Recent posts

#1
Remove and reinstall the caddy plugin once and it will have the latest binary with the cloudflare changes.
#2
Quote from: passeri on Today at 03:08:57 AM
Better get the dust out. Blast it through every hole with one of those little battery-powered blowers ;-)
But I have run them for many years 24/7 and never used compressed air, the units never died. The firmware stopped getting updates, so I moved on to another device.

Plus, reader beware: never blow cold air onto the hot device. You must power down and let it get to room temp, and even then the compressed canned air, being cold, can temp-shock components.
#3
26.1, 26,4 Series / Re: Unable to get IPv6 Traffic...
Last post by space_cadet - Today at 04:04:23 AM
Hi Johnshill, I ran into a few issues getting IPv6 working with my WireGuard as well.  I'm going to go over some of my settings; maybe they will help you get yours set up. I'm going to go over a lot of the basics, so apologies if some of this seems redundant.

My ISP is Xfinity.

Interfaces > WAN
Generic configuration
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration
Prefix delegation size: 60
Request prefix only: unchecked
Request DNS configuration: Checked
Send prefix hint: Checked

Interfaces > WireGuardVPN
IPv4 Configuration Type: None
IPv6 Configuration Type: None

Interfaces > Overview
Go to the WAN row
Make note of the IPv4 Address (ignore the / and the numbers after it)
Next, select the Magnifying Glass icon at the end of the WAN Row
Scroll down to "Dynamic IPv6 prefix received". Mine is set as: 2601:xxxx:xxxx:xxxx::/60 (Redacted for privacy)
Notice the /60 prefix.  This means that I can use the following for my IPv6 address:
2601:xxxx:xxxx:xxx[0-f]::/60

I'm using 2601:xxxx:xxxx:xxxa::/64 for my LAN
I'm using 2601:xxxx:xxxx:xxxb::/64 for my VPN
The /64 means that the last digit of the prefix is locked for the specific network

VPN > WireGuard > Instances tab
Enabled: checked
Name: WG-VPN
Public Key: click Gear to generate Public and Private Key pair
Listen Port: set port (example: 51820)
Tunnel Address (this is where you set the IPv4 and IPv6 addresses for your VPN): 192.168.101.1/24 2601:xxxx:xxxx:xxxb::fffa/64
NOTICE the /64 and the b on the prefix, I also set the last 4 hex digits (hextet?)

Use the Peer Generator to create your peers.  It's an amazing tool:

Instance: WG-VPN
Endpoint: External IPv4 Address and port (Listen Port set earlier). Example: 17.16.15.14:51820
Name: Client Name. Example: MyPhone
Public Key: Auto Gen
Private Key: Auto Gen
Address: 192.168.101.2/32,2601:xxxx:xxxx:xxxb::fffb/128
DETAILS for Address: IPv4 address generated, Example: 192.168.101.2/32 IPv6 address prefix with full /128 address. You still need to specify the last hextet of the IP.  Prefill Example: 2601:xxxx:xxxx:xxxb::/128.  You need to add the last 4 of the ip: fffa or something, so it reads as follows: 2601:xxxx:xxxx:xxxb::fffa/128

Allowed IPs: 0.0.0.0/0,::/0
DETAILS for Allowed IPs: 0.0.0.0/0 is the IPv4 note to allow all IPv4 traffic through the VPN, ::/0 is the IPv6 version.

DNS Servers: 192.168.101.1,2601:xxxx:xxxx:xxxb::fffa
DETAILS for DNS Servers: It's your VPN Tunnel addresses.

When setting up the Clients, use the QR code.  Test with your phone. It basically starts with a blank rule and copies everything from the config section.


Store and generate next: Checked
Enable WireGuard: Checked

ONLY WHEN THE QR CODE IS SAVED ON YOUR PHONE SHOULD YOU HIT APPLY. YOU CAN'T TEST OR USE THE VPN UNTIL YOU APPLY THE CHANGES! YOU CAN'T VIEW THE PRIVATE KEYS ONCE THE APPLY IS PRESSED, SO ORDER OF OPERATIONS IS IMPORTANT!

1. Enter info
2. Scan QR Code, Save to Device
3. Click Apply
4. Test VPN connections

Let us know what matches, what changes you didn't use, and what questions you have.
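A quick consistency check for the prefix plan described above, added here as an example (it is not part of space_cadet's post and not OPNsense code): it carves the delegated /60 into its sixteen /64s, then verifies that the LAN and VPN /64s sit inside the delegation without overlapping and that the tunnel and peer addresses fall inside the VPN /64. The 2001:db8:abcd:1230::/60 prefix is a constructed documentation value standing in for the redacted 2601 prefix.

```python
import ipaddress

# Constructed documentation prefix standing in for the redacted 2601:xxxx:xxxx:xxxx::/60
DELEGATED_PREFIX = "2001:db8:abcd:1230::/60"

def usable_64s(delegated: str) -> list:
    """Every /64 that fits inside the delegated prefix (sixteen for a /60: ...1230 through ...123f)."""
    return list(ipaddress.ip_network(delegated, strict=True).subnets(new_prefix=64))

def plan_ok(delegated: str, lan: str, vpn: str, tunnel_ip: str, peer_ip: str) -> list:
    """Return a list of problems with the addressing plan; an empty list means it is consistent."""
    problems = []
    pd = ipaddress.ip_network(delegated, strict=True)
    lan_net = ipaddress.ip_network(lan, strict=True)
    vpn_net = ipaddress.ip_network(vpn, strict=True)
    if lan_net.prefixlen != 64 or vpn_net.prefixlen != 64:
        problems.append("LAN and VPN networks must be /64")
    for name, net in (("LAN", lan_net), ("VPN", vpn_net)):
        if not net.subnet_of(pd):
            problems.append(f"{name} {net} is outside the delegated {pd}")
    if lan_net.overlaps(vpn_net):
        problems.append("LAN and VPN /64s overlap; pick different fourth-hextet digits")
    tun = ipaddress.ip_interface(tunnel_ip)   # e.g. ...:xxxb::fffa/64, the instance tunnel address
    peer = ipaddress.ip_interface(peer_ip)    # e.g. ...:xxxb::fffb/128, the peer address
    if tun.network != vpn_net:
        problems.append(f"tunnel address {tun} is not inside the VPN /64")
    if peer.network.prefixlen != 128 or peer.ip not in vpn_net:
        problems.append(f"peer address {peer} must be a /128 inside the VPN /64")
    if peer.ip == tun.ip:
        problems.append("peer address collides with the tunnel (instance) address")
    return problems
```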
#4
26.1, 26,4 Series / Re: 26.1.8 breaks NUT
Last post by lmoore - Today at 03:48:55 AM
Quote from: OPNenthu on Today at 03:17:59 AM
Per the release notes there was no change to the nut package.  So what are you all even talking about? :P

With 2.8.5 the NUT widget reports an error.

Listed are the tail ends of ktrace for upsc in 2.8.3 & 2.8.5.

upsc - NUT 2.8.3
VAR SUA1000I ups.temperature "027.0"
    VAR SUA1000I ups.test."
 51229 upsc    RET  read 64/0x40
 51229 upsc    CALL  write(1,33258138185728,18)
 51229 upsc    GIO  fd 1 wrote 18 bytes
      "ups.status: OL LB
      "
 51229 upsc    RET  write 18/0x12
 51229 upsc    CALL  write(1,33258138185728,23)
 51229 upsc    GIO  fd 1 wrote 23 bytes
      "ups.temperature: 027.0
      "
 51229 upsc    RET  write 23/0x17
 51229 upsc    CALL  select(4,34899832816,0,0,34899832800)
 51229 upsc    RET  select 1
 51229 upsc    CALL  read(3,33258138055320,64)
 51229 upsc    GIO  fd 3 read 64 bytes
      "interval "0"
    VAR SUA1000I ups.test.result "NO"
    END LIST VAR SUA1"
 51229 upsc    RET  read 64/0x40
 51229 upsc    CALL  write(1,33258138185728,21)
 51229 upsc    GIO  fd 1 wrote 21 bytes
      "ups.test.interval: 0
      "
 51229 upsc    RET  write 21/0x15
 51229 upsc    CALL  write(1,33258138185728,20)
 51229 upsc    GIO  fd 1 wrote 20 bytes
      "ups.test.result: NO
      "
 51229 upsc    RET  write 20/0x14
 51229 upsc    CALL  select(4,34899832816,0,0,34899832800)
 51229 upsc    RET  select 1
 51229 upsc    CALL  read(3,33258138055320,64)
 51229 upsc    GIO  fd 3 read 5 bytes
      "000I
      "
 51229 upsc    RET  read 5
 51229 upsc    CALL  select(4,0,34899833232,0,34899833216)
 51229 upsc    RET  select 1
 51229 upsc    CALL  write(3,34918619370,7)
 51229 upsc    GIO  fd 3 wrote 7 bytes
      "LOGOUT
      "
 51229 upsc    RET  write 7
 51229 upsc    CALL  shutdown(3,SHUT_RDWR)
 51229 upsc    RET  shutdown 0
 51229 upsc    CALL  close(3)
 51229 upsc    RET  close 0
 51229 upsc    CALL  exit(0)


upsc - NUT 2.8.5
VAR SUA1000I ups.temperature "027.0"
    VAR SUA1000I ups.test."
 93660 upsc    RET  read 64/0x40
 93660 upsc    CALL  write(1,59259719200768,18)
 93660 upsc    GIO  fd 1 wrote 18 bytes
      "ups.status: OL LB
      "
 93660 upsc    RET  write 18/0x12
 93660 upsc    CALL  write(1,59259719200768,23)
 93660 upsc    GIO  fd 1 wrote 23 bytes
      "ups.temperature: 027.0
      "
 93660 upsc    RET  write 23/0x17
 93660 upsc    CALL  select(4,34912627584,0,0,34912627568)
 93660 upsc    RET  select 1
 93660 upsc    CALL  read(3,59259719086744,64)
 93660 upsc    GIO  fd 3 read 64 bytes
      "interval "0"
    VAR SUA1000I ups.test.result "NO"
    END LIST VAR SUA1"
 93660 upsc    RET  read 64/0x40
 93660 upsc    CALL  write(1,59259719200768,21)
 93660 upsc    GIO  fd 1 wrote 21 bytes
      "ups.test.interval: 0
      "
 93660 upsc    RET  write 21/0x15
 93660 upsc    CALL  write(1,59259719200768,20)
 93660 upsc    GIO  fd 1 wrote 20 bytes
      "ups.test.result: NO
      "
 93660 upsc    RET  write 20/0x14
 93660 upsc    CALL  select(4,34912627584,0,0,34912627568)
 93660 upsc    RET  select 1
 93660 upsc    CALL  read(3,59259719086744,64)
 93660 upsc    GIO  fd 3 read 5 bytes
      "000I
      "
 93660 upsc    RET  read 5
 93660 upsc    CALL  getpid
 93660 upsc    RET  getpid 93660/0x16ddc
 93660 upsc    CALL  fstatat(AT_FDCWD,2106259,34912628176,0)
 93660 upsc    NAMI  "/proc"
 93660 upsc    STRU  struct stat {dev=5509020405254355969, ino=538, mode=040555, nlink=2, uid=0, gid=0, rdev=0, atime=1769520096, mtime=1769520096, ctime=1770272166.850398000, birthtime=1769520096, size=2, blksize=4096, blocks=1, flags=0x800 }
 93660 upsc    RET  fstatat 0
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0x200<AT_SYMLINK_NOFOLLOW>)
 93660 upsc    NAMI  "/proc/93660/exe"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0x200<AT_SYMLINK_NOFOLLOW>)
 93660 upsc    NAMI  "/proc/93660/file"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0)
 93660 upsc    NAMI  "/proc/93660/cmdline"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0)
 93660 upsc    NAMI  "/proc/93660/stat"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  getpid
 93660 upsc    RET  getpid 93660/0x16ddc
 93660 upsc    CALL  fstatat(AT_FDCWD,34933438876,34912628176,0)
 93660 upsc    NAMI  "/proc"
 93660 upsc    STRU  struct stat {dev=5509020405254355969, ino=538, mode=040555, nlink=2, uid=0, gid=0, rdev=0, atime=1769520096, mtime=1769520096, ctime=1770272166.850398000, birthtime=1769520096, size=2, blksize=4096, blocks=1, flags=0x800 }
 93660 upsc    RET  fstatat 0
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0x200<AT_SYMLINK_NOFOLLOW>)
 93660 upsc    NAMI  "/proc/93660/exe"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0x200<AT_SYMLINK_NOFOLLOW>)
 93660 upsc    NAMI  "/proc/93660/file"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0)
 93660 upsc    NAMI  "/proc/93660/cmdline"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  fstatat(AT_FDCWD,34912628400,34912628176,0)
 93660 upsc    NAMI  "/proc/93660/stat"
 93660 upsc    RET  fstatat -1 errno 2 No such file or directory
 93660 upsc    CALL  select(4,0,34912628592,0,34912628576)
 93660 upsc    RET  select 1
 93660 upsc    CALL  write(3,34933446671,7)
 93660 upsc    GIO  fd 3 wrote 7 bytes
      "LOGOUT
      "
 93660 upsc    RET  write 7
 93660 upsc    CALL  select(4,34912628592,0,0,34912628576)
 93660 upsc    RET  select 1
 93660 upsc    CALL  read(3,34912628784,512)
 93660 upsc    GIO  fd 3 read 11 bytes
      "OK Goodbye
      "
 93660 upsc    RET  read 11/0xb
 93660 upsc    CALL  shutdown(3,SHUT_RDWR)
 93660 upsc    RET  shutdown 0
 93660 upsc    CALL  close(3)
 93660 upsc    RET  close 0
 93660 upsc    PSIG  SIGSEGV SIG_DFL code=SEGV_MAPERR
#5
Does anyone have a working setup using the os-OPENWAF plugin to reverse proxy the web GUI?

No matter what I try I just get a 'Forbidden' page.

There is excellent and extensive documentation for doing this with Caddy, but the documentation for os-OPENWAF is a lot less comprehensive.

Thanks.
#6
26.1, 26,4 Series / Re: 26.1.8 breaks NUT
Last post by OPNenthu - Today at 03:17:59 AM
Per the release notes there was no change to the nut package.  So what are you all even talking about? :P
#7
Better get the dust out. Blast it through every hole with one of those little battery-powered blowers ;-)
#8
Tutorials and FAQs / Re: HOWTO - Redirect all DNS R...
Last post by rumshot - Today at 02:54:45 AM

Hey Nero

Thanks for responding.

I've made a summary that can help others:


Successfully validated transparent DNS interception + centralized DNS enforcement.

Test scenario:
Client intentionally queried external resolvers directly:

* 1.1.1.1
* 2.2.2.2

Goal:
Force all DNS traffic to local resolver regardless of client configuration.

Validation chain:

1. Client-side packet capture initially showed:

192.168.50.214 -> 2.2.2.2:53

2. However, WAN-side packet capture showed NO outbound DNS/53 traffic leaving externally.
3. At the same time, local Unbound overrides were applied successfully even when querying external resolvers directly:

dig @2.2.2.2 aljazeera.com

Returned:

0.0.0.0

which only existed in local Unbound configuration.

4. VLAN-side capture still showed original tuples (expected pre-NAT behavior):

192.168.50.214.57805 > 2.2.2.2.53: A? aljazeera.com

but WAN capture confirmed no actual DNS egress.

5. Final proof came from Unbound query logs:

query: 192.168.50.214 ufpa.br. A IN
reply: 192.168.50.214 ufpa.br. A IN NOERROR

6. Upstream DNS validation:
    WAN capture on TCP/853 showed:

192.168.1.74 -> 9.9.9.9:853

confirming:

* local interception works
* firewall itself performs upstream DNS-over-TLS
* clients no longer query external resolvers directly.

Final architecture:

Client
→ forced DNS interception (NAT redirect)
→ local Unbound
→ Quad9 DNS-over-TLS

Interesting observation:
Ingress/VLAN packet captures may still display original pre-NAT destination tuples, while WAN captures reveal the actual post-NAT egress reality.


Hope I'm correct in my understanding and that this also helps someone.

Quote from: nero355 on May 12, 2026, 11:51:32 PM
Quote from: rumshot on May 12, 2026, 09:30:58 PM
Even more confusing:

* `dig @1.1.1.1 google.com`
* `dig @2.2.2.2 aljazeera.com`

still succeed from the client (macbook terminal) (just in case has something special with mac).
After applying the correct DNAT/SNAT Rules and related Firewall Rules that should work indeed, but instead of the queries going to those Public DNS Servers the queries should show up in the Query Log of your Private DNS Server ;)

Quote:
I also noticed:

* some DNS requests *are* going to `192.168.50.1`
* but other requests still leave directly to public DNS servers
That's not good...

Try these settings : https://forum.opnsense.org/index.php?msg=259581
And if you have questions let me know :)
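To make the validation chain in rumshot's summary repeatable, here is an added checker (example code, not from the post and not an OPNsense tool) that applies the same three tests to tcpdump-style capture lines and Unbound query-log lines: every VLAN client that sent DNS must show up in Unbound's log, nothing may leave the WAN with destination port 53, and the WAN must show the firewall's own TCP/853 session to 9.9.9.9. The sample lines are constructed to mirror the ones quoted above.

```python
import re
from dataclasses import dataclass, field

DOT_UPSTREAM = "9.9.9.9"   # Quad9, the upstream seen on TCP/853 in the post
# tcpdump-style "src.port > dst.port" tuples, the form quoted in the post
TUPLE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")
# Unbound log_queries line: "query: <client> <name> <type> <class>"
QUERY_RE = re.compile(r"query: (\d+\.\d+\.\d+\.\d+) (\S+) (\S+) (\S+)")

@dataclass
class Verdict:
    intercepted: bool          # every VLAN client that sent DNS is in Unbound's log and nothing leaked
    no_plain_dns_egress: bool  # no packet left the WAN with destination port 53
    dot_upstream: bool         # the firewall itself reached DOT_UPSTREAM on TCP/853
    leaks: list = field(default_factory=list)

def parse_tuples(lines):
    """Return (src, sport, dst, dport) for every capture line that carries a tuple."""
    out = []
    for line in lines:
        m = TUPLE_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return out

def logged_clients(unbound_log):
    """Client addresses for which Unbound logged a query."""
    clients = set()
    for line in unbound_log:
        m = QUERY_RE.search(line)
        if m:
            clients.add(m.group(1))
    return clients

def verify(vlan_capture, wan_capture, unbound_log):
    # The ingress (VLAN) capture still shows the pre-NAT destination, so only the source matters here
    vlan_clients = {t[0] for t in parse_tuples(vlan_capture) if t[3] == 53}
    wan = parse_tuples(wan_capture)
    leaks = [t for t in wan if t[3] == 53]   # any :53 on WAN means the redirect did not catch it
    dot = any(t[2] == DOT_UPSTREAM and t[3] == 853 for t in wan)
    return Verdict(intercepted=(vlan_clients <= logged_clients(unbound_log)) and not leaks,
                   no_plain_dns_egress=not leaks, dot_upstream=dot, leaks=leaks)

# Constructed sample lines modelled on the output quoted in the post (not real captures)
VLAN = ["192.168.50.214.57805 > 2.2.2.2.53: A? aljazeera.com",
        "192.168.50.214.57806 > 1.1.1.1.53: A? google.com"]
WAN_GOOD = ["192.168.1.74.41234 > 9.9.9.9.853: Flags [S]"]
WAN_LEAK = WAN_GOOD + ["192.168.1.74.57805 > 2.2.2.2.53: A? aljazeera.com"]
UNBOUND = ["query: 192.168.50.214 aljazeera.com. A IN",
           "reply: 192.168.50.214 aljazeera.com. A IN NOERROR"]
```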
#9
26.1, 26,4 Series / Caddy Cloudflare API Token Upd...
Last post by space_cadet - Today at 02:52:46 AM
Info:
OPNsense Ver:    26.1.8
os-caddy Ver:   2.1.0

I was clearing out some old API settings and deleted the one I was using for Caddy.  I followed the steps in the directions to set up a new API Token.  After a lot of troubleshooting, I've come to the conclusion that the Caddy Plugin is not accepting my new API Token, because Cloudflare is now giving out longer API Tokens than what the plugin is expecting.

Caddy will fail to start when the new API Token is saved.  However, it will not add anything to the log file.  I had to run the following shell command, and here is the result:

Command:
caddy validate --config /usr/local/etc/caddy/Caddyfile
Reply:
2026/05/12 23:27:32.387 INFO    using config from file  {"file": "/usr/local/etc/caddy/Caddyfile"}
2026/05/12 23:27:32.388 WARN    No files matching import glob pattern   {"pattern": "/usr/local/etc/caddy/caddy.d/*.global"}
2026/05/12 23:27:32.388 WARN    No files matching import glob pattern   {"pattern": "/usr/local/etc/caddy/caddy.d/*.conf"}
2026/05/12 23:27:32.389 WARN    caddyfile       Unnecessary header_up X-Forwarded-For: the reverse proxy's default behavior is to pass headers to the upstream
2026/05/12 23:27:32.389 WARN    caddyfile       Unnecessary header_up X-Forwarded-Host: the reverse proxy's default behavior is to pass headers to the upstream
2026/05/12 23:27:32.390 WARN    caddyfile       Unnecessary header_up X-Forwarded-For: the reverse proxy's default behavior is to pass headers to the upstream
2026/05/12 23:27:32.390 WARN    caddyfile       Unnecessary header_up X-Forwarded-Host: the reverse proxy's default behavior is to pass headers to the upstream
2026/05/12 23:27:32.392 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2026/05/12 23:27:32.393 INFO    redirected default logger       {"from": "stderr", "to": "unixgram//var/run/caddy/log.sock"}
Error: loading dynamic_dns app module: provision dynamic_dns: loading DNS provider module: loading module 'cloudflare': provision dns.providers.cloudflare: API token 'cfut_PhB{Rest-Of-The-Key}' appears invalid; ensure it's correctly entered and not wrapped in braces nor quotes

Notice the error at the end of the startup attempt.  It says that the token is invalid.  The API tokens generated by Cloudflare now have prefixes:

API Token (User API Token in Directions): cfut_{48 char string}
Global API Key (Not Recommended): cfk_{48 char string}
Account API Token: cfat_{48 char string}

These Cloudflare prefixes make the API Token longer than what is expected and prevent the service from starting properly. The wiki documentation page lists https://github.com/caddy-dns/cloudflare as the GitHub for Cloudflare, and the cloudflare.go file shows that the old API Tokens, which may still be in use, are 35-50 characters long (see line 27).  The new API Tokens are 32-256 characters, and it takes the prefix into account (see line 30). 

Will this update be incorporated into an update at any point, or is there another way I should update the DNS records?
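To illustrate the length mismatch the post describes, here is an added Python model of the two validation rules (it is not the caddy-dns/cloudflare code and not the plugin's own check): the 35-50 and 32-256 character bounds are the ones the post cites, while the prefix list, the whitespace test and the braces/quotes test are assumptions modelled on the Caddy error message quoted above. The sample tokens are constructed, not real credentials.

```python
# Length bounds quoted in the post; the prefix list and the wrapping checks are assumptions
NEW_PREFIXES = ("cfut_", "cfat_", "cfk_")

def old_token_check(token: str) -> bool:
    """Rule the post attributes to the older cloudflare.go: 35 to 50 characters, no prefix awareness."""
    return 35 <= len(token) <= 50 and not any(c.isspace() for c in token)

def new_token_check(token: str) -> bool:
    """Rule the post describes for the updated module: 32 to 256 characters, prefix included."""
    return 32 <= len(token) <= 256 and not any(c.isspace() for c in token)

def diagnose(token: str) -> str:
    """Explain why a pasted token is rejected, following the hints in the quoted Caddy error."""
    if not token or token != token.strip():
        return "token is empty or has surrounding whitespace"
    if token[0] in "{\"'" or token[-1] in "}\"'":
        return "token is wrapped in braces or quotes"
    if not new_token_check(token):
        return "token fails even the new 32-256 character rule"
    if token.startswith(NEW_PREFIXES) and not old_token_check(token):
        return "prefixed token passes the new rule but not the old 35-50 one: the plugin binary needs the newer module"
    return "token format looks acceptable"

# Constructed sample tokens (not real credentials)
LEGACY_TOKEN = "A" * 40                 # 40 characters, old style: accepted by both rules
PREFIXED_TOKEN = "cfut_" + "B" * 48     # 53 characters with the cfut_ prefix: rejected by the old rule
```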



#10
26.1, 26,4 Series / Re: One of the networks stops ...
Last post by opnseeker - Today at 02:05:26 AM
I switched Home and Admin such that now Admin uses the untagged network and Home uses tagged network.

Now the problem occurred on the Admin interface. It looks like this problem is specific to the untagged network.

Hope that generates some interest and suggestions.