Recent posts

#1
25.7, 25.10 Series / Re: Tailscale and OPNSense Web...
Last post by willj8823 - Today at 12:31:48 AM
Same here. On my active OPNsense setup (version 25.7.11_1), I can access the OPNsense web interface using the Tailscale URL. However, on my test setup (version 25.7.11_2), I am unable to access the OPNsense web interface using the Tailscale URL. After restarting the WebGUI, access via the Tailscale URL works.

Will
#2
German - Deutsch / Re: Which DSL modem for VDSL...
Last post by k0ns0l3 - Today at 12:03:58 AM
Quote from: meyergru on January 20, 2026, 11:44:50 AM
Quote from: k0ns0l3 on January 20, 2026, 11:29:38 AM
Is there a description of how to do that? Unfortunately, no experience,

As always, in the tutorial section: https://forum.opnsense.org/index.php?topic=36936.0 or also here, point 11.

Thanks, I'll get back to you soon 😉

Kind regards
#3
25.1, 25.4 Series / Wireguard issue(s)
Last post by Dark-Sider - January 20, 2026, 11:15:08 PM
Hi,

Since WireGuard made its way into OPNsense it works OK-ish, however its "stability" is not comparable to OpenVPN. However, I like the concept behind WireGuard, therefore I'm putting up with some issues and still using it.

Last week I had to restart my OPNsense box (25.1.12) and, me being away on a business trip, WireGuard failed me (again) after the restart. I usually solve this issue by de- and reactivating my one and only wg0 instance via the WebGUI. After restarting wg0 everything works as it is supposed to.

Since the issue caught me cold (again), I did some forum reading and found interesting threads regarding wg and DNS, stale connections, etc.:
https://forum.opnsense.org/index.php?topic=49432.0
https://forum.opnsense.org/index.php?topic=37905.0
https://forum.opnsense.org/index.php?topic=42648.0

Honestly, I didn't know about the quirks of wg and DNS resolve issues after your dynamic IP refreshes, or wg only doing DNS queries once on startup and not refreshing them. One might argue that using a static IP would solve such problems; however, static IPs on consumer lines are hard to get these days. Even IPv6 is dynamic with my ISP.

While I think wg's behaviour is a severe design oversight in the protocol / module (nothing related to OPNsense though), I appreciate the effort that a cron job exists that is somewhat supposed to fix the issue.

I activated the cron job to run */5 * * * *; however, my issue was not resolved. My mobile phone was not able to connect via IPv6 or IPv4 (both usually work) to my OPNsense box. I did a packet capture on 51820 and the packets from the phone arrived, but no response was sent back.

I then noticed there is another cron job called "restart wireguard service". I also set up this job to run */7 * * * *; however, after waiting for 14 minutes my WireGuard log still showed that the service was started last week - no other log entries.

While looking at the logs I found that the wg status page was quite empty, only showing wg0 with my local endpoint at port 33###. I didn't notice this at first, but my wg setup uses only port 51820. Also, no peers were shown at all on the status page.

I have 3 road warrior peers configured ("dial in only"), being my phone, my laptop and a mobile GL.iNet travel router. I also have a site2site connection configured to a remote network.

Only after I deactivate my instance and reactivate it are all 4 peers listed on the status page. When the peers are listed, the connections start working again.

My OPNsense runs virtualized (yes, it could use a firmware update, which I will do later) and is on a dial-up connection at a German ISP (M-Net) using both IPv4 and IPv6 connectivity via PPPoE. Luckily my ISP connection is hyper-stable, so reboots and disconnects, and thus IP changes, happen very rarely.

I still wonder why wg needs a kick in the... after my box boots up? And shouldn't that "restart wg" cron job also fix my issue?

thanks,
Dark-Sider
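As an added example (not part of Dark-Sider's post, and not OPNsense's own cron job), a small check in the spirit of the "stale endpoint after DNS change" problem described above: it parses the output format of `wg show <iface> endpoints` and flags peers whose cached endpoint IP no longer matches what DNS returns now. The peer keys, hostnames, sample output and DNS answers are all constructed stand-ins.

```python
"""Flag WireGuard peers whose cached endpoint no longer matches DNS.

Parses the `wg show <iface> endpoints` format ("<pubkey>\t<ip>:<port>" or
"<pubkey>\t(none)" per peer) and compares each cached IP with what a resolver
returns now. The resolver is injected so the check runs offline.
"""
import ipaddress

# Constructed sample of `wg show wg0 endpoints` output; keys are placeholders.
SAMPLE_ENDPOINTS = (
    "PEER_KEY_SITE2SITE=\t203.0.113.10:51820\n"
    "PEER_KEY_PHONE=\t(none)\n"
    "PEER_KEY_V6SITE=\t[2001:db8::10]:51820\n"
)
# Peers configured with a hostname endpoint (constructed). Road-warrior peers
# such as the phone have no endpoint of their own and are not listed here.
HOSTNAME_PEERS = {
    "PEER_KEY_SITE2SITE=": "site.example.net",
    "PEER_KEY_V6SITE=": "v6site.example.net",
}
# Constructed DNS answers: the IPv4 site moved, the IPv6 one did not.
DEMO_DNS = {
    "site.example.net": ["203.0.113.99"],
    "v6site.example.net": ["2001:db8::10"],
}

def parse_endpoints(text):
    """Map peer public key -> (ip, port), or None when nothing is cached."""
    result = {}
    for line in text.splitlines():
        key, _, endpoint = line.partition("\t")
        if endpoint == "(none)":
            result[key] = None
            continue
        host, _, port = endpoint.rpartition(":")
        host = host.strip("[]")  # IPv6 endpoints are written as [addr]:port
        result[key] = (str(ipaddress.ip_address(host)), int(port))
    return result

def stale_peers(text, hostnames, resolve):
    """Peers whose cached endpoint IP is absent from the current DNS answer."""
    cached = parse_endpoints(text)
    stale = []
    for key, hostname in hostnames.items():
        current = {str(ipaddress.ip_address(a)) for a in resolve(hostname)}
        entry = cached.get(key)
        if entry is None or entry[0] not in current:
            stale.append(key)
    return stale
```

In production the resolver argument would wrap socket.getaddrinfo() and the text would come from running the wg command; a non-empty result is the signal that the tunnel needs the same kick the cron job is meant to give it.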
#4
25.7, 25.10 Series / Re: Unbound to DNSmasq/KEA?
Last post by nero355 - January 20, 2026, 10:28:55 PM
Quote from: spetrillo on January 20, 2026, 08:10:20 PM
I am still using ISC for DHCP and would like to rip the band-aid off and migrate to KEA for DHCP, DNSMasq for local DNS, and Unbound as the DNS that talks to the Internet.

Has anyone done this?
I moved from ISC to KEA in about 10 minutes:
- Export all static DHCP mappings into separate .csv files via the webGUI feature.
- Set up everything in KEA but DO NOT enable it yet!
- Go to your ISC DHCP networks and Stop & Disable all of them one by one.
- Enable KEA for all those networks/interfaces and start the service if needed.

DONE! :)

Quote: Is this a good plan or is there a better solution?
Using both KEA and DNSmasqd will probably end in a conflict: both use the same ports!

Just use KEA or DNSmasqd, and when you use the latter you don't even need Unbound if that's easier for you, because the DNS part of DNSmasqd and Unbound can have a port conflict too!! ;)

Quote: Is there a document that talks about making the split? I did not find one.
This one is pretty good:
Quote from: jp0469 on January 20, 2026, 08:29:06 PM
This guide helped me tremendously:

https://homenetworkguy.com/how-to/migrate-from-isc-dhcp-to-dnsmasq-or-kea-dhcp-in-opnsense/
It answered some minor questions that I had about some options/workflows and my "migration plan", so to speak...
#5
25.7, 25.10 Series / Re: [SOLVED]--Unbound + dnscry...
Last post by nero355 - January 20, 2026, 10:19:08 PM
Quote from: opnessense on January 17, 2026, 10:59:24 PM
AdGuard running on a Raspberry Pi in LAN (some VLANs used it directly, others only via Unbound)
If you are running that anyway, then why not move everything DNS to that Raspberry Pi?!

I am not even using Unbound in OPNsense: my Pi-hole + Unbound setup does everything for me on a Raspberry Pi 3B :)

In your case you could run:
- AdGuard
- Unbound
And also add dnscrypt-proxy to that if you want...
#6
25.7, 25.10 Series / Re: Periodic interface reset -...
Last post by nero355 - January 20, 2026, 10:09:30 PM
Quote from: franco on January 20, 2026, 01:31:39 PM
Well, we're talking about the documented cron job name "periodic interface reset":

https://docs.opnsense.org/manual/settingsmenu.html#cron

And not all interfaces use DHCP but can still be "periodically reset".
Well...

At least the description seems to explain that it's "legit", more or less:
Quote: Cycle through an interface reset that removes all connectivity and reactivates it cleanly.
Right?!

Quote: Please don't shoot the messenger. This terminology was invented before we started our project. :)
Was just wondering why you guys call it the way you call it: that's all! :)
#7
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by franco - January 20, 2026, 10:06:41 PM
I've asked IPinfo to take a look. Also make sure the maximum table entries value is not too small.

Cheers,
Franco
#8
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
Last post by Patrick M. Hausen - January 20, 2026, 10:01:43 PM
Set it to the MTU and OPNsense will use MTU - 40 for IPv4 and MTU - 60 for IPv6, which is the reason why you do not put the effective MSS in that field: it is different for the two protocols.
#9
25.7, 25.10 Series / Re: GeoIP list no more correct...
Last post by meyergru - January 20, 2026, 10:00:17 PM
AFAIK, the business edition uses IPinfo per default, if not configured otherwise.
#10
25.7, 25.10 Series / Re: New site PPPoE PMTU woes
Last post by meyergru - January 20, 2026, 09:59:12 PM
In theory, MSS should be set to MTU-40, but OPNsense does some trickery with the input value, so I would not set it at all.