Messages - nikkon

#61
Hardware and Performance / Re: Ten64 NXP CPU
August 21, 2021, 03:24:24 PM
I believe so.
#62
Hardware and Performance / Ten64 NXP CPU
August 19, 2021, 11:16:52 AM
Hello,

Did anyone test this hardware? Looks pretty awesome:
https://www.traverse.com.au/hardware-1.html

#63
On version 21.7.1, DoT doesn't work easily. It required 3 service restarts. No idea why.
Once I define and enable the entries under Unbound -> DNS over TLS and enable 1 of them, DNS is dead.

2021-08-14T15:37:31   unbound[96235]   [96235:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 21 recursion replies sent, 0 replies dropped, 0 states jostled out   
2021-08-14T15:37:31   unbound[96235]   [96235:0] info: server stats for thread 7: requestlist max 4 avg 0.545455 exceeded 0 jostled 0   
2021-08-14T15:37:31   unbound[96235]   [96235:0] info: server stats for thread 7: 146 queries, 125 answers from cache, 21 recursions, 1 prefetch, 0 rejected by ip ratelimiting

Finally it started working

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6IlllcyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJBTVMiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==
#64
Hardware and Performance / compatible USB Wifi
February 17, 2021, 09:14:54 AM
Hi there

Is there any compatible USB WIFI that works with Opnsense?
Has anyone tested any?

thanks
#65
I believe you could use it too
#66
Hi,

If you route all your traffic, or one entire network then I believe it makes sense not to check it.
I only need one IP to be routed and this was the only way.

However, note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

All the best from Amsterdam


Sent from my iPad using Tapatalk
#67
Hi all,

This is my first time writing a howto; if there are inconsistencies just let me know and I'll be happy to address them.
Long story short: I was looking for a VPN provider for only 1 of my local IPs (one jail in particular). So I decided to go with SurfShark VPN, and below is the step-by-step config:

Step 1
  Create a SurfShark account and log in.
  Once in, go to Manual Setup -> Manual -> Credentials. (Keep those safe.)
  Switch back to Files and choose one of the servers you want (servers in the respective country you decide you will use as exit point).

Step 2
   In Opnsense: Go to System -> Trust -> Certificates
     Press the + Add button. Then fill the fields out like this:
Descriptive Name: SurfsharkVPN
Method: Import an existing Certificate Authority
Certificate data:

-----BEGIN CERTIFICATE-----
MII3...

/UplsM=
-----END CERTIFICATE-----

This data can be also found in the CA&TLS certificates archive under the "Other configuration files" section on your SurfShark account.

Step 3
   In Opnsense: Under VPN -> OpenVPN -> Clients 
   Add new client:
  Disable this client: leave unchecked.
  Server mode: Peer to Peer (SSL/TLS);
  Protocol: UDP on IPv4 only (you can also use TCP);
  Device mode: tun – Layer 3 Tunnel Mode;
  Interface: WAN; (whatever name your wan interface has)
  Local port: leave blank;
  Server host or address: The server hostname that you want to connect to from the list of servers from Step 1;
  Server port: 1194 (use 1443 if you use TCP as I do);
  Proxy host or address: leave blank;
  Proxy port: leave blank;
  Proxy Authentication: None;
  Description: Any name you like.
 
  Remember to use your credentials from Step 1 (the ones advised to be kept safe  :P)
 
  Enable TLS Authentication for packets and use the following TLS Key:

-----BEGIN OpenVPN Static key V1-----
b02c4f079a4a49888da566b9978346
.......
e7279ff1a19cb092659e8c1860fbad0d

-----END OpenVPN Static key V1-----

TLS Key Usage Mode: TLS Authentication
Peer certificate authority: SurfsharkVPN;
Client certificate: webConfigurator default or as in my case the Let's Encrypt one
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.
Don't pull routes: check
Compression: No preference

Add this under Advanced:
   tls-client;
   remote-random;
   tun-mtu 1500;
   tun-mtu-extra 32;
   mssfix 1450;
   persist-key;
   persist-tun;
   reneg-sec 0;
   remote-cert-tls server;

Step 4
   In the Opnsense interface go to Interfaces -> Assignment -> Add Interface ovpnc1 (in my case) to the interfaces and give it a name (in my case it is simply Surfshark)
   Once the interface is created: IPv4 Configuration Type: None

Step 4.1
   If you want all your traffic to be routed via Surfshark, then select this newly created interface as the outgoing interface for DNS (Unbound & any other resolver)
   In order for the DNS to work, you need to:
   check Forwarding Mode
   uncheck DNSSEC support
   Services -> Unbound DNS -> Advanced: check both Hide Identity & Hide Version
   
Step 5
   Firewall -> NAT -> Outbound: change from "Automatic outbound NAT rule generation (no manual rules can be used)" to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)"
   Add one rule:
     Interface: Surfshark
     Source: <localhost you want to route>
     Source Port: <ports you want to route>
     Destination: *
     Destination Port: *
     NAT Address: Interface address
     NAT Port: *
     Static Port: NO
     Description: SurfSharkVPN

(This will apply only to 1 host in your network.)
If you want to route all your traffic, simply change Source to the IP address of your LAN interface (192.168.1.1/24 as example)

Step 6
Firewall -> Rules -> Surfshark, add one rule:
     Protocol: IPv4 *
     Source: Lan_Wired net
     Port: *
     Destination: <my specific host>
     Port: *
     Gateway: SURFSHARK_VPNV4
     Schedule: *
     Description: VPN allow traffic
Firewall -> Rules -> Lan, add one rule:
     Protocol: IPv4 *
     Source: <my specific host>
     Port: *
     Destination: *
     Port: *
     Gateway: SURFSHARK_VPNV4
     Schedule: *
     Description: gateway VPN

Step 7
System-> Settings-> General:
Under DNS Servers add:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4

Step 8
Check the connection - VPN-> OpenVPN-> Log File & VPN-> OpenVPN-> Connection Status


I hope this will help.
enjoy
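As an added example (not part of nikkon's howto, nor OPNsense or SurfShark code), here is a small Python linter for an OpenVPN client config that checks the points Step 3 above sets through the GUI (TLS Authentication, remote-cert-tls server, AES-256-GCM, SHA512) together with the "Don't pull routes" option discussed in the earlier reply; OPNsense renders those GUI settings into an ordinary OpenVPN config, so the same checks apply to the generated file. Both configs inside the block are constructed to mirror the howto (one hardened, one weakened); the server hostname is a placeholder, and which directives to require and how to grade them are this example's own choices, not OpenVPN's or OPNsense's.

```python
"""Added example: lint an OpenVPN client config for the hardening directives
that the OPNsense GUI settings in the howto correspond to.

Directive names are real OpenVPN options; the check list and severity labels
are this example's own choices. Both configs below are constructed samples.
"""
import re

# Constructed: roughly what the howto's Step 3 settings expand to.
HARDENED_CONFIG = """\
client
dev tun
proto udp4
# placeholder hostname, not a real server
remote nl-ams.example.invalid 1194
tls-client
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
tls-auth ta.key 1
ca surfshark-ca.crt
route-nopull
"""

# Constructed: the same client with verification and key hardening left out.
WEAK_CONFIG = """\
client
dev tun
remote nl-ams.example.invalid 1194
cipher AES-256-CBC
auth SHA1
ca surfshark-ca.crt
comp-lzo
"""

# directive -> (regex the argument must match, or None for "just present", finding text)
REQUIRED = {
    "remote-cert-tls": (r"^server$", "peer is not required to present a server certificate"),
    "ca": (None, "no CA configured to verify the server certificate against"),
    "auth": (r"^SHA(256|384|512)$", "data-channel HMAC digest missing or weak"),
    "cipher": (r"^AES-(128|256)-GCM$", "data-channel cipher is not an AEAD mode"),
}
# directive -> (regex that makes it a finding, or None for "present at all", finding text)
WARN_PRESENT = {
    "reneg-sec": (r"^0$", "reneg-sec 0 disables periodic rekeying"),
    "comp-lzo": (None, "compression enabled; OpenVPN deprecates it for security reasons"),
}


def parse_config(text):
    """Map directive -> list of argument strings (directives may repeat).

    Comment lines (# or ;) are skipped; an inline <ca>...</ca> style block is
    recorded as the directive being present with the value "<inline>".
    """
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<"):
            in_block = line.strip("<>")
            directives.setdefault(in_block, []).append("<inline>")
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def lint(text):
    """Return a sorted list of (level, message) findings for one client config."""
    d = parse_config(text)
    findings = []
    for name, (pattern, msg) in REQUIRED.items():
        vals = d.get(name)
        if vals is None or (pattern and not any(re.match(pattern, v) for v in vals)):
            findings.append(("FAIL", f"{name}: {msg}"))
    # Either tls-auth (the howto's "TLS Authentication") or tls-crypt protects the control channel.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("FAIL", "tls-auth/tls-crypt: control channel is not HMAC-protected"))
    # "Don't pull routes" in the GUI; without it the server may push routes and DNS.
    if "route-nopull" not in d:
        findings.append(("WARN", "route-nopull: server may push routes and DNS; wrong when only one host should use the tunnel"))
    for name, (pattern, msg) in WARN_PRESENT.items():
        vals = d.get(name)
        if vals is not None and (pattern is None or any(re.match(pattern, v) for v in vals)):
            findings.append(("WARN", f"{name}: {msg}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for level, msg in lint(cfg) or [("OK", "no findings")]:
            print(f"  {level}: {msg}")
```

Run it as a script to lint both constructed configs, or call lint() on the client config text OPNsense generates for the client; the lines entered in the Advanced box in Step 3 map directly onto directives such as remote-cert-tls and reneg-sec, so the linter reports the same things the GUI checkboxes control. reneg-sec 0 is reported only as a warning because the howto sets it deliberately; it just means the data channel keys are never rotated during a session.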




#68
cool
#69
not really, because in my case it always ends up with a reboot -> 0 logs
hope to catch something next time
#70
in my case suricata starts, then it freezes the system completely
the big problem I see is with the wan connection - being disconnected all the time.
#71
after updating to OPNsense 20.7.2-amd64
my wan is constantly disconnecting!
Interface is an intel em0
connection is a DHCP
any clue? or hotfix?
#72
Thanks for answering this.
I intended to use LAN (which in my case is a lagg).
Now I keep my old setup running it on Wan only.
#73
Quote from: lar.hed on August 11, 2020, 11:39:33 AM
Anyone running DoT with Multi-WAN (failover)? Would be happy if someone could attach a log and settings for getting this to work - I might have screwed up somewhere, and I can not for the world get my failover to work again....
same for me.
#74
Recently I tried to make some changes to my setup so I can include Suricata as well.
As of now I have used Sensei only for the WAN interface.
I am enabling Suricata on WAN and I tried to enable Sensei on all my VLANs (LANs).
The problem I see is that Sensei does not support LAGG interfaces. Any ETA for this?

#75
Thanks for the tip! Reinstall worked just fine