Topics - yeraycito

#1
25.1, 25.4 Production Series / Dnsmasq log errors
June 27, 2025, 04:14:50 PM
Opnsense 25.1.9_2
#2
I've mentioned this before, but I keep seeing that it remains unresolved. I must say I don't know how the plugin update system works in OPNsense or who is responsible for this work. As of today, the dnscrypt plugin in OPNsense works with version 2.1.5, but I'm seeing version discrepancies across different sources.

In the OPNsense plugin repository, it has version 1.15, integrating dnscrypt-proxy 2.1.

https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr

In the FreeBSD repositories, dnscrypt has version 2.1.5_13 updated on June 6, 2025.

https://www.freshports.org/dns/dnscrypt-proxy2/

And on the official Dnscrypt website on GitHub, they're already at version 2.1.12, which is what OPNsense should have.

https://github.com/DNSCrypt/dnscrypt-proxy/releases/tag/2.1.12

The funny thing is that on dnscrypt's GitHub, the program is available for FreeBSD, so it would be appreciated if it could be updated either on FreeBSD or directly on Opnsense.
#4
Upgrading to 25.1.4 also installs a dnscrypt update; however, you are still on version 2.1.5, while the latest version is 2.1.7, released last January. As I commented recently in another post, I am interested in this latest version because it supports the ODOH protocol for DNS. Without it I have to modify the dnscrypt configuration file by hand, and that does work. The problem is that, by making the modification through SSH and not through the dnscrypt interface in Opnsense, the changes do not survive a reboot. An update of dnscrypt to version 2.1.7 would be appreciated.

#5
DNScrypt supports Cloudflare's DNS under the ODOH protocol, and a Relay is required to configure them. DNSCrypt Servers and DNS-over-HTTPS Servers can be configured in the DNScrypt interface, but ODOH Servers cannot.
Following this tutorial https://forums.serverbuilds.net/t/guide-adguard-home-unbound-dnscrypt-under-opnsense-part-2/13271 the Cloudflare ODOH DNS servers with their respective Relays work correctly. The problem is that when Opnsense restarts all modifications are lost, and the dnscrypt-proxy.toml file has to be modified again via SSH.

#6
24.7, 24.10 Legacy Series / Hbsdfw
December 23, 2024, 05:33:39 PM
I know this is not the right place to discuss this topic, but I can't locate the developer. I have installed the latest ISO of hbsdfw, and it doesn't come with any plugins to install. I have tried changing repositories, although I may have done it wrong, and I can't manage it. My question is whether it is possible to install the Opnsense plugins in that version.
#7
Zenarmor (Sensei) / Unsatisfactory TLS inspection.
November 05, 2024, 05:37:30 PM
I am testing the SSE version of Zenarmor and I am having problems accessing various websites of different types with TLS inspection enabled. There are times when it works fine, but suddenly it stops loading the page and you cannot access it; to access that particular website you have to wait a few minutes, trying again, and then it is allowed. Meanwhile you cannot access any other website, because the same thing happens. When the above is solved, everything works normally for a while, but it soon happens again. When a site cannot be accessed the browser gives a DNS error, but I doubt very much that this is the problem.

#8
Zenarmor (Sensei) / zenoverlay vpn interface
October 27, 2024, 12:59:40 PM
Reviewing my interfaces in Opnsense I found a new one, which may have been around for a while but which I hadn't seen until now, called zenoverlay vpn. I think it is related to Zenarmor and its monitoring of the Wireguard interface. I have searched for information about it and have not found anything, so I don't know whether it is necessary to activate it or not, or what it is for.
#9
Zenarmor (Sensei) / 1.18 Wireguard is disconnected
October 24, 2024, 09:06:09 PM
With the new update Zenarmor prevents the Wireguard connection. Disabling the WG interface in Zenarmor solves the problem; if you re-enable Wireguard it connects, but after a few minutes it disconnects again. All this can be seen in the Opnsense widget:
#10
24.7, 24.10 Legacy Series / 24.7.6 worrying comment.
October 09, 2024, 05:21:42 PM
Valuable feedback and code changes have come from this process that will also find their way into other related projects in the near future.

