OPNsense

Messages - MrB

Pages: [1] 2 3
1
22.7 Legacy Series / Re: Port forwarding to VPN enabled linux device
« on: January 07, 2023, 10:56:48 am »
Quote from: saaiborg on January 06, 2023, 10:29:40 pm
I want port 140 to be accessible on that linux device from the Internet

Which external ip-address are you trying to access, your normal WAN ip or the Surfshark one? The latter won't work since the port forward needs to be done at Surfshark, which they don't support (https://surfshark.com/blog/vpn-port-forwarding#vpn-clients-and-vpn-port-forwarding).

If you get a public ip-address from your ISP, then it should be as simple as creating a port forward rule on your WAN interface for port 140 pointing to the client's internal ip. But if your ISP does Carrier-grade NAT (CGN or CGNAT), then this will not work.

2
General Discussion / Re: get webpage content from the command line
« on: September 14, 2022, 10:51:07 pm »
Reading it from the backup file should be pretty easy if the data is stored there. Below is an example of how to read the expiration date for the self-signed web cert from the backup xml-file. This uses xmllint to parse the xml-file, decodes the <crt> node and passes the result to openssl x509 to display the data.

Code:
xmllint --xpath '/opnsense/cert/crt/text()' config-file.xml | base64 -d | openssl x509 -noout -subject -enddate
Don't have any VPN certificates stored on my own setup, so adjust the xpath for the correct node, and of course the name of the input file. 

3
General Discussion / Re: Manage kids devices.
« on: September 12, 2022, 09:26:33 pm »
The way I've done it is
  • assign static leases for the devices in DHCP
  • put the ( now known ) ip-addresses in an alias
  • use the alias in rules to block/allow access

4
Tutorials and FAQs / Re: Can't seem to improve NAT type on Nintendo Switch
« on: May 08, 2022, 08:02:51 am »
It depends on the next number, from Wikipedia:
100.64.0.0/10 (100.64.0.0–100.127.255.255): Private network. Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.

And if that is the case, then you're out of luck as far as ipv4 connectivity is concerned. You should check with your ISP if this is the case, and also ask if they offer ipv6, because if all your devices are configured for it, then that might work.

As a last resort one could try a VPN service that allows port-forwarding.

5
Tutorials and FAQs / Re: Can't seem to improve NAT type on Nintendo Switch
« on: May 06, 2022, 12:41:46 am »
Maybe asking some obvious questions, but:
  • Has the fiber modem/router been set to bridge mode?
  • Does WAN on OPNsense receive a public ip-address and nothing in the 10.x.x.x / 172.16.x.x / 192.168.x.x ranges?
  • The Nokia beacon is connected to OPNsense?
And no, you don't need a static ip-address from your ISP.
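The check these two replies (and the CGNAT remark in the first post) walk through by hand, as an added Python example that is not from any of the forum posts: classify the address OPNsense obtained on WAN and decide whether an inbound port forward on it can work at all. The function name, the category strings and the sample addresses are my own.

```python
import ipaddress

# Ranges that matter for the "can I port-forward?" question (table constructed here):
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared address space (carrier-grade NAT)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927, usually means no DHCP lease at all

NOTES = {
    "public": "public IPv4: a WAN port forward to the internal host should work",
    "rfc1918-private": "upstream modem/router is still doing NAT: set it to bridge mode or forward there as well",
    "cgnat-shared": "ISP carrier-grade NAT: inbound IPv4 forwards cannot work, ask the ISP for a public IP or IPv6",
    "link-local": "no lease on WAN: fix connectivity before worrying about port forwards",
    "other-special": "loopback/multicast/reserved address: not a usable WAN address",
    "ipv6-global": "global IPv6: no NAT needed, an allow rule on WAN for the host's address is enough",
    "ipv6-non-global": "non-global IPv6 (link-local/ULA): not reachable from the Internet",
}


def classify_wan(addr: str) -> dict:
    """Return the category of a WAN address and whether an inbound forward can work."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        kind = "ipv6-global" if ip.is_global else "ipv6-non-global"
    elif any(ip in net for net in RFC1918):
        kind = "rfc1918-private"
    elif ip in CGNAT:          # checked explicitly: ipaddress does not flag 100.64/10 as private
        kind = "cgnat-shared"
    elif ip in LINK_LOCAL:
        kind = "link-local"
    elif ip.is_global:
        kind = "public"
    else:
        kind = "other-special"
    return {
        "address": str(ip),
        "kind": kind,
        "port_forward_possible": kind in ("public", "ipv6-global"),
        "note": NOTES[kind],
    }


if __name__ == "__main__":
    # Constructed sample WAN addresses, one per situation discussed in the thread.
    for sample in ("100.64.3.4", "192.168.100.2", "8.8.8.8", "169.254.10.1", "2606:4700::1111"):
        verdict = classify_wan(sample)
        print(f"{verdict['address']:>18}  {verdict['kind']:<16} {verdict['note']}")
```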

6
22.1 Legacy Series / Re: os-ddclient
« on: February 28, 2022, 07:45:43 pm »
In the meantime you can use the Custom option, just set the server address to: freedns.afraid.org
Set the protocol to DynDns2, or leave it empty. The latter will work, although it registers as a warning in the log:
Code:
file /usr/local/etc/ddclient.conf, line 17: Invalid Value for keyword 'protocol' = ''

7
Virtual private networks / Re: Is there a way to programmatically change Wireguard settings?
« on: March 28, 2021, 03:47:43 pm »
There is an API for the Wireguard plugin: https://docs.opnsense.org/development/api/plugins/wireguard.html

Haven't played around with it much though, so not much help as far as usage goes. Got so far playing around with Postman that I could get a list of endpoints with http://192.168.1.1/api/wireguard/client/get
But adding a new one or trying to set something always resulted in "failed".

8
General Discussion / Re: NordLynx (WireGuard NordVPN implementation)
« on: February 08, 2021, 07:13:41 pm »
Perhaps I was a bit unclear, I'm not suggesting you should try and install anything / run the commands listed on OPNsense, but rather on any available Linux distribution (if none is at hand, use a VM, live disc, etc.) to obtain the configuration, which can then be used in OPNsense.

9
General Discussion / Re: NordLynx (WireGuard NordVPN implementation)
« on: February 07, 2021, 11:02:23 pm »
It's stated in the blog that
Quote
We will soon provide tutorials on how to set it up on any third-party WireGuard client.

So ideally you could just ask NordVPN for the config, but from what I've read they haven't been that forthcoming regarding this issue.

I did however find a forum post with instructions on how to use the NordVPN Linux client to obtain the configuration:
https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27

10
20.7 Legacy Series / Re: Blocking a LAN device from WAN, device can still connect to WAN network
« on: July 25, 2020, 02:05:13 pm »
Quote from: dave79 on July 25, 2020, 08:20:49 am
Out of interest, do you know why this rule is functioning correctly with the direction set to 'in'? I can't get my head round that. There's no traffic coming into LAN, it's already within it... or is this a total misconception?

From the firewall's point of view everything is on the outside, i.e. packets from LAN must come IN before going OUT on the WAN side.

11
20.1 Legacy Series / Re: Remotely enable / disable a rule
« on: May 10, 2020, 07:08:34 pm »
Haven't played with it myself, but it looks like there's an os-firewall plugin "Firewall API supplemental package" and looking at the docs (https://docs.opnsense.org/development/api/plugins/firewall.html) it seems that there's a command for toggling a rule.

12
Hardware and Performance / Re: Need some help to find hardware
« on: April 16, 2020, 04:36:52 pm »
My current low budget solution is a used i3 NUC (w/ single Gbit NIC) & 8-port managed switch that does VLANs, set me back 120 euros in total.

Network is split into 4 VLANs (home, work, iot, guest) and since they are isolated and the uplink is only 200/20 Mbit, it works fine for my use case. I'm not saturating the single NIC and haven't had any issues so far, but as always YMMV.

13
19.1 Legacy Series / Re: NordVPN on ONE interface
« on: March 31, 2019, 11:42:51 am »
If I understood your configuration correctly, then all you need is an allow-any rule on OPT1 with "VPN_DHCP" (assuming this is the VPN gateway) set as your gateway and an outbound NAT rule for the VPN interface with "OPT1 network" as source and "Interface address" as translation/target.

14
General Discussion / Re: Route one IP over VPN?
« on: February 11, 2019, 09:42:37 pm »
Are the hosts in the alias also in the 10.0.1.0/24 range? If so, try moving the VPNtraffic rules in outbound NAT before the 10.0.1.0/24 entries.

15
General Discussion / Re: NordVPN Tutorials/Instructions?
« on: February 01, 2019, 04:50:59 pm »
How about the guide from NordVPN themselves:

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved