Recent posts

#1
26.1, 26.4 Series / Re: Question for Best Practice...
Last post by Seimus - Today at 12:10:06 PM
Well, maybe show the configuration for Instances and peers, which would help to troubleshoot.

But in general, if you have more than one instance of Wireguard, you need 4 essential things to make sure the connection is established:
1. Unique port per Instance
2. Unique Private and Public Keys per instance (thus unique keys for peers)
3. Unique network per Instance & Peers
4. Proper Rules on WAN interfaces to permit the specific instance (per Instance port rule)

To establish the Wireguard connection these are essential, plus the Ingress Underlay interface rule.

Regards,
S.
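As an added illustration (not part of Seimus's reply), a small Python checker that applies those four rules to a hand-transcribed list of instances and peers. The instance and peer records, key strings and ports are constructed placeholders; the second instance deliberately violates every rule so each check fires.

```python
import ipaddress

# Constructed sample data (not from the post): two instances and their peers as an
# admin might transcribe them from VPN > WireGuard. wg1 reuses wg0's port, key and
# address range and has no WAN rule, so every check below produces a finding.
INSTANCES = [
    {"name": "wg0", "port": 51820, "pubkey": "KEY-A-PLACEHOLDER",
     "network": "10.10.0.0/24", "wan_rule_ports": {51820}},
    {"name": "wg1", "port": 51820, "pubkey": "KEY-A-PLACEHOLDER",
     "network": "10.10.0.128/25", "wan_rule_ports": set()},
]
PEERS = [
    {"name": "phone", "instance": "wg0", "pubkey": "PEER-KEY-1"},
    {"name": "laptop", "instance": "wg1", "pubkey": "PEER-KEY-1"},
]


def check_instances(instances, peers):
    """Return human-readable findings; an empty list means all four rules hold."""
    findings = []
    ports, keys = {}, {}
    for inst in instances:
        # 1. Unique listen port per instance
        if inst["port"] in ports:
            findings.append(f"{inst['name']}: port {inst['port']} already used by {ports[inst['port']]}")
        ports.setdefault(inst["port"], inst["name"])
        # 2. Unique key pair per instance (a shared public key reveals a copied pair)
        if inst["pubkey"] in keys:
            findings.append(f"{inst['name']}: public key already used by {keys[inst['pubkey']]}")
        keys.setdefault(inst["pubkey"], inst["name"])
        # 4. A WAN rule must permit this instance's own UDP port
        if inst["port"] not in inst["wan_rule_ports"]:
            findings.append(f"{inst['name']}: no WAN rule for UDP port {inst['port']}")
    # 3. Instance networks must not overlap
    nets = [(i["name"], ipaddress.ip_network(i["network"], strict=False)) for i in instances]
    for idx, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[idx + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    # 2 (peers). Peer keys must also be unique across all instances
    peer_keys = {}
    for peer in peers:
        if peer["pubkey"] in peer_keys:
            findings.append(f"peer {peer['name']}: public key already used by peer {peer_keys[peer['pubkey']]}")
        peer_keys.setdefault(peer["pubkey"], peer["name"])
    return findings


if __name__ == "__main__":
    for line in check_instances(INSTANCES, PEERS):
        print("CONFLICT:", line)
```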
#2
Hardware and Performance / Re: Used PC as OPNsense router...
Last post by trdeal - Today at 11:14:27 AM
Hi,
I have a couple of old Dell Optiplex SFF PCs, a 7010 with an i5-3470 @3.2GHz and a 3020 with an i5-3470 @3.2GHz (active and backup), both equipped with igb0 dual NIC cards. I noticed that the 7010 had two 16x PCI slots, so I added two Intel X550-T2 cards and replaced the 3020. With the 3020 I was getting latency issues connecting to the upstream router; since swapping, no issues.
When I ping the Opnsense (Optiplex 7010) LAN interface, WAN interface and the upstream router, the results are as follows 
LAN round-trip (ms)  min/avg/max/stddev = 0.128/0.149/0.288/0.028
WAN round-trip (ms)  min/avg/max/stddev = 0.139/0.166/0.299/0.036
Router round-trip (ms)  min/avg/max/stddev = 0.387/0.598/2.268/0.367 (not a direct connection but via 4 port switch)
I have ordered a second Dell Optiplex 7010 as a backup to current Optiplex 7010.
With reference to CPU utilisation, it peaks around 15% with 15 clients accessing the internet.
#3
25.1, 25.4 Legacy Series / Re: Bridging two VLAN's togeth...
Last post by Seimus - Today at 10:36:17 AM
Quote from: HansJ on June 20, 2025, 01:02:17 AM: I have a separate VLAN for every gamer in our household (for easy management of who is downloading too much, who needs to go to bed, who is being punished :) ).

So the VLANs are not really for security, but more for management, especially since we have a very slow internet connection (only 95Mbps).

You know you could easily achieve that as well in a single VLAN, by using aliases, DHCP static binding or static IPs with DHCP IP exclusion?

In that case you would not deal with this.

Also, because this feature needs Host Discovery, e.g. the host will announce the service via UDP on this port, broadcasting on the network. And broadcast doesn't pass the bridge domain. So you will need a UDP relay to announce hosts from one network to another.

Regards,
S.
#4
Virtual private networks / Re: Wireguard Logging
Last post by Seimus - Today at 10:00:46 AM
Quote from: mtchetch on March 13, 2026, 01:20:05 PM: If you did everything correctly the Wireguard log will start logging events every minute. These are accessible directly in the wireguard VPN log menu.

2026-03-13T14:04:00    Notice    wireguard     wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=56s
2026-03-13T14:03:00    Notice    wireguard     wireguard peer disconnected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=513s
2026-03-13T13:58:12    Notice    wireguard     wireguard peer disconnected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=381s
2026-03-13T13:54:36    Notice    wireguard     wireguard peer connected: instance=wg0, peer_name=laptop, peer_pubkey=9V3VB9ALJtB0lgvhpCetVVEbZW6YH6Rnk=, endpoint=192.168.11.228:54553, allowed_ips=192.168.12.3/32, handshake_age=9s
2026-03-13T13:51:57    Notice    wireguard     wireguard peer connected: instance=wg0, peer_name=phone, peer_pubkey=bOa1clBIOgmJEw2To7+StkqPaA2UxKsjw=, endpoint=192.168.11.65:51888, allowed_ips=192.168.12.2/32, handshake_age=6s

Peers are marked disconnected when they have not handshaked in 300 seconds / 5 min.

For the life of me I do not understand why this simple logging is not part of the Wireguard implementation on every firewall, since it is essential to know who is accessing your firewall and from where.


Not bad, maybe consider opening a PR on GitHub?
Even though this is via the cron menu, it could be redone to have it by default.

Regards,
S.
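To make the 300-second threshold concrete, here is an added Python sketch (not mtchetch's cron job, whose code is not shown in the thread) that reads the output format of `wg show wg0 dump`, marks a peer disconnected once its last handshake is older than 300 s, and emits log lines in the same shape as above only when a peer's state changes. The dump, keys, endpoints and peer names are constructed.

```python
# Constructed sample of `wg show wg0 dump` output (tab separated; keys and addresses are made up).
# Line 1 describes the interface; each later line is one peer:
# pubkey, preshared-key, endpoint, allowed-ips, latest-handshake (epoch s), rx, tx, keepalive
NOW = 1773410640  # constructed "current time" so the run is reproducible
WG_DUMP = "\n".join([
    "PRIVKEY-PLACEHOLDER\tSERVER-PUBKEY-PLACEHOLDER\t51820\toff",
    f"PEER-PHONE-PUBKEY\t(none)\t192.168.11.65:51888\t192.168.12.2/32\t{NOW - 56}\t1024\t2048\toff",
    f"PEER-LAPTOP-PUBKEY\t(none)\t192.168.11.228:54553\t192.168.12.3/32\t{NOW - 513}\t4096\t512\toff",
    "PEER-TABLET-PUBKEY\t(none)\t(none)\t192.168.12.4/32\t0\t0\t0\toff",  # never handshaked
])
PEER_NAMES = {"PEER-PHONE-PUBKEY": "phone", "PEER-LAPTOP-PUBKEY": "laptop",
              "PEER-TABLET-PUBKEY": "tablet"}   # OPNsense peer names, keyed by public key
DISCONNECT_AFTER = 300  # seconds without a handshake before a peer counts as disconnected


def parse_dump(dump):
    """Parse `wg show <iface> dump` into {pubkey: (endpoint, allowed_ips, latest_handshake)}."""
    peers = {}
    for line in dump.splitlines()[1:]:          # skip the interface line
        fields = line.split("\t")
        peers[fields[0]] = (fields[2], fields[3], int(fields[4]))
    return peers


def peer_events(instance, dump, previous, now):
    """Return (new_state, log_lines): state maps pubkey -> connected?, lines are transitions only."""
    state, lines = {}, []
    for pubkey, (endpoint, allowed, last_hs) in parse_dump(dump).items():
        age = now - last_hs
        connected = last_hs != 0 and age <= DISCONNECT_AFTER
        state[pubkey] = connected
        if previous.get(pubkey, False) != connected:   # log only when the state flips
            verb = "connected" if connected else "disconnected"
            age_txt = f"{age}s" if last_hs else "never"
            lines.append(f"wireguard peer {verb}: instance={instance}, "
                         f"peer_name={PEER_NAMES.get(pubkey, '?')}, peer_pubkey={pubkey}, "
                         f"endpoint={endpoint}, allowed_ips={allowed}, handshake_age={age_txt}")
    return state, lines


if __name__ == "__main__":
    # State saved by the previous minute's run: laptop was up, phone had not been seen yet.
    saved = {"PEER-LAPTOP-PUBKEY": True}
    saved, events = peer_events("wg0", WG_DUMP, saved, NOW)
    for event in events:
        print(event)   # a cron job would hand each line to logger(1) instead
```

A real cron job would run `wg show wg0 dump`, persist the returned state between runs (for instance in a small JSON file), and pass each line to logger so it lands in the WireGuard log.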
#5
Virtual private networks / Re: wireguard not working afte...
Last post by iorx - Today at 09:39:58 AM
Hi again!

Don't know if this is frowned upon or maybe worth much to others, but this solved it for me and may give others an idea how to get it going with WireGuard and a hostname.

Some LLM vibe-coding...

This script ensures that all required services are running and that the hostname is resolvable before it triggers a WireGuard restart via pluginctl. It also includes a "pre-flight check" so it doesn't restart anything if the tunnel is already up.

It grabs what it can from the config.conf. A warning is that it assumes that a pingable IP through the tunnel is .1 from one of the .0/24 allowed networks in the peer configuration.

Add:
Put it here, and set +x on it.

root@fwa:~ # cd /usr/local/etc/rc.syshook.d/start
root@fwa:/usr/local/etc/rc.syshook.d/start # ls
10-newwanip             25-syslog               90-carp                 90-openvpn              95-beep
20-freebsd              50-ntopng               90-cron                 90-sysctl               99-wireguard-dns-fix
root@fwa:/usr/local/etc/rc.syshook.d/start # chmod +x 99-wireguard-dns-fix

PEER_NAME: Change this to match your peer name.
REQUIRED_SERVICES: Adjust to the services that should be running.

Script:
#!/bin/sh

# Header: Dynamic Wireguard Startup Sync for OPNsense 26.1
# Description: Extracts peer data from config.xml and ensures DNS stack is ready.
# Note: This script will "man-guess" that .1 is a reachable gateway address if a .0 network is found.
# Optimization: Checks if the tunnel is already up before performing any actions.
# Logging: Outputs to system log with tag "man-guess-wg" and priority "user.notice".

# --- Configuration ---
PEER_NAME="wg_peer"
REQUIRED_SERVICES="unbound dnsmasq AdGuardHome"
CONFIG_PATH="/conf/config.xml"
LOG_TAG="man-guess-wg"
MAX_RETRIES=20
SLEEP_INTERVAL=5

log_msg() {
    # Output to stdout and OPNsense System Log (General)
    echo "$1"
    logger -p user.notice -t "$LOG_TAG" "$1"
}

# 1. Extract the Endpoint (serveraddress)
CHECK_HOST=$(xmllint --xpath "string(//wireguard/client/clients/client[name='$PEER_NAME']/serveraddress)" $CONFIG_PATH 2>/dev/null)

# 2. Extract the first entry from Allowed IPs (tunneladdress)
RAW_IP=$(xmllint --xpath "string(//wireguard/client/clients/client[name='$PEER_NAME']/tunneladdress)" $CONFIG_PATH 2>/dev/null | cut -d',' -f1 | cut -d'/' -f1)

# Logic: Convert network address (ending in .0) to gateway (.1) for ping test.
# This part is a confident man-guess that .1 is the responding address.
TUNNEL_IP=$(echo "$RAW_IP" | sed 's/\.0$/.1/')

# Validation: Stop if configuration data is missing
if [ -z "$CHECK_HOST" ] || [ -z "$RAW_IP" ]; then
    log_msg "ERROR: Extraction failed for '$PEER_NAME'. Check if the name matches in config.xml."
    exit 1
fi

# --- INITIAL CHECK ---
# If the tunnel is already reachable, we exit immediately to avoid unnecessary restarts.
if ping -c 1 -t 2 "$TUNNEL_IP" > /dev/null 2>&1; then
    log_msg "STATUS: Tunnel to $TUNNEL_IP is already UP. No action taken."
    exit 0
fi

check_process() {
    pgrep -f "$1" > /dev/null
    return $?
}

log_msg "STATUS: Tunnel is DOWN. Initiating sync for peer: $PEER_NAME (Target: $CHECK_HOST)"

for i in $(seq 1 $MAX_RETRIES); do
    SERVICES_READY=true
   
    # Verify that all DNS-related services are running
    for SERVICE in $REQUIRED_SERVICES; do
        if ! check_process "$SERVICE"; then
            SERVICES_READY=false
            break
        fi
    done
   
    if [ "$SERVICES_READY" = true ]; then
        # Check if the dynamic hostname can be resolved yet
        if host "$CHECK_HOST" > /dev/null 2>&1; then
            log_msg "DNS OK: $CHECK_HOST resolved. Restarting Wireguard via pluginctl."

            # Official OPNsense 26.1 method for plugin service management
            /usr/local/sbin/pluginctl -s wireguard restart
           
            # Allow time for handshake and routing table updates
            sleep 15
           
            if ping -c 1 -t 3 "$TUNNEL_IP" > /dev/null 2>&1; then
                log_msg "SUCCESS: Connectivity to $TUNNEL_IP confirmed."
                exit 0
            fi
        fi
    fi
   
    # Log status every 5th attempt to keep the system log clean
    if [ $((i % 5)) -eq 0 ]; then
        log_msg "WAIT: Attempt $i/$MAX_RETRIES - Dependencies or DNS not ready."
    fi
   
    sleep $SLEEP_INTERVAL
done

log_msg "FATAL: Timeout reached. Connectivity could not be verified for $PEER_NAME."
exit 1
#6
26.1, 26.4 Series / Re: Factory reset, but retain ...
Last post by chemlud - Today at 09:38:49 AM
How about "restoring" a custom config.xml with serial console enabled and other parts of the .xml reset to your favourite state, and rebooting?

#7
Quote from: nero355 on April 29, 2026, 11:55:16 PM: Workaround: Whitelist Docker IP subnets in Crowdsec

Don't you have RFC 1918 networks whitelisted, anyway?

https://docs.crowdsec.net/u/getting_started/next_steps
Quote: By default, CrowdSec whitelists private LAN IP addresses. You can add your own IPs or events to prevent false positives.
#8
25.1, 25.4 Legacy Series / Re: Bridging two VLAN's togeth...
Last post by LizaM - Today at 08:46:00 AM
Quote from: petavef405 on April 29, 2026, 07:09:33 PM: Yeap, bridging VLANs isn't really the right move here - it tends to break things more than fix them.
What you actually need is to let the VLANs "see" each other, not merge them. Steam uses local discovery, so even if routing works the PCs won't find each other without multicast/broadcast passing through.

So in simple terms:

- Keep VLANs as they are
- Allow traffic between them in the firewall
- Enable something like mDNS repeater / multicast forwarding on your router

If your router doesn't support that, honestly the easiest way is just to put the gaming PCs in the same VLAN when you're downloading stuff.

mDNS/multicast forwarding is the key here. Bridging VLANs causes headaches; better to keep segmentation and just enable proper discovery between networks.
#9
26.1, 26.4 Series / Re: Factory reset, but retain ...
Last post by OPNenthu - Today at 06:52:45 AM
Only if you installed from the OPNsense serial installer image should the console be enabled with defaults (115200 baud):

https://docs.opnsense.org/manual/how-tos/serial_access.html

I guess you would be able to log in with the default credentials (root:opnsense) if prompted.
#10
General Discussion / Re: NPTv6 seems to mistranslat...
Last post by OPNenthu - Today at 06:36:11 AM
binat rules as seen in /tmp/rules.debug:

# cat /tmp/rules.debug | grep binat
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1000::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1001::/64 -> (igc1:0)/64 # NPTv6 WAN<->MANAGE (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1002::/64 -> (igc1:0)/64 # NPTv6 WAN<->VPN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1003::/64 -> (igc1:0)/64 # NPTv6 WAN<->CLEAR (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1004::/64 -> (igc1:0)/64 # NPTv6 WAN<->GUEST (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1005::/64 -> (igc1:0)/64 # NPTv6 WAN<->IOT (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1006::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAB (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1007::/64 -> (igc1:0)/64 # NPTv6 WAN<->MOBILES (/64)