Topics - gogolathome

#1
When I run the automation commands in the shell I get some more output.
I tried to install certificates on Proxmox and Synology, and on both occasions I get the error of missing deploy hooks. I replaced my domain with example.com and zeroed the certificate numbers to protect my privacy.

root@opnsense:~ # /usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/00000.00000/cert.pem' --keypath '/var/etc/acme-client/keys/00000.00000/private.key' --capath '/var/etc/acme-client/certs/00000.00000/chain.pem' --fullchainpath '/var/etc/acme-client/certs/00000.00000/fullchain.pem' --domain 'example.com' --deploy-hook synology_dsm
[Thu Aug 31 19:12:40 CEST 2023] Selected server: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 31 19:12:40 CEST 2023] Lets find script dir.
[Thu Aug 31 19:12:40 CEST 2023] _SCRIPT_='/usr/local/sbin/acme.sh'
[Thu Aug 31 19:12:41 CEST 2023] _script='/usr/local/sbin/acme.sh'
[Thu Aug 31 19:12:41 CEST 2023] _script_home='/usr/local/sbin'
[Thu Aug 31 19:12:41 CEST 2023] Using config home:/var/etc/acme-client/home
https://github.com/acmesh-official/acme.sh
v3.0.6
[Thu Aug 31 19:12:41 CEST 2023] Using server: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 31 19:12:41 CEST 2023] Running cmd: deploy
[Thu Aug 31 19:12:41 CEST 2023] Using config home:/var/etc/acme-client/home
[Thu Aug 31 19:12:41 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Aug 31 19:12:41 CEST 2023] DOMAIN_PATH='/var/etc/acme-client/home/example.com'
[Thu Aug 31 19:12:41 CEST 2023] The deploy hook synology_dsm is not found.


Could there be something missing in the acme client plugin installation or is it an error on the letsencrypt servers?
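The "deploy hook ... is not found" line above comes from acme.sh failing to locate a script named after the hook. The following check is an added example, not code from the post or from acme.sh itself; it assumes (as I read the acme.sh source) that a --deploy-hook is resolved to deploy/<hook>.sh under acme.sh's own script directory and then under the --home config directory, and it uses the two directories shown in the debug output as sample arguments.

```shell
# Added example (not from the post or from acme.sh). Assumption: acme.sh looks
# for deploy/<hook>.sh in its script directory and then in its --home directory.
# find_deploy_hook prints the first matching script and returns 0, else 1.
find_deploy_hook() {
  hook=$1
  shift
  for dir in "$@"; do
    if [ -f "$dir/deploy/$hook.sh" ]; then
      printf '%s\n' "$dir/deploy/$hook.sh"
      return 0
    fi
  done
  return 1
}

# List the hook names that are actually installed in the candidate directories,
# so a typo in the hook name or a missing plugin file becomes obvious.
list_deploy_hooks() {
  for dir in "$@"; do
    for f in "$dir"/deploy/*.sh; do
      [ -f "$f" ] || continue   # skip the literal glob when nothing matches
      b=${f##*/}
      printf '%s\n' "${b%.sh}"
    done
  done | sort -u
}

# Human-readable wrapper: where the hook was found, or what is installed instead.
check_deploy_hook() {
  hook=$1
  shift
  if path=$(find_deploy_hook "$hook" "$@"); then
    echo "deploy hook '$hook' found: $path"
    return 0
  fi
  echo "deploy hook '$hook' not found under: $*" >&2
  echo "installed hooks: $(list_deploy_hooks "$@" | tr '\n' ' ')" >&2
  return 1
}

# Directories taken from the post's debug output (_script_home and --home);
# adjust them to your own installation.
# check_deploy_hook synology_dsm /usr/local/sbin /var/etc/acme-client/home
```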
#2
If the delegated prefix changes then you have to change the static WireGuard addresses when you want IPv6 through the tunnel.
The approach from the OPNsense guide is to give a ULA address to peer and client, but then the test at https://test-ipv6.com/ says that my browsers prefer an IPv4 connection.
Then I thought about giving random GUA addresses outside my delegated prefix to peer and client and making use of the outbound NAT.
This works well and the above test says 10/10 for IPv6.
Are there any gurus that say that this is bad practice and that there will be problems that I overlooked?
#3
I have router A connected to my dual stacked bridged cable modem.
Router B is connected to Hyper-V and is behind router A. Connected to router B is a virtual Ubuntu Linux host.

Internet -- Router A -- Router B -- Linux host

I configured everything to my best knowledge and every machine is dual stacked with IPv4 and IPv6. I get a /56 prefix from my ISP and delegated a /62 to router B. This is just a test setup.

Now here comes the problem, there is no IPv6 connection possible:

Ping6 to 2a00:1450:400e:80e::200e from the Linux host behind router B gives no reply. I see packets leaving on the router B WAN interface and coming in on the Router A LAN interface. But they don't leave Router A WAN!

Ping6 to 2a00:1450:400e:80e::200e from Router B leaves the WAN interface of Router A and gets a reply, but they don't leave the LAN interface of Router A to the WAN interface of Router B. End result is no reply.

It seems that packets get lost on Router A and I am racking my brain over why.
The routing table on Router A seems OK, but I have read an old topic about some problems with downstream routers: https://forum.opnsense.org/index.php?topic=7719.0
#4
I am trying to use dnscrypt-proxy as standalone with cloaking rules.
When I disable unbound and enter listen addresses of my interfaces and standard listen port 53 in dnscrypt-proxy I get this message: "[FATAL] listen udp :53: bind: permission denied"

Because it is a privileged port dnscrypt-proxy has a problem binding to it as it is not running with root privileges. How can I solve this without opening access for <1024 ports for non-root users?