

but nothing on the forum, or online for OPNsense.

There are just a few steps, but I get hung up on the earliest one, assuming that something analogous would work for OPNsense. Namely, how to "create a new OPT interface, and assign it to the physical network card that is on WAN"?  If I go to Interface -> Assignments, I could add a new interface, but it has to be attached to a NIC different from the WAN.  I can do that, and go edit to try to assign it to the same NIC, but OPNsense complains. I am guessing that it needs a bridge?  But I am lost.

Can anyone point me in the right direction? Thanks.
#14
18.7 Legacy Series / WAN to LAN fast, inside LAN slow
December 30, 2018, 02:53:42 AM
It is hard to be sure that this is really an OPNsense issue, but was hoping someone here could help.
My setup is cable modem to mini PC running 18.7.9 OPNsense.  Plugged into this firewall is a gigabit TP-Link switch, which further connects to a linux box as a server (ethernet), a ubiquiti AC LR AP, a powerline adapter, and an Obihai VOIP box.  OPNsense has almost everything running out through openvpn.

When I run speedtest-cli on the server, I get a respectable ~120mbps.  When I run anything connected
WiFi (via the AP, android tablet, phone, laptop), I get at least 70mbps from outside. However, when I run
iperf3 in server mode on the server, and check the speed to my laptop, I get only ~10mbps. 
I have rebooted everything (OPNsense, laptop, server, AP) but repeatedly get only ~10mbps.
It has persisted for several days.  The reverse is true with running iperf3 as server on the laptop and checking
speed to the server.

Is it possible that OPNsense is somehow limiting the bandwidth for purely LAN connections?
Is it the switch?  The AP?  What other tests could I run to try and pinpoint the source of the problem?
Any help is appreciated.
#15
This very well might be some Google problem, but getting help from them is impossible, so am hoping someone here has fixed this before, or has some clues.

I set up cache proxy, then transparent http proxy both according to the opnsense howtos, and everything was working. I then set up SSL inspection, again according to the howto. I set up to bump certain sites, including the Google, googleapis and similar domains. I imported the certificate to my browser, and to the apps and vpn on my android tablet and phone. Everything worked fine, except the Google play store. It claimed that there was no internet connection. I double checked, triple checked everything. No joy. Rebooted everything, but no change. I gave up and restored my opnsense configuration to before even the cache proxy. No good. Rebooted the firewall. The router, the phone. Still no good. Removed the certificate, rebooted. No connection to Google. Even did a factory reset on the tablet after backing up everything to the micro sd. Seemed to work for a little while, but then started sending the same error again. The whole time, everything else on the interwebs was reachable.

It is the strange timelags that get me. Sometimes a setting takes time to propagate, including on this issue. Rebooting isn't sufficient. But most urgently, how do I fix this? I haven't found any clues in any logs, but I may not be looking in the right place.

UPDATE: Well, I solved the play store problem, but have not yet reimplemented the transparent proxy.  The key was finding out that it was NOT a firewall block, so OPNsense was not the issue, but rather a DNS filter.  One of the lists on pihole added the android.clients.google.com domain which blocked access. This happened at the same time that I set up transparent blocking, so that confused me.  Now I can reach the play store.  During this adventure, I discovered that (1) it is nearly impossible to reach anyone at Google, and (2) if that person you eventually reach does not have the information, they cannot ask someone else, or put you in contact with anyone else. This person could tell me what port the app uses, but could not find out the URL. I will try later to set up the transparent blocking again, but it will probably be necessary to add this domain to the bump list, too.  I found the list from here: https://community.arubanetworks.com/t5/Security/2017-Google-Play-Store-URL-whitelist/td-p/284663

Two asides:  I occasionally find (usually small) errors in the manuals or how-to lists.  Is there a place to send those corrections, so that I can help keep them up to date?
Second aside, the web proxy mentions the yoyo ad blocking list, and references the squidblacklist, but says that it is only pay. However, they do provide a free list to block malicious domains.  This would seem to be a great minimum web filter to suggest in the how-to:
https://blog.squidblacklist.org/?p=1658
#16
18.7 Legacy Series / Bug involving missing libdl.so.1
October 30, 2018, 02:49:34 PM
OPNsense is reporting this bug.  According to this site:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232360

This arises because the version of FreeBSD used by OPNsense (v11.1) is no longer supported.
#17
General Discussion / My dream home setup
August 25, 2018, 07:41:45 PM
I am very new to networking, but decided to jump in anyway.  I bought a minipc with an intel i3 cpu, a 208GB SSD hard drive, 8GB memory, and more NICs than I need. It is now set up close to my ideal, but that will change, of course, since OPNsense keeps getting better, and my hardware is overkill.

My ideal:

1) Route all traffic through my OpenVPN client.  I could use two setups, but PIA is fast enough for all my needs.  If I were doing gaming, maybe have a subnet to avoid the VPN.

2) Have an OpenVPN server, so I can log in from anywhere using my phone, laptop, or tablet and access my whole home network.  This means I can look at my security cams, get anything from my media server, or access home automation.

3) BLOCK ADS!  I use two different piholes on two different raspberry pi zero w cards.  The two cards are so cheap ($5 each) and use so little power, that I have a backup when necessary.  I suppose that I could use aliases or something on opnsense to achieve almost the same thing, but pihole is just beautiful.   Maybe some day I will run pihole as a container on my firewall/router box, or maybe someone will make a plugin to do that.  That would be phenomenal.

4) What I have not yet got to work: when I VPN in to my home network, say on my phone, I would like all my traffic to go out through the router.  Then I would have VPN for all my traffic and ad blocking!  Did I mention how much I like ad blocking?

As you can see, my aspirations are modest.   What is your dream setup?
#18
I have discovered a very strange problem---at least it seems strange to me, because there is no obvious relation.
Following the tutorial on setting up SSL VPN Road Warrior causes many outbound connections from my LAN
to timeout---especially from apple appliances.  This is repeatable, and I pinpointed exactly where the problem
occurs: when adding the SSL Server.

Now the details.  I followed the tutorial as exactly as possible found here for setting up the openVPN server:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
It worked beautifully, and I could reach my LAN from outside.  But, this setup started causing immediate problems
with many, but not all outbound connections.  I restored the configuration back to the beginning of this setup,
and connectivity to the outside from the LAN was again restored.

I again tried setting up the SSL VPN Road Warrior again, following the instructions exactly.  Connectivity from outside
worked again, but there were again problems with LAN reaching outside on many connections.  I restored the
setting once again, and then checked LAN connectivity to outside at every single step of the tutorial. In fact,
I even rebooted my firewall after each step to be sure.  Doing this, I discovered that connectivity issues happened
after adding the SSL server.   Connectivity was also a problem after rebooting.  If I disabled the SSL server,
connectivity was restored.  The tutorial does not mention what to select for "Peer Certificate Authority", but it seemed
obvious that this should be "SSL VPN CA".  Otherwise, there was not much else to decide on.

I have set up OPNsense in a pretty standard way. After default bits, there were three modifications:

1) Backup for configurations on the cloud were added (which is extremely handy for debugging!).
2) An openVPN client was added.
3) I changed my DNS to use a pi-hole.

These things should not be related to the problem, but who knows? These took some work to set up, but
now work beautifully.

Any help is appreciated, because I really need access to this LAN from the outside.