Messages

1

21.1 Production Series / Lokinet (onion router) TOR alternative - Feature request

« on: May 11, 2021, 12:53:22 pm »

Hi OPNsense team,

Not sure if this is the right place for feature requests. I recently come across Lokinet (onion routing) platform which is somewhat similar to TOR but it's more decentralised and optimised and seems more secure. Although there is no release currently available for FreeBSD it can be built from source see https://github.com/oxen-io/loki-network. Unlike Tor, Lokinet can tunnel all IP traffic over their low latency onion network. Is there anyway we can develop a plugin for Lokinet?

Note: Session IM app (alternative to Whatsapp/Signal/Telegram) uses Lokinet.

Thank you,
Regards,
Bobby Thomas

2

21.1 Production Series / Re: Wireguard not working after upgrade from 21.1.2 to 21.1.4

« on: April 01, 2021, 07:18:08 pm »

This seems to be reoccurring, I am unable to connect to WG from outside (WAN) if try to establish a new session (mostly after some hours after establishing a WG vpn sesison). But after connecting from inside (LAN) I am able to establish a WG session from outside. This is kind of weird. As this is reoccurring I changed the status of this post.

Any idea what could be causing the issue?

Thank you,
Regards,
Bobby Thomas

3

21.1 Production Series / Wireguard not working after upgrade from 21.1.2 to 21.1.4

« on: March 31, 2021, 11:56:33 pm »

Ok, this is kind of weird, I tried connecting from inside network and it connected fine, then I tried connecting from WAN again and this time it connected fine. Not sure what's going one with WG.

Going to mark this as Solved.

4

21.1 Production Series / Wireguard not working after upgrade from 21.1.2 to 21.1.4

« on: March 31, 2021, 11:36:13 pm »

Hi All,

I have upgraded my Opnsense instance to 21.1.4 from 21.1.2 and since then Wireguard is not working, I think the service is not running or some other issue. I see WG handshake timing out on the client side, but there is no traffic seen on the firewall end. I tried capturing packets on the WAN side on port udp 51820 (default port) but it's not even showing any hits. I can see other traffic from same IP and IPSec vpn is also working fine. Was there any changes in 1.5? Do I need to reconfigure WG from scratch after this upgrade?

Thanks in advance.

Regards,
Bobby Thomas

5

21.1 Production Series / How to move SWAP to a different drive?

« on: February 24, 2021, 09:46:36 pm »

Hi there,

This may not be much related to OPNsense but I would like to get some guidance in moving SWAP to a new partition/disk. Currently I am running OPNsense VM on Proxmox with SSD, I would just like to move the SWAP partition to another HDD, is it possible?

Thanks in Advance,

Regards,
Bobby Thomas

6

20.7 Legacy Series / Re: Having issues getting public IP on WAN interface

« on: January 02, 2021, 07:04:20 pm »

No, it's not related to routing or NAT, as soon as I change the modem from bridge mode to routed mode I get the private IP from the modem. As for the "Block private networks", it's already unchecked. My ISP doesn't provide IPv6 addresses yet, so it's not related to IPv6.

 I think this is something related to DHCP client service or some configuration on the ISP side which restricts IP allocation to certain MAC addresses (like some virtual mac addresses which has unknown OUI).

7

20.7 Legacy Series / Having issues getting public IP on WAN interface

« on: December 24, 2020, 04:05:06 pm »

Hi Team,

Hope everyone enjoying the holidays.

Well it seems like my holidays are going from bad to worse. Coming to the point I have an OPNsense firewall setup in a VM in Proxmox and it has been working great, couple of weeks back my ISP replaced my Docsis 3 ethernet cable modem with a wifi one, since then I was facing issues. I have disabled the wifi on the new Wifi Docsis modem and configured Bridge mode (as I need public IP terminating on my OPNsense firewall). I got public ip on the modem for some time then it started causing issues, I started getting IP address from 192.168.5.0/24 range even though I have disabled DHCP service on the wifi modem. What ever I do, I only receive an IP address from the range 192.168.5.0/24 on my OPNsense firewall, while if I connect a PC to the modem I am hetting a public IP issued by ISP DHCP server. I am scratching my head to understand why it's happening like this.

I also tried a different approach by assigning the MAC address of the PC to the OPNsense WAN interface and then it gets the public IP but it cannot communicate with anything in WAN (cannot ping gateway or it seems no traffic passing through). Any idea how I can get this issue fixed? I think there is some issue with OPNsense DHCP client service.

Thanks in advance,
Regards,
Bobby Thomas

8

20.7 Legacy Series / Re: Letsencrypt certificate export or HA proxy config? Need opinion

« on: October 29, 2020, 11:13:59 pm »

Why don’t you just use split-dns for this? OPNsense is handling letsencrypt on public ip. Then you define an override in unbound for the same hostname as you used for the letsencrypt cert with the internal IP of the OPNsense.

