Messages - seamus

#31
General Discussion / DynamicDNS help request
February 14, 2019, 06:46:51 AM
I've configured the DynamicDNS updater in OPNsense, but I want a "backup" solution.

Is there a way to have OPNsense send an email (or otherwise communicate) when the IP address on the WAN-side changes?
#32
Is there any way to test that my OPNsense DynamicDNS client is working properly? Of course it will be tested eventually when my ISP changes it, but I may not have access to my firewall when that happens (I travel a lot).

Details follow:
I use OPNsense for a number of reasons. One of the features that is particularly important to me is the VPN feature as it allows me to connect to resources on my home network while I am away on travel (which is very frequently). My sw version is: OPNsense 19.1-amd64

Following is a summary of my network configuration:
My ISP provides a "cable modem" box. To use OPNsense, I configure this modem to operate in "bridge mode". In my network, the cable modem faces the Internet, my "WAN-side" OPNsense fw/vpn adapter is connected to the "LAN side" of the modem, and then my home network is connected to the LAN-side adapter of my OPNsense fw/vpn. Everything works reasonably well until my ISP decides to change things around. One of the things that they are changing more frequently now is the routable IP address assigned to my modem. I have decided that it is time to add Dynamic DNS.

Dynamic DNS to the rescue:
To that end, I've gotten an account at "freeDNS", and a hostname to use for my OPNsense fw/VPN server. I've also set up the Dynamic DNS service in the webGUI. AFAIK, things are working as they should, but I've learned over the years that assumptions often lead to failure and disappointment. And so I want to test my Dynamic DNS configuration to make sure it works as it should. This is where I need help: I can find nothing in the docs that describes a test procedure.

How to Verify Dynamic DNS is operating correctly?:
Of course I will get a test when my ISP eventually changes the IP address of my cable modem, but I may be out of the country when that happens. I'd like some way to verify that things are working properly now - while I am still in a position to make necessary changes. Any suggestions?

#33
I have a rather awkward method that I must use for the time being to access OPNsense (Ref: https://forum.opnsense.org/index.php?topic=8623.0). When I visit the "Lobby" in OPNsense, I see there are a number of "Notices" (see attachment for screen shot), but I am not able to read the entire line.

Where can I find the full text of these Notices; i.e. are they in a log file?

#34
Your problem reminds me of an issue I had a few years ago. It drove me insane (never quite recovered btw)... I had put my Comcast cable modem in "bridge mode" to avoid double-NAT'ing, and one or two other reasons I don't recall now. Connected my firewall to it, configured, etc... It worked for weeks like that.

I had another appliance I was using as a cold spare, and it was identically configured to the first box. But when I swapped, nothing worked - nothing!

Turned out that the modem would only talk to that first MAC address - no other MAC address would do. Fortunately, this was easy to deal with in pfsense at the time, and is still in OPNsense.

Maybe it's that? Is your modem in bridge mode?
#35
[EDIT]: I've made some forward progress, so I'm updating this post.

I've got my OPNsense+OpenVPN configured, and **mostly** operational now, but there's one awfully annoying item that persists:

The remote LAN is in the US behind an OPNsense firewall that also serves as the LAN gateway, DNS and DHCP server. Its IP address on the LAN side is 192.168.1.1.

My local network is behind a P.O.S. Sky router in the UK, which was configured by someone else - I am using the network here as a guest - not as the admin, tho' I might be able to get a change made if it would help. The P.O.S. Sky router's LAN interface is also 192.168.1.1, but it does not respond to https:, only http.

I can reach all the active hosts on the remote LAN as long as I know its IP address. That's not a huge problem as it's a small network, but still - it would be nice if that worked. The exception to this is the one I really need to access: the OPNsense firewall at https://192.168.1.1. If I just connect to 192.168.1.1, I am connected to the P.O.S. Sky router. When I specify https://192.168.1.1, it simply refuses to make the connection (I assume due to the duplicity of the single IP address).

I'm currently working around this by making a remote desktop connection to a host on the remote network, and connecting from there, but that's awkward, and since it's a Windoze PC, it may fall over and die at any moment!

