Messages

for the handshake ,it needs only the wg ips/net

can you post the full config from the ios device , without priv keys?

have you tried with another key pair?

the log in ios , say no handshake?

you can see udp pakets in the firewall log?

which ips are in the allowed config from your ios device?

no right, the services dont start clearly.

But i try it next days again. I thought defguard are a good tool, rust code, mfa not only on the app side ,opnsense plugin.

But!

Documentation, really really bad. Bugs ( opnsense ) weeks open. Sound like with Version 1.0 they split the features to no enterprise / with enterprise license.

The developers must paid, thats are clear, but in the last time you see often, that opensource code goes the paid way and finally closed.

And when you go in to support opnsense , why no good documentation?

defguard with opensense = can really go enterprise wireguard vpn, but now it does not good work.

But try!! When more people from the opnsense community will try defguard, they will eventually kick in and the support level goes up!

I hear from many people / buisness peoples, the want wireguard , the like wiregurad , but the want a mfa layer. Only asymetrics keys, yes security are good, but too loose the config ( windows , not fully encrypted , malware) and you have they keys . With mfa you have a extra security layer.

I dont understand why its are not in the code from beginning. Like you must put in a code for the connect and then a new psk where handled from peer to peer , or you must proof the psk token, with a code, and then the connection are working.

Greets

So i fight with this module.

What i want, web filterung for specific user for specific websites.
without the old buisness plugin opnporxy i can block all and give websites free, but this wher eonly for all users.

with the opnproxy plugin i have many erros , users can not authetificate:

   Error   (basic_pam_auth)   in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()

User where authificate can accees all websites! , but it have all deny all , and only one website allow.
we though to use ist in our buisness , when test are ready, but when it has no forced block all fallback mode, i have no garanty that all things are right , how  i configured.

so how can i find out where i missconfigured? The policy tester say , the rule is right, but on the real side, user has accees to everthing, when authification comes right.

Failure : athentification:

   Error   (basic_pam_auth)   in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()

Picture one deny all for the web user

Picture two allow opnense website

Have you done this with the opnproxy plugin?

ok with a fresh opnsense install , same settings , its works .

So finaly question, how can a user purge all data from a plugin? so he can go started from scratch. everytime install a new sense , sounds no good.

So i purge the plugins and clear the config file to start from scartch, but it works not anymore.

What is my goal:

Proxy without ssl isprection, only sni information because of url .

I have created a user, this has a block rule with * , so everything and an allow rule for two three pages.

The policy tester says that they work.

In the browser I enter squid as proxy port 3128 https also, but rich can call any page and there is no query for the user data for the proxy.

The opnproxy takes effect via the normal settings with the white and black lists or?

I also see in the log that the requests go through the proxy and are called up. why is there not even a user query without a user?

Does anyone run squid with opnproxy plugin and could show me his config? Slowly I don't know where to start.

purge , must i have clear the squid from the config.xml or clear a folder?

Hello,

i setup a squid proxy  , with the os-OPNProxy .

I want setup different policy for different users.

But with Firefox its comes no credentials ask. Have anyone simular Problems? Firefox has no Options to set the username and Password or i dont see it.

edge browser also, so i think i have misconfigured.

How can i purge squid,redi,opnproxy? so that the configs are gone? deinstall and reinstall brings the old config.

Hey,

we look for to buy a dec4240 appliance. Have anyone running it? We want use zenamor with ca 100 clients.
My question are , remote access , when gui and ssh stuck. The console port and usb port are rs232? Why no rj45 port. How can we access without stay on the applaince. Can we connect with a adapter the port to a switch ? Or used with a converter? How you used this?

but i will try defguard, and can tell , if this tool are good for the community!

because its a external pkg, so i would here of othe rpeople use that tool or have other ideas for a 2fa/mfa option for wireguard with opnsense.

Hey ,

i read that defguard has a plugin for the opnsene , with that plugin 2fa for wireguard are possible. have anyone run this setup with defguard or how you secure your wireguard vpn ? or other options for 2fa /mfa for wireguard?

Hey,

i tried with patch and the new update 27.1.2 with os-caddy-1.6.3

"error","ts":"2024-08-21T20:13:27Z","logger":"tls.obtain","msg":"will retry","error":"[sub.domain.de] Obtain: [sub.domain.de] solving challenge: sub.domain.de: [sub.domain.de] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record "rekord" (and 1 more) found at _acme-challenge.sub.domain.de (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":124.751260674,"max_duration":2592000%7D

The disable dont help by netcup. The options with longer propagation where needed. Do you still need more for debug?

with other dns example clouflare its workes, so its looks like its needed the higher value for netcup.

thanks for your work !

retries yes, but , example netcup need longer propagation time , when not infinity loop.

https://github.com/caddy-dns/netcup

NOTE: You may need to set an unexpectedly high propagation time (≥ 900 seconds) to give the netcup DNS time to propagate the entries! This may be annoying when executing caddy run/start manually but should not be a problem in automated setups. In exceptional cases, 20 minutes may be required. See

can we have this option? to set a propagation time and delay ?