I thought of doing this but I will have to import the cert from firewall and update than on the server every 3  months. So I thought I will go with HA Proxy.

Regards,
Bobby Thomas

9

20.7 Legacy Series / Re: Letsencrypt certificate export or HA proxy config? Need opinion

« on: October 29, 2020, 11:12:41 pm »

I don't use unbound for homeassistant but for other haproxy services that depend also on LE and I don't have problems. Inside and vpn are redirected to the local address (the new virt-ip of the haproxy-frontend) but LE is working and looking for the official dns-servers.

Edit:
the condition and rule is simple:
cond: host starts (match or end will most likely be also possible) with: fqdn / or something like it
rule: it cond -> execute function use backend ...
rule selected/applied on the frontend then.

Best regards,
Bernd

I got it working for LAN, I will go through the VPN part in sometime, Thank you for your valuable suggestion.

Regards,
Bobby Thomas

10

20.7 Legacy Series / Re: Letsencrypt certificate export or HA proxy config? Need opinion

« on: October 29, 2020, 12:12:42 pm »

Thank you for the suggestion Bernd, I will give it a try with HA Proxy, the only concern I am having is with name resolution from inside and how to configure rules in HA Proxy according to that.

Regards,
Bobby Thomas

11

20.7 Legacy Series / Letsencrypt certificate export or HA proxy config? Need opinion

« on: October 29, 2020, 09:34:59 am »

Hi OPNSensers,

I am a bit confused here, trying to think of a method to implement a solution. Here are some details about the issue I am currently facing. I have an Openhab server for automation in the inside and I have access to it over http/https only from inside. There are some android apps which require https and public ca signed certificate for api access (as from Android 10 they have those restrictions). I have Letsencrypt service running for CA cert which signs my ddns domain. I previously had pi-hole where I have created a static DNS A record for my ddns domain pointing to Openhab and then I imported the Letsencrypt certificate to openhab from OPNSense, after this android app worked well. Now I have moved away from pi-hole as I am now using Unbound and Bind for dns filtering. Also it's very hectic to manually import the certificate to the openhab every three months, so I want to know if I can use HA proxy for this purpose. I only need to access this server from inside and vpn networks and not from outside but I need it to use the Letsencrypt cert for ssl.

It maybe a little confusing to you to follow, but let me know if you require any additional details.

Thanks in advance
Regards,
Bobby Thomas

12

20.7 Legacy Series / Re: Wireguard not working after upgrade.

« on: August 03, 2020, 02:01:43 pm »

I checked all available good documentations and also the official ones:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/

I have no idea why you set your local networks in local instance.

This is nowhere documented.

Maybe this would was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1

Ok, I may have overlooked this during while configuring the local instance. I think I added my LAN as well as Zerotier to Wireguard config thinking it's similar to ipsec config. Anyways I removed it now and everything looks good. I will keep this in mind when configuring WG in future.

Thank you Michael. Appreciate your assistance.

Regards,
Bobby Thomas

13

20.7 Legacy Series / Re: Wireguard not working after upgrade.

« on: August 03, 2020, 01:31:47 pm »

WHERE did you set this 192.168.1.0/24? in local instance or endpoint?

Local instance (on the firewall).

14

20.7 Legacy Series / Re: Wireguard not working after upgrade.

« on: August 03, 2020, 01:19:19 pm »

route -q -n add -inet 192.168.1.0/24 -interface wg0

The line above indicates that this should be a network on the other side of the VPN tunnel.
If one of your local interfaces has this network, wireguard will break. In 20.1 it seems FreeBSD just ignored this.

Got it, After removing LAN and restarting the service Wireguard service came back online. Is this how it should be configured?

Thanks and regards,
Bobby Thomas

15

20.7 Legacy Series / Re: Wireguard not working after upgrade.

« on: August 03, 2020, 01:01:40 pm »

But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

I removed it, still the service is down.

root@firewall:~ # service wireguard restart
wg-quick: `wg0' is not a WireGuard interface

• wireguard-go wg0

INFO: (wg0) 2020/08/03 16:29:35 Starting wireguard-go version 0.0.20200320

• wg setconf wg0 /tmp/tmp.HQjWBJgx/sh-np.rUTYLg
• ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• route -q -n add -inet 10.1.1.3/32 -interface wg0
• route -q -n add -inet 10.1.1.2/32 -interface wg0
• route -q -n add -inet 10.1.1.1/32 -interface wg0
• route -q -n add -inet 192.168.1.0/24 -interface wg0
• rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

Do I need to remove LAN (192.168.1.0/24).

Thank you,
Regards,
Bobby Thomas