Messages - mokaz

#31
General Discussion / Re: Unbound DNS -- A few questions
November 28, 2024, 02:28:02 PM
Thanks a lot -- I'll take that as my best practice around that:

----
Domain Overrides are now considered deprecated, you should only use Query Forwarding / DNS over TLS for new setups. That's actually documented, but I agree that a hint in the UI wouldn't hurt. Changing the name to "Domain Overrides (legacy)" might be sufficient. Thoughts?
----

Cheers,
m.
#32
General Discussion / Unbound DNS -- A few questions
November 28, 2024, 06:30:25 AM
Hi there all,

I'm using Unbound DNS on OPNsense and I have a few questions about it.


  • what are the differences between Domain Overrides and Query Forwarding?
  • if using one or the other (Overrides or Query Forwarding), is there a way to log where each query is sent?

My goal is simple: forward a few domains to internal servers while carrying the rest over DoT, although I'd want to verify that internally targeted resolutions aren't attempted toward the DoT setup. And well, tcpdump'ing DoT gives some info but obviously no query details, which is the purpose of DoT, isn't it =)

Let me know,
Thanks,
m.
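Added example, not part of mokaz's post and not OPNsense or Unbound code: an offline check, in Python, of which forward-zone Unbound would pick for a given name, using the longest-suffix match Unbound applies to forward-zones. The configuration text, the addresses in it (the internal resolver 10.10.0.53 and the TLS upstream 192.0.2.1@853#dot.upstream.example), the internal suffixes and the query names are all constructed. `audit()` flags any name under an assumed internal suffix that would be sent to the TLS upstream, which is the mis-forwarding the post wants to catch without being able to read the DoT traffic.

```python
"""Offline check of which forward-zone Unbound would use for a name.

Added example, not from the original post or the OPNsense project: it
parses the forward-zone stanzas of an unbound.conf-style text and, for
each query name, selects the most specific forward-zone (longest matching
suffix), which is how Unbound picks the zone that forwards a name. Names
under an internal suffix that nevertheless end up at the TLS upstream are
flagged. SAMPLE_CONF, the addresses in it, INTERNAL_SUFFIXES and the query
names are constructed sample input, not a real configuration.
"""
from dataclasses import dataclass, field

SAMPLE_CONF = """\
server:
    verbosity: 1
forward-zone:
    name: "corp.example"
    forward-addr: 10.10.0.53          # internal resolver (assumed)
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.1@853#dot.upstream.example
"""

INTERNAL_SUFFIXES = ("corp.example", "lab.example")   # assumed internal domains


@dataclass
class ForwardZone:
    name: str = ""                               # normalised; "" is the root "."
    addrs: list = field(default_factory=list)
    tls: bool = False


def normalize(name: str) -> str:
    """Lower-case, strip the trailing dot; "." becomes the empty string."""
    return name.strip().lower().rstrip(".")


def parse_forward_zones(text: str) -> list:
    zones, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if val == "":                            # a stanza header such as "server:"
            cur = ForwardZone() if key == "forward-zone" else None
            if cur is not None:
                zones.append(cur)
            continue
        if cur is None:                          # key belongs to another stanza
            continue
        # Only " #" starts an inline comment: forward-addr uses a bare '#'
        # for the TLS auth name (ip@853#name), which must be kept.
        val = val.split(" #", 1)[0].strip().strip('"')
        if key == "name":
            cur.name = normalize(val)
        elif key == "forward-addr":
            cur.addrs.append(val)
        elif key == "forward-tls-upstream":
            cur.tls = val.lower() == "yes"
    return zones


def pick_zone(qname: str, zones: list):
    """Most specific forward-zone enclosing qname, or None if none matches."""
    q = normalize(qname)
    best = None
    for z in zones:
        if z.name == "" or q == z.name or q.endswith("." + z.name):
            if best is None or len(z.name) > len(best.name):
                best = z
    return best


def audit(conf_text: str, qnames, internal_suffixes=INTERNAL_SUFFIXES) -> dict:
    """Map each name to (zone, tls, leak); leak means an internal name would
    be forwarded to a TLS upstream instead of an internal server."""
    zones = parse_forward_zones(conf_text)
    suffixes = [normalize(s) for s in internal_suffixes]
    result = {}
    for qn in qnames:
        z = pick_zone(qn, zones)
        q = normalize(qn)
        internal = any(q == s or q.endswith("." + s) for s in suffixes)
        zone_name = None if z is None else (z.name or ".")
        tls = bool(z and z.tls)
        result[qn] = (zone_name, tls, internal and tls)
    return result


if __name__ == "__main__":
    names = ["host1.corp.example", "www.example.net", "printer.lab.example"]
    for name, (zone, tls, leak) in audit(SAMPLE_CONF, names).items():
        print(f"{name:24} -> zone {zone!s:14} tls={tls!s:5} {'LEAK' if leak else 'ok'}")
```

Run as a script it prints one line per name; `printer.lab.example` is reported because no forward-zone covers `lab.example`, so it falls through to the root zone and its TLS upstream.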
#33
Hi again all,

So after troubleshooting a notch more, it turns out that:

- source port UDP:51820 packets flying out over the overlay only occurs upon peer "disconnection" (when turning WG tunnel OFF on the client device).
- the time frame during which this occurs is always around 900 seconds; I suspect CLOSE_WAIT and TIME_WAIT sessions perhaps.

Thanks for any possible advice here.

Cheers,
m.
#34
Hi all,

I'll try to summarize my setup:

- wg0 instance reachable through the WAN interface + peers + config + unbound DNS etc etc (all working super duper fine)
- ovpnc1 interface where I'm routing wg clients 0.0.0.0/0 type of traffic (working super duper)

My only current concern is that this setup has somewhat of an asymmetrical routing issue, as either WAN or ovpnc1 could reach 0.0.0.0/0 -- I have sometimes witnessed packets with source port UDP:51820 flying out over the overlay/ovpnc1 interface, which is unwanted. I did counter that through the firewall, but I've been hunting for a cleaner solution.

Would it be possible to bind a specific and unique gateway to the WireGuard service itself? Hence always receiving and sending WireGuard tunnel service traffic over the exact same interface/gateway combo at the OPNsense level.

Let me know,
Regards,
m.
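Added example, not from mokaz's posts and not OPNsense code: a small Python checker for the leak described in the two posts above, run over per-interface capture text in the line format `tcpdump -n -i <iface> udp` prints. It reports UDP packets whose source port is the WireGuard listen port (51820, from the post) that were seen on any interface other than the one WireGuard is meant to use, plus the span between the first and last such packet per interface, which is what you would compare with the roughly 900 seconds observed after a peer disconnects. The interface names vtnet1 (assumed WAN) and ovpnc1, the addresses and the capture lines are constructed.

```python
"""Flag WireGuard packets that leave the wrong interface.

Added example, not from the original posts or the OPNsense project. It
reads per-interface capture text in the format printed by
`tcpdump -n -i <iface> udp` and reports UDP packets whose source port is
the WireGuard listen port but which were seen on an interface other than
the one WireGuard is supposed to use, together with the time window over
which they occurred. Interface names, addresses and the capture lines
below are constructed sample input.
"""
import re
from collections import defaultdict

WG_LISTEN_PORT = 51820        # the UDP port from the post
WG_EXPECTED_IFACE = "vtnet1"  # assumption: the WAN interface WireGuard binds to

# One tcpdump line: "HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N"
TCPDUMP_UDP = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)$"
)

SAMPLE_CAPTURES = {   # constructed: one list of tcpdump lines per interface
    "vtnet1": [
        "10:00:01.000100 IP 203.0.113.10.51820 > 198.51.100.7.41641: UDP, length 92",
        "10:00:01.000200 IP 198.51.100.7.41641 > 203.0.113.10.51820: UDP, length 148",
    ],
    "ovpnc1": [
        "10:00:05.000100 IP 10.0.0.2.40000 > 192.0.2.53.53: UDP, length 60",
        "10:15:02.000100 IP 203.0.113.10.51820 > 198.51.100.7.41641: UDP, length 32",
        "10:15:03.000100 IP 203.0.113.10.51820 > 198.51.100.7.41641: UDP, length 32",
    ],
}


def ts_to_us(ts: str) -> int:
    """tcpdump wall-clock timestamp to microseconds since midnight."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def find_leaks(captures: dict, wg_port: int = WG_LISTEN_PORT,
               expected_iface: str = WG_EXPECTED_IFACE) -> list:
    """Return (iface, ts, src, dst, dport, length) for every packet sourced
    from the WireGuard port that was seen on an interface other than
    expected_iface. Lines that are not UDP in tcpdump's format are ignored."""
    leaks = []
    for iface, lines in captures.items():
        if iface == expected_iface:
            continue
        for line in lines:
            m = TCPDUMP_UDP.match(line)
            if m and int(m["sport"]) == wg_port:
                leaks.append((iface, m["ts"], m["src"], m["dst"],
                              int(m["dport"]), int(m["len"])))
    return leaks


def leak_windows(leaks: list) -> dict:
    """Per interface: (packet count, seconds between first and last offending
    packet), to compare with the ~900 s window the post observed."""
    first, last, count = {}, {}, defaultdict(int)
    for iface, ts, *_ in leaks:
        us = ts_to_us(ts)
        first[iface] = min(first.get(iface, us), us)
        last[iface] = max(last.get(iface, us), us)
        count[iface] += 1
    return {i: (count[i], (last[i] - first[i]) / 1_000_000) for i in count}


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_CAPTURES)
    for leak in leaks:
        print("LEAK on %s at %s: %s -> %s:%d (%d bytes)" % leak)
    print(leak_windows(leaks))
```

To use it on a live box, capture each candidate interface separately (`tcpdump -n -i ovpnc1 udp > ovpnc1.txt`, and likewise for the WAN interface) and feed the files in as the dictionary values; anything listed for a non-WAN interface is traffic the firewall countermeasure in the post is meant to stop.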

#35
Hi Franco, team,

Clean fix indeed =) I've just seen the 24.1.7 announcement, thanks for all the work.
Quick question: should I revert /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf to its original state prior to applying 24.1.7?

Thanks,
Regards,
m.
#36
Hi Franco, team,

Tested this workaround, after first re-enabling Squid 6.9 on 24.1.6.
All fine here, config parses all good.

Thanks guys!
Cheers,
m.
#37
Quote from: franco on May 07, 2024, 01:52:22 PM
I think all later 6.x are affected.  Come to think of it it may be an OpenSSL 3 incompatibility...

Hi Franco,

Yes, I've carefully read the GitHub issue and comments and, hum well, even with 6.8 it still segfaults. I'll need to read more about the latest findings regarding Squid's legacy OpenSSL issue.

On another front, I'm running different proxies, all running Squid 6.8 + SSL bumping all over + a much bigger and rather complex configuration, which doesn't show any such artifacts. These are running on Debian though.

Anyways, let's hope for a fix at some point as I do think that transparent proxy on opnsense is extremely sexy TBH.

Cheers,
m.
#38
Hi Franco, all,

Thanks for the lead =) Here is what I've done to get it back to "work", which is a workaround/downgrade:

root@opnsense:/ # opnsense-revert -r 24.1.5 squid
Fetching squid.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
squid-6.8: already unlocked
Installing squid-6.8...
package squid is already installed, forced install
...


This obviously after having passed the OPNsense 24.1.6-amd64 update.

Thanks,
m
#39
Hi there,

Updating to 6.9 results in the squid daemon not starting. Conf is pretty slick here, transparent only.
Cloned the VM for troubleshooting; could you perhaps point me towards the squid daemon startup logs?


tail -f dmesg.today
pid 37033 (squid), jid 0, uid 100: exited on signal 11
pid 43233 (squid), jid 0, uid 100: exited on signal 11
pid 56327 (squid), jid 0, uid 100: exited on signal 11
pid 71492 (squid), jid 0, uid 100: exited on signal 11
pid 82282 (squid), jid 0, uid 100: exited on signal 11
pid 90846 (squid), jid 0, uid 100: exited on signal 11
pid 84958 (squid), jid 0, uid 100: exited on signal 11
pid 93956 (squid), jid 0, uid 100: exited on signal 11
pid 1971 (squid), jid 0, uid 100: exited on signal 11
pid 13146 (squid), jid 0, uid 100: exited on signal 11


Thanks,
m.
#40
Hi all,

Just wired 50 Euros -- thanks for OPNsense !!

cheers,
m.
#41
General Discussion / Re: Swap physical interfaces
March 01, 2024, 08:32:19 PM
Quote from: CJ on March 01, 2024, 04:55:02 PM
If you're adding an interface then normally it's relatively easy, if somewhat annoying to swap things around.

Can you post a diagram or list showing your desired before and after states?  It sounds like you've got a lot of moving parts which can add to the complexity.

Thanks a lot for your help guys. I gave this a second shot and now everything has been a home run from start to finish...

Basically, to explain what/why I wanted to change this scheme -- historically I've had all the traffic of that OPNsense (was something else before; big up for OPNsense, way better...) passing through another main NGFW. That main NGFW had all the needed objects/policies enabled to reach potential services behind the OPNsense... This was to simplify the design at the time (single WAN uplink). Although, that main NGFW is somewhat of a personal playground, which means that conducting maintenance on it would have disrupted the OPNsense box connectivity -- a fact which I wanted to change because, newly so, there are now people behind the OPNsense box, whooohooo...

Well the problem here most likely lied in between the chair and the keyboard =)

Thanks a lot for your help,
Cheers,
m.
#42
General Discussion / Swap physical interfaces
March 01, 2024, 04:42:02 PM
Hi there Team,

I recently wanted to do the following on my OPNsense system:


  • add a new physical interface
  • swap my WAN interface with the newly added vtnet5 adapter (was vtnet1.xxx)
  • update my main gateway reflecting the changes
  • the old WAN interface (the vLAN as well as its parent interface) would have been moved toward a different Zone (keeping an IPsec tunnel through here)

Sadly, my testing went pretty far south TBH =) -- I ended up restoring a VM backup.
One of the artifacts I've seen was that my old (VLAN based) gateway configuration kept coming back in the GUI/XML configuration, and traffic didn't seem to flow through the newly assigned WAN member. The DHCP client had been functioning on the newly assigned interface though.

Is there anything I need to pay attention to before attempting the shift again ?

Let me know,
Cheers,
m.
#43
Hi there team,

Is this "still" supposed to work with current versions of either Wazuh or OPNsense?
I can't get this to trigger any alerts in Wazuh, syslogs are coming through though.

Let me know,
Thanks & regards,
m.
#44
Hi all,

I just wanted to share how I've set up OPNsense to provide Transparent Proxy over multiple interfaces.
The idea was to provide TP over: LAN, Internal WiFi, Guest WiFi and SSLVPN Road Warriors as well.

01 - For the SSLVPN part, you first need to assign your OpenVPN interface as an assigned interface.
02 - Enable the Web Proxy and assign all the interfaces you want your Squid Proxy daemon to listen on.
03 - Create NAT rules: Firewall --> NAT --> Port Forward / I have created two rules here (TCP:80 & TCP:443) involving all the interfaces I wanted to be transparently proxied/redirected (to TCP:3128 & TCP:3129 respectively).
04 - Within Web Proxy > Forward Proxy > Access Control List, you need to specify your allowed subnets within Forward Proxy > Allowed Subnet.
05 - IF you're using Unbound DNS, you'll need to create Access Lists according to the different subnets using the Unbound DNS service.

You can see my configs within the attachments below.

Hope this helps.
Cheers,
m.

PS: can I use the attached images within my own post? Couldn't figure out how/if that's possible...
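Added example, not mokaz's configuration and not OPNsense code: a Python model of steps 02 to 04 above. For a single inbound flow it applies the port-forward mapping (TCP/80 to 3128 and TCP/443 to 3129 on 127.0.0.1) and then Squid's Allowed Subnet ACL, and it renders the equivalent pf rdr rules for the same tables. Interface names, subnets and the OpenVPN pool are assumptions; the OpenVPN pool is deliberately left out of the allowed list so that `audit_coverage()` and `classify()` show the "redirected but denied" outcome that a subnet missing from step 04 produces (the road-warrior case that the earlier post in this thread was struggling with).

```python
"""Model of the multi-interface transparent-proxy chain from the post above.

Added example, not the poster's configuration or OPNsense's own code. It
applies, to one inbound flow, the port-forward step (TCP/80 -> 3128 and
TCP/443 -> 3129 on 127.0.0.1) and then Squid's "Allowed Subnet" ACL, so an
interface that is redirected but whose subnet is not allowed shows up as
"redirected-but-denied" instead of silently failing. It also renders the
equivalent pf rdr rules for the same tables. Interface names, subnets and
the OpenVPN pool are assumptions; the OpenVPN pool is deliberately omitted
from ALLOWED_SUBNETS to show the symptom.
"""
import ipaddress

# assumption: interface -> subnet served on it (the listeners chosen in step 02)
PROXIED_IFACES = {
    "lan":    ipaddress.ip_network("192.168.10.0/24"),
    "wifi":   ipaddress.ip_network("192.168.20.0/24"),
    "guest":  ipaddress.ip_network("192.168.30.0/24"),
    "ovpns1": ipaddress.ip_network("10.8.0.0/24"),   # assigned OpenVPN interface (step 01)
}
REDIRECT = {80: 3128, 443: 3129}      # step 03: destination port -> proxy port
PROXY_ADDR = "127.0.0.1"              # where the port forward sends the flow
ALLOWED_SUBNETS = [                   # step 04: OpenVPN pool missing on purpose
    ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")
]


def redirect_target(iface: str, proto: str, dport: int):
    """Proxy port the flow is redirected to, or None if it is not intercepted."""
    if proto != "tcp" or iface not in PROXIED_IFACES:
        return None
    return REDIRECT.get(dport)


def squid_allows(src_ip: str) -> bool:
    """Squid's Allowed Subnet check on the client source address."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SUBNETS)


def classify(iface: str, src_ip: str, proto: str, dport: int) -> str:
    """Outcome for one flow: not-intercepted, proxied:<port>, or
    redirected-but-denied:<port> (reached Squid, rejected by the ACL)."""
    target = redirect_target(iface, proto, dport)
    if target is None:
        return "not-intercepted"
    if squid_allows(src_ip):
        return f"proxied:{target}"
    return f"redirected-but-denied:{target}"


def audit_coverage() -> list:
    """Interfaces whose subnet is intercepted but not covered by the ACL."""
    return sorted(name for name, net in PROXIED_IFACES.items()
                  if not any(net.subnet_of(allowed) for allowed in ALLOWED_SUBNETS))


def render_pf_rdr() -> list:
    """Illustrative pf rdr rules equivalent to the port-forward entries."""
    rules = []
    for iface, net in PROXIED_IFACES.items():
        for dport, target in REDIRECT.items():
            rules.append(f"rdr on {iface} inet proto tcp from {net} to any "
                         f"port {dport} -> {PROXY_ADDR} port {target}")
    return rules


if __name__ == "__main__":
    for flow in (("lan", "192.168.10.5", "tcp", 443), ("ovpns1", "10.8.0.6", "tcp", 80)):
        print(flow, "->", classify(*flow))
    print("redirected but not allowed:", audit_coverage())
    print("\n".join(render_pf_rdr()))
```

Running it prints `proxied:3129` for the LAN client and `redirected-but-denied:3128` for the OpenVPN client, and lists `ovpns1` as the interface whose subnet still has to be added under Allowed Subnet.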
#45
Hi all,

I've been trying to make my Squid transproxy work for OpenVPN road warriors. Till now without success.
Has any of you got such a setup working?

I've tried many things.. One idea was a loopback for squid and do the redirect to that IP instead of the 127.0.0.1 but no chance there either. At best I'd want to have a single loopback for squid if possible.

Attached a view of my vSSLVPN interface and the corresponding port forward NAT entries.

Thanks a lot,
mokaz