Messages - csmall

#16
In phase 2 I have the network set to LAN, but I tried switching it to network 0.0.0.0/0, and then on the strongSwan client I tried adding 0.0.0.0/0 as a subnet to send over the tunnel.

I was unable to access the internet at that point on the mobile device, but I was able to still get to the OPNsense web interface and internal resources by IP.
#17
19.1 Legacy Series / IPsec VPN on mobile Question
June 26, 2019, 01:49:36 PM
How can I prevent the tunnel from being split tunnel? I want to force all traffic over the tunnel.

I'm using IKEv2 and the strongSwan client on Android.

My main goal is using my Pi-hole for DNS remotely. So if that is possible without forcing all traffic over the tunnel, then I'd be happy with that as well.

Any help much appreciated.

Right now it is split tunnel.
#18
I tried a couple of things I found after searching the forums.

I tried changing the P2 local network to 0.0.0.0/0 and creating an outbound NAT rule on the WAN interface with a source of the VPN address pool network, translated to the WAN address. After these changes, when I connected to the tunnel I could no longer get to the internet.
#19
I followed this guide to get IPsec VPN working with Android using the strongSwan client and IKEv2.

https://wiki.opnsense.org/manual/how-tos/ipsec-rw-srv-eaptls.html

I connect just fine and can access the firewall web interface on the LAN address, but it is split tunnel.

I would like to force the Android phone to send all traffic over the tunnel. How can I do that?

If I can't force all traffic over the tunnel, I would at least like to force DNS resolution to take advantage of my Pi-hole on mobile.
#20
I use the HAProxy and Let's Encrypt integration with HTTP validation.

I had it working fine with renewing certificates for a while, but now it fails validation. The log said timeout, likely a firewall problem.

I've gone over the settings and I've tried adding additional firewall rules but nothing seems to work.

What can I check and verify? It was great when it was working :(
#21
19.1 Legacy Series / Re: Clam av plugin
June 08, 2019, 03:14:29 AM
Do you mean it's a bad idea to run Nextcloud on OPNsense? Not running Nextcloud behind OPNsense on its own server.
#23
19.1 Legacy Series / Clam av plugin
June 07, 2019, 02:09:02 AM
Is the ClamAV plugin useful for anything other than when used with a proxy?
#24
Intrusion Detection and Prevention / Direction
May 21, 2019, 07:20:51 PM
With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like the performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services, then would outbound make more sense, so you can see and prevent nasty stuff that is actually on your network?

#25
Development and Code Review / Re: Wireguard in opnsense
September 04, 2018, 03:25:54 AM
My theme was preventing me from seeing the WireGuard interface in Firewall rules. Switching back to the default theme made it visible.
#26
18.7 Legacy Series / Re: WireGuard: Last call for testing
September 04, 2018, 03:25:34 AM
My theme was preventing me from seeing the WireGuard interface in Firewall rules. Switching back to the default theme made it visible.
#27
18.7 Legacy Series / Re: WireGuard: Last call for testing
September 04, 2018, 03:14:06 AM
I am able to get a connection established from Android to WireGuard on OPNsense, but no traffic flows. I do not see a new interface under firewall rules either.
#28
Development and Code Review / Re: Wireguard in opnsense
September 04, 2018, 02:43:59 AM
I have a connection to the WireGuard instance from Android.

No traffic is flowing, and I also do not see a new interface in firewall rules for WireGuard.

How can I get the traffic to flow and allow for access to my LAN over WireGuard?
#29
18.7 Legacy Series / Re: WireGuard: Last call for testing
September 04, 2018, 12:00:47 AM
Quote from: csmall on September 03, 2018, 11:51:40 PM
I hope to test tonight. I have been out of town.

I installed WireGuard and I have the plugin in the web UI.

I looked at the future doc you posted for WireGuard, and it seems to only mention site-to-site tunnels.

I would like to configure WireGuard as a road warrior/client VPN to replace OpenVPN for things like my laptop/phone etc.

Can you give me a quick rundown of the configuration I need to make this happen?
#30
18.7 Legacy Series / Re: WireGuard: Last call for testing
September 03, 2018, 11:51:40 PM
I hope to test tonight. I have been out of town.