Topics - whatever

#1
Hello,

After the 25.7.8 update, I can no longer connect to WiFi. I'm using freeradius and all my devices now state "Unable to connect to [WiFi Network]" when I attempt to connect. Was connected just before the update. Logs don't show any errors. All I get is:

Auth: (11) Login OK: [USERNAME/<via Auth-Type = Accept>] (from client WLAN port 0 cli MAC ADDRESS)

over and over again, but my client never connects or gets an IP address.

Anyone else encounter this?

Cheers
#2
Hello,

I'm having a strange (I think) issue with DNSmasq. If I set it up to use the servers listed in System/Settings/General, everything works perfectly: I can go out to the internet and resolve local hostnames (as defined by the host overrides).

However, if I create a custom .conf file in /usr/local/etc/dnsmasq.conf.d/ with:

no-resolv
server=<dns server ip>

(using the same server that I would put in System/Settings/General), I can still go out to the internet but I lose local hostname resolution despite host overrides being defined.

Is this expected behavior?

Running 25.1.7_4.

Thanks
#3
Hello,

I have a working road warrior WireGuard setup on my OPNsense box. It works well. However, if I do a sustained download when connected to the VPN (that saturates the connection), like a speed test, I can see packet loss on the WireGuard interface, in Interfaces > Diagnostics > Netstat. It's not major, usually 2000 to 3000 packets dropped out of roughly 900000 to 1000000 packets. So we're talking 0.22% or 0.33%. If I don't run a speed test, I get no packet loss at all.

I also have a road warrior IPsec setup on the same box and running a speed test while connected to IPsec does not incur any packet loss.

Is there something about WireGuard that makes it more prone to packet loss than other VPN protocols? I'm pretty sure this isn't an MTU/MSS issue - they've both been lowered to accommodate WireGuard, and were it that, I'd expect to see packet loss all the time, not just during sustained downloads/speed tests.

I'm trying to figure out if there's an issue with my WireGuard setup or if this is normal.

Any insights are welcome.

Thanks
#4
24.7, 24.10 Legacy Series / IPSec issues since 24.7.4_1
September 21, 2024, 05:05:52 AM
UPDATE: Saved and restored a config (i.e. the exact same settings the box was running prior to restoring) and now it works... Dunno what to say... Maybe something silently went wrong with the update and restoring the config fixed it? I guess there are some things Man is just not meant to know...

Hello,

I'm having issues with IPSec and macOS since the update to 24.7.4_1. Prior to the update, everything was working fine. Now, I can no longer connect from macOS. macOS is running the same version as before the 24.7.4_1 update.

I use a configuration profile (.mobileconfig) to set up my IKEv2 connection on macOS. And I'm aware there's a bug in macOS Sonoma, where it ignores the values you set in the profile for proposals and rekey time. Regardless of what you configure in the profile, macOS will send the following proposals to the server:

2024-09-20T22:40:56-04:00   Informational   charon   11[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

So I made sure the server supported at least one of those:

11[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256

Prior to 24.7.4_1, the profile and connection worked just fine. Since 24.7.4_1, I can no longer connect. I've attached a picture of the logs. Happy to provide more logs if needed.

I also have a pfSense box that runs the same services and has IPSec setup with the same values and it connects just fine. But I don't want to go back to pfSense - I'm an OPNsense guy now :-)

Anybody else running into issues like this? Anyone have any ideas? Was IPSec changed in 24.7.4_1?

Any help would be appreciated. Thanks.
#5
Hello,

Has anyone managed to configure an IPsec tunnel using eap-tls in the new "Connections" tab? There is no tutorial for this setup in the docs, only a legacy example using the old UI. I've tried adapting the tutorial for eap-mschapv2 that exists for the Connections tab to use eap-tls but it fails to connect, always.

I'm wondering if it's supported at this time.

Thanks.
#6
Hello,

I hate to add to the ddclient woes, but... While it used to work with NameCheap, it does not anymore. ddclient is set up correctly and runs. But it always fetches the VPN IP address even though the selected interface is WAN. This happens using Interface as the method.

Anyone else experience this? Any workarounds? NameCheap isn't available when selecting the OPNsense backend and using 'custom' doesn't work because you can't select NameCheap as a protocol...

Cheers
#7
23.1 Legacy Series / Uber Slow OpenVPN
April 04, 2023, 06:25:29 AM
Hi,

I recently transitioned from pfSense to OPNsense and everything works extremely well - except for OpenVPN. While it does work, it's extremely slow.

I have WireGuard and IPsec (IKEv2) tunnels running on the same box and both WG and IPsec are blazing fast. I understand that OpenVPN is single-threaded and generally slower than the other two protocols. But I believe I should be getting roughly 300 - 400 Mbps with this box. I'm barely getting 80Mbps. With WG and IPsec, I'm getting close to 900Mbps.

My OpenVPN server has pretty much a "vanilla" configuration. Essentially the same settings in pfSense get me 400Mbps, so I'm inclined to believe I should be getting roughly the same speed with OPNsense.

I've attached a screenshot of my server config. If anyone has any ideas as to what might be bogging OpenVPN down, I'd appreciate it. If any more info is needed, I'm happy to provide it.

I'm running OPNsense 23.1.5_4 on an Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz (4 cores, 4 threads).

Cheers.
#8
Hi there,

I'm trying to set up a cron job that will run every minute. In the minutes field, I've tried */1, *, and listing out all the minutes in a comma-separated list. It simply will not run every minute. Instead, it runs at 6-minute intervals, like clockwork.

Any idea what I'm doing wrong?

Thanks
#9
23.1 Legacy Series / Unbound regex blocking
March 18, 2023, 09:00:38 AM
I don't think it can be done as it stands right now. Anyone know if it's on the radar?
#10
Hi,

I'm setting up an OPNsense box and for the most part, it's going very well. I'm trying to set up Unbound Query Forwarding for just two interfaces on the box and it's not working. As soon as I enable Unbound, DNS resolution stops working (for the clients that are meant to use it). If I set the exact same DNS server in DHCP, everything just works.

Also, with Unbound enabled, the firewall is able to resolve domains from those interfaces but the clients on those interfaces cannot. I've checked my firewall rules and it's not that - an allow-any-to-any rule gets the same result. It's also not a DNSSEC issue - same result with or without DNSSEC.

Any ideas where I should look to find the issue?
#11
Hello,

I'm transitioning over from pfSense to OPNsense and I've been "cloning" the pfSense box settings on OPNsense. Everything is working great except IPSec. I can't for the life of me get it working. I've checked the settings well over 100 times and they're correct. On pfSense it works perfectly. On OPNsense, when I try to connect a client it instantly disconnects. The strange thing is that I see no error messages at all in the IPSec logs - the client hits the server and the logs are full of "success" statements - no errors. And so I have no idea where to look to fix the issue. I've torn down the tunnel and started over more times than I can count. I also reinstalled OPNsense from scratch and reconfigured IPSec - same exact result. It was working prior to the update to 23.1_2. I'm now on 23.1_3 but that update didn't help.

Off the top of anyone's head do you have any ideas where I should look?

Here are screenshots of my config and logs:

[I removed the screenshots because they're pointless now - the settings are fine - see below]

Thanks