Let's hope that this is not a new 'Pfsense case' and that the free version of Opnsense will be maintained under the current conditions.
#11
24.7, 24.10 Legacy Series / 24.7.1 perfect
August 08, 2024, 04:07:36 PM
A long awaited update from my side, many thanks to franco for his work.

Clean install 24.7

Update to 24.7.1 perfect

Some components of the update took a long time to update but everything is fine.
#13
Intel Takes Open-Source Hyperscan Development To Proprietary Licensed Software:

https://www.phoronix.com/news/Intel-Hyperscan-Now-Proprietary
#16
Mini-pc Opnsense 8 GB ram
Suricata deactivated

With version 1.16 I had 55% of ram memory used and with the new version 1.16.1 I am now using 80 - 85% of ram memory used.
#17
So far I had Suricata working correctly on Wan, but I have changed internet provider and now use PPPoE. I have created the corresponding PPPoE VLAN assigned to Wan, and I have configured the Wan interface with PPPoE with user and password. In interface assignments I have assigned the PPPoE VLAN created earlier to Wan. With this configuration I have access to the internet without any problems. The problem is that Suricata on Wan does not work, even if I put in the Wan IP that I have assigned, something that worked perfectly before. By "it does not work" I mean that it blocks absolutely nothing; it is as if it did not recognise the interface. So that it recognizes it, in interface assignments I have to put Wan on igb xxxxxx and create a new virtual interface for PPPoE.

#18
23.7 Legacy Series / Native/Emulated Mode Netmap
September 06, 2023, 02:08:34 PM
Mini-Pc Opnsense 23.7.3

-Wireguard
-Suricata ( Wan )
-Zenarmor ( Routed mode L3 native Netmap ) Lan + LAGG

Interfaces ( Igb ):

-Wan
-Lan
-Wg
-LAGG

Access to Opnsense via SSH: sysctl -a |grep netmap

Native Netmap does not work.
#19
Zenarmor started as Sensei, and at the beginning it required a huge amount of resources to work. Later those requirements were lowered, but it still did not work well, giving problems of all kinds, and today it still does despite the time elapsed. A good example of this is the new update 1.4 which, despite having had its testing time, is a real disaster, including the subsequent patches, which is incredible. Suricata is a good example of user-friendly integration, with its Telemetry rules that provide an extra benefit to Opnsense; however, Zenarmor in its free version is still a bad and cheap ad blocker with very limited settings and features, provided it works well, which it never does. It doesn't even bother to work on the Wireguard interface. Without going any further, Adguard or even Pfblocker do it much better and without needing so many resources for their operation. Does it make sense today to keep Zenarmor as a plugin? Clearly not. It would be much better for Opnsense users if Franco integrated Adguard, as has been done with Wireguard-kmod, and Zenarmor were abandoned. If something works and benefits users it should be promoted, but if something like Zenarmor not only does not provide any value but is a real disaster, it is better to abandon it and replace it with something better.
#20
23.7 Legacy Series / Suricata 7
August 01, 2023, 02:05:00 AM
After formatting my mini-pc with the Opnsense 23.7 Release Candidate today I upgraded to the stable version. Once upgraded I decided to try Suricata 7 and I had the same problems as mentioned here:

https://forum.opnsense.org/index.php?topic=34997.0

To solve these problems I have added the command mentioned in this post to Suricata's custom.yaml file, and indeed these problems are solved. Suricata 7 brings a lot of changes, and among them are the support for http2 and quic, but they don't appear in the suricata.yaml file, unlike the suricata.yaml file on GitHub. I don't know if I did it right, but to activate this support I added the following settings to the custom.yaml file:

stream.midstream-policy: ignore

http2:
  enabled: yes

quic:
  enabled: yes

This way Suricata 7 works great; in fact it has much better performance compared to Suricata 6.x.x.
The problem comes when I restart Opnsense: the custom.yaml file appears blank, without the modifications added, and I have to put them back by accessing Opnsense via SSH. That is, the custom.yaml file does not survive Opnsense restarts.

The custom.yaml file is located in the path usr/local/etc/suricata

I don't know if there is another custom.yaml file elsewhere that survives Opnsense restarts.