Recent posts

#1
Zenarmor (Sensei) / Re: updating to 2.6 checking f...
Last post by Taunt9930 - Today at 08:23:14 PM
Should we be being offered an update to 2.6.x? Version 2.5.1 from May 22 is showing as up to date for me.
#2
Tutorials and FAQs / What to do and what to avoid f...
Last post by meyergru - Today at 07:22:49 PM
Hi everyone,
I usually prefer Wireguard for its simplicity, but I found that some ISPs block it using Deep Packet Inspection (even for the purpose of fighting copyright violations). IPsec, being the more "enterprise" VPN protocol, is less often blocked, so it is handy to have a fallback.

While setting up an IKEv2 EAP-MSCHAPv2 Roadwarrior connection using the modern VPN: IPsec: Connections module according to the official OPNsense Roadwarrior (swanctl) Documentation, you might run into situations where the connection seems established on the firewall (swanctl --list-sas), but 0 packets / 0 bytes are being transmitted.

To save you hours of structural troubleshooting on the FreeBSD kernel or routing layers, here is a definitive list of bullet points on what actually causes issues with modern iOS/macOS clients—and what you can safely ignore.

⚠️ The Real Problems (What you must avoid / fix)

  • Avoid Manual Profile Configuration (The DNS Trap)
    • The Issue: Typing the VPN credentials directly into the native iOS VPN settings menu.
    • The Impact: iOS manually configured profiles strictly ignore the DNS Configuration Payload sent by the server. This happens regardless of whether you use Split Tunneling or Full Tunneling (0.0.0.0/0). Internal DNS resolution will be completely broken.
    • The Fix: You must deploy the configuration via a .mobileconfig file to explicitly inject the DNS structure into the Apple network stack.
      You can create such profiles with the free Imazing app.
  • Avoid Server Certificate Lifetimes > 397 Days
    • The Issue: Creating a server certificate with a standard 1-year+, 2-year, or permanent validity period.
    • The Impact: The Apple crypto subsystem silently and rigidly rejects any server certificate with a total lifetime exceeding 397 days.
    • Note: While this rule can technically be bypassed by backdating the Not Before timestamp years into the past via OpenSSL CLI commands, the OPNsense GUI does not allow backdating (it always forces creation date to time()). Therefore, stick to ACME/Let's Encrypt (90 days) or issue short-lived certificates.
      Note: This will not be any problem when using ACME-type certificates. Also, the System : Trust : Certificate dialogue will preset the certificate lifetime with 397 days for this very reason.
  • Avoid Missing Server Authentication EKU
    • The Issue: Generating the server certificate as a generic or unconstrained type.
    • The Impact: The certificate must explicitly contain the Extended Key Usage (EKU) attribute TLS Web Server Authentication. Without it, iOS drops the connection instantly during the IKE_AUTH phase. This is also done automatically in System : Trust : Certificate if you select "Server Authentication".
  • Avoid Non-RSA certificates
    • The Issue: Generating the server certificate as an EC certificate.
    • The Impact: The certificate must be an RSA certificate to be recognized. This is also done automatically in System : Trust : Certificate per default.

ℹ️ The Cosmetic Illusion (Do not judge the connection by this)

  • The Missing VPN Icon
    • The Reality: In current iOS versions, the VPN icon in the status bar standardly disappears after a successful IKEv2 handshake. Do not assume a vanished icon means a routing failure, a bad configuration, or a silent disconnect. The tunnel remains fully active (ESTABLISHED / INSTALLED in swanctl), even when the icon is missing. The status display is not tied to a failing DNS check.

🚫 Mythbusting (What is NOT the problem)

If your tunnel is up but registers 0 packets on active SAs, do not waste your time troubleshooting the following theoretical network pitfalls, as iOS handles them perfectly fine:
  • Overlapping / Supernet Routing: iOS handles broad local traffic selectors like 192.168.0.0/16 flawlessly alongside CGNAT or carrier cellular networks. However, use a disjoint network for your IP pools.
  • MTU sizes: IP fragmentation is handled correctly, but AI agents will often misinterpret log messages as to try to make the
  • Multiple LocalNets / Comma-separated Lists: The native Apple client parses multiple distinct local networks in the traffic selector correctly.
  • Strict SAN / Wildcard Validation: Wildcard certificates (*.domain.tld) or strict Subject Alternative Name (SAN) match anomalies are not the cause of 0-byte transmission stalls.
  • IPv6 problems: There are none. AI bots may also misinterpret mixed IP addressing for the connection itself and the tunnel IPs, but that is not a problem.

Summary for a working setup:
Follow the official documentation, make sure your certificate is short-lived with the correct Server-EKU, ignore the missing status bar icon, and deploy the client configuration exclusively via a tailored .mobileconfig profile to get proper DNS access.
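As an added check for the three certificate rules in the post above (this is not code from the original post or from OPNsense): a stdlib-only Python linter that reads the text output of `openssl x509 -in server.pem -noout -text` and flags a lifetime over 397 days, a non-RSA key, or a missing TLS Web Server Authentication EKU. The certificate dump embedded below is constructed for the demonstration and trips all three rules.

```python
import re
import sys
from datetime import datetime

MAX_LIFETIME_DAYS = 397  # Apple's hard limit for server certificate validity

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate):
# a 2-year EC certificate carrying only the clientAuth EKU.
SAMPLE_DUMP = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2025 GMT
            Not After : Jan  1 00:00:00 2027 GMT
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""


def _parse_openssl_date(raw):
    # openssl pads single-digit days with a space ("Jan  1"); normalise and drop the zone.
    return datetime.strptime(" ".join(raw.replace("GMT", "").split()), "%b %d %H:%M:%S %Y")


def check_apple_ikev2_cert(dump):
    """Return a list of findings for an openssl text dump; an empty list means it passes."""
    findings = []
    before = re.search(r"Not Before:\s*(.+)", dump)
    after = re.search(r"Not After\s*:\s*(.+)", dump)
    if not (before and after):
        return ["could not find the validity period in the dump"]
    lifetime = (_parse_openssl_date(after.group(1)) - _parse_openssl_date(before.group(1))).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime is {lifetime} days (> {MAX_LIFETIME_DAYS}); iOS/macOS will reject it")
    if "Public Key Algorithm: rsaEncryption" not in dump:
        findings.append("public key is not RSA")
    # The EKU list is printed on the line after the header (comma-separated if several).
    eku = re.search(r"Extended Key Usage:.*\n\s*(.+)", dump)
    if not eku or "TLS Web Server Authentication" not in eku.group(1):
        findings.append("missing 'TLS Web Server Authentication' (serverAuth) EKU")
    return findings


if __name__ == "__main__":
    # Pipe a real dump in (openssl x509 -in server.pem -noout -text | python3 check.py)
    # or run without input to lint the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    problems = check_apple_ikev2_cert(text)
    print("\n".join(problems) if problems else "certificate looks acceptable for iOS/macOS IKEv2")
```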
#3
26.1, 26.4 Series / Re: Unable to achieve 2.5Gbps ...
Last post by bhoriss - Today at 05:39:23 PM
If anyone ends up on this post and is in a similar situation to me, aka
DEC750 V1 owner (3x 1G RJ45 ports) and ISP modem doesn't have any available SFP+ ports.

I ended up setting up a LAGG (interfaces>devices>LAGG) with 2 igb interfaces and the load balance protocol (LACP wasn't working with my particular modem).

Now, overview reports a 2G/s link to the modem. Here's to hoping things will be stable from here.

Thank you again to everyone that replied,
best,
Bhoriss
#4
Ah okay that makes sense. Well nothing that can be done about this now.

No problem happy to help.
#5
26.1, 26.4 Series / Re: Unable to achieve 2.5Gbps ...
Last post by bhoriss - Today at 05:18:35 PM
Quote from: Monviech (Cedrik) on Today at 05:15:39 PM
Did you buy directly from Deciso or was it from somewhere else?

I bought from the opnsense store in 2023. 799 euros

Seems like I bought a couple of months before the V2 PDF was uploaded...
#6
Did you buy directly from Deciso or was it from somewhere else?
#7
26.1, 26.4 Series / Re: Unable to achieve 2.5Gbps ...
Last post by bhoriss - Today at 05:12:42 PM
Quote from: Monviech (Cedrik) on Today at 05:11:16 PM
Well what are your interface names?

Just do an "ifconfig" in the shell.

If it shows "igb" it's gigabit and "igc" are the multi gigabit ports.

My interfaces are igb. Then it is solved: I was sent the older version of the DEC750 with 1G RJ45 ports instead of the 2.5G ports.

Imma go cry in my corner now.

Thank you all for the help!
#8
Well what are your interface names?

Just do an "ifconfig" in the shell.

If it shows "igb" it's gigabit and "igc" are the multi gigabit ports.
#9
26.1, 26.4 Series / Re: Unable to achieve 2.5Gbps ...
Last post by bhoriss - Today at 05:07:28 PM
Quote from: Patrick M. Hausen on Today at 04:51:55 PM
There are different generations of the DEC750 - I have one with 2x 10G and 3x 1G. Only the newer ones have 3x 2.5G.
And the 10G ports do not support anything but 1G and 10G.

Quote from: Patrick M. Hausen on Today at 05:06:29 PM
Then you have the older 1G model just like me.

Very interesting and disappointing. I was not aware the 2 versions existed under the same name. I can't find any details online about 2 versions and my box doesn't show any version number. Do you know how I can figure out which version I bought?

#10
Then you have the older 1G model just like me.