Recent posts

#1
Hi,

Did anyone find a solution to this?
#2
Virtual private networks / IPSec VPN Between OPNSense and...
Last post by aaronu - June 02, 2026, 11:15:40 PM
While trying to establish an IPsec VPN between my OPNsense router, located in a data center environment, and a UniFi UDM appliance at a remote site, I have been running into some issues.

Here is some info on what is trying to be achieved and how. I am trying to establish an IPsec VPN connection between the two sites. This VPN connection is being made to an office location utilizing a storage server on the data center (OPNsense) network. The data center network has a large IP block. The IP being used for the actual OPNsense unit is different than the one I want to connect the VPN to. I am essentially using a separate IP and VLAN network for all traffic connected to this remote office, as only that customer's servers live on this VLAN. The IP is set up as a virtual IP as an IP alias in OPNsense and is showing the OPNsense login when reached.
What is happening:

After setting up the VPN connection and a lot of firewall rules to route the traffic from the WAN to IPsec, then IPsec to the VLAN of the server, etc., I was able to get a VPN connection via IPsec, showing a connection on the UniFi end and a connection on the OPNsense end. I also set up the child under the OPNsense connection for the remote and local subnets. When attempting to ping the server on the data center network from the office, however, I have not gotten a ping. I noticed that in the IPsec connection status there is no value (not even 0) in the bytes sent or received, and the child shows installed, but not established. Also, while attempting a ping, the live log of OPNsense shows a connection attempt from the remote office IP to the VPN IP, but with no port attached to the request, not attempting over an IPsec port, and it is blocking the traffic. I am hesitant to allow anything from the remote location for security. I'm honestly not sure what to do here. I have not been able to find any resources for a setup between OPNsense and UniFi at all and have run out of things to try.
Any help or suggestions are appreciated.

Thanks!
#3
General Discussion / Re: Help with GeoIP and csv fo...
Last post by ChrisC - June 02, 2026, 10:56:36 PM
Quote from: meyergru on May 10, 2026, 04:45:24 PM
@Patrick: You probably misunderstood, @IPinfo is not with IP66...

There are tools to extract CSV or JSON data from MMDB files, which seem to be the only ones that IP66 offers, unlike Maxmind and IPinfo.

However, I was unable to extract all data, including ASN with those, and I got errors all over the place during import to OpnSense, so I wrote my own: https://github.com/meyergru/opnsense-ip66

Later, I found the main problem is that for IPinfo-style .gz files, you need to send a Content-Disposition HTTP header - if you fail to do that, the file will get misinterpreted as a ZIP file in Maxmind format (with multiple files contained in it).


Nice, thanks!
I've just downloaded it and will try it in a bit.
Note that some of your lines that are longer than 84 characters have been split onto a new line, which makes my version of python barf.
Once I've removed the linefeeds on 6 of the lines, it runs.
#4
26.1, 26,4 Series / Re: System: Firmware: Updates:...
Last post by (MARLOO) - June 02, 2026, 10:51:53 PM
Thanks, Franco! So I can confirm this is the same issue I hit:

First update attempt: log stayed stuck/stacked, firewall rebooted

Second attempt: update succeeded

Since the fix is in the commit you linked and already in 26.1.8, my 26.1.9 should have it, but I still saw the chunked output and reboot. Looking forward to 26.1.10/26.1.11 when the logs return to normal streaming.

Good to know it's tracked and will be resolved!
#5
26.1, 26,4 Series / Re: "Inverting destinations is...
Last post by pfry - June 02, 2026, 10:48:47 PM
Quote from: Patrick M. Hausen on June 02, 2026, 08:28:30 PM
[...] Of course flushing the firewall states will disrupt all active connections which is exactly why it does not happen by default.

Looks like single rule(set) operations are possible, but the mechanism is rather obtuse ("anchors") and does not appear to apply to associated states/sessions. A bit of a feature oversight.
#6
26.1, 26,4 Series / Re: [Solved] Connectivity Audi...
Last post by dseven - June 02, 2026, 09:47:28 PM
Quote from: franco on June 02, 2026, 04:55:24 PM
But hostnames.sh actually tries to get the correct primary mirror first...

Ahh, I see. You're right, it is the sneaky sort -u that's undoing that. Replacing that with awk '!_[$0]++' might be a solution for dedup without sorting (https://stackoverflow.com/questions/21200659/seeking-reference-to-understand-one-pattern-0/21200722 for explanation).
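Added example (not part of dseven's post and not OPNsense's hostnames.sh; the mirror names are constructed) contrasting the two dedup approaches on a list where the primary mirror is emitted first:

```shell
#!/bin/sh
# Compares `sort -u` with `awk '!_[$0]++'` for removing duplicate
# mirror entries while keeping the order in which they were produced.
# Hypothetical input: the primary mirror comes first, followed by a
# fallback list that repeats it and contains other duplicates.
MIRRORS='pkg.example.net
mirror-a.example.org
pkg.example.net
mirror-b.example.org
mirror-a.example.org'

# sort -u removes duplicates but sorts lexically, so the entry that
# was first in the input is not guaranteed to remain first.
dedup_sorted() {
    printf '%s\n' "$MIRRORS" | sort -u
}

# awk '!_[$0]++': _[$0]++ evaluates to 0 the first time a line is seen
# (so !0 is true and the line prints) and to a positive count afterwards
# (so the line is skipped). Order of first appearance is preserved.
dedup_keep_order() {
    printf '%s\n' "$MIRRORS" | awk '!_[$0]++'
}

# Helpers so a caller can inspect the result of either variant.
first_line() {
    "$1" | head -n 1
}

count_lines() {
    "$1" | wc -l | tr -d ' '
}
```

Both variants yield three unique entries, but only the awk form keeps pkg.example.net at the top.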
#7
26.1, 26,4 Series / Re: Issue at update to 26.1.9
Last post by franco - June 02, 2026, 08:46:30 PM
Hi Mathias,

Only a temporary update glitch. The code is new in 26.1.9 and the plugin got the code before the core update in the update order it has. :)


Cheers,
Franco
#8
26.1, 26,4 Series / Re: System: Firmware: Updates:...
Last post by franco - June 02, 2026, 08:44:56 PM
Yes, noticed while testing:

https://github.com/opnsense/core/commit/5de581cd4416

But the change was already in 26.1.8 so we'll fix for 26.1.10 which means in 26.1.11 the updates log will be back to where it was.  ;)


Cheers,
Franco
#9
26.1, 26,4 Series / Re: "Inverting destinations is...
Last post by Patrick M. Hausen - June 02, 2026, 08:28:30 PM
If you have an active connection which you intend to block the problem is possibly not that your aliases are not updated in a timely fashion, but that you need to flush the firewall states.

An active TCP connection that once was permitted stays that way because of the stateful firewall, even if you change the rules.

Of course flushing the firewall states will disrupt all active connections which is exactly why it does not happen by default.
#10
26.1, 26,4 Series / How concerned should we be abo...
Last post by allenlook - June 02, 2026, 08:28:06 PM
Question is in the subject, but to reiterate, how concerned should we be about the latest supply chain attack methods like Mini Shai-Hulud?

Software that "includes" or "imports" many external libraries of unknown provenance seems to be at very heightened risk now that the supply chain itself is being compromised.

Should we be worried about OPNsense?

-- From Brave AI --

Mini Shai-Hulud is a self-propagating supply chain worm campaign attributed to the cybercriminal group TeamPCP (also tracked as UNC6780), which emerged in April 2026 as the fourth generation of the Shai-Hulud malware family. The attack targets the npm and PyPI ecosystems, compromising over 170 packages by leveraging CI/CD trust relationships to steal developer and cloud credentials.

The malware operates by injecting malicious code into trusted packages, such as those in the SAP Cloud Application Programming Model, TanStack, and Mistral AI ecosystems. It uses a two-stage payload that downloads the Bun JavaScript runtime to execute obfuscated code, harvesting tokens from GitHub, AWS, Azure, Google Cloud, and Kubernetes. The stolen data is exfiltrated via encrypted commits to public GitHub repositories or through the anonymous messaging app Session.

Key characteristics of the campaign include:

SLSA Provenance Forgery: Mini Shai-Hulud compromised packages with valid SLSA Build Level 3 attestations, proving that process integrity controls can be defeated.

OIDC Token Extraction: The worm extracts OpenID Connect tokens directly from GitHub Actions runner memory to gain publish credentials without needing stolen passwords.

Persistence: It embeds itself into developer tooling configuration files, such as VS Code and Claude Code, to maintain access to workstations.

High-Profile Impact: The attack affected organizations including OpenAI, Mistral AI, and GitHub, with OpenAI confirming limited credential exfiltration from internal source code repositories.

Mitigation: Security experts recommend rotating all cloud and developer credentials, auditing CI/CD pipelines for unauthorized access, and reviewing package lockfiles for suspicious changes.