Can anyone tell me how to resolve this? I need access to the OPNsense firewall on the remote LAN - not the P.O.S. Sky router here on the local LAN.
#36
Hello All,

I've been watching this thread with interest as it's almost exactly what I want to do (uh, except I'm not using torrent, I'm just trying to get around some "geo-location" BS). I hoped that all questions and issues associated that have come up with the HOW-TO would be resolved in short order, but it's been over 2 weeks since the last post. Can someone provide an update on the status of this??

~S
#37
The issue must have had something to do with my choice of serial terminals. Someone recommended an app called "CoolTerm", so I tried it. It worked fine until the boot process reached the point where the installer logs in to install. After that, a lot of trash appeared, which I guess is due to the way the "little boxes" are formatted and sent over the serial port from OPNsense. I switched to "screen" (native to Mac), and the trash disappeared.
#38
I'm trying to install the latest distribution (OPNsense-18.1-OpenSSL-serial-amd64.img.bz2) on a PCEngines APU2. I am able to boot successfully from the USB I created using "Etcher". Everything seems to be going OK until immediately after I log in as "installer". At that point, the data presented over the serial port (still configured at 115200, per OPNsense docs) is (virtually) illegible. At any rate it's not displayed correctly.

Any ideas on what the issue might be?

FWIW, here's what I see at my serial terminal:

----------------------------------------------
|      Hello, this is OPNsense 18.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Lists:        https://lists.opnsense.org/  |        @@@@         @@@@
| Code:         https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------
.[1;24r.[m.[?7h.[?1h.=.[H.[J.[23B.[H.[23B.[HF10=Refresh Display.[4;47H@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[5;46H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[6;46H@@@@@.[6;71H@@@@@.[7;50H@@@@@.[7;67H@@@@@.[8;47H@@@@@@@@@@@       @@@@@@@@@@@.[9;52H\\\\\.[9;66H/////.[10;46H))))))))))))       (((((((((((.[11;52H/////.[11;66H\\\\\.[12;47H@@@@@@@@@@@       @@@@@@@@@@@.[13;50H@@@@@.[13;67H@@@@@.[14;46H@@@@@.[14;71H@@@@@.[15;46H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[16;47H@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.[8BWaiting for backend....[5;46H                 .[6;46H     .[B.     .[8;47H           .[B......     .[10;46H            .[B......     .[12;47H           .[13;50H     .[14;46H     .[B.....                 .[16;47H                .[20;19H.[5;19H.(0.[1mlqqqqqqqqqqqqu.(B OPNsense 18.1 .(0tqqqqqqqqqqqqqk.(B.[m.[6;19H.(0.[1mx.(B.[m.[6;62H.(0.[1mx.(B.[m.[7;19H.(0.[1mx.(B.[m Welcome to the OPNsense 18.1 installer!  .(0.[1mx.(B.[m.[8;19H.(0.[1mx.(B.[m.[8;62H.(0.[1mx.(B.[m.[9;19H.(0.[1mx.(B.[m Before we begin, you will be asked a     .(0.[1mx.(B.[m.[10;19H.(0.[1mx.(B.[m few questions so that this installation  .(0.[1mx.(B.[m.[11;19H.(0.[1mx.(B.[m environment can be set up to suit your   .(0.[1mx.(B.[m.[12;19H.(0.[1mx.(B.[m needs..[12;62H.(0.[1mx.(B.[m.[13;19H.(0.[1mx.(B.[m.[13;62H.(0.[1mx.(B.[m.[14;19H.(0.[1mx.(B.[m You will then be presented a menu of     .(0.[1mx.(B.[m.[15;19H.(0.[1mx.(B.[m items from which you may select to       .(0.[1mx.(B.[m.[16;19H.(0.[1mx.(B.[m install a new system, with or without    .(0.[1mx.(B.[m.[17;19H.(0.[1mx.(B.[m importing a previous configuration.      .(0.[1mx.(B.[m.[18;19H.(0.[1mx.(B.[m.[18;62H.(0.[1mx.(B.[m.[19;19H.(0.[1mx.(B.[m.[19;32H.(0.[1m.(B< Ok, let's go. >.[19;62H.(0x.(B.[m.[20;19H.(0.[1mmqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj.(B.[m
.[4B.(0.[1m.(B.[mSet up the installation environment and continue.[5A.[24;1H
.[?1l.>The installation was aborted.
#39
Quote from: fabian on March 25, 2018, 07:24:23 PM
Quote from: seamus on March 25, 2018, 03:20:39 PM
Yes - I've been using the Google Authenticator with my OPNsense firewall for several months now, and I've read through the documentation a few times now; esp the "How To" page. And I'm aware that 2FA is not proprietary to Google; it's an open standard, covered by an RFC, and there are other implementations that implement the standard that would be perfectly compatible with Google's implementation. However, unless I am misinformed, Google has recently made their code/their implementation of 2FA proprietary.

