23.1 Legacy Series / Need help converting HAProxy config to Caddy
« on: March 05, 2023, 11:19:39 pm »
I have a working HAProxy configuration. It took me quite some time to figure out the nitty-gritty in order to add SSL offloading for each of my services via the Acme Client plugin.
However, now that caddy is also available as a plugin in the mimugmail repo, I would like to switch over to caddy2 since configurations are easier to find for caddy2. Will the Acme Client plugin still be needed after switching to caddy since caddy handles the LE certs automatically?
Can someone help me to convert the HAProxy config into caddy config? I want this to be seamless because once I switch over to caddy, I want all my services to be accessible as I have my password manager as 1 of them. Having no access to that would cause a lot of consternation.
Once the caddy2 config is built, do I just have to paste it under the Caddy plugin from mimugmail, enable the Caddy service and disable HAProxy service?
Here's my HAProxy config:
Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 1
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: https (HAProxy Public Service for all LAN services)
frontend https
http-response set-header Strict-Transport-Security "max-age=15768000"
bind 192.168.1.1:443 name 192.168.1.1:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/605e453acf0e75.09310296.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: nc_caldav
acl acl_6075fbe5edde88.14416266 path_end -i /.well-known/caldav
# ACL: nextcloud
acl acl_6068e929c25802.40129836 hdr(host) -i nextcloud.mydomain.com
# ACL: nc_carddav
acl acl_6075f978b44654.46404459 path_end -i /.well-known/carddav
# ACL: nc_nodeinfo
acl acl_609d839568e351.48169054 path /.well-known/nodeinfo
# ACL: nc_webfinger
acl acl_609d8379f35913.09534187 path /.well-known/webfinger
# ACL: firefly
acl acl_60b8e127010005.49996293 hdr(host) -i firefly.mydomain.com
# ACL: adguard
# NOTE: the posted rule used a character class, ^[adguard|agh]+\.mydomain\.com$, which matches any run of those letters; the intended alternation is:
acl acl_633c7fddce7da1.80920986 hdr_reg(host) -i ^(adguard|agh)\.mydomain\.com$
# ACL: amcrest
acl acl_60d3aaa0ca9ba7.98361344 hdr(host) -i cam1.mydomain.com
# ACL: apnet
acl acl_605e44279e3b56.98854478 hdr(host) -i apnet.mydomain.com
# ACL: dl
acl acl_606945b7508907.10161822 hdr(host) -i dl.mydomain.com
# ACL: dl2
acl acl_60694bc7097d72.55498217 hdr(host) -i dl2.mydomain.com
# ACL: home
acl acl_605e77060755c7.74232910 hdr(host) -i home.mydomain.com
# ACL: homer
acl acl_62351a098660c6.48798884 hdr(host) -i homer.mydomain.com
# ACL: emby
acl acl_6068ee14c01084.16274607 hdr(host) -i emby.mydomain.com
# ACL: jellyfin
acl acl_60affb35076bb2.76934816 hdr(host) -i jellyfin.mydomain.com
# ACL: nas
acl acl_6068e7c9290ad9.26389997 hdr(host) -i nas.mydomain.com
# ACL: netdata
acl acl_6068e847835b87.41206608 hdr(host) -i netdata.mydomain.com
# ACL: office
acl acl_6068e93d924d11.74924956 hdr(host) -i office.mydomain.com
# ACL: omada1
acl acl_6068e953c1b204.65701206 hdr(host) -i omada.mydomain.com
# ACL: pbs
acl acl_631fdfac2e34a6.66731673 hdr(host) -i pbs.mydomain.com
# ACL: proxmox
acl acl_60695b2ef32f30.68592514 hdr(host) -i proxmox.mydomain.com
# ACL: scanner
acl acl_6068e967a37f63.90582969 hdr(host) -i scanner.mydomain.com
# ACL: shinobi
# NOTE: same character-class mistake as above; written as an alternation here
acl acl_60d2b1089c1d58.17520071 hdr_reg(host) -i ^(shinobi|cctv)\.mydomain\.com$
# ACL: switch
acl acl_605e444bbaa5f0.93057342 hdr(host) -i switch.mydomain.com
# ACL: ups
acl acl_605e7dd7be0f73.35996982 hdr(host) -i ups.mydomain.com
# ACL: vaultwarden
# NOTE: same character-class mistake as above; written as an alternation here
acl acl_63276269c65d47.19509789 hdr_reg(host) -i ^(bit|vault)warden\.mydomain\.com$
# ACL: x9scl
acl acl_6068e97b2a02f8.85789703 hdr(host) -i x9scl.mydomain.com
# ACL: x10slh
acl acl_6068e98e041167.98049410 hdr(host) -i x10slh.mydomain.com
# ACTION: nc_caldav
http-request redirect code 301 location /remote.php/dav if acl_6075fbe5edde88.14416266 acl_6068e929c25802.40129836
# ACTION: nc_carddav
http-request redirect code 301 location /remote.php/dav if acl_6075f978b44654.46404459 acl_6068e929c25802.40129836
# ACTION: nc_nodeinfo
http-request redirect code 301 location /index.php%[capture.req.uri] if acl_609d839568e351.48169054 acl_6068e929c25802.40129836
# ACTION: nc_webfinger
http-request redirect code 301 location /index.php%[capture.req.uri] if acl_609d8379f35913.09534187 acl_6068e929c25802.40129836
# ACTION: fireflyHeaderProto
http-request set-header X-Forwarded-Proto https if acl_60b8e127010005.49996293
# ACTION: adguard
use_backend adguard if acl_633c7fddce7da1.80920986
# ACTION: amcrest
use_backend amcrest if acl_60d3aaa0ca9ba7.98361344
# ACTION: apnet
use_backend apnet if acl_605e44279e3b56.98854478
# ACTION: dl
use_backend dl if acl_606945b7508907.10161822
# ACTION: dl2
use_backend dl2 if acl_60694bc7097d72.55498217
# ACTION: home
use_backend home if acl_605e77060755c7.74232910
# ACTION: homer
use_backend homer if acl_62351a098660c6.48798884
# ACTION: emby
use_backend emby if acl_6068ee14c01084.16274607
# ACTION: firefly
use_backend firefly if acl_60b8e127010005.49996293
# ACTION: jellyfin
use_backend jellyfin if acl_60affb35076bb2.76934816
# ACTION: nas
use_backend nas if acl_6068e7c9290ad9.26389997
# ACTION: netdata
use_backend netdata if acl_6068e847835b87.41206608
# ACTION: nextcloud
use_backend nextcloud if acl_6068e929c25802.40129836
# ACTION: office
use_backend office if acl_6068e93d924d11.74924956
# ACTION: omada
use_backend omada if acl_6068e953c1b204.65701206
# ACTION: pbs
use_backend pbs if acl_631fdfac2e34a6.66731673
# ACTION: proxmox
use_backend proxmox if acl_60695b2ef32f30.68592514
# ACTION: scanner
use_backend scanner if acl_6068e967a37f63.90582969
# ACTION: shinobi
use_backend shinobi if acl_60d2b1089c1d58.17520071
# ACTION: switch
use_backend switch if acl_605e444bbaa5f0.93057342
# ACTION: ups
use_backend ups if acl_605e7dd7be0f73.35996982
# ACTION: vaultwarden
use_backend vaultwarden if acl_63276269c65d47.19509789
# ACTION: x9scl
use_backend x9scl if acl_6068e97b2a02f8.85789703
# ACTION: x10slh
use_backend x10slh if acl_6068e98e041167.98049410
# Backend: apnet ()
backend apnet
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server apnet 192.168.1.6:443 ssl verify none
# Backend: switch ()
backend switch
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server switch 192.168.1.9:443 ssl verify none
# Backend: home ()
backend home
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server home 192.168.1.20:443 ssl verify none
# Backend: ups ()
backend ups
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server ups 192.168.1.8:80
# Backend: nas ()
backend nas
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server nas 192.168.1.3:443 ssl verify none
# Backend: netdata ()
backend netdata
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server netdata 192.168.1.5:19999
# Backend: nextcloud ()
backend nextcloud
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server nextcloud 192.168.1.23:80
# Backend: office ()
backend office
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server office 192.168.1.24:9980
# Backend: omada ()
backend omada
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# ACL: omada1
acl acl_6068e953c1b204.65701206 hdr(host) -i omada.mydomain.com
# ACL: omada2
acl acl_6328cfa6578730.30147092 hdr_reg(host) -i ^omada\.mydomain\.com(:([0-9]){1,5})?$
# ACTION: omada_header_set
http-request set-header host omada.mydomain.com:8043 if acl_6068e953c1b204.65701206 || acl_6328cfa6578730.30147092
# ACTION: omada_response_replace
# NOTE: actions with no ACLs/conditions will always match
http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]
http-reuse safe
server omada 192.168.1.10:8043 ssl verify none
# Backend: scanner ()
backend scanner
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server scanner 192.168.1.7:80
# Backend: x9scl ()
backend x9scl
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server x9scl 192.168.1.2:80
# Backend: x10slh ()
backend x10slh
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server x10slh 192.168.1.4:80
# Backend: emby ()
backend emby
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server emby 192.168.1.30:8096
# Backend: dl ()
backend dl
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server dl 192.168.1.22:9091
# Backend: dl2 ()
backend dl2
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server dl2 192.168.1.29:9091
# Backend: proxmox ()
backend proxmox
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server proxmox 192.168.1.5:8006 ssl verify none
# Backend: jellyfin ()
backend jellyfin
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server jellyfin 192.168.1.21:8096
# Backend: firefly ()
backend firefly
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server firefly 192.168.1.26:80
# Backend: shinobi ()
backend shinobi
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server shinobi 192.168.1.28:8080
# Backend: amcrest ()
backend amcrest
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server amcrest 192.168.4.2:80
# Backend: homer ()
backend homer
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server homer 192.168.1.32:80
# Backend: pbs ()
backend pbs
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server pbs 192.168.1.33:8007 ssl verify none
# Backend: vaultwarden ()
backend vaultwarden
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server vaultwarden 192.168.1.25:8000
# Backend: adguard ()
backend adguard
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server adguard 192.168.1.1:81
# statistics are DISABLED
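An added example, not the original poster's config and not the mimugmail plugin's own template, of what a slice of the HAProxy config above looks like as a Caddyfile: the nextcloud backend with its four .well-known redirects, the vaultwarden and adguard host aliases, and the omada backend with its Host and Location rewrites. It assumes the plugin accepts a raw Caddyfile and that the hostnames resolve publicly with ports 80/443 reachable (or a DNS-challenge module is built in), since Caddy otherwise cannot obtain certificates for LAN-only names.

```caddyfile
# Added example, not the original poster's or the plugin's own config.
# Converts part of the HAProxy config above to Caddy 2. Hostnames and
# upstream addresses are the ones from that config.
#
# Caddy obtains and renews Let's Encrypt certificates itself, so the
# Acme Client plugin is not needed for hosts Caddy serves. Assumption:
# the names resolve publicly and 80/443 are reachable, or a DNS-challenge
# module is compiled in; otherwise point "tls <cert> <key>" at the files
# the Acme Client already manages.

# Replaces the frontend-wide HSTS header. Caddy's default TLS floor is
# already TLS 1.2, and reverse_proxy already sets X-Forwarded-Proto and
# X-Forwarded-For, so "option forwardfor" and the fireflyHeaderProto
# action need no equivalent.
(hsts) {
	header Strict-Transport-Security "max-age=15768000"
}

# Backend "nextcloud" plus the four .well-known redirects. {uri} is the
# request URI, matching HAProxy's %[capture.req.uri].
nextcloud.mydomain.com {
	import hsts
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	redir /.well-known/webfinger /index.php{uri} 301
	redir /.well-known/nodeinfo /index.php{uri} 301
	reverse_proxy 192.168.1.23:80
}

# hdr_reg(host) -i ^[bit|vault]+warden... was meant as an alternation;
# Caddy simply lists the two names. Same for adguard/agh.
bitwarden.mydomain.com, vaultwarden.mydomain.com {
	import hsts
	reverse_proxy 192.168.1.25:8000
}

adguard.mydomain.com, agh.mydomain.com {
	import hsts
	reverse_proxy 192.168.1.1:81
}

# Backend "omada": the upstream speaks HTTPS on 8043 with a self-signed
# certificate, wants its own Host header, and sends redirects to :8043.
omada.mydomain.com {
	import hsts
	reverse_proxy https://192.168.1.10:8043 {
		# Equivalent of "ssl verify none". Caddy verifies upstream
		# certificates by default; skipping that is only tolerable for a
		# controller on a trusted LAN. The better fix is
		# tls_trusted_ca_certs with the controller's CA file.
		transport http {
			tls_insecure_skip_verify
		}
		# ACTION omada_header_set
		header_up Host omada.mydomain.com:8043
		# ACTION omada_response_replace: rewrite 8043 to 443 in Location
		header_down Location 8043 443
	}
}
```

The plain-HTTP backends (ups, scanner, x9scl and so on) need only `reverse_proxy <ip>:<port>` inside a site block of their own; the proxmox and pbs backends need the same `transport http { tls_insecure_skip_verify }` treatment as omada until their self-signed certificates are replaced.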
22.7 Legacy Series / Re: Opnsense reverts to an old configuration
« on: November 13, 2022, 05:06:34 am »
> When it would revert, the previous version(s) would still be stored in the backup, which is accessible via (System -> Configuration -> History).
Thanks for responding Ad.
> In case it does automatically restore (which only happens when an un-parsable config is found), the machine would send a message to the (system) log about the event as well:
> https://github.com/opnsense/core/blob/20a3c3da3869751ecacd306e267c53059a5f7973/src/opnsense/mvc/app/library/OPNsense/Core/Config.php#L330-L341
> Best regards,
> Ad
The code seems to be logging the exception if the config cannot be restored. Where would I find that log -- just so that I can see what in the config is incorrect such that the restore fails with a ConfigException?
I checked my configuration history and originally had about 37MB of history. So the question still is why would it revert back to a config which was some months old and not the recent one?
Also I haven't had this happen on every reboot and this definitely is intermittent.
In any case, since I was on the page, I reduced the Backup Count to 5 -- which effectively deleted all my old configurations from the history and kept only the latest ones. The hope is that next time it would just pick up one of the 5 latest configurations. I have reverted the Backup Count back to empty, so it would now save the history beyond the 5 recent files.
Under System>>Log Files>>Web GUI I do see the following a few times:
Code:
2022-11-07T16:38:20-06:00 Error lighttpd (configfile.c.1287) WARNING: unknown config-key: server.dir-listing (ignored)
but I am not sure if it is related to be honest.
22.7 Legacy Series / Re: Opnsense reverts to an old configuration
« on: November 07, 2022, 11:46:11 pm »
This happened to me yet again when upgrading from 22.7.6 to 22.7.7_1. It reverted to a very old config when I used to have NordVPN clients etc.
Worse thing was that I could no longer access my NAS in order to upload a nightly saved configuration copy. I had to manually mount my NAS as NFS using the IP and then copy the configuration over.
I have not had this problem when upgrading opnsense before but this is much more recent -- at least the last 3 or 4 upgrades. Can someone please provide some pointers as to where the old config is being saved so that I can update it with the latest copy?
22.7 Legacy Series / Re: Wireguard NAT rules required?
« on: October 26, 2022, 12:30:40 am »
Yup. Thanks for confirming via testing.
It could just be how the plugin was implemented where the OpenVPN automatically adds its subnet to NAT whereas WG doesn't. Might be worth a bug/enhancement ticket in the Wireguard plugin for feature parity with the OpenVPN plugin but then again, the documentation clearly states that you need either the interface assignment or the NAT rules -- and sometimes maybe both depending on what you want to do.
I created the WG interface and am now able to access the LAN services as well as the internet at the same time from my connected device.
22.7 Legacy Series / Re: Wireguard NAT rules required?
« on: October 25, 2022, 03:49:59 am »
> Ok, I now checked my outbound NAT, the only rules are those automatically generated rules containing every internal interface and, indeed, VPN (WG interfaces and OVPN subnets). I guess if there were no interface created for WG, the automatic rules would contain the subnet IPs as it does for OVPN. I am pretty sure that I used WG the first time without assigning an interface, this was done later when I added a second WG instance.
Yeah, this is for my home network and I don't foresee more than 1 WG VPN server which is why I thought of simply using the Wireguard (Group) to set up the firewall rules instead of assigning the interface similar to what I had for OpenVPN.
But from the looks of it, it seems I will have to assign the interface in order for it to be able to access the LAN services as well as the internet in general.
Oh well, I was just curious as to why it was different for OpenVPN vs Wireguard that's all.
22.7 Legacy Series / Re: Wireguard NAT rules required?
« on: October 24, 2022, 09:21:53 pm »
> WG will also work without NAT rule or specific interface.
Well, it sure doesn't seem like it works. I have Wireguard set up and it connects. But I cannot access the internet from my phone when connected to Wireguard. The only thing that I can access is the local LAN services/devices.
> As said... Don't know for what reason NAT is needed here.
22.7 Legacy Series / Re: Wireguard NAT rules required?
« on: October 24, 2022, 04:37:46 pm »
Thanks @RamSense, @tiermutter & @miroco for responding.
All 3 of you seem to be suggesting that you can just assign the Interface and then you won't need the NAT rule. I have gone through the homenetworkguy url and also the video and I understand that I can create either the NAT rule or the Interface assignment to get it to work.
But I am just trying to understand why OpenVPN works without an interface assignment or NAT rule, whereas Wireguard requires at least one or the other.
TIA.
22.7 Legacy Series / Wireguard NAT rules required?
« on: October 23, 2022, 05:56:08 am »
Hello,
I have a Road Warrior OpenVPN setup that is working perfectly. I am using the Automatic outbound NAT rule generation currently under Firewall-->NAT-->Outbound. I also have not assigned the OpenVPN interface, but created an "Allow All" rule under the default OpenVPN tab that gets created under Firewall-->Rules. I have a different subnet as the Tunnel network and then allow access to my main LAN and CCTV vlans by passing those in the IPv4 Local Network in the OpenVPN configuration. I can connect from my mobile device to my OpenVPN server and I am able to access the LAN devices as well as the internet.
I was trying to set up the exact same thing via Wireguard. After setting up the wireguard peers, I did the same thing, I did NOT assign the wireguard interface, but created an "Allow All" rule under Firewall-->Rules-->Wireguard (Group). Similar to the OpenVPN setup, I use a completely different subnet as the Tunnel Network for Wireguard and put in 0.0.0.0/0 as Allowed IPs in the client/endpoint configuration for wireguard. I can now access my LAN services from my mobile device but I am unable to access anything on the internet. I researched and found out that I need some NAT Outbound rules in order to do this.
But my question is why does OpenVPN work without any such NAT Outbound rules while Wireguard doesn't?
TIA
22.7 Legacy Series / Re: Help setting up nextcloud backup
« on: October 07, 2022, 06:41:55 pm »
> Setup described here: https://forum.opnsense.org/index.php?topic=23339.0
As I said, the HAProxy opnsense plugin configuration is a bit convoluted with real servers, backend pools, conditions, rules etc. Too many fields however aren't even used for basic SSL offloading which is what I am using it for.
> Skimmed it and got my head spinning....
> Not worth the trouble in my case.
There were no 3rd party repos when I first started using Opnsense. So I opted for Caddy v2 in a Proxmox container, but then having to maintain host overrides in Opnsense Unbound pointing to Caddy and then having them route again to the correct server seemed unnecessary, which is why I opted for HAProxy which was available in the main Opnsense repo at that time.
I didn't have mimugmail repo enabled until 3 days ago -- which I did for AdGuard plugin. I would have used the caddy plugin when I did this if I had the option. Who knows, I might switch to the caddy plugin down the road. It would just be a lot of work for me since I would have to move and test 20+ different services over. Tedious without any huge benefit (for me). The config will be simpler, so I might try it out when I have time and patience.
22.7 Legacy Series / Re: Help setting up nextcloud backup
« on: October 07, 2022, 05:39:55 pm »
> Then set up a free Let's Encrypt account and use a wildcard cert. It's not terribly difficult with the Acme plugin on Opnsense. I originally did it because vaultwarden password manager required SSL in order to access the WebUI. So I thought instead of a self-signed cert, I might as well set up LE and use that for all my services that I host locally.
> Yea that's mostly true, I just never like plain text passwords, if something is ever compromised on network that's just one more thing that could be read and subsequently accessed. Small risk, but I worked a long time in enterprise cyber so lateral movement is something I always think about.
> I'll probably leave it this way for now, looks like DNS based Let's Encrypt isn't easy to set up on Nextcloud currently.
Then don't. Set it up on a proxy -- HAProxy plugin on Opnsense is what I use -- although, the configuration for HAProxy is relatively convoluted compared to other proxy servers like Nginx Proxy Manager or caddy. I initially started with caddy (which has built in LE btw), then switched to HAProxy only to avoid having a separate VM/LXC container for the proxy, when my opnsense router was plenty capable of doing the same thing. If you enable the mimugmail repo in Opnsense, you can even use caddy as a plugin on Opnsense.
> Secondly how often does a backup run? Do I need to set up a cron job? I see there is a "remote backup" option but I have no idea what it does.
It runs nightly. Mine runs at 1AM, but I couldn't find any documentation as to whether we can change the time it runs etc. If you do select the Cron job of Remote Backup, it will simply do the configured backup for you. So e.g. if you configured Nextcloud and Google Drive -- then it would run both those backups at the scheduled time.
I had set up a cron job and forgotten about it -- so when I saw a backup of my opnsense config at a time other than 1AM, I was confused until I checked the cron job. I have now disabled the cron job since I had set that up to run once a week whereas the autorun runs every day even without a cron job.
22.7 Legacy Series / Re: Changing the DNS provider
« on: October 06, 2022, 11:50:05 pm »
> Right, clear now. Internally.
Yeah, unbound is running in resolver mode and I already have a host override set up for adguard pointing to the IP of opnsense.
> You'd want to see where your clients are looking for their internal dns resolution and put an override there. Presumably it's Unbound. So try a host override.
EDIT: Turned out that the SSL check was on in the Real Server configuration of HAProxy. Not sure how I missed that !!!! :angry:
22.7 Legacy Series / Re: Changing the DNS provider
« on: October 06, 2022, 06:18:41 pm »
If you are getting just your IP then your unbound is working as a resolver, yes.
22.7 Legacy Series / Re: Changing the DNS provider
« on: October 06, 2022, 12:30:06 am »
> For blocking google ad services if you want to have it again, try the steven black blocklist https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Ok thanks, I will try that. I did have that in my Unbound Blocklist. I was going to enable 1 at a time and see if it was worthwhile to add it to AdGuard Home.
> For reaching your AGH from outside, it is a bit more involved. I did it with nginx as reverse proxy on opnsense with a real server on the lan that was doing the required translations i.e. UDP and DoT (for android) but I changed my infrastructure and haven't re-done it. I needed a quick workaround for traveling and set up a wireguard vpn. Now when I'm out, I enable wg on the phone and all flows through my home network including dns queries through ADG. Just a thought.
I do NOT want to access AGH from outside the network. I actually have an OpenVPN Road warrior setup and that works great for me to connect to the home network. I might think about setting up a WireGuard VPN if there are speed benefits as everyone claims.
What I am currently trying to do is just use https://adguard.mydomain.com to access AGH instead of 192.168.1.1:81 from within my local network. I use such a setup for all my services and I own a domain and issue a wildcard Let's Encrypt certificate for all of them.
22.7 Legacy Series / Re: Help setting up nextcloud backup
« on: October 05, 2022, 11:12:05 pm »
> https://forum.opnsense.org/index.php?topic=8996.0 this post had a similar issue and it was cert related, that's why I think it just doesn't like a self-signed cert. It's waaay too much effort to get let's encrypt up and going imo.
Hmm. The 2 key differences in my setup are that my Nextcloud is running locally on a proxmox LXC container and I am using a Let's Encrypt wildcard cert for all my services -- opnsense, nextcloud and many more.
> Very frustrating something as necessary as backup is so hard to reach it seems. I'd say I'm a pretty seasoned sysadmin and this is stumping me. No way less seasoned users are gonna get this working. IMO there needs to be a much simpler option available.
I still think that self-signed certs should work, as long as both ends accept it.