Recent Posts

1

General Discussion / Re: My VM's traffic not passing thur OPNsense

« Last post by viragomann on Today at 04:28:42 pm »

OPNsense can only see, what it gets provided from Proxmox.

It's recommended to provide virtIO network cards.

I suggested to assign different subnets to WAN and LAN. If both have IPs in the same subnet, OPNsense is not able to route any traffic.

2

24.7 Production Series / Re: easy way to revert to former revision of OPNsense?

« Last post by Will78 on Today at 04:25:41 pm »

Patch worked for me as well.

3

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?

« Last post by gac on Today at 04:20:08 pm »

Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else?

They would be in /var/unbound/etc/dot.conf

Hmm, ok the link he quoted mentioned the unbound.conf.  My dot.conf file other than a single forwarding zone is empty.

The documentation for `unbound.conf` just shows every available option - Unbound is one of the (sensible) apps which allows for options to be spread across multiple configuration files, for example some provided by a package manager (eligible for overwriting) and some manually (which should not be overwritten). Or separated out by purpose/feature.

So `/var/unbound/etc/dot.conf` will contain a rendered config file with the configuration entries from the `unbound.conf` man page, which are relevant for DNS-over-TLS (or `dot`).

4

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK? -> OK with 24.7.10_1

« Last post by Wendigo on Today at 04:15:27 pm »

24.7.10_1 works fine for me. Thank you

5

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?

« Last post by FullyBorked on Today at 04:14:42 pm »

> Thanks, mine is currently un-patched, I show " tls-system-cert: yes".

Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?

If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.


Cheers,
Franco

Adding "tls-win-cert" in the line below didn't fix it.  But replacing "tls-system-cert: yes" with "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" did restore functionality. 

Do I need to leave the "tls-win-cert: yes" in place? 

6

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?

« Last post by longtom on Today at 04:11:13 pm »

Thanks a lot for the quick patch! 

7

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?

« Last post by franco on Today at 04:08:02 pm »

> Thanks, mine is currently un-patched, I show " tls-system-cert: yes".

Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?

If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.


Cheers,
Franco

8

Announcements / Re: OPNsense 24.7.10 released

« Last post by franco on Today at 04:06:18 pm »

A hotfix release was issued as 24.7.10_1:

o unbound: use tls-cert-bundle to point to remaining valid bundle

9

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?

« Last post by FullyBorked on Today at 04:04:23 pm »

No, /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf otherwise it will be overwritten on apply.

Thanks, mine is currently un-patched, I show " tls-system-cert: yes". 

10

24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?

« Last post by franco on Today at 04:03:27 pm »

24.7.10_1 is now live...