Messages - Inxsible

76
General Discussion / Re: Bug in HAProxy "Save & Test syntax"?
« on: April 06, 2021, 09:00:09 am »
I noticed that too. See this thread that I created a week or so ago: https://forum.opnsense.org/index.php?topic=22304.msg105819#msg105819


I think there was a feature that was added wherein the HAProxy config file is renamed to *.staging.conf when the plugin is disabled. During the rename it also adds the comment which comments out the global keyword. I thought my config was wrong for quite a few hours before I realized that the haproxy.conf file was created only after enabling the service and I noticed it only after I ssh'ed into the firewall and was actively monitoring the changes in the filesystem with every change I made in the WebUI.

It is definitely not intuitive -- as initially I thought that Test Syntax would be a good way to make sure everything is correct before enabling the service and I kept hitting Test Syntax and it kept failing and I kept re-doing the configuration from scratch thrice.

Maybe you can create a CR/enhancement request to change the behavior such that Test Syntax would work even when the HAProxy service was disabled.

77
General Discussion / Re: [SOLVED]Understanding DNS & DDNS
« on: April 06, 2021, 08:43:39 am »
Sorry to bring this up again...

I am trying to use the FQDN that I set up in the DDNS to connect to my VPN server. But it seems to resolve to some other address than my WAN IP.

I set up the DDNS service to use Cloudflare API. I have an A record in my public DNS called home.domain.net. I manually changed the public DNS to be some random IP. Then I did a Save and Force Update on my DDNS in OPNsense and it correctly updated my WAN IP for the A record in Cloudflare. So that part works...

However, when I try to nslookup the FQDN using Unbound as the name server, I get a different IP.

NOTE: I have changed all public IPs in the below logs to hide my domain name, as it's personally identifiable.
Code:
[~]── - nslookup home.domain.net 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: home.domain.net
Address: 101.87.98.110
Name: home.domain.net
Address: 172.33.25.119
Name: home.domain.net
Address: 2606:4700:zzzz::yyyy:ab77
Name: home.domain.net
Address: 2606:4700:wwww::xxxx:1d6e

If I try it again, say with Google's DNS server, it will give me the other address that is listed:
Code:
[~]── - nslookup home.domain.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: home.domain.net
Address: 172.33.25.119
Name: home.domain.net
Address: 101.87.98.110
Name: home.domain.net
Address: 2606:4700:zzzz::yyyy:ab77
Name: home.domain.net
Address: 2606:4700:wwww::xxxx:1d6e
and it keeps switching between these 2 IPv4 addresses.

When I try to ping the FQDN, it gives me the same result:
Code:
[~]── - ping -c2 home.domain.net
PING home.domain.net (172.33.25.119) 56(84) bytes of data.
64 bytes from 172.33.25.119 (172.33.25.119): icmp_seq=1 ttl=59 time=16.2 ms
64 bytes from 172.33.25.119 (172.33.25.119): icmp_seq=2 ttl=59 time=16.8 ms

--- home.domain.net ping statistics ---
Pinging again will sometimes give me the 172.33 address and at other times will give me the 101.87 address. But neither one is my actual WAN IP. So when I try to use home.domain.net as the FQDN to connect to (in the OpenVPN Connect app) it tries to connect to the IPv6 address which eventually times out.

How would I make sure that I can connect to my WAN IP and thereby my VPN server using the FQDN (home.domain.net) that I set up in the DDNS service?
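A small diagnostic for the symptom described in this post, added here as an example and not taken from the post or from OPNsense: it parses the nslookup transcripts into address sets, checks whether every resolver returns the same record set (so the changing order between queries is just round-robin, not a stale cache) and whether the expected WAN address is published at all. The transcripts, the IPv6 address and the 203.0.113.252 WAN address are constructed placeholders.

```python
# Added example: parse nslookup transcripts into address sets and compare them
# with the expected WAN address, so round-robin reordering is not misread.
import ipaddress
import re

ADDRESS_RE = re.compile(r"^Address:\s*(\S+)\s*$", re.MULTILINE)

def parse_nslookup(output: str) -> dict:
    """{'A': set, 'AAAA': set} from one transcript; text before
    'Non-authoritative answer:' (the resolver's own Address line) is skipped."""
    answers = {"A": set(), "AAAA": set()}
    _, _, body = output.partition("Non-authoritative answer:")
    for raw in ADDRESS_RE.findall(body):
        ip = ipaddress.ip_address(raw)
        answers["A" if ip.version == 4 else "AAAA"].add(str(ip))
    return answers

def diagnose(expected_wan: str, transcripts: dict) -> dict:
    """Compare the answer sets from several resolvers with the WAN address."""
    parsed = [parse_nslookup(text) for text in transcripts.values()]
    consistent = len({frozenset(p["A"] | p["AAAA"]) for p in parsed}) == 1
    wan = str(ipaddress.ip_address(expected_wan))
    wan_present = any(wan in p["A"] for p in parsed)
    if wan_present:
        verdict = "ok: WAN address is published"
    elif consistent:  # identical RRset from every resolver: not a stale cache
        verdict = "published RRset omits the WAN address (not a cache issue)"
    else:
        verdict = "resolvers disagree: stale cache or propagation"
    return {"consistent": consistent, "wan_present": wan_present,
            "has_aaaa": any(p["AAAA"] for p in parsed), "verdict": verdict}

# Constructed transcripts: IPv4 values are the anonymised ones from the post;
# the IPv6 address and the 203.0.113.252 WAN address are placeholders.
UNBOUND = """Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: home.domain.net
Address: 101.87.98.110
Name: home.domain.net
Address: 172.33.25.119
Name: home.domain.net
Address: 2606:4700:1111::2222:ab77
"""
# Same records from 8.8.8.8, in the other order, as in the post.
GOOGLE = UNBOUND.replace("192.168.1.1", "8.8.8.8").replace(
    "101.87.98.110\nName: home.domain.net\nAddress: 172.33.25.119",
    "172.33.25.119\nName: home.domain.net\nAddress: 101.87.98.110")

if __name__ == "__main__":
    print(diagnose("203.0.113.252", {"unbound": UNBOUND, "google": GOOGLE}))
```

Because the two resolvers agree on the full record set, the result says the published records simply do not contain the WAN address, which is the case to chase in the DNS provider rather than in the local resolver cache.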

78
Virtual private networks / Re: NordVPN issues since update
« on: March 27, 2021, 06:57:02 pm »
Have you tried a different server?

I use NordVPN and I have no problems connecting. I am on the latest 21.1.3_3

79
General Discussion / Re: [SOLVED]Possible bug in the HAProxy plugin config file?
« on: March 27, 2021, 05:16:10 pm »
Quote from: Fright on March 27, 2021, 07:48:57 am
did you try to just enable HAProxy on Services: HAProxy: Settings: Service and Apply?
Umm...yes.

Did you see my second post?

80
General Discussion / Re: Possible bug in the HAProxy plugin config file?
« on: March 26, 2021, 09:55:25 pm »
Apparently, starting up the HAProxy service copies the staging conf file over to the actual conf file, where the global directive is no longer commented.

I kept thinking that something was wrong because the Test Syntax kept failing when I was setting it up.

81
General Discussion / [SOLVED]Possible bug in the HAProxy plugin config file?
« on: March 26, 2021, 06:58:03 pm »
I was trying to set up HAProxy as a reverse-proxy for my LAN only services. Was planning on using the Cloudflare API with DNS-01 challenge.

After spending hours configuring it, the Test syntax always gave me lots of errors. This is all new to me, so I thought I was doing something wrong. I redid it twice, but still got errors. Then I deleted the plugin and cleared the haproxy.conf and haproxy.conf.staging files. I re-installed the plugin and, without doing anything else, tried the Test syntax and it still failed. The global directive is commented out in the default config file that the plugin installs.

I tried to manually uncomment the global directive in the staging file, but when I tested the syntax again, it still gave me errors. I checked the staging file again and the global directive had been commented out again.


Would someone please double check this?

82
21.1 Legacy Series / Re: [Solved] My plugins is empty
« on: March 26, 2021, 05:04:11 pm »
Just a note that even though the provided solution worked for the OP, it may not be a solution for everyone.

For example, if you are not using Unbound as a forwarder and you encounter the same DNS issue, you will have to figure out a different way to get your DNS fixed.

83
General Discussion / Re: Understanding DNS & DDNS
« on: March 25, 2021, 09:35:36 pm »
Sorry. I was using the Global API Key when using the Cloudflare API token option. I created a new token for All Zones and using that token, it worked.

The Global API Key works when using it as a password in the Cloudflare option instead.

84
General Discussion / Re: Understanding DNS & DDNS
« on: March 25, 2021, 09:24:04 pm »
Quote from: lfirewall1243 on March 25, 2021, 09:22:19 pm
Quote from: Inxsible on March 25, 2021, 09:17:31 pm
Quote from: lfirewall1243 on March 25, 2021, 09:06:39 pm
So you just have to set up Cloudflare dyndns
I see. What is the difference between Cloudflare, Cloudflare (v6), Cloudflare API Token, Cloudflare API Token (v6)?
V6 is for ipv6

API for accessing API Functions
Ok. I was editing my earlier post right when you posted. I tried all 4 options but all I get is N/A for the Cached IP for all of my sub-domains.

85
General Discussion / Re: Understanding DNS & DDNS
« on: March 25, 2021, 09:17:31 pm »
Quote from: lfirewall1243 on March 25, 2021, 09:06:39 pm
So you just have to set up Cloudflare dyndns
I see. What is the difference between Cloudflare, Cloudflare (v6), Cloudflare API Token, Cloudflare API Token (v6)?

EDIT : I tried creating DDNS for a few of my sub-domains, but all I get is N/A as the Cached IP no matter which option I choose from the 4 listed above.

86
General Discussion / Re: Understanding DNS & DDNS
« on: March 25, 2021, 09:04:54 pm »
Quote from: lfirewall1243 on March 25, 2021, 09:01:48 pm
Hi

So all your DNS A records are now set up at namecheap or cloudflare?
On Cloudflare. I used Cloudflare only because caddy2 didn't have a DNS challenge plugin for Namecheap. I am willing to move completely over to Cloudflare if that simplifies things.

I probably did what I did due to a lack of complete understanding of DNS vs Namespace at that time. I am still learning....

87
General Discussion / Understanding DNS & DDNS
« on: March 25, 2021, 08:09:56 pm »
I know the basics but I am trying to get a deeper understanding of how they work and how I can improve upon my setup.

So here’s the back-story which is relevant just so that you know how my current setup is…

It all started with me getting into self-hosting. Next thing I know I had 19 different URLs (nextcloud, bitwarden, emby, IPMI etc etc.) for which I had to remember the IPs and the ports. So I thought of getting a reverse-proxy. Obvious choices, Apache & Nginx. But then I thought, why not get proper SSL Certs from Lets-Encrypt along with the reverse proxy, so that it stops the browsers from screaming about it and my wife calling me over whenever she is accessing bitwarden or emby etc.

Enter Caddy2 which had easy integration with Lets-Encrypt DNS challenges. I needed the easy button because this was all very new to me. I bought a domain name for myself from Namecheap. Unfortunately, Caddy2 only had the Cloudflare plugin available for DNS challenges during 2.0 Beta. So, I created a Cloudflare account and then used those nameservers as my “Custom DNS” in the Namecheap account instead of using the Namecheap BasicDNS.

I set up 19 different A records – all pointing to my public WAN address (say XX:XX:XX:252) and using Cloudflare as the Proxy. I used DNS challenge and everything works as expected. I can use the sub-domains I defined in the A records instead of remembering the IPs and ports.

I use Opnsense as my firewall. I also have a road-warrior VPN server that I connect to from the road. I also have a dynamically assigned IP address. If my WAN IP changes, I would still want my certs and my VPN to continue functioning. Enter DDNS. I enabled the DDNS service in Opnsense and used the Namecheap option – put in my domain name (that I had purchased), my user/password and it immediately listed my WAN IP (XX:XX:XX:252) as the Cached IP. So here’s where I am confused:

  • How did it cache my WAN IP for my domain name instead of the actual public IP of the domain name? In my Cloudflare account, my base domain points to a completely different IP (I am not hosting anything on that domain though).
Then my WAN IP changed when I rebooted the modem and the Opnsense firewall.

  • However, all the A records that I created for the 19 services still point to the old WAN IP address (XX:XX:XX:252). This will be a problem whenever my current LE certs expire, wouldn’t it? Is there a way to auto-update these records whenever my WAN IP changes?
  • Is there a way to create a wildcard cert for my domain name so that I can use the same cert for all my LAN services?
  • How do I use the DDNS service in Opnsense such that my WAN IP is always tied to a particular domain name that I can use for all my VPN clients – so that I don’t have to manually change the IP address in each client’s VPN config?

88
21.1 Legacy Series / Re: My plugins is empty
« on: March 25, 2021, 03:45:31 pm »
Quote from: k356g on March 25, 2021, 01:56:37 pm
I tried to update the system, but it still doesn't work.

I enabled System > Settings > General : Prefer IPv4 over IPv6, but it doesn't work.
What does "doesn't work" mean? Did you get any errors? If so what were they?
Have you checked if you are connected to the internet? Have you tried pinging a URL and are you getting a response back?

89
21.1 Legacy Series / Re: OpenVPN - DNS issue / question
« on: March 25, 2021, 03:33:07 pm »
Quote from: mr.sarge on March 15, 2021, 11:38:53 am
Hello,

I recently activated OpenVPN with policy based routing. Everything works except DNS queries.

I'm using the following DNS settings:
- System-> Settings -> General ->Networking ->DNS servers "8.8.8.8 / 8.8.4.4"
   - DNS server options "Allow DNS server list to be overridden by DHCP/PPP on WAN" -> UNCHECKED
   - Allow default gateway switching -> UNCHECKED
- Services -> Unbound DNS -> General
  - DNS Query Forwarding -> Enable Forwarding Mode -> CHECKED
  - Local Zone Type > transparent
  - Outgoing Network Interfaces > All (recommended)

DHCPv4 -> DNS servers -> BLANK -> USE SYSTEM DEFAULT DNS SERVERS

Problem: clients routed through the vpn tunnel are not able to resolve DNS host names until I set the DNS servers manually or with DHCP. It seems that "DNS Query Forwarding" (Unbound DNS) is not working.

Is there an option and/or firewall rule that I'm still missing?

best regards,

Sarge

In your VPN Server configuration did you set up Unbound as your DNS server for the VPN clients? The clients connecting via VPN need to know the address of Unbound which is usually your opnsense IP.

Also, since you are only using a DNS forwarder, another option is to just use Dnsmasq instead of Unbound with Query Forwarder Mode.

90
Virtual private networks / Re: Understanding VPNs in OPNsense
« on: March 25, 2021, 03:21:39 pm »
Quote from: bartjsmit on March 25, 2021, 08:41:13 am
I haven't looked into Zerotier, mostly because I'm wary of outsourcing security. OpenVPN has its own CA, so it gives control over who gets to connect.

It's a matter of where you draw the line between inside and outside your network, I guess.

Bart...
That was one of the first things I thought about as well. The data goes through the ZeroTier relays which seems like a possible point of insecurity.

I am currently following up with my parents to figure out if changing ISP is a possibility (unlikely), or I will try to contact their ISP and find out if they can provide a static IPv6 address. I will then have to look into IPv4 <--> IPv6 translations and how that would be possible. Failing that, I might have to consider moving to IPv6, as my ISP provides me with an IPv4 & an IPv6 WAN address.