You can still download the sources and they are under an open source license:
https://github.com/google/google-authenticator-android/

And from the same URL:
This project is an older fork of the one on the Play store. It's an older version
that doesn't get changes synced to it from the Play store version.

Other modules relating to 2FA have been marked with similar notes that they will not be maintained (by Google), or have been superseded by 'newer' versions. Just sayin'...
#40
Quote from: fabian on March 25, 2018, 09:54:44 AM
Quote from: seamus on March 24, 2018, 11:03:30 PM
Quote from: mimugmail on March 24, 2018, 10:12:07 PM
OPNsense uses TOTP which is an open Standard. There are many open and closed clients supporting it

Oh that's interesting... so why does the OPNsense documentation refer users to Google to set up and use OTP authentication to the firewall?

It does not only refer to Google Authenticator - it is already included in the sources but the build is not released yet:
https://github.com/opnsense/docs/blob/27a90b3e0721d72525bd44ef23ee9f1ead1dd7c9/source/manual/how-tos/two_factor.rst#step-4---activate-authenticator-for-this-otp-seed

These responses are confusing, I think - perhaps I haven't phrased my question clearly:

Yes - I've been using the Google Authenticator with my OPNsense firewall for several months now, and I've read through the documentation a few times now; esp the "How To" page. And I'm aware that 2FA is not proprietary to Google; it's an open standard, covered by an RFC, and there are other implementations that implement the standard that would be perfectly compatible with Google's implementation. However, unless I am misinformed, Google has recently made their code/their implementation of 2FA proprietary.

And so given all of that is true, my question is, "Why use Google's software and/or services in OPNsense?" In other words, given that it's an open standard, and other implementations are available, why is OPNsense's practice to refer users to Google - at least for the client side of the solution? Is it just because Google has a mobile app, and that's convenient for some users?

And please don't take this question as a challenge to decisions made by the OPNsense project. I support the project whole-heartedly, and I only want to understand the logic behind the approach.

Best Rgds,
~S

P.S. And finally and FWIW, as a personal opinion only, I find using most all of Google's "services" and software these days is a frustrating PITA - it's far too arcane.
#41
Quote from: mimugmail on March 24, 2018, 10:12:07 PM
OPNsense uses TOTP which is an open Standard. There are many open and closed clients supporting it

Oh that's interesting... so why does the OPNsense documentation refer users to Google to set up and use OTP authentication to the firewall?
#42
Development and Code Review / API for Google's OTP
March 24, 2018, 09:37:41 PM
Odd question perhaps, and maybe not the correct forum, but here goes:

OPNsense has done a fabulous job of integrating Google's OTP service. I have a project that needs OTP authentication also. Until I looked into this, I thought that Google's OTP code was open source, and therefore generally available for such usage by a 3rd party. However, I've learned that it's no longer open source; Google has made it proprietary. And so I wonder how is it that the OPNsense project is able to continue using it?

Can someone provide a brief explanation, or better, point me toward documentation that explains it?

Thnx,
~S
#43
Yes - things seem to work fine over both serial and VGA when I have both options checked. I'm guessing that the difference in the distros has to do with the fact that you have to choose one or the other before your install is configured?
#44
Quote from: nivek1612 on February 24, 2018, 07:43:42 AM
System: Settings: Administration

Console options may be what you're looking for

Ah... that may be it, thanks. I'm going to try that. But I got the idea that since the distro is offered in serial and VGA versions that it would be something that was built into the system.
#45
Have you looked at this?: https://docs.opnsense.org/development/how-tos/api.html

It doesn't provide many details, but it states that "All components... receive API capabilities", so that would mean you should be able to do what you want... except for maybe the "physical button" part - but I guess you have a plan for that.