Messages - Amanaki

#1
Virtual private networks / Re: OPNSense and NordVPN
March 07, 2022, 11:36:17 PM
Did you add an interface, gateway and NAT rule on this config? Sounds like you want to use selective routing, is that right?

Although it is written for WireGuard, the principles are the same in this how-to: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html# Give it a try and see how you go.

Manaki
#2
I have a simple setup with a single LAN-only network 10.34.10.10/24 and a WireGuard client configured for VPN access to an external VPN provider. For DNS, I am using a template to forward all DNS requests to NextDNS anycast servers. All clients on the LAN network are policy-based routed to the external VPN and are working as expected.

Today, I added a new external client device using Road Warrior and got a connection to OPNsense but cannot seem to route the client back out over my existing Wireguard VPN tunnel connection.

Have tried various different methods but the client only returns my WAN IP address instead of my VPN provider's address. Settings are as follows:

---------------------
Servers (OPNsense):

VPN: WireGuard > Local:

Interface: WG0
Listen: 51821
Tunnel address: 10.11.1.52/16
DNS: Blank
Peers: VPN_PROVIDER
Disable Routes: Checked
Gateway: 10.11.1.51
Monitor IP: VPN provider IP address

Interface: WG1
Listen: 51831
Tunnel address: 172.16.16.2/24
DNS: Blank
Peers: iPAD_CLIENT
Disable Routes: Unchecked
Gateway: Blank
Monitor IP: Blank

------------------------------------
Clients (OPNsense):

VPN: WireGuard > Endpoints:

Name: VPN_PROVIDER
Allowed IPs: 0.0.0.0/24
Endpoint Address: VPN provider address
Endpoint port: 51822

Name: iPAD_CLIENT
Allowed IPs: 172.16.16.20/32
Endpoint Address: Blank
Endpoint port: Blank

------------------------
External Remote Client (iPAD):

Addresses: 172.16.16.20/32
Listen port: 51831
DNS: Blank

Peer:

Allowed IPs: 0.0.0.0/0
Endpoint: a.b.c.d:51831

------------------------------------------
NAT and Rules (OPNsense):

Firewall: Rules: WAN

Interface: WAN
Direction: In
Proto: UDP
Source: any
Ports: any
Destination: WAN address
Destination Port: 51831

Firewall: Rules: Wireguard (Group)

None

Firewall: Rules: WG0

None

Firewall: Rules: WG1

None

Firewall: Rules: LAN

Interface: LAN
Direction: In
Proto: TCP/UDP
Source: ALL_CLIENTS (Alias for all LAN clients)
Destination invert: Checked
Destination: PRIVATE_NETWORKS (Alias for RFC1918_Networks)
Ports: WAN_SERVICE_PORTS (Alias containing service ports)
Gateway: WG0 Gateway (to VPN provider)

Firewall: NAT: Outbound

Interface: WG0
Source: Local_Networks (Alias) 10.34.10.10/24
NAT Address: Interface Address

How can I properly route all traffic from my external client down existing VPN provider tunnel?

TIA.
Manaki
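As an added example (not part of the thread and not OPNsense code), here is a small model of the three checks a packet from the road-warrior client has to pass before it leaves through the provider tunnel: a matching policy-route rule on the interface it arrives on, an outbound NAT rule on the interface it leaves on, and a WireGuard peer whose AllowedIPs covers the destination (WireGuard's cryptokey routing drops anything else, whatever pf decided). The aliases are filled in from the values posted above; ALL_CLIENTS is only described as "alias for all LAN clients", so it is assumed to be the LAN subnet, and the VPN_PROVIDER AllowedIPs value is reproduced exactly as posted. Port restrictions and the automatic WAN NAT are not modelled.

```python
from ipaddress import ip_address, ip_network

# Alias contents, constructed from the posted settings. ALL_CLIENTS is
# described only as "alias for all LAN clients", so it is ASSUMED to be the
# LAN subnet; the other two are as posted.
ALIASES = {
    "ALL_CLIENTS": ["10.34.10.10/24"],
    "Local_Networks": ["10.34.10.10/24"],
    "PRIVATE_NETWORKS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Firewall rules that carry a gateway (policy routing), keyed by the interface
# the packet ENTERS on. Port restrictions (WAN_SERVICE_PORTS) are ignored.
POLICY_RULES = {
    "LAN": [{"source": "ALL_CLIENTS", "dest": "PRIVATE_NETWORKS",
             "dest_invert": True, "gateway": "WG0"}],
    "WG1": [],   # posted as "Firewall: Rules: WG1 -> None"
}

# Manual outbound NAT rules, keyed by the interface the packet LEAVES on.
NAT_RULES = {"WG0": [{"source": "Local_Networks"}]}

# WireGuard peers per local instance. AllowedIPs is also WireGuard's
# cryptokey routing table: a packet handed to wg0 whose destination is not
# inside some peer's AllowedIPs is dropped by the kernel.
WG_PEERS = {"WG0": {"VPN_PROVIDER": ["0.0.0.0/24"]}}   # exactly as posted


def in_networks(addr, networks):
    """True if addr lies inside any of the given CIDR strings."""
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in networks)


def trace(src, dst, ingress, peers=WG_PEERS):
    """Describe how a packet src->dst entering on `ingress` leaves the box."""
    out = {"egress": "WAN (default route)", "policy_rule": False,
           "nat": False, "allowed_ips": None}

    # 1. First-match policy route on the ingress interface.
    for rule in POLICY_RULES.get(ingress, []):
        src_ok = in_networks(src, ALIASES[rule["source"]])
        dst_hit = in_networks(dst, ALIASES[rule["dest"]])
        dst_ok = (not dst_hit) if rule["dest_invert"] else dst_hit
        if src_ok and dst_ok:
            out["policy_rule"] = True
            out["egress"] = rule["gateway"]
            break

    # 2. Outbound NAT on the egress interface (only the posted manual rule).
    egress = out["egress"]
    out["nat"] = any(in_networks(src, ALIASES[r["source"]])
                     for r in NAT_RULES.get(egress, []))

    # 3. Cryptokey routing, only relevant when egress is a WireGuard instance.
    if egress in peers:
        out["allowed_ips"] = any(in_networks(dst, cidrs)
                                 for cidrs in peers[egress].values())
    return out


if __name__ == "__main__":
    # A LAN host versus the road-warrior iPad address, both heading to 1.1.1.1.
    for src, ingress in (("10.34.10.50", "LAN"), ("172.16.16.20", "WG1")):
        print(src, "via", ingress, "->", trace(src, "1.1.1.1", ingress))
```

Running it shows the LAN host matching the policy rule and the NAT rule, while 172.16.16.20 arriving on WG1 matches neither (no rules on WG1, and 172.16.16.0/24 is outside both aliases), so it follows the default route. With AllowedIPs reproduced as posted (0.0.0.0/24) the cryptokey-routing check fails for any public destination; 0.0.0.0/0 covers everything.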
#3
Hi,

I have GeoIP blocking enabled on my IPv4-only firewall and have started seeing regular entries from a blocked country, CN in this case.

Up front: my Firewall: Settings: Advanced max states setting is set to 2000000.

Attached screenshots of:

1. Log event showing the origin country CN was not blocked
2. GEOIP Alias definition
3. Floating rules for In + Out on WAN interface

Any ideas, suggestions on how to resolve or improve?

Thanks.

#4
In case this helps someone else:

To get SSL working properly on your OPNsense firewall, you must have the TCP port set to 443.

--------------------------------

Dear all,

We have been loosely following a couple of tutorials, https://forum.opnsense.org/index.php?topic=23339.0 and https://www.wolffhaven45.com/2017/11/07/intranet-ssl-certificate-for-pfsense-using-lets-encrypt--cloudflare/, to set up SSL for OPNsense WebGUI access, but after many failures to get a secure green padlock connection running we have opted to ask for help.

Domain:

We own a domain (fictional here) mydomain.xyz and the nameservers are pointing to Cloudflare. We do not have or require any hosting.

OPNsense firewall hostname:

Our firewall has beupone as the system Hostname and runs on port 588.

In Cloudflare we added a cname record for the firewall hostname (beupone) pointing to mydomain.xyz resulting in beupone.mydomain.xyz.

General steps:

Installed ACME Client -> Created account -> Added challenge type -> Created certificate successfully

After doing so, we chose the new certificate in System -> Settings -> Administration -> SSL Certificate (beupone.mydomain.xyz).

Trying to access https://beupone.mydomain.xyz:588 fails.

Have attached a few pictures of our settings in case it helps.

Anyone encountered this issue or have any tips on how we can make it work?

Thanks.
#5
Hi all,

Have been searching for a solid guide to follow but am yet to come across anything that resembles my use case requirement. Not sure if it can even be done but here goes.

What I am wanting to do is use WireGuard to encrypt my local WiFi network traffic. I do not need it to go externally as all my traffic is currently routed through an OpenVPN client connection.

My setup is as follows:

Firewall Appliance -> Netgear Router AP Mode -> Wireless Clients

OS-Wireguard is installed on my firewall.

Any and all help is greatly appreciated.
#6
Hey franco,

Many thanks for your help.

I managed to get all the way through the installation phase. It's a shame the mods to this section didn't provide an update to complement the excellent guide(s) written by @directnupe.

Now I am just trying to figure out how to select localhost on the interfaces section when the option to select it is no longer there! Another change perhaps??

Many thanks,
Amanaki
#7
Hi all,

Using this guide, I am trying to get Stubby / GetDNS running on my machine but I have come across an issue in step #3 which is preventing me from going further.

My fresh install:

OPNsense 19.1.10-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019
Unbound 1.9.2

This is the step I am having problems with:

Step 3: - Proceed and complete Opnsense Ports install with the following commands: ( Note that this is designed for Opnsense 18.7 Variants; however, I believe that it will work with all Opnsense versions - but I have not tested that proposition. )

# cd /etc
# fetch https://raw.githubusercontent.com/opnsense/tools/master/config/18.7/make.conf


Returns the following errors:

root@OPNsense:~ # cd /etc
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record
root@OPNsense:/etc # fetch https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf
fetch: https://raw.githubusercontent.com/opnsense/tools/master/config/19.1/make.conf: No address record


As can be seen, I tried modifying the path provided in the guide but it won't work in the command line. I am not sure what is wrong. Perhaps I have missed something with all the changes.

Help please!
#8
Ok. I will add this on downtime and see if it makes any difference to my DNS results.

Thanks.
#9
No such file or directory!

root@OPNsense:~ # cat /etc/rc.conf.d/dnscrypt_proxy
cat: /etc/rc.conf.d/dnscrypt_proxy: No such file or directory

#10
Services -> Unbound DNS -> General -> Enable Forwarding Mode = UNCHECKED

Ok, so my interpretation of your instruction is to use a Windows client on my network, flush its DNS cache, then visit a website, is that correct?

I did as above using dnsprivacy.org then checked my dnscrypt-proxy logs and found the following entries:

[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org DS PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD


On another note, I think I have stumbled across an issue where a file is missing inside my configuration.

In the install notes, there is a reference to a config file in the following path:

'etc/rc.conf'

Using winscp, I cannot find it at all...

The dnscrypt-proxy files I have are:

'usr/local/etc/rc.d'
'usr/local/etc/dnscrypt-proxy/dnscryptproxy.toml'

I initially installed 18.7.6 and not sure if this was caused by upgrading to the current version being 18.7.10.

#11
I am not familiar with any CLI commands for unbound, but I assume this is what you were after.

unbound: [21146:1] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:2] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:0] info: start of service (unbound 1.8.3).
unbound: [21146:0] notice: init module 1: iterator
unbound: [21146:0] notice: init module 0: validator
unbound: [86555:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: service stopped (unbound 1.8.3).
unbound: [86555:0] info: start of service (unbound 1.8.3).
unbound: [86555:0] notice: init module 1: iterator
unbound: [86555:0] notice: init module 0: validator
unbound: [86555:0] notice: Restart of unbound 1.8.3.


Below are settings I have for dnscrypt-proxy and unbound. I can post my entire .toml file if you need as well. Note I use Plex and do not use any IPv6 at all.

Dnscrypt-proxy .toml file includes the following for forwarding rules:

lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1


Unbound additional config includes:

server:
   do-not-query-localhost: no
   private-domain: "plex.direct"

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353


The thing that really strikes me about this is when I was an OpenWRT user, I always got dnsleak tests back with the country I was connected to. For example, if my server selection in .toml file was set to cloudflare, then if I connected my vpn client to NL for instance, the dnsleak test would show the cloudflare server as being in NL as opposed to my home country.

Thanks again for taking the time to help out. I am keen to get to the bottom of this issue.

Amanaki
#12
Ok, below I have enclosed dnscrypt-proxy daemon logs and test outputs with CLI.

[2019-01-14 14:08:44] [NOTICE] dnscrypt-proxy 2.0.19
[2019-01-14 14:08:44] [NOTICE] Loading the set of blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-blacklist]
[2019-01-14 14:08:45] [NOTICE] Loading the set of forwarding rules from [/usr/local/etc/dnscrypt-proxy/forwarding-rules]
[2019-01-14 14:08:45] [NOTICE] Loading the set of IP blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-ip-blacklist]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2019-01-14 14:08:46] [NOTICE] [cloudflare] OK (DoH) - rtt: 31ms


[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 cdn.fbsbx.com A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 fbsbx.com DS PASS



root@OPNsense:~ # ps ax | grep dnscrypt
50066  -  Is     0:00.00 daemon: /usr/local/sbin/dnscrypt-proxy[50151] (daemon)
50151  -  I      1:32.52 /usr/local/sbin/dnscrypt-proxy -config /usr/local/etc/
71046  0  S+     0:00.01 grep dnscrypt


root@OPNsense:~ # drill -p 53 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 926
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   508     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 241 msec
;; SERVER: 127.0.0.1
;; WHEN: Redacted
;; MSG SIZE  rcvd: 46



root@OPNsense:~ # drill -p 5353 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8169
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   599     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 18 msec
;; EDNS: version 0; flags: ; udp: 1452
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 17:59:46 2019
;; MSG SIZE  rcvd: 69



root@OPNsense:~ # dnscrypt-proxy -resolve dnscrypt.me
Resolving [dnscrypt.me]

Domain exists:  yes, 2 name servers found
Canonical name: dnscrypt.me.
IP addresses:   104.31.74.114, 104.31.75.114
TXT records:    v=spf1 include:spf.messagingengine.com ?all
Resolver IP:    194.132.32.23 (dns2.ipredator.se.)


root@OPNsense:~ # drill -p 53 google.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31403
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     599     IN      A       216.58.199.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 53 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 18:06:34 2019
;; MSG SIZE  rcvd: 44
root@OPNsense:~ #


Can you spot anything out of the ordinary?
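As an added example (not part of the thread, and not dnscrypt-proxy's own tooling), here is a parser for the query-log format shown in posts #10 and #12 above, `[timestamp] client qname qtype RESULT`, that tallies the RESULT column and lists which names were REJECTed, SYNTHesised or FORWARDed. The RESULT values are the ones dnscrypt-proxy's query log writes: PASS (answered by the selected upstream), REJECT (hit a blocklist), SYNTH (answered locally, which is what block_ipv6 does for AAAA), FORWARD (sent to a forwarding-rules target), CLOAK (cloaking rule). It also flags any client other than 127.0.0.1, since with Unbound forwarding "." to 127.0.0.1@5353 every line should come from the resolver itself, not from a LAN host. The sample lines are copied from the posted logs plus one daemon NOTICE line, to show that non-query lines are skipped.

```python
import re
from collections import Counter

# Query-log line: [timestamp] client qname qtype RESULT
# The client field may not start with "[" so daemon lines like
# "[2019-01-14 14:08:45] [NOTICE] ..." are not mistaken for queries.
QUERY_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<client>[^\s\[]+)\s+(?P<qname>\S+)\s+"
    r"(?P<qtype>\S+)\s+(?P<result>\S+)\s*$")

# Constructed sample: lines taken from the logs posted in the thread plus one
# daemon-log line that the parser must ignore.
SAMPLE_LOG = """\
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 18:10:37] 127.0.0.1 fbsbx.com DS PASS
"""


def parse_query_log(text):
    """Return one dict per query-log line; daemon/NOTICE lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records, expected_clients=("127.0.0.1",)):
    """Tally RESULT values, list (qname, qtype) for every non-PASS result,
    and report any client address that is not an expected local forwarder."""
    by_result = Counter(r["result"] for r in records)
    non_pass = {}
    for r in records:
        if r["result"] != "PASS":
            non_pass.setdefault(r["result"], set()).add((r["qname"], r["qtype"]))
    unexpected = sorted({r["client"] for r in records} - set(expected_clients))
    return {
        "total": len(records),
        "by_result": by_result,
        "non_pass": {k: sorted(v) for k, v in non_pass.items()},
        "unexpected_clients": unexpected,
    }


if __name__ == "__main__":
    summary = summarize(parse_query_log(SAMPLE_LOG))
    print("queries:", summary["total"], dict(summary["by_result"]))
    for result, names in summary["non_pass"].items():
        print(result, "->", ", ".join(f"{q} {t}" for q, t in names))
    if summary["unexpected_clients"]:
        print("clients other than the local resolver:", summary["unexpected_clients"])
```

To run it over a real log, read the file configured under [query_log] in dnscrypt-proxy.toml and pass its contents to parse_query_log(). Because every query arrives from 127.0.0.1, this log cannot tell which LAN host asked; the only thing it does show is which local rule (blocklist, IPv6 synthesis, forwarding rule) handled a name before it ever reached an upstream.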

#13
18.7 Legacy Series / Re: OpenVPN Client Killswitch
January 14, 2019, 05:13:32 AM
Hey thanks. I looked at the previous thread and I noticed a lot of people had issues with it. Also, it does not make any mention of unbound and dnscrypt-proxy either so I wonder if it is a viable option to pursue for my use case.

Regarding your suggestion of floating rules, I do not have any experience with using floating rules at this point. Do you have a sample I could refer to, or something at least to help get me started in the right direction?
#14
18.7 Legacy Series / Re: OpenVPN Client Killswitch
January 14, 2019, 04:40:21 AM
Yes, that is right.

I have two networks (VLAN40 + VLAN10) for my teenage boys who game a lot. It has UPnP for gaming and all, so I just isolate them and allow all traffic to WAN directly through the ISP.
#15
18.7 Legacy Series / Re: OpenVPN Client Killswitch
January 14, 2019, 04:17:39 AM
Hi abalsam,

Quote: 1. Are you looking to restrict a single host to VPN only or the entire network? - the answer to this question would determine what rules to use.

My setup includes LAN and a number of VLANs. I have three VPN clients running. Only two networks require clearnet WAN access. All others are VPN connected and I want none of them to pass traffic to the clearnet if any of the connections drop.

Quote: Do you establish VPN connectivity via an IP address or a hostname (which must be resolved via DNS)? - the answer to this question would determine if DNS should be included or excluded from the kill switch (if I need DNS working to resolve my VPN hostname I can't include it within the kill switch).

I use ExpressVPN and use hostnames for connections which as you pointed out, require DNS resolution.

On the note of DNS, I am using DNScrypt-proxy with unbound.

Also, I have changed my NAT to manual and have tried to jimmy a kill switch using NAT, but I am not sure if it does anything. I enclosed a screenshot for you.

Thanks for helping